Same problem: Nexplore popups, Google search redirect

I noticed that a lot of people are having the same problem.
I'm not able to run Malwarebytes' Anti-Malware. I tried renaming it but it didn't work.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:54, on 2009-12-29
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\HP\Digital Imaging\bin\hposol08.exe
C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ClubBox] "C:\WINDOWS\System32\clubbox.exe" -l
O4 - HKLM\..\Run: [eSnips] "C:\PROGRA~1\eSnips\ClientGW.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hegijumoy] Rundll32.exe "c:\windows\system32\pagapobo.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [TudouVAStart] C:\Program Files\Tudou\飞速Tudou\TudouVa.exe
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: ???QQ?? - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: ???QQ???? - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: ???QQ????? - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: ?QQ??????? - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: ìú??QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170604411623
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170612040234
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C39047A5-733A-4440-BCBC-395C7883041E}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: c:\windows\system32\gukejibu.dll rahobofo.dll c:\windows\system32\pagapobo.dll
O21 - SSODL: suketezut - {24cc08f2-4626-4207-a459-81d2a5447f0d} - c:\windows\system32\gukejibu.dll (file missing)
O21 - SSODL: kozehavur - {580abc58-31f4-4c66-8e17-75b16d2b6c30} - c:\windows\system32\pagapobo.dll
O22 - SharedTaskScheduler: kupuhivus - {24cc08f2-4626-4207-a459-81d2a5447f0d} - c:\windows\system32\gukejibu.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {580abc58-31f4-4c66-8e17-75b16d2b6c30} - c:\windows\system32\pagapobo.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
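The O2, O4, O20, O21 and O22 sections of the log above are where the helper later finds the dropped DLLs. As an added example (not code from the thread or from HijackThis), here is a small Python triage pass run over lines copied from this thread's logs; the "generated name" heuristic and the per-section reasons are the editor's assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: HijackThis entries copied from the logs in this thread,
# plus benign lines (Adobe BHO, Avira, iPod service) that the triage must ignore.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07b49d33-ee99-4f38-8e0f-24771cd7c2f6} - raromozo.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [hegijumoy] Rundll32.exe "c:\windows\system32\pagapobo.dll",a
O20 - AppInit_DLLs: c:\windows\system32\gukejibu.dll rahobofo.dll c:\windows\system32\pagapobo.dll
O21 - SSODL: kozehavur - {580abc58-31f4-4c66-8e17-75b16d2b6c30} - c:\windows\system32\pagapobo.dll
O22 - SharedTaskScheduler: jugezatag - {580abc58-31f4-4c66-8e17-75b16d2b6c30} - c:\windows\system32\pagapobo.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
DLL_RE = re.compile(r"([A-Za-z0-9_]+)\.dll\b", re.IGNORECASE)
GUID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")
VOWELS = set("aeiou")


@dataclass
class Finding:
    section: str
    body: str
    reasons: list = field(default_factory=list)


def looks_generated(name: str) -> bool:
    """Heuristic (an assumption tuned to this thread): every dropped DLL here has an
    eight-letter name alternating consonant/vowel (pagapobo, gukejibu, raromozo ...)."""
    name = name.lower()
    if len(name) != 8 or not name.isalpha():
        return False
    return all((c in VOWELS) == (i % 2 == 1) for i, c in enumerate(name))


def triage_line(line: str):
    """Return a Finding for a suspicious HijackThis entry, or None for a benign one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    reasons = []
    generated = [n.lower() for n in DLL_RE.findall(body) if looks_generated(n)]
    if generated:
        reasons.append("generated-looking DLL name(s): " + ", ".join(generated))
    if section == "O20":
        reasons.append("AppInit_DLLs populated: listed DLLs load into every process that maps user32.dll")
    elif section in ("O21", "O22"):
        reasons.append(f"{section} shell load point in use (SSODL/SharedTaskScheduler run inside explorer.exe)")
    elif section == "O4" and re.search(r"\brundll32(\.exe)?\b", body, re.IGNORECASE):
        reasons.append("Run entry starts a DLL through Rundll32 instead of an executable")
    elif section == "O2" and "(no name)" in body and "(file missing)" in body:
        reasons.append("unnamed BHO whose file is missing")
    return Finding(section, body, reasons) if reasons else None


def triage(log_text: str) -> list:
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def cross_reference(findings) -> dict:
    """Map each generated-looking DLL and each CLSID to the sections it appears in:
    one DLL wired into O4, O20, O21 and O22 at once is the persistence picture that
    a single log line does not show."""
    seen: dict = {}
    for f in findings:
        for n in DLL_RE.findall(f.body):
            if looks_generated(n):
                seen.setdefault(n.lower() + ".dll", set()).add(f.section)
        for g in GUID_RE.findall(f.body):
            seen.setdefault(g.lower(), set()).add(f.section)
    return seen


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section}: {f.body}")
        for r in f.reasons:
            print("    ->", r)
    print("\nindicators by section:")
    for key, sections in sorted(cross_reference(found).items()):
        print(f"  {key}: {', '.join(sorted(sections))}")
```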

Comments

  • edited December 2009
    Hey there, welcome. :)

    A few things before we start....
    1. Please Read All Instructions Carefully.
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you.
    4. If you have to go away for an extended period of time, let me know.
    5. Please continue to respond until I give you the "All Clear".
    (Just because you can't see a problem doesn't mean it isn't there)

    ===============

    Please download Malwarebytes' Anti-Malware by clicking the link below:
    http://www.besttechie.net/tools/mbam-setup.exe

    Double Click mbam-setup.exe to install the application.

    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * You'll be required to post the contents of this log later.

    Please Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



    Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

    Go here ======> A guide and tutorial on using ComboFix <====== Go here

    Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should get a prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    (1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    (2) Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.


    Please include the MBAM log, C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.


    Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
  • edited December 2009
    Malwarebytes' Anti-Malware doesn't run for me.

    ComboFix 09-12-29.06 - Owner -12-30 Wed 11:50:08.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.503.119 [GMT -5:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions)))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\NDNuninstall6_38.exe
    c:\windows\NDNuninstall7_48.exe
    c:\windows\system32\asio4all.dll
    c:\windows\system32\dasakebe.dll
    c:\windows\system32\duvotihe.dll
    c:\windows\system32\duzemibe.dll
    c:\windows\system32\ninegagi.dll
    c:\windows\system32\notabage.dll
    c:\windows\system32\pivetupa.dll
    c:\windows\system32\sebiniha.dll
    c:\windows\system32\telonapi.dll
    c:\windows\system32\wegehove.dll
    c:\windows\system32\wigudozi.dll
    c:\windows\system32\zarebeba.dll
    c:\windows\Tasks\qcyktoou.job

    BITS: Possible infected sites

    hxxp://82.98.235.34
    .
    ((((((((((((((((((((((((( Files created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
    .

    2009-12-29 17:14 . 2009-12-29 17:14 d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2009-12-29 17:14 . 2009-12-29 17:14 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-12-19 00:02 . 2009-12-19 00:02 d-----w- c:\documents and settings\Owner\Application Data\Blumentals

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-30 16:59 . 2007-02-04 18:19 d-----w- c:\documents and settings\Owner\Application Data\DMCache
    2009-12-30 16:27 . 2009-12-29 17:14 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-30 01:29 . 2007-02-04 16:53 d-----w- c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition Classic
    2009-12-29 16:57 . 2009-12-29 16:57 d-----w- c:\program files\Trend Micro
    2009-12-29 02:49 . 2007-03-05 00:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-12-21 14:43 . 2009-12-21 14:43 d-----w- c:\program files\Veoh Networks
    2009-12-19 00:03 . 2009-12-19 00:02 d-----w- c:\program files\WeBuilder 2010
    2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
    2009-10-13 10:30 . 2006-05-14 09:13 270336 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:38 . 2003-07-16 20:42 149504 ----a-w- c:\windows\system32\rastls.dll
    2009-10-12 13:38 . 2003-07-16 20:42 79872 ----a-w- c:\windows\system32\raschap.dll
    2009-09-26 17:24 . 2009-09-26 17:24 51712 -csha-w- c:\windows\system32\gelarijo.dll.tmp
    2009-09-26 17:23 . 2009-09-26 17:23 51712 --sha-w- c:\windows\system32\majubilu.dll
    2009-09-29 16:29 . 2009-09-29 16:29 92160 --sha-w- c:\windows\system32\pagapobo.dll
    2009-09-26 17:24 . 2009-09-26 17:24 51712 --sha-w- c:\windows\system32\rahobofo.dll.tmp
    2009-09-30 16:29 . 2009-09-30 16:29 51712 --sha-w- c:\windows\system32\raromozo.dll
    2009-09-26 17:24 . 2009-09-26 17:24 51712 --sha-w- c:\windows\system32\yujukumi.dll.tmp
    2009-09-29 02:18 . 2009-09-29 02:18 61952 --sha-w- c:\windows\system32\zumidiba.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07b49d33-ee99-4f38-8e0f-24771cd7c2f6}]
    2009-09-30 16:29 51712 --sha-w- c:\windows\system32\raromozo.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2007-10-11 802816]
    "VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-11-20 2590456]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2003-07-16 59392]
    "PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-07-16 455168]
    "PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-07-16 455168]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
    "StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-09 185632]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    hpoddt01.exe.lnk - c:\program files\HP\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
    officejet 6100.lnk - c:\program files\HP\Digital Imaging\bin\hposol08.exe [2003-4-5 147456]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
    "c:\\WINDOWS\\system32\\conime.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposts08.exe"=

    R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2007-2-4 11:53 22360]
    R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2007-2-4 11:53 45400]
    .

    Supplementary Scan
    .
    uStart Page = hxxp://www.tudou.com/my/
    uInternet Settings,ProxyServer = 80.227.0.153:80
    IE: c:\program files\Tencent\QQ\SendMMS.htm
    IE: ???QQ?? - c:\program files\Tencent\QQ\AddEmotion.htm
    IE: ???QQ???? - c:\program files\Tencent\QQ\AddToNetDisk.htm
    IE: ???QQ????? - c:\program files\Tencent\QQ\AddPanel.htm
    IE: ??iTudou????
    IE: ?QQ??????? - c:\program files\Tencent\QQ\SendMMS.htm
    IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
    IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
    IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: ê1ó?iTudou?????ú??
    IE: ê1ó?iTudou?????ú?? - c:\program files\Tudou\iTudou\iTudou_Link.HTM
    IE: ìí?óμ?QQ±í?é
    IE: ìí?óμ?QQ×??¨ò???°?
    IE: ìí?óμ?QQ±í?é
    IE: ìí?óμ?QQ×??¨ò???°?
    IE: ìí?óμ?QQ±í?é - c:\program files\Tencent\QQ\AddEmotion.htm
    IE: ìí?óμ?QQ×??¨ò???°? - c:\program files\Tencent\QQ\AddPanel.htm
    IE: ó?QQ2êD?·??í??í???
    IE: ó?QQ2êD?·¢?í??í???
    IE: ó?QQ2êD?·¢?í??í??? - c:\program files\Tencent\QQ\SendMMS.htm
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\Tencent\QQ\QQ.EXE
    TCP: {C39047A5-733A-4440-BCBC-395C7883041E} = 192.168.1.1
    DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} - hxxp://www.clubbox.co.kr/neo.fld/NowStarter.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ttff66mv.default\
    FF - prefs.js: network.proxy.type - 2
    FF - component: c:\documents and settings\Owner\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Sonic RecordNow! - (no file)
    HKCU-Run-Free Download Manager - c:\program files\Free Download Manager\fdm.exe
    HKCU-Run-TudouVAStart - c:\program files\Tudou\飞速Tudou\TudouVa.exe
    HKLM-Run-ClubBox - c:\windows\System32\clubbox.exe
    HKLM-Run-ClientGW - (no file)
    HKLM-Run-eSnips - c:\progra~1\eSnips\ClientGW.exe
    HKLM-Run-hegijumoy - c:\windows\system32\wigudozi.dll
    HKLM-Run-vubazuwevi - dasakebe.dll
    SharedTaskScheduler-{24cc08f2-4626-4207-a459-81d2a5447f0d} - c:\windows\system32\gukejibu.dll
    SharedTaskScheduler-{d8744b30-314d-428f-9e8f-ebd297d9130a} - c:\windows\system32\wigudozi.dll
    SSODL-suketezut-{24cc08f2-4626-4207-a459-81d2a5447f0d} - c:\windows\system32\gukejibu.dll
    SSODL-yapebesev-{d8744b30-314d-428f-9e8f-ebd297d9130a} - c:\windows\system32\wigudozi.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-30 11:59
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    LOCKED REGISTRY KEYS

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5831d74d-1008-4f2a-9475-7e51c788205b}]
    @Denied: (Full) (Everyone)
    "Model"=dword:0000012f
    "Therad"=dword:0000002c
    "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
    38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5cebf972-a277-4313-958d-0edfb1397bb8}]
    @Denied: (Full) (Everyone)
    "Model"=dword:00000068
    "Therad"=dword:0000000f
    "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
    38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    @Denied: (Full) (Everyone)
    "scansk"=hex(0):8a,7a,ed,3a,ec,af,1c,d6,1c,a2,20,1f,85,0f,2b,84,d6,67,31,a4,3f,
    d0,7f,81,ac,54,84,14,ce,73,fb,bd,e6,03,ae,d1,36,78,a9,86,00,00,00,00,00,00,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
    @Denied: (Full) (Everyone)
    "scansk"=hex(0):2f,63,cf,85,f9,8b,9a,de,0f,e6,93,c8,10,71,fa,67,97,b6,42,98,2c,
    f5,93,1c,01,1c,69,c3,76,9d,0d,61,eb,42,9c,d4,93,62,a6,b0,00,00,00,00,00,00,\

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\貢€|晙|鶗A~*]
    "5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'explorer.exe'(3248)
    c:\program files\Windows Media Player\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\OneX.DLL
    c:\windows\system32\eappprxy.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\windows\system32\conime.exe
    c:\program files\AntiVir PersonalEdition Classic\sched.exe
    c:\program files\AntiVir PersonalEdition Classic\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\windows\BCMSMMSG.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\HP\Digital Imaging\bin\hpoevm08.exe
    c:\program files\HP\Digital Imaging\Bin\hpoSTS08.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-12-30 12:15:24 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-12-30 17:15

    Pre-Run: 22,965,182,464 bytes free
    Post-Run: 23,836,176,384 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-CHS.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    - - End Of File - - 95E46D93935AC0170C71F4E2B8C82E34
  • edited December 2009
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:35:42, on 2009-12-30
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Download Manager\IDMan.exe
    C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\HP\Digital Imaging\bin\hposol08.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {07b49d33-ee99-4f38-8e0f-24771cd7c2f6} - raromozo.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
    O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: ???QQ?? - C:\Program Files\Tencent\QQ\AddEmotion.htm
    O8 - Extra context menu item: ???QQ???? - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
    O8 - Extra context menu item: ???QQ????? - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: ?QQ??????? - C:\Program Files\Tencent\QQ\SendMMS.htm
    O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
    O9 - Extra 'Tools' menuitem: ìú??QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170604411623
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170612040234
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C39047A5-733A-4440-BCBC-395C7883041E}: NameServer = 192.168.1.1
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 7540 bytes
  • edited December 2009
    Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

    It's IMPORTANT to carry out the instructions in the sequence listed below.
    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    Open *notepad* and copy/paste the red text in the quotebox below into it:
    [COLOR="red"]File::
    c:\windows\system32\gelarijo.dll.tmp
    c:\windows\system32\majubilu.dll
    c:\windows\system32\pagapobo.dll
    c:\windows\system32\rahobofo.dll.tmp
    c:\windows\system32\raromozo.dll
    c:\windows\system32\yujukumi.dll.tmp
    c:\windows\system32\zumidiba.dll
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\conime.exe"=-
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07b49d33-ee99-4f38-8e0f-24771cd7c2f6}][/COLOR]
    

    Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


    CFScript.gif

    Referring to the picture above, drag CFScript.txt into ComboFix.exe


    When finished, it shall produce a log for you at C:\ComboFix.txt

    Please copy and paste the ComboFix.txt in your new reply.

    *Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
  • edited December 2009
    ComboFix 09-12-29.06 - Owner -12-31 Thursday 11:19:12.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.503.192 [GMT -5:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

    FILE ::
    "c:\windows\system32\gelarijo.dll.tmp"
    "c:\windows\system32\majubilu.dll"
    "c:\windows\system32\pagapobo.dll"
    "c:\windows\system32\rahobofo.dll.tmp"
    "c:\windows\system32\raromozo.dll"
    "c:\windows\system32\yujukumi.dll.tmp"
    "c:\windows\system32\zumidiba.dll"
    .


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\gelarijo.dll.tmp
    c:\windows\system32\majubilu.dll
    c:\windows\system32\pagapobo.dll
    c:\windows\system32\rahobofo.dll.tmp
    c:\windows\system32\raromozo.dll
    c:\windows\system32\telemize.dll
    c:\windows\system32\yujukumi.dll.tmp
    c:\windows\system32\zobumava.dll
    c:\windows\system32\zumidiba.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
    .

    2009-12-31 04:25 . 2009-12-31 04:25 56 ---ha-w- c:\windows\system32\ezsidmv.dat
    2009-12-31 04:25 . 2009-12-31 16:06 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
    2009-12-31 04:15 . 2009-12-31 16:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
    2009-12-31 04:08 . 2008-04-14 01:12 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
    2009-12-31 04:08 . 2008-04-14 01:12 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
    2009-12-31 04:01 . 2009-12-31 04:01 -------- d-----w- c:\program files\Common Files\Skype
    2009-12-31 04:01 . 2009-12-31 16:15 -------- d-----r- c:\program files\Skype
    2009-12-31 04:01 . 2009-12-31 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2009-12-30 19:11 . 2009-12-30 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2009-12-29 17:14 . 2009-12-29 17:14 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2009-12-29 17:14 . 2009-12-29 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-12-29 17:14 . 2009-12-30 16:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-29 16:57 . 2009-12-29 16:57 -------- d-----w- c:\program files\Trend Micro
    2009-12-29 16:40 . 2009-12-29 16:40 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
    2009-12-29 16:31 . 2009-12-29 16:31 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
    2009-12-29 16:27 . 2009-12-29 16:27 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
    2009-12-28 16:40 . 2009-12-28 17:01 -------- dc-h--w- c:\windows\ie8
    2009-12-21 14:43 . 2009-12-21 14:43 -------- d-----w- c:\program files\Veoh Networks
    2009-12-19 00:03 . 2009-12-19 00:03 -------- d-sh--w- c:\windows\ftpcache
    2009-12-19 00:02 . 2009-12-19 00:03 -------- d-----w- c:\program files\WeBuilder 2010
    2009-12-19 00:02 . 2009-12-19 00:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Blumentals

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-31 16:31 . 2007-02-04 18:19 -------- d-----w- c:\documents and settings\Owner\Application Data\DMCache
    2009-12-29 02:49 . 2007-03-05 00:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
    2009-10-13 10:30 . 2006-05-14 09:13 270336 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:38 . 2003-07-16 20:42 149504 ----a-w- c:\windows\system32\rastls.dll
    2009-10-12 13:38 . 2003-07-16 20:42 79872 ----a-w- c:\windows\system32\raschap.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2007-10-11 802816]
    "VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-11-20 2590456]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2003-07-16 59392]
    "PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-07-16 455168]
    "PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-07-16 455168]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
    "StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-09 185632]
    "hegijumoy"="c:\windows\system32\telemize.dll" [BU]
    "vubazuwevi"="dasakebe.dll" [BU]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    hpoddt01.exe.lnk - c:\program files\HP\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
    officejet 6100.lnk - c:\program files\HP\Digital Imaging\bin\hposol08.exe [2003-4-5 147456]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposts08.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoevm08.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.tudou.com/my/
    uInternet Settings,ProxyServer = 80.227.0.153:80
    IE: c:\program files\Tencent\QQ\SendMMS.htm
    IE: ???QQ?? - c:\program files\Tencent\QQ\AddEmotion.htm
    IE: ???QQ???? - c:\program files\Tencent\QQ\AddToNetDisk.htm
    IE: ???QQ????? - c:\program files\Tencent\QQ\AddPanel.htm
    IE: ??iTudou????
    IE: ?QQ??????? - c:\program files\Tencent\QQ\SendMMS.htm
    IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
    IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
    IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: ê1ó?iTudou?????ú??
    IE: ê1ó?iTudou?????ú?? - c:\program files\Tudou\iTudou\iTudou_Link.HTM
    IE: ìí?óμ?QQ±í?é
    IE: ìí?óμ?QQ×??¨ò???°?
    IE: ìí?óμ?QQ±í?é
    IE: ìí?óμ?QQ×??¨ò???°?
    IE: ìí?óμ?QQ±í?é - c:\program files\Tencent\QQ\AddEmotion.htm
    IE: ìí?óμ?QQ×??¨ò???°? - c:\program files\Tencent\QQ\AddPanel.htm
    IE: ó?QQ2êD?·??í??í???
    IE: ó?QQ2êD?·¢?í??í???
    IE: ó?QQ2êD?·¢?í??í??? - c:\program files\Tencent\QQ\SendMMS.htm
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\Tencent\QQ\QQ.EXE
    TCP: {C39047A5-733A-4440-BCBC-395C7883041E} = 192.168.1.1
    DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} - hxxp://www.clubbox.co.kr/neo.fld/NowStarter.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ttff66mv.default\
    FF - prefs.js: network.proxy.type - 2
    FF - component: c:\documents and settings\Owner\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    SharedTaskScheduler-{f3a85b2a-45d8-408f-b77d-434d06d5367e} - c:\windows\system32\telemize.dll
    SSODL-lobaruzod-{f3a85b2a-45d8-408f-b77d-434d06d5367e} - c:\windows\system32\telemize.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-31 11:30
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    LOCKED REGISTRY KEYS

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5831d74d-1008-4f2a-9475-7e51c788205b}]
    @Denied: (Full) (Everyone)
    "Model"=dword:0000012f
    "Therad"=dword:0000002c
    "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
    38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5cebf972-a277-4313-958d-0edfb1397bb8}]
    @Denied: (Full) (Everyone)
    "Model"=dword:00000068
    "Therad"=dword:0000000f
    "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
    38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    @Denied: (Full) (Everyone)
    "scansk"=hex(0):8a,7a,ed,3a,ec,af,1c,d6,1c,a2,20,1f,85,0f,2b,84,d6,67,31,a4,3f,
    d0,7f,81,ac,54,84,14,ce,73,fb,bd,e6,03,ae,d1,36,78,a9,86,00,00,00,00,00,00,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
    @Denied: (Full) (Everyone)
    "scansk"=hex(0):2f,63,cf,85,f9,8b,9a,de,0f,e6,93,c8,10,71,fa,67,97,b6,42,98,2c,
    f5,93,1c,01,1c,69,c3,76,9d,0d,61,eb,42,9c,d4,93,62,a6,b0,00,00,00,00,00,00,\

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\貢€|晙|鶗A~*]
    "5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'explorer.exe'(2580)
    c:\program files\Windows Media Player\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\OneX.DLL
    c:\windows\system32\eappprxy.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll

    .
    Other Running Processes
    .
    c:\windows\system32\conime.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\BCMSMMSG.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\HP\Digital Imaging\bin\hpoevm08.exe
    c:\program files\HP\Digital Imaging\Bin\hpoSTS08.exe
    c:\program files\Skype\Plugin Manager\skypePM.exe
    .
    **************************************************************************
    .
    Completion time:: 2009-12-31 11:49:18
    ComboFix-quarantined-files.txt 2009-12-31 16:49
    ComboFix2.txt 2009-12-30 17:15

    Pre-Run: 23,763,398,656 bytes free
    Post-Run: 23,638,761,472 bytes free

    - - End Of File - - BE6EAC56E0C0EBF2DF36701C539D6C2F
  • edited December 2009
    Do this again:

    Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

    It's IMPORTANT to carry out the instructions in the sequence listed below.
    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    Open *notepad* and copy/paste the red text in the quotebox below into it:
    [COLOR="red"]
    File::
    c:\windows\system32\telemize.dll
    c:\windows\system32\dasakebe.dll
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hegijumoy"=-
    "vubazuwevi"=-
    [/COLOR]
    

    Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop. Say Yes if asked to replace existing file during saving.


    CFScript.gif

    Referring to the picture above, drag CFScript.txt into ComboFix.exe


    When finished, it shall produce a log for you at C:\ComboFix.txt

    Please copy and paste the ComboFix.txt in your new reply, again.

    *Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
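How the follow-up script above can be derived mechanically from the preceding ComboFix log, as an added example that is not part of the original thread and not ComboFix's own code: it parses the Other Deletions and Reg Loading Points sections (the sample is a constructed excerpt in the layout of the log posted above), flags Run values that ComboFix tagged [BU] or that point at a file it already deleted, and emits the matching CFScript. Assumed, as the helper did: a bare file name in a Run value resolves to c:\windows\system32.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt laid out like the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\telemize.dll
c:\windows\system32\zobumava.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2007-10-11 802816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"hegijumoy"="c:\windows\system32\telemize.dll" [BU]
"vubazuwevi"="dasakebe.dll" [BU]
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # (((( Section Name ))))
KEY_RE = re.compile(r"^\[(.+)\]$")                         # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]')  # "name"="target" [info]
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)

# Assumption (hypothetical resolution rule): a bare file name is looked up in system32.
SYSTEM32 = r"c:\windows\system32"


def parse_sections(log: str) -> Dict[str, List[str]]:
    """Group the log's non-empty lines under the (((( header )))) that precedes them."""
    sections: Dict[str, List[str]] = {"preamble": []}
    current = "preamble"
    for raw in log.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line:
            sections[current].append(line)
    return sections


def deleted_files(sections: Dict[str, List[str]]) -> Set[str]:
    """Full paths ComboFix reports under 'Other Deletions', lower-cased for comparison."""
    return {line.lower() for line in sections.get("Other Deletions", [])
            if DRIVE_PATH_RE.match(line)}


def run_values(sections: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """(key, value name, target, bracket info) for every value under a Run key."""
    found: List[Tuple[str, str, str, str]] = []
    key = ""
    for line in sections.get("Reg Loading Points", []):
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and key.lower().endswith(r"\run"):
            found.append((key,) + value_match.groups())
    return found


def resolve_target(target: str) -> str:
    """Lower-case the target; a bare file name is placed in system32 (see assumption above)."""
    t = target.strip().lower()
    return t if "\\" in t else SYSTEM32 + "\\" + t


def suspect_run_values(log: str) -> List[Tuple[str, str, str]]:
    """Run values to remove: tagged [BU] by ComboFix, or pointing at a file it already deleted."""
    sections = parse_sections(log)
    deleted = deleted_files(sections)
    hits: List[Tuple[str, str, str]] = []
    for key, name, target, info in run_values(sections):
        path = resolve_target(target)
        if info.strip() == "BU" or path in deleted:
            hits.append((key, name, path))
    return hits


def build_cfscript(log: str) -> str:
    """Emit a CFScript: File:: paths to remove, then Registry:: values to delete."""
    hits = suspect_run_values(log)
    files: List[str] = []
    for _, _, path in hits:
        if path not in files:              # first-seen order, no duplicates
            files.append(path)
    lines = ["File::", *files, "Registry::"]
    current_key = None
    for key, name, _ in hits:
        if key != current_key:
            lines.append(f"[{key}]")
            current_key = key
        lines.append(f'"{name}"=-')        # REGEDIT4 syntax: "name"=- deletes that value
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG), end="")
```

Run against the sample, the output is exactly the File:: and Registry:: blocks of the follow-up script above.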
  • edited January 2010
    ComboFix 09-12-29.06 - Owner -12-31 Thursday 23:00:03.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.503.242 [GMT -5:00]
    Running From: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FILE ::
    "c:\windows\system32\dasakebe.dll"
    "c:\windows\system32\telemize.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\Start Menu\Programs\Startup\Logitech . 产品注册.lnk
    c:\windows\TEMP\logishrd\LVPrcInj01.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
    .

    2009-12-31 23:51 . 2009-12-31 23:51 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\LogiShrd
    2009-12-31 23:49 . 2009-04-30 23:02 539160 ----a-r- c:\windows\system32\LVUI2RC.dll
    2009-12-31 23:49 . 2009-04-30 23:03 6754712 ----a-r- c:\windows\system32\drivers\lvuvc.sys
    2009-12-31 23:49 . 2009-04-30 23:02 539160 ----a-r- c:\windows\system32\LVUI2.dll
    2009-12-31 23:49 . 2009-04-30 22:57 416280 ----a-r- c:\windows\system32\lvcodec2.dll
    2009-12-31 23:48 . 2009-04-30 23:01 265496 ----a-r- c:\windows\system32\drivers\lvrs.sys
    2009-12-31 23:48 . 2009-04-30 23:00 114712 ----a-r- c:\windows\system32\drivers\lvpopflt.sys
    2009-12-31 23:48 . 2009-04-30 22:57 199192 ----a-r- c:\windows\system32\lvci1201278.dll
    2009-12-31 23:48 . 2009-04-30 22:39 34068 ----a-r- c:\windows\system32\Repository.reg
    2009-12-31 23:47 . 2009-04-30 23:03 23832 ----a-r- c:\windows\system32\drivers\lvuvcflt.sys
    2009-12-31 23:47 . 2009-12-31 23:49 -------- d-----w- c:\windows\LastGood.Tmp
    2009-12-31 23:45 . 2009-12-31 23:49 -------- d-----w- c:\program files\Common Files\LogiShrd
    2009-12-31 23:45 . 2009-12-31 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
    2009-12-31 23:44 . 2010-01-01 01:30 -------- d-----w- c:\program files\Logitech
    2009-12-31 19:34 . 2009-12-31 19:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Symantec
    2009-12-31 19:27 . 2009-12-31 19:27 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2009-12-31 19:27 . 2009-12-31 19:27 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-12-31 19:20 . 2009-12-31 19:36 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2009-12-31 19:20 . 2009-12-31 19:27 -------- d-----w- c:\program files\Symantec
    2009-12-31 16:41 . 2009-12-31 16:44 -------- d-----w- c:\windows\ie8updates
    2009-12-31 04:25 . 2009-12-31 04:25 56 ---ha-w- c:\windows\system32\ezsidmv.dat
    2009-12-31 04:25 . 2009-12-31 21:05 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
    2009-12-31 04:15 . 2010-01-01 04:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
    2009-12-31 04:08 . 2008-04-14 01:12 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
    2009-12-31 04:08 . 2008-04-14 01:12 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
    2009-12-31 04:01 . 2009-12-31 04:01 -------- d-----w- c:\program files\Common Files\Skype
    2009-12-31 04:01 . 2009-12-31 16:15 -------- d-----r- c:\program files\Skype
    2009-12-31 04:01 . 2009-12-31 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2009-12-30 19:11 . 2009-12-31 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2009-12-30 17:17 . 2009-10-29 07:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2009-12-30 17:17 . 2009-10-29 07:45 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2009-12-29 17:14 . 2009-12-29 17:14 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2009-12-29 17:14 . 2009-12-29 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-12-29 17:14 . 2009-12-30 16:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-29 16:57 . 2009-12-29 16:57 -------- d-----w- c:\program files\Trend Micro
    2009-12-29 16:40 . 2009-12-29 16:40 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
    2009-12-29 16:31 . 2009-12-29 16:31 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
    2009-12-29 16:27 . 2009-12-29 16:27 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
    2009-12-28 16:40 . 2009-12-28 17:01 -------- dc-h--w- c:\windows\ie8
    2009-12-21 14:43 . 2009-12-21 14:43 -------- d-----w- c:\program files\Veoh Networks
    2009-12-19 00:03 . 2009-12-19 00:03 -------- d-sh--w- c:\windows\ftpcache
    2009-12-19 00:02 . 2009-12-19 00:03 -------- d-----w- c:\program files\WeBuilder 2010
    2009-12-19 00:02 . 2009-12-19 00:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Blumentals

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-01 03:53 . 2007-02-04 18:19 -------- d-----w- c:\documents and settings\Owner\Application Data\DMCache
    2009-12-31 23:49 . 2009-12-31 23:49 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
    2009-12-31 23:47 . 2009-12-31 23:47 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
    2009-12-31 19:41 . 2007-03-05 00:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-12-31 19:27 . 2009-12-31 19:27 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2009-12-31 19:27 . 2009-12-31 19:27 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2009-10-29 07:45 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
    2009-10-13 10:30 . 2006-05-14 09:13 270336 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:38 . 2003-07-16 20:42 149504 ----a-w- c:\windows\system32\rastls.dll
    2009-10-12 13:38 . 2003-07-16 20:42 79872 ----a-w- c:\windows\system32\raschap.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2007-10-11 802816]
    "VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-11-20 2590456]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2003-07-16 59392]
    "PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-07-16 455168]
    "PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-07-16 455168]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
    "StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-09 185632]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    hpoddt01.exe.lnk - c:\program files\HP\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
    officejet 6100.lnk - c:\program files\HP\Digital Imaging\bin\hposol08.exe [2003-4-5 147456]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposts08.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoevm08.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-12-31 102448]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 12:51 23888]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - ERASERUTILREBOOTDRV
    .

    Supplementary Scan
    .
    uStart Page = hxxp://www.tudou.com/my/
    uInternet Settings,ProxyServer = 80.227.0.153:80
    IE: c:\program files\Tencent\QQ\SendMMS.htm
    IE: ???QQ?? - c:\program files\Tencent\QQ\AddEmotion.htm
    IE: ???QQ???? - c:\program files\Tencent\QQ\AddToNetDisk.htm
    IE: ???QQ????? - c:\program files\Tencent\QQ\AddPanel.htm
    IE: ??iTudou????
    IE: ?QQ??????? - c:\program files\Tencent\QQ\SendMMS.htm
    IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
    IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
    IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: ê1ó?iTudou?????ú??
    IE: ê1ó?iTudou?????ú?? - c:\program files\Tudou\iTudou\iTudou_Link.HTM
    IE: ìí?óμ?QQ±í?é
    IE: ìí?óμ?QQ×??¨ò???°?
    IE: ìí?óμ?QQ±í?é
    IE: ìí?óμ?QQ×??¨ò???°?
    IE: ìí?óμ?QQ±í?é - c:\program files\Tencent\QQ\AddEmotion.htm
    IE: ìí?óμ?QQ×??¨ò???°? - c:\program files\Tencent\QQ\AddPanel.htm
    IE: ó?QQ2êD?·??í??í???
    IE: ó?QQ2êD?·¢?í??í???
    IE: ó?QQ2êD?·¢?í??í??? - c:\program files\Tencent\QQ\SendMMS.htm
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\Tencent\QQ\QQ.EXE
    TCP: {C39047A5-733A-4440-BCBC-395C7883041E} = 192.168.1.1
    DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} - hxxp://www.clubbox.co.kr/neo.fld/NowStarter.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ttff66mv.default\
    FF - prefs.js: network.proxy.type - 2
    FF - component: c:\documents and settings\Owner\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-Symantec Antvirus



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-31 23:18
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    LOCKED REGISTRY KEYS

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5831d74d-1008-4f2a-9475-7e51c788205b}]
    @Denied: (Full) (Everyone)
    "Model"=dword:0000012f
    "Therad"=dword:0000002c
    "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
    38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5cebf972-a277-4313-958d-0edfb1397bb8}]
    @Denied: (Full) (Everyone)
    "Model"=dword:00000068
    "Therad"=dword:0000000f
    "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
    38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    @Denied: (Full) (Everyone)
    "scansk"=hex(0):8a,7a,ed,3a,ec,af,1c,d6,1c,a2,20,1f,85,0f,2b,84,d6,67,31,a4,3f,
    d0,7f,81,ac,54,84,14,ce,73,fb,bd,e6,03,ae,d1,36,78,a9,86,00,00,00,00,00,00,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
    @Denied: (Full) (Everyone)
    "scansk"=hex(0):2f,63,cf,85,f9,8b,9a,de,0f,e6,93,c8,10,71,fa,67,97,b6,42,98,2c,
    f5,93,1c,01,1c,69,c3,76,9d,0d,61,eb,42,9c,d4,93,62,a6,b0,00,00,00,00,00,00,\

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\貢€|晙|鶗A~*]
    "5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'explorer.exe'(3288)
    c:\windows\system32\WININET.dll
    c:\windows\TEMP\logishrd\LVPrcInj01.dll
    c:\program files\Windows Media Player\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\windows\system32\conime.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\BCMSMMSG.exe
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\program files\HP\Digital Imaging\bin\hpoevm08.exe
    c:\program files\HP\Digital Imaging\Bin\hpoSTS08.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Skype\Plugin Manager\skypePM.exe
    .
    **************************************************************************
    .
    Completion time: 2009-12-31 23:35:27
    ComboFix-quarantined-files.txt 2010-01-01 04:35
    ComboFix2.txt 2009-12-31 16:49
    ComboFix3.txt 2009-12-30 17:15

    Pre-Run: 22,719,107,072 bytes free
    Post-Run: 22,692,405,248 bytes free

    - - End Of File - - D592196D7AFF5A1DD116DC217C5F4CBE
  • edited January 2010
    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


    Next....let's have you go HERE to run Panda ActiveScan 2.0
    • Click the big green Scan now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • Once the scan is completed, please hit the notepad icon next to the text Export to:
    • Save it to a convenient location such as your Desktop
    • Post the contents of the ActiveScan.txt in your next reply.
  • edited January 2010
    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2010-01-06 18:41:46
    PROTECTIONS: 1
    MALWARE: 8
    SUSPECTS: 17
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    Symantec Endpoint Protection 11.0.5002.290 Yes Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00117819 Spyware/New.net Spyware No 1 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp933\a0130411.exe
    00117819 Spyware/New.net Spyware No 1 Yes No c:\qoobox\quarantine\c\windows\ndnuninstall6_38.exe.vir
    00350959 Spyware/New.net Spyware No 1 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp933\a0130412.exe
    00350959 Spyware/New.net Spyware No 1 Yes No c:\qoobox\quarantine\c\windows\ndnuninstall7_48.exe.vir
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp933\a0130425.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp936\a0130781.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp939\a0131120.sys
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\telonapi.dll.vir
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\wigudozi.dll.vir
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\zarebeba.dll.vir
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2009-12-31_11.18.50.zip[pagapobo.dll]
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2009-12-31_11.18.50.zip[zumidiba.dll]
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\ninegagi.dll.vir
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp930\a0129888.dll
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp933\a0130419.dll
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp933\a0130417.dll
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp930\a0129916.exe
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp930\a0129924.dll
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp931\a0129989.dll
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp931\a0129995.dll
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130186.dll
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130190.dll
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130286.dll
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130307.dll
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp933\a0130415.dll
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp933\a0130414.dll
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\pivetupa.dll.vir
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\duvotihe.dll.vir
    05830716 Adware/SystemGuard2009 Adware No 0 Yes No c:\qoobox\quarantine\c\windows\system32\wegehove.dll.vir
    05830716 Adware/SystemGuard2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp933\a0130418.dll
    05832673 Adware/SystemGuard2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp930\a0129894.dll
    05832673 Adware/SystemGuard2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp930\a0129896.dll
    05832673 Adware/SystemGuard2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp930\a0129895.dll
    05838559 Adware/SystemGuard2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp933\a0130416.dll
    05838559 Adware/SystemGuard2009 Adware No 0 Yes No c:\qoobox\quarantine\c\windows\system32\sebiniha.dll.vir
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130329.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130330.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130331.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130332.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130333.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130328.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130321.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130336.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130337.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130338.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130339.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130340.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130334.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130320.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130319.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130327.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130318.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130325.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130324.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130335.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130322.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130326.exe
    05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130323.exe
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    No c:\documents and settings\owner\desktop\combofix.exe[32788r22fwjfw\pev.exe]
    No c:\program files\common files\supportsoft\bin\ssmail.dll
    No c:\qoobox\quarantine\c\windows\system32\telemize.dll.vir
    No c:\qoobox\quarantine\c\windows\system32\zobumava.dll.vir
    No c:\qoobox\quarantine\c\windows\system32\gelarijo.dll.tmp.vir
    No c:\qoobox\quarantine\[4]-submit_2009-12-31_11.18.50.zip[gelarijo.dll.tmp]
    No c:\qoobox\quarantine\[4]-submit_2009-12-31_11.18.50.zip[majubilu.dll]
    No c:\qoobox\quarantine\[4]-submit_2009-12-31_11.18.50.zip[rahobofo.dll.tmp]
    No c:\qoobox\quarantine\[4]-submit_2009-12-31_11.18.50.zip[yujukumi.dll.tmp]
    No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp933\a0130478.exe
    No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp936\a0130752.exe
    No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp936\a0130771.dll
    No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp936\a0130772.dll
    No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp937\a0130928.exe
    No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp939\a0131098.exe
    No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp939\a0131270.exe
    No c:\windows\pev.exe
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
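The report above is the kind of output a helper has to read quickly, and the security-relevant question is not the raw count of hits but where each hit lives: entries under c:\qoobox\quarantine are ComboFix's inert quarantine copies, entries under System Volume Information\_restore are System Restore snapshots, and the two pev.exe suspects are a component packed inside combofix.exe (the report itself shows that path). Only hits outside those locations sit on the live system and need follow-up. The script below is an added example, not part of the thread and not Panda's or ComboFix's code; it parses the ActiveScan text layout as shown above (the column order is inferred from the posted report), sorts every MALWARE and SUSPECTS row by location class, lists what is live, and checks that the MALWARE and SUSPECTS counters in the header agree with the rows (the MALWARE counter counts unique signature IDs). The embedded report is a constructed excerpt in the same format, not the full posting.

```python
"""Triage a Panda ActiveScan 2.0 text report by detection location.

Added example: classifies each hit as quarantine / restore_point /
tool_component / live, so the helper sees at once whether anything
still sits on the running system.
"""
import re
from collections import Counter

HEADER_RE = re.compile(r"^(ANALYSIS|PROTECTIONS|MALWARE|SUSPECTS): (.+)$")
# Column layout inferred from the posted report: Id Description Type Active
# Severity Disinfectable Disinfected Location (location may contain spaces).
MALWARE_RE = re.compile(
    r"^(?P<id>\d{8}) (?P<desc>\S+) (?P<type>\S+) (?P<active>Yes|No) "
    r"(?P<severity>\d+) (?P<disinfectable>Yes|No) (?P<disinfected>Yes|No) "
    r"(?P<location>.+)$"
)
SUSPECT_RE = re.compile(r"^(?P<sent>Yes|No) (?P<location>.+)$")
SECTION_NAMES = {"PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES"}


def classify_location(path):
    """Bucket a reported path by whether it can still execute on the host."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "quarantine"          # ComboFix quarantine: renamed, inert copy
    if "\\system volume information\\_restore" in p:
        return "restore_point"       # System Restore snapshot, not on the live path
    if "combofix.exe[" in p or p.endswith("\\pev.exe"):
        return "tool_component"      # pev.exe is packed inside combofix.exe per the report
    return "live"


def parse_report(text):
    """Return header fields plus MALWARE and SUSPECTS rows as dicts."""
    header, malware, suspects, section = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                 # blank or ;==== separator
        m = HEADER_RE.match(line)
        if m and section is None:
            header[m.group(1)] = m.group(2)
            continue
        if line in SECTION_NAMES:
            section = line
            continue
        if section == "MALWARE" and (m := MALWARE_RE.match(line)):
            malware.append(m.groupdict())
        elif section == "SUSPECTS" and (m := SUSPECT_RE.match(line)):
            suspects.append(m.groupdict())
    return {"header": header, "malware": malware, "suspects": suspects}


def triage(text):
    """Summarise a report: hits per location class, live hits, header consistency."""
    rep = parse_report(text)
    hits = [(e["location"], f'{e["desc"]} [{e["id"]}]') for e in rep["malware"]]
    hits += [(s["location"], "suspect") for s in rep["suspects"]]
    by_class = Counter(classify_location(loc) for loc, _ in hits)
    live = [(loc, tag) for loc, tag in hits if classify_location(loc) == "live"]
    unique_ids = {e["id"] for e in rep["malware"]}
    hdr = rep["header"]
    consistent = (str(len(unique_ids)) == hdr.get("MALWARE")
                  and str(len(rep["suspects"])) == hdr.get("SUSPECTS"))
    return {
        "by_location": dict(by_class),
        "live": live,
        "active_in_memory": [e for e in rep["malware"] if e["active"] == "Yes"],
        "counts_consistent": consistent,
    }


# Constructed excerpt in the report's format (not the full posted report).
SAMPLE_REPORT = r"""
ANALYSIS: 2010-01-06 18:41:46
PROTECTIONS: 1
MALWARE: 4
SUSPECTS: 4
PROTECTIONS
Description Version Active Updated
;====
Symantec Endpoint Protection 11.0.5002.290 Yes Yes
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;====
00117819 Spyware/New.net Spyware No 1 Yes No c:\qoobox\quarantine\c\windows\ndnuninstall6_38.exe.vir
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp933\a0130425.sys
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2009-12-31_11.18.50.zip[pagapobo.dll]
05843278 Adware/AntiVirusXP2009 Adware No 0 Yes No c:\system volume information\_restore{37a0401a-3eed-4dea-88c5-2d83755ac34e}\rp932\a0130329.exe
SUSPECTS
Sent Location
;====
No c:\documents and settings\owner\desktop\combofix.exe[32788r22fwjfw\pev.exe]
No c:\program files\common files\supportsoft\bin\ssmail.dll
No c:\qoobox\quarantine\c\windows\system32\telemize.dll.vir
No c:\windows\pev.exe
VULNERABILITIES
Id Severity Description
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("hits by location:", result["by_location"])
    print("header counters consistent:", result["counts_consistent"])
    print("still active in memory:", len(result["active_in_memory"]))
    for loc, tag in result["live"]:   # only these need a second look
        print("LIVE", tag, loc)
```

Anything the script prints as LIVE is a path outside quarantine and restore points; it is a candidate for closer inspection (hash lookup, publisher, load context), not a verdict. Everything else is either an inert copy or a helper-tool file, which is the reasoning behind the "should be clean now" assessment that follows, together with the ComboFix uninstall, which purges the quarantine folder and resets System Restore so those snapshots are discarded.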
  • edited January 2010
    I think our work is done here - your PC should be clean now.

    It's time to remove ComboFix. This command will also remove the remnants detected by Panda ActiveScan.

    Go to Start > Run
    Type in box

    combofix /uninstall

    Note: the space between the X and the /u

    Press Enter.

    This command will:

    Delete the following:
    ComboFix and its associated files and folders.
    VundoFix backups, if present
    The C:\Deckard folder, if present
    The C:\_OtMoveIt folder, if present

    Reset the clock settings.
    Hide file extensions, if required.
    Hide System/Hidden files, if required.
    Reset System Restore.


    Even if you have no more queries, I would appreciate if you can reply once more to this thread so that I will be able to have this archived. Thanks. :)
  • edited January 2010
    Thank you very much for your help. My computer is running fine now.
  • edited January 2010
    You're welcome.

    Moving this to the Resolved section now.