WiredWX Christian Hobby Weather Tools
Would you like to react to this message? Create an account in a few clicks or log in to continue.

WiredWX Christian Hobby Weather ToolsLog in

 


Vicious Malware Attack! Ahhhh!

2 posters

descriptionVicious Malware Attack! Ahhhh! - Page 1 EmptyRe: Vicious Malware Attack! Ahhhh!6th April 2010, 12:40 am

more_horiz
UPDATE!!!!

I am happy to report that I am typing this on the infected system. It is now connected to the internet! You are an absoƖute lifesaver, Belahzur! I will be sending GeekPolice a donation; thank you so much for helping me get this far!

As for the ComboFix log... Here it is...

ComboFix 10-04-04.01 - Randy Ongie 04/05/2010 18:47:42.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.758.358 [GMT -5:00]
Running from: F:\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Favorites\_favdata.dat
c:\windows\system32\ralutelu.dll
c:\windows\system32\tmp.reg
c:\windows\system32\uninstall.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Legacy_ZESOFT
-------\Legacy__VOIDismqbdriwt
-------\Service__VOIDismqbdriwt


((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-04-05 10:20 . 2010-04-05 10:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-05 10:20 . 2010-04-05 10:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-05 10:03 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-05 10:03 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-05 10:03 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-31 01:41 . 2010-03-31 01:41 -------- d-----w- c:\program files\Alwil Software
2010-03-31 00:33 . 2010-03-31 00:33 699904 ----a-w- c:\windows\is-MJKGF.exe
2010-03-31 00:07 . 2010-03-31 00:07 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-31 00:07 . 2010-04-05 10:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-31 00:05 . 2010-03-31 00:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-30 22:43 . 2010-03-30 22:43 -------- d-----w- c:\program files\EA GAMES
2010-03-20 10:40 . 2010-03-21 06:19 38 ----a-w- c:\windows\popcinfot.dat
2010-03-19 21:16 . 2010-03-19 21:16 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\Activision
2010-03-19 18:25 . 2010-03-19 18:25 -------- d-----w- c:\program files\7-Zip
2010-03-10 10:27 . 2009-10-23 14:27 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 00:04 . 2009-10-17 03:07 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\Skype
2010-04-06 00:04 . 2009-10-17 03:13 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\skypePM
2010-04-05 23:58 . 2006-10-10 20:23 12916 ----a-w- c:\windows\system32\tablet.dat
2010-04-05 14:55 . 2009-03-05 07:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 10:03 . 2010-03-31 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-05 06:30 . 2008-09-05 04:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 23:24 . 2006-12-16 01:09 -------- d-----w- c:\program files\Windows Media Connect 2
2010-04-04 23:21 . 2006-01-04 02:30 -------- d-----w- c:\program files\Plaxo
2010-04-04 22:53 . 2010-04-04 22:53 -------- d-----w- c:\program files\CCleaner
2010-04-04 22:52 . 2005-04-08 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-02 19:15 . 2010-04-02 19:15 -------- d-----w- c:\program files\Trend Micro
2010-03-30 22:30 . 2007-12-07 08:49 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\uTorrent
2010-03-30 18:58 . 2005-04-08 06:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-29 20:24 . 2010-03-31 12:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 20:24 . 2010-03-31 12:21 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 12:29 . 2010-02-23 11:39 -------- d-----w- c:\program files\EA SPORTS
2010-03-28 05:57 . 2008-12-29 22:42 -------- d-----w- c:\program files\Rockstar Games
2010-03-09 10:24 . 2010-04-05 10:03 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-09 10:24 . 2010-04-05 10:03 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 10:12 . 2010-04-05 10:03 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 10:08 . 2010-04-05 10:03 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-09 10:08 . 2010-04-05 10:03 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-09 10:08 . 2010-04-05 10:03 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-07 07:24 . 2009-11-08 04:30 -------- d-----w- c:\program files\LucasArts
2010-03-06 20:24 . 2010-03-06 20:24 -------- d-----w- c:\program files\booddanet
2010-03-05 21:21 . 2009-01-02 13:41 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-03-05 20:07 . 2010-03-05 19:48 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\DAEMON Tools Lite
2010-03-05 19:58 . 2010-03-05 19:48 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-03-05 19:49 . 2010-03-05 19:49 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-05 19:48 . 2010-03-05 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-03-05 04:42 . 2010-03-05 04:42 -------- d-----w- c:\program files\Activision
2010-03-04 04:28 . 2010-03-02 22:49 -------- d-----w- c:\program files\Diablo II
2010-03-02 23:06 . 2010-03-02 23:06 21840 ----a-w- c:\windows\system32\SIntfNT.dll
