WiredWX Hobby Weather Tools

Malware doctor

3 posters

Malware doctor

Hey, all. Uh, well I have the kind of Malware Doctor that this person has: THIS GUY. I have Malwarebytes Anti-Malware and it did not work. I tried full and quick scan. Well I hope you guys can help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:26 PM, on 6/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\HiYo\bin\HiYo.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Documents and Settings\LocalService\Application Data\1361538659.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\WINDOWS\System32\avast!AVSControlService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Documents and Settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\NVT Malware Remover Tool\NVT Malware Remover Tool.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Chrome copyright - {AFF01325-0FC2-4749-8914-FBF0565AD9CC} - jbnmck.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: LiveInfoPro - {3E9D340B-D614-4854-AE06-4218201F6AAE} - C:\Program Files\Internet Explorer\LiveInfoPro\toolbar_v0.9.5_w-jsinside-affid-1002.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [HiYo] C:\Program Files\HiYo\bin\HiYo.exe /RunFromStartup
O4 - HKLM\..\Run: [zzz_ImInstaller_HiYo] "C:\Documents and Settings\David's\Local Settings\Temp\ImInstaller\HiYo\HiYo_Install.exe" -startup -product HiYo -skip_dialog info -skip_dialog language -report -cluster 4
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [] C:\WINDOWS\TEMP\ma3ltaj8xv .exe
O4 - HKCU\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\ma3ltaj8xv .exe
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\827269390.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-1074470393-2632276350-390648040-7770\service.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WeGame.lnk = C:\Program Files\WeGame\wegame.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [searching] Search from the Address bar
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222717864515
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: avast!AVSControlService - Unknown owner - C:\WINDOWS\System32\avast!AVSControlService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 14468 bytes

Re: Malware doctor


  • Open HijackThis.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Chrome copyright - {AFF01325-0FC2-4749-8914-FBF0565AD9CC} - jbnmck.dll (file missing)
    O4 - HKLM\..\Run: [HiYo] C:\Program Files\HiYo\bin\HiYo.exe /RunFromStartup
    O4 - HKLM\..\Run: [zzz_ImInstaller_HiYo] "C:\Documents and Settings\David's\Local Settings\Temp\ImInstaller\HiYo\HiYo_Install.exe" -startup -product HiYo -skip_dialog info -skip_dialog language -report -cluster 4
    O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
    O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
    O4 - HKCU\..\Run: [] C:\WINDOWS\TEMP\ma3ltaj8xv .exe
    O4 - HKCU\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\ma3ltaj8xv .exe
    O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
    O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
    O4 - HKUS\.DEFAULT\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-1074470393-2632276350-390648040-7770\service.exe (User 'Default user')
    O4 - Global Startup: WeGame.lnk = C:\Program Files\WeGame\wegame.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
  • Press "Fix Checked"
  • Close Hijack This.
  • Download combofix from here
    Link 1
    Link 2

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

[image: CF_download_FF]

[image: CF_download_rename]

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See HERE for how to disable your AV. (McAfee)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
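
The entries checked in the HijackThis list above share a few tell-tale traits: auto-start targets living in `C:\WINDOWS\TEMP`, `C:\RECYCLER` or the LocalService profile, an executable named only with digits, a space before `.exe`, a `.tmp` "program", an empty Run value name, a browser proxy pointing at `localhost`, a BHO whose DLL is missing, and the `DisableRegedit=1` policy. As an added example (not code from this thread, from HijackThis or from ComboFix), the Python script below encodes those triage rules and runs them over sample lines copied from the log in the first post, plus a few benign entries to show they are left alone. The rule names, thresholds and the `SUSPICIOUS_DIRS` table are my own assumptions, not a published detection standard.

```python
"""Triage HijackThis log lines for persistence indicators.

Added example, not HijackThis or ComboFix code. The rules encode the kinds of
entries a malware-removal helper checks: auto-start targets in TEMP, RECYCLER
or a service-account profile, digit-only or space-padded executable names, a
.tmp "executable", an empty Run value name, a browser proxy pointing at the
local host, a BHO whose DLL is missing, and the DisableRegedit policy.
"""
import re

# Directories from which no legitimate program should auto-start (assumed list).
# Keys are regexes matched against a lower-cased target path.
SUSPICIOUS_DIRS = {
    r"\\windows\\temp\\": "Windows TEMP directory",
    r"\\local settings\\temp\\": "user TEMP directory",
    r"\\recycler\\": "Recycle Bin folder",
    r"\\documents and settings\\localservice\\": "LocalService profile",
}

# "O4 - HKCU\..\Run: [name] target"  ->  section, body
ENTRY_RE = re.compile(r"^\s*([RFNO]\d+)\s+-\s+(.*?)\s*$")
RUN_RE = re.compile(r"\\run(?:once)?:\s*\[(.*?)\]\s*(.*)$")


def parse_entry(line):
    """Return (section, body) for a HijackThis entry line, else None."""
    m = ENTRY_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def flags_for(line):
    """Return the list of reasons an entry looks suspicious (empty if clean)."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    section, body = parsed
    low = body.lower()
    reasons = []

    # R1: a proxy on localhost means a local process is relaying browser traffic.
    if section == "R1" and "proxyserver" in low:
        value = low.split("=", 1)[1] if "=" in low else ""
        if "localhost" in value or "127.0.0.1" in value:
            reasons.append("browser proxy points at the local host")

    # O2: a BHO whose DLL cannot be found is orphaned or hidden from the scan.
    if section == "O2" and "(file missing)" in low:
        reasons.append("BHO registered but its DLL is missing")

    # O4: auto-start entries; inspect the value name and the target path.
    if section == "O4":
        m = RUN_RE.search(low)
        if m:
            name, target = m.group(1).strip(), m.group(2).strip()
            if name == "":
                reasons.append("Run value with an empty name")
            for pattern, description in SUSPICIOUS_DIRS.items():
                if re.search(pattern, target):
                    reasons.append(f"auto-start from {description}")
                    break
            if re.search(r"\s\.exe\b", target):
                reasons.append("space inserted before .exe")
            if re.search(r"[\\/]\d{6,}\.exe\b", target):
                reasons.append("executable with an all-digit name")
            if re.search(r'\.tmp"?(\s|$)', target):
                reasons.append("auto-start target has a .tmp extension")
            if not re.search(r"[\\/]", target) and "." not in target:
                reasons.append("bare name with no path or extension")

    # O7: policy entries; malware sets DisableRegedit to block manual cleanup.
    if section == "O7" and "disableregedit=1" in low.replace(" ", ""):
        reasons.append("Registry Editor disabled by policy")

    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every flagged entry in a log."""
    flagged = []
    for raw in log_text.splitlines():
        reasons = flags_for(raw)
        if reasons:
            flagged.append((raw.strip(), reasons))
    return flagged


# Constructed sample: lines copied from the log in the first post, plus benign
# entries (R0, Java updater, SigmaTel tray app, Bonjour service) as controls.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O2 - BHO: Chrome copyright - {AFF01325-0FC2-4749-8914-FBF0565AD9CC} - jbnmck.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [] C:\WINDOWS\TEMP\ma3ltaj8xv .exe
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O4 - HKUS\.DEFAULT\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-1074470393-2632276350-390648040-7770\service.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run as-is it prints the eight flagged lines from the sample with their reasons; the four control entries produce nothing. The script only reports; deciding what to fix stays with the person reading the log, which is also why each rule yields a human-readable reason rather than a score.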

Re: Malware doctor

The malware is still here.

Code:

ComboFix 09-06-09.06 - David's 06/09/2009 22:05.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1022.466 [GMT -4:00]
Running from: c:\documents and settings\David's\Desktop\Combo-Fix.exe
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\David's\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\documents and settings\LocalService\Application Data\1301700638.exe
c:\documents and settings\LocalService\Application Data\1361538659.exe
c:\documents and settings\LocalService\Application Data\1458931097.exe
c:\documents and settings\LocalService\Application Data\755020800.exe
C:\install.exe
c:\program files\Internet Explorer\setupapi.dll
c:\program files\Mozilla Firefox\setupapi.dll
c:\windows\admintxt.txt
c:\windows\system\oeminfo.ini
c:\windows\system32\ak1.exe
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\avast!AVSControlService.exe
c:\windows\system32\bszip.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\175de1d7.sys
c:\windows\system32\drivers\286cf3af.sys
c:\windows\system32\drivers\4f2007a5.sys
c:\windows\system32\drivers\qmvha.sys
c:\windows\system32\inqby.sr
c:\windows\system32\jbnmcd.dll
c:\windows\system32\jbnmck.dll
c:\windows\system32\loader49.exe
c:\windows\system32\obipewak.ini
c:\windows\system32\ofuyibuy.ini
c:\windows\system32\sft.res
c:\windows\system32\uniq.tll
C:\xcrashdump.dat

.
(((((((((((((((((((((((((((((((((((((((  Drivers/Services  )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVAST!ANTIVIRUS
-------\Service_avast!Antivirus


(((((((((((((((((((((((((  Files Created from 2009-05-10 to 2009-06-10  )))))))))))))))))))))))))))))))
.

2009-06-10 02:16 . 2009-06-10 02:17   99422   ----a-w-   c:\windows\system32\drivers\52106874.sys
2009-06-10 01:23 . 2009-06-10 02:17   99422   ----a-w-   c:\windows\system32\drivers\b30c2fcc.sys
2009-06-10 00:33 . 2009-06-10 00:33   --------   d-----w-   c:\program files\NVT Malware Remover Tool
2009-06-09 22:25 . 2009-06-10 02:17   99422   ----a-w-   c:\windows\system32\drivers\94ddfa21.sys
2009-06-09 22:22 . 2009-06-09 22:22   --------   d-----w-   c:\windows\system32\wbem\Repository
2009-06-09 22:21 . 2009-06-09 22:21   --------   d-----w-   c:\windows\system32\796525
2009-06-09 22:21 . 2009-06-09 22:21   --------   d-----w-   c:\documents and settings\David's\Application Data\ptidle
2009-06-09 19:05 . 2009-06-09 22:21   --------   d-----w-   c:\documents and settings\David's\Application Data\GetRightToGo
2009-06-09 02:46 . 2009-06-09 02:46   --------   d-----w-   c:\program files\GlobalInfection
2009-06-06 16:37 . 2009-06-06 16:37   56   ---ha-w-   c:\windows\system32\ezsidmv.dat
2009-06-06 16:37 . 2009-06-09 22:15   --------   d-----w-   c:\documents and settings\David's\Application Data\skypePM
2009-06-06 16:33 . 2009-06-10 02:17   --------   d-----w-   c:\documents and settings\David's\Application Data\Skype
2009-06-06 16:33 . 2009-06-06 16:33   --------   d-----w-   c:\program files\Common Files\Skype
2009-06-06 16:33 . 2009-06-06 16:33   --------   d-----r-   c:\program files\Skype
2009-06-06 16:33 . 2009-06-06 16:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\Skype
2009-06-06 16:17 . 2009-06-10 01:52   --------   d-----w-   c:\documents and settings\David's\Local Settings\Application Data\TSVNCache
2009-06-06 16:17 . 2009-06-06 16:17   --------   d-----w-   c:\documents and settings\David's\Application Data\TortoiseSVN
2009-06-06 16:14 . 2009-06-06 16:14   --------   d-----w-   c:\program files\Common Files\TortoiseOverlays
2009-06-06 16:14 . 2009-06-06 16:14   --------   d-----w-   c:\program files\TortoiseSVN
2009-06-04 18:40 . 2009-06-04 18:40   1332528   ----a-w-   c:\documents and settings\David's\Application Data\WSS.exe
2009-06-04 01:34 . 2009-06-04 02:03   --------   d-----w-   c:\documents and settings\David's\workspace
2009-06-02 22:55 . 2009-06-02 22:55   --------   d-----w-   c:\program files\AutoIt3
2009-05-31 12:27 . 2009-05-27 21:46   779720   ----a-w-   c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-05-31 12:26 . 2009-05-26 21:31   58800   ----a-w-   c:\windows\system32\ijjiProcessRestarter.exe
2009-05-31 12:26 . 2009-05-13 00:48   710064   ----a-w-   c:\windows\system32\ijjiSetup.exe
2009-05-25 15:35 . 2009-05-25 15:39   --------   d-----w-   c:\program files\Incomplete
2009-05-24 02:55 . 2009-05-24 02:56   --------   d-----w-   c:\documents and settings\David's\Local Settings\Application Data\Google
2009-05-21 22:28 . 2009-05-21 22:28   --------   d-s---w-   c:\windows\system32\config\systemprofile\UserData
2009-05-21 01:39 . 2009-03-22 01:39   32   ----a-r-   c:\documents and settings\All Users\hash.dat

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 22:21 . 2006-04-07 21:59   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-06-06 07:59 . 2009-02-16 22:58   --------   d-----w-   c:\documents and settings\David's\Application Data\TeamViewer
2009-06-04 18:31 . 2009-02-24 20:43   --------   d-----w-   c:\program files\WeGame
2009-05-31 12:27 . 2009-03-02 14:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\IJJIGame
2009-05-31 03:56 . 2009-03-02 02:45   --------   d-----w-   c:\program files\DriftCity
2009-05-25 15:39 . 2008-09-23 19:07   --------   d-----w-   c:\documents and settings\David's\Application Data\LimeWire
2009-05-25 15:35 . 2008-09-23 19:07   --------   d-----w-   c:\program files\LimeWire
2009-05-02 13:55 . 2009-01-12 19:20   599560   ----a-w-   c:\documents and settings\David's\Application Data\HiYo\Data\hiyo_install.exe
2009-05-02 13:55 . 2008-09-29 22:08   --------   d-----w-   c:\program files\MSN Messenger
2009-04-20 01:33 . 2009-04-20 01:33   --------   d-----w-   c:\program files\Trend Micro
2009-04-20 01:17 . 2009-04-20 01:17   118784   ----a-w-   c:\windows\system32\sgc315j0e19g.dll
2009-04-20 01:17 . 2009-04-20 01:17   80191   ----a-w-   c:\windows\system32\qgc715j0e19g .exe
2009-04-20 00:57 . 2009-04-20 00:56   --------   d-----w-   c:\program files\iTunes
2009-04-20 00:57 . 2009-04-20 00:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-20 00:57 . 2009-04-20 00:57   --------   d-----w-   c:\program files\iPod
2009-04-20 00:57 . 2009-03-17 23:03   --------   d-----w-   c:\program files\Common Files\Apple
2009-04-20 00:51 . 2009-04-20 00:51   --------   d-----w-   c:\documents and settings\David's\Application Data\AVS4YOU
2009-04-20 00:51 . 2009-04-20 00:51   75048   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-20 00:50 . 2009-04-20 00:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVS4YOU
2009-04-20 00:49 . 2009-04-20 00:46   --------   d-----w-   c:\program files\AVS4YOU
2009-04-20 00:49 . 2009-04-20 00:48   --------   d-----w-   c:\program files\Common Files\AVSMedia
2009-04-06 19:32 . 2006-04-07 21:59   38496   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2006-04-07 21:59   15504   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-03-28 11:48 . 2008-11-20 21:31   34   ----a-w-   c:\documents and settings\David's\jagex_runescape_preferences.dat
2009-03-28 00:54 . 2009-03-28 00:54   45056   ----a-r-   c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe1_B5F7ED63E4D54BE694F0F06A2CCC5374.exe
2009-03-28 00:54 . 2009-03-28 00:54   45056   ----a-r-   c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe_B5F7ED63E4D54BE694F0F06A2CCC5374_1.exe
2009-03-28 00:54 . 2009-03-28 00:54   10134   ----a-r-   c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\ARPPRODUCTICON.exe
2009-03-19 20:32 . 2009-03-19 20:32   23400   ----a-w-   c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-17 20:24 . 2009-03-17 20:24   966808   ----a-w-   c:\documents and settings\David's\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000004.exe
2006-04-07 23:28 . 2006-04-07 23:28   308   ----a-w-   c:\program files\pkpwbdro.txt
2009-01-27 01:34 . 2009-01-27 01:34   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-09-23 00:55 . 2008-09-23 00:55   8   --sh--r-   c:\windows\system32\96E69B85F0.sys
2009-02-14 21:18 . 2009-02-14 20:54   80   --sh--r-   c:\windows\system32\F0859BE696.dll
2008-10-08 02:12 . 2008-10-08 02:12   56   --sh--r-   c:\windows\system32\F0859BE696.sys
2006-04-01 00:34 . 2006-01-01 00:34   86528   --sha-w-   c:\windows\system32\kenayiba.dll
2008-10-08 02:12 . 2008-09-23 00:55   4184   --sha-w-   c:\windows\system32\KGyGaAvL.sys
2006-03-31 04:01 . 1601-01-01 00:12   51712   --sha-w-   c:\windows\system32\kozibala.exe
2006-04-07 12:47 . 2006-01-07 12:47   51712   --sha-w-   c:\windows\system32\tepeliju.exe
2006-04-07 12:47 . 2006-01-07 12:47   86528   --sha-w-   c:\windows\system32\vuhodoji.dll
.

------- Sigcheck -------

[7] 2008-04-13 19:20   182656   1DF7F42665C94B825322FAE71721130D   c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ndis.sys
[-] 2006-04-01 16:00   212224   D100A615E6F577B399061320A682A037   c:\windows\system32\dllcache\ndis.sys
[-] 2006-04-01 16:00   212224   D100A615E6F577B399061320A682A037   c:\windows\system32\drivers\ndis.sys
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26   80384   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26   80384   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26   80384   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll


Last edited by Pokerking98 on 10th June 2009, 2:29 am; edited 1 time in total

Re: Malware doctor

Code:


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26   80384   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26   80384   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26   80384   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26   80384   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26   80384   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26   80384   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-22 160592]
"Google Update"="c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-24 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-02 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-01 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 1117184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 65536]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\David's\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-30 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ     autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Brother\\ControlCenter3\\BrccMCtl.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\ijji\\ENGLISH\\u_skid.exe"=
"c:\\Program Files\\DriftCity\\DriftCity.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"57716:TCP"= 57716:TCP:Pando Media Booster
"57716:UDP"= 57716:UDP:Pando Media Booster

Re: Malware doctor

Code:


R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 avast!AVSControlService;avast!AVSControlService;c:\windows\System32\avast!AVSControlService.exe -k netsvcs --> c:\windows\System32\avast!AVSControlService.exe -k netsvcs [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/22/2008 3:44 PM 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - avast!antivirus
.
Contents of the 'Scheduled Tasks' folder

2009-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3358915607-2701528367-2638856898-1006.job
- c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-24 02:55]

2009-06-10 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DAVID-David's).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-01 22:18]
.
- - - - ORPHANS REMOVED - - - -

BHO-{aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmck.dll
HKCU-Run-Malware Doctor - c:\documents and settings\LocalService\Application Data\1361538659.exe
HKLM-Run-Malware Doctor - c:\documents and settings\LocalService\Application Data\1361538659.exe


.
------- Supplementary Scan -------
.
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath - c:\documents and settings\David's\Application Data\Mozilla\Firefox\Profiles\l2fjyl7h.default\
FF - prefs.js: browser.search.selectedEngine - TheSearchButler
FF - prefs.js: browser.startup.homepage - hxxp://www.thesearchbutler.com/
FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\David's\Application Data\Mozilla\Firefox\Profiles\l2fjyl7h.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\David's\Application Data\Mozilla\Firefox\Profiles\l2fjyl7h.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-09 22:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


c:\windows\system32\jbnmck.dll 29184 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\52106874]
"ImagePath"="\SystemRoot\System32\drivers\52106874.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\94ddfa21]
"ImagePath"="\SystemRoot\System32\drivers\94ddfa21.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b30c2fcc]
"ImagePath"="\SystemRoot\System32\drivers\b30c2fcc.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20808824-8A2A-228E-B397-F58859D646E4}\InProcServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\mvju.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]
@Class="REG_SZ"
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\jkshfuiehi.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\typelib]
@DACL=(02 0000)
@="{E63648F7-3933-440E-B4F6-A8584DD7B7EB}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0]
@DACL=(02 0000)
@="796525 1.0 Type Library"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(5772)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\AIM6\aolsoftware.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\avast!AVSControlService.exe
c:\qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\1361538659.exe.virID
.
**************************************************************************
.
Completion time: 2009-06-10 22:23 - machine was rebooted
ComboFix-quarantined-files.txt  2009-06-10 02:23

Pre-Run: 28,072,583,168 bytes free
Post-Run: 30,407,159,808 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
383   --- E O F ---   2009-04-08 07:00

Re: Malware doctor
Hello.

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
52106874
b30c2fcc
94ddfa21
avast!AVSControlService
npggsvc
Viewpoint Manager Service

File::
c:\windows\system32\drivers\52106874.sys
c:\windows\system32\drivers\b30c2fcc.sys
c:\windows\system32\drivers\94ddfa21.sys
c:\windows\system32\sgc315j0e19g.dll
c:\windows\system32\qgc715j0e19g.exe
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\avast!AVSControlService.exe

Folder::
c:\windows\system32\796525
c:\documents and settings\David's\Application Data\LimeWire
c:\program files\LimeWire

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
[-HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\52106874]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\94ddfa21]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b30c2fcc]

Rootkit::
c:\windows\system32\jbnmck.dll

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20808824-8A2A-228E-B397-F58859D646E4}\InProcServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]


Save this as CFScript.txt, and save it to your desktop as well.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot: dragging CFScript.txt onto the ComboFix icon]

This will open combofix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.
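As an added triage example (not the forum's, the helper's or ComboFix's own code), the following Python pulls the indicators the helper acted on out of a ComboFix-style log: policy values that disable Task Manager and the registry editor, Security Center monitoring switched off, driver services with random eight-character names, and files that the catchme section reports as hidden. The sample log is a constructed excerpt of the log above, and the regular expressions are assumptions about the log layout.

```python
import re
# Constructed excerpt modelled on the ComboFix log posted above (sample input, not the full log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\52106874]
"ImagePath"="\SystemRoot\System32\drivers\52106874.sys"
scanning hidden files ...
c:\windows\system32\jbnmck.dll 29184 bytes executable
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')                         # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')               # "name"= value
HIDDEN_RE = re.compile(r'^(\S.*?)\s+(\d+) bytes executable$')  # catchme hidden-file line
RANDOM_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)   # e.g. 52106874, b30c2fcc
POLICY_VALUES = {"DisableTaskMgr", "DisableRegistryTools"}

def parse_registry_sections(text):
    """Map each [registry key] header to the "name"=value lines listed under it."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return sections

def value_is_one(value):
    # ComboFix prints a DWORD of 1 either as '1 (0x1)' or as 'dword:00000001'.
    return value.endswith("(0x1)") or re.fullmatch(r'dword:0*1', value) is not None

def triage(text):
    """Flag the tampering indicators this log exhibits; returns lists of names/paths."""
    sections = parse_registry_sections(text)
    findings = {"policy_restrictions": [], "monitoring_disabled": [], "suspicious_services": [], "hidden_files": []}
    for key, values in sections.items():
        low, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        if "\\policies\\" in low:   # user-facing tools disabled by policy (Task Manager, regedit)
            findings["policy_restrictions"] += [n for n, v in values.items()
                                                if n in POLICY_VALUES and value_is_one(v)]
        if "\\security center\\monitoring\\" in low and value_is_one(values.get("DisableMonitoring", "")):
            findings["monitoring_disabled"].append(leaf)   # Security Center told to ignore this product
        if "\\services\\" in low:
            image = values.get("ImagePath", "").strip('"').lower()
            if RANDOM_NAME_RE.match(leaf) and image.endswith(".sys"):
                findings["suspicious_services"].append(leaf)  # random 8-hex-char driver service
    for line in text.splitlines():   # catchme section: files hidden from the file system API
        m = HIDDEN_RE.match(line.strip())
        if m:
            findings["hidden_files"].append((m.group(1), int(m.group(2))))
    return findings
```

Run `triage(SAMPLE_LOG)` to see the four indicator lists; a legitimately named service such as npggsvc is not flagged, only the random-named driver.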

Re: Malware doctor
Before I go ahead with the procedure you gave me above, would a system restore fix my computer?

Re: Malware doctor
No, system restore points would likely be infected.

Re: Malware doctor
I am talking about a restore to factory settings. They have it built in on all Dells.

Re: Malware doctor
Factory restore and system restore are two different things. :) ...

A factory restore would work if you know how to do that.

Re: Malware doctor
Ight, well I guess I will just do that then, I don't feel like dealing with malware and such. Is there anything that I should not save?

Re: Malware doctor
Exe files mainly; who knows if they are infected.

Re: Malware doctor
Aight. Well, thanks a bundle, guys!

Re: Malware doctor
Eh, sorry for the bump and everything, but uh, after restarting my computer for a second time I found no trace of the malware. I haven't restored it yet. Do you think it's just running in the background? All symptoms are gone, I have access to the task manager again. All seems to be well.

Re: Malware doctor
The above ComboFix log should have removed most of the malware; can you post the ComboFix log please.