2010-03-02 23:06 . 2010-03-02 23:06 17212 ----a-w- c:\windows\system32\SIntf32.dll
2010-03-02 23:06 . 2010-03-02 23:06 12067 ----a-w- c:\windows\system32\SIntf16.dll
2010-03-02 20:16 . 2010-03-02 20:16 -------- d-----w- c:\program files\Sega
2010-03-02 07:08 . 2010-03-02 06:47 -------- d-----w- c:\program files\Counter-Strike 1.6
2010-03-02 05:51 . 2010-03-02 05:51 -------- d-----w- c:\program files\Bethesda Softworks
2010-03-01 22:35 . 2010-02-27 23:48 -------- d-----w- c:\program files\Infogrames
2010-02-27 23:48 . 2010-02-27 23:48 0 ----a-w- c:\windows\PowerReg.dat
2010-02-27 23:47 . 2005-04-08 06:43 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-27 06:46 . 2010-02-27 06:45 -------- d-----w- c:\program files\GameSpy Arcade
2010-02-27 05:12 . 2010-02-24 22:45 -------- d-----w- c:\program files\Metal Gear Solid
2010-02-25 03:21 . 2005-05-20 23:40 76072 ----a-w- c:\documents and settings\Randy Ongie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-24 15:16 . 2009-10-02 17:27 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 12:57 . 2009-11-06 01:33 -------- d-----w- c:\program files\JEOPARDY! 2
2010-02-23 11:39 . 2010-02-23 11:39 478 ----a-w- c:\windows\eReg.dat
2010-02-11 00:54 . 2005-09-11 20:49 -------- d-----w- c:\program files\Google
2002-06-18 12:04 . 2002-06-18 12:04 1783 ----a-w- c:\program files\Enhancements_Import_1_0.dtd
2006-05-24 21:38 . 2006-11-16 18:23 233472 ----a-w- c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-18 22:00 . 2006-11-16 18:23 204895 ----a-w- c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 19:41 . 2006-11-16 18:23 77824 ----a-w- c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-05-18 21:59 . 2006-11-16 18:23 426081 ----a-w- c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 17:19 . 2006-11-16 18:22 458752 ----a-w- c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 23:35 . 2006-11-16 18:23 139264 ----a-w- c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 16:10 . 2006-11-16 18:22 204800 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 16:42 . 2006-11-16 18:22 106496 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 16:22 . 2006-11-16 18:22 212992 ----a-w- c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 16:21 . 2006-11-16 18:22 167936 ----a-w- c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
1601-01-01 00:03 . 1601-01-01 00:03 207360 --sha-w- c:\windows\SYSTEM32\kemehobe.exe
1601-01-01 00:03 . 1601-01-01 00:03 709 --sha-w- c:\windows\SYSTEM32\wunojuti.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-05 68856]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"iRiver Updater"="c:\program files\iRiver\iRiver Manager\Updater\Updater.exe" [2004-03-10 204800]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-25 180269]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-03-16 57344]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"SnoopFreeUI"="SnoopFreeUI.exe" [2009-02-20 221184]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-05 2756488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-4-8 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-4-8 24576]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2009-11-12 1261568]
TabUserW.exe.lnk - c:\windows\SYSTEM32\WTablet\TabUserW.exe [2006-10-10 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-16 02:30 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [4/5/2010 5:03 AM 162640]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [9/15/2009 9:30 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [9/15/2009 9:30 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [4/5/2010 5:03 AM 19024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/15/2009 9:29 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/15/2009 9:29 PM 297752]
R2 SVKP;SVKP;c:\windows\SYSTEM32\SVKP.sys [7/10/2006 8:45 AM 2368]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 CLEDX;Team H2O CLEDX service;c:\windows\SYSTEM32\DRIVERS\cledx.sys [1/21/2009 5:57 AM 33792]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\SYSTEM32\DRIVERS\wg111v2.sys [11/12/2009 2:35 PM 194304]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
S0 toseew;toseew; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 7:54 PM 135664]
S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [3/5/2010 2:49 PM 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2010-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 00:54]

2010-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 00:54]

2010-04-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Connection Wizard,ShellNext = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride =
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Randy Ongie\Application Data\Mozilla\Firefox\Profiles\pr0td35c.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Randy Ongie\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Randy Ongie\Application Data\Mozilla\Firefox\Profiles\pr0td35c.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.
- - - - ORPHANS REMOVED - - - -

BHO-{be9ad57d-d6bb-498b-a6c5-7655bbf90b12} - zewunuda.dll
HKCU-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
HKLM-Run-Star Wars - Jedi Knight - Jedi Academy no cd crack - c:\documents and settings\Jared Ongie\Shared\Star Wars - Jedi Knight - Jedi Academy no cd crack.exe
AddRemove-E3TV Player_is1 - c:\program files\NCTV\unins000.exe
AddRemove-HentaII3D-019.003 - c:\program files\thriXXX\HentaII 3D\Binaries\Uninstall-HentaII3D-019.003.exe
AddRemove-SLABCOMM - c:\windows\system32\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-05 18:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32]
@DACL=(02 0000)
@="c:\\Program Files\\MyWaySA\\SrchAsDe\\1.bin\\deSrcAs.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\Programmable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|ù•Ôw*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\windows\system32\RtlGina2.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2872)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\System32\SnoopFreeSvc.exe
c:\windows\system32\Tablet.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Lexmark 1200 Series\lxczbmon.exe
c:\windows\SnoopFreeUI.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-05 19:18:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-06 00:18

Pre-Run: 11,543,961,600 bytes free
Post-Run: 11,647,463,424 bytes free

- - End Of File - - F9E0C3C6B18B4FCD261C51B7A110462D

Thank You! Thank You! Thank You! Thank You! Thank You!

descriptionVicious Malware Attack! Ahhhh! - Page 1 EmptyRe: Vicious Malware Attack! Ahhhh!6th April 2010, 12:46 am

more_horiz
Hello.

I see that you are running Limewire and µTorrent.
P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

You are also running two antivirus', I see from the uninstall list you have Avast installed, along with AVG. This is a bad idea as they can conflict and cause more problems. I would recommend that you remove Avast to avoid conflict and other future problems.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    µTorrent
    Adobe Reader 9
    avast! Free Antivirus
    Java 2 Runtime Environment, SE v1.4.2_03
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 10
    Java(TM) 6 Update 3
    LimeWire 4.16.3
    My Way Search Assistant

Next,

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    KILLALL::

    Driver::
    toseew

    File::
    c:\windows\SYSTEM32\kemehobe.exe
    c:\windows\SYSTEM32\wunojuti.exe
    c:\windows\is-MJKGF.exe

    DDS::
    uInternet Settings,ProxyOverride =

    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\Programmable]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    Vicious Malware Attack! Ahhhh! - Page 1 Cfscriptb4i

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Vicious Malware Attack! Ahhhh! - Page 1 DXwU4
Vicious Malware Attack! Ahhhh! - Page 1 VvYDg

descriptionVicious Malware Attack! Ahhhh! - Page 1 EmptyRe: Vicious Malware Attack! Ahhhh!6th April 2010, 1:44 am

more_horiz
I followed the instructions. There were problems uninstalling "Adobe Reader 9" and "MyWay Search Assistant", but other than that it went off without a hitch. Here is the log per your request...

ComboFix 10-04-04.01 - Randy Ongie 04/05/2010 20:13:06.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.758.406 [GMT -5:00]
Running from: F:\Combo-Fix.exe
Command switches used :: F:\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\is-MJKGF.exe"
"c:\windows\SYSTEM32\kemehobe.exe"
"c:\windows\SYSTEM32\wunojuti.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\is-MJKGF.exe
c:\windows\SYSTEM32\kemehobe.exe
c:\windows\SYSTEM32\wunojuti.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_toseew


((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010-04-06 )))))))))))))))))))))))))))))))
.

2010-04-05 10:20 . 2010-04-05 10:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-05 10:20 . 2010-04-05 10:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-04 22:53 . 2010-04-04 22:53 -------- d-----w- c:\program files\CCleaner
2010-04-02 19:15 . 2010-04-02 19:15 -------- d-----w- c:\program files\Trend Micro
2010-03-31 12:21 . 2010-03-29 20:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-31 12:21 . 2010-03-29 20:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-31 01:41 . 2010-04-05 10:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-31 01:41 . 2010-03-31 01:41 -------- d-----w- c:\program files\Alwil Software
2010-03-31 00:07 . 2010-03-31 00:07 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-31 00:07 . 2010-04-05 10:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-31 00:05 . 2010-03-31 00:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-30 22:43 . 2010-03-30 22:43 -------- d-----w- c:\program files\EA GAMES
2010-03-20 10:40 . 2010-03-21 06:19 38 ----a-w- c:\windows\popcinfot.dat
2010-03-19 21:16 . 2010-03-19 21:16 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\Activision
2010-03-19 18:25 . 2010-03-19 18:25 -------- d-----w- c:\program files\7-Zip
2010-03-10 10:27 . 2009-10-23 14:27 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 01:29 . 2009-10-17 03:07 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\Skype
2010-04-06 01:25 . 2006-10-10 20:23 12916 ----a-w- c:\windows\system32\tablet.dat
2010-04-06 01:02 . 2005-10-26 18:47 -------- d-----w- c:\program files\LimeWire
2010-04-06 01:00 . 2005-04-08 06:42 -------- d-----w- c:\program files\Java
2010-04-06 00:04 . 2009-10-17 03:13 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\skypePM
2010-04-05 14:55 . 2009-03-05 07:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 06:30 . 2008-09-05 04:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 23:24 . 2006-12-16 01:09 -------- d-----w- c:\program files\Windows Media Connect 2
2010-04-04 23:21 . 2006-01-04 02:30 -------- d-----w- c:\program files\Plaxo
2010-04-04 22:52 . 2005-04-08 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-03-30 22:30 . 2007-12-07 08:49 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\uTorrent
2010-03-30 18:58 . 2005-04-08 06:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-28 12:29 . 2010-02-23 11:39 -------- d-----w- c:\program files\EA SPORTS
2010-03-28 05:57 . 2008-12-29 22:42 -------- d-----w- c:\program files\Rockstar Games
2010-03-11 12:38 . 2004-08-04 10:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-07 07:24 . 2009-11-08 04:30 -------- d-----w- c:\program files\LucasArts
2010-03-06 20:24 . 2010-03-06 20:24 -------- d-----w- c:\program files\booddanet
2010-03-05 21:21 . 2009-01-02 13:41 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-03-05 20:07 . 2010-03-05 19:48 -------- d-----w- c:\documents and settings\Randy Ongie\Application Data\DAEMON Tools Lite
2010-03-05 19:58 . 2010-03-05 19:48 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-03-05 19:49 . 2010-03-05 19:49 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-05 19:48 . 2010-03-05 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-03-05 04:42 . 2010-03-05 04:42 -------- d-----w- c:\program files\Activision
2010-03-04 04:28 . 2010-03-02 22:49 -------- d-----w- c:\program files\Diablo II
2010-03-02 23:06 . 2010-03-02 23:06 21840 ----a-w- c:\windows\system32\SIntfNT.dll
2010-03-02 23:06 . 2010-03-02 23:06 17212 ----a-w- c:\windows\system32\SIntf32.dll
2010-03-02 23:06 . 2010-03-02 23:06 12067 ----a-w- c:\windows\system32\SIntf16.dll
2010-03-02 20:16 . 2010-03-02 20:16 -------- d-----w- c:\program files\Sega
2010-03-02 07:08 . 2010-03-02 06:47 -------- d-----w- c:\program files\Counter-Strike 1.6
2010-03-02 05:51 . 2010-03-02 05:51 -------- d-----w- c:\program files\Bethesda Softworks
2010-03-01 22:35 . 2010-02-27 23:48 -------- d-----w- c:\program files\Infogrames
2010-02-27 23:48 . 2010-02-27 23:48 0 ----a-w- c:\windows\PowerReg.dat
2010-02-27 23:47 . 2005-04-08 06:43 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-27 06:46 . 2010-02-27 06:45 -------- d-----w- c:\program files\GameSpy Arcade
2010-02-27 05:12 . 2010-02-24 22:45 -------- d-----w- c:\program files\Metal Gear Solid
2010-02-25 03:21 . 2005-05-20 23:40 76072 ----a-w- c:\documents and settings\Randy Ongie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-24 15:16 . 2009-10-02 17:27 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 12:57 . 2009-11-06 01:33 -------- d-----w- c:\program files\JEOPARDY! 2
2010-02-23 11:39 . 2010-02-23 11:39 478 ----a-w- c:\windows\eReg.dat
2010-02-11 00:54 . 2005-09-11 20:49 -------- d-----w- c:\program files\Google
2002-06-18 12:04 . 2002-06-18 12:04 1783 ----a-w- c:\program files\Enhancements_Import_1_0.dtd
2006-05-24 21:38 . 2006-11-16 18:23 233472 ----a-w- c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-18 22:00 . 2006-11-16 18:23 204895 ----a-w- c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 19:41 . 2006-11-16 18:23 77824 ----a-w- c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-05-18 21:59 . 2006-11-16 18:23 426081 ----a-w- c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 17:19 . 2006-11-16 18:22 458752 ----a-w- c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 23:35 . 2006-11-16 18:23 139264 ----a-w- c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 16:10 . 2006-11-16 18:22 204800 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 16:42 . 2006-11-16 18:22 106496 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 16:22 . 2006-11-16 18:22 212992 ----a-w- c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 16:21 . 2006-11-16 18:22 167936 ----a-w- c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-05 68856]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"iRiver Updater"="c:\program files\iRiver\iRiver Manager\Updater\Updater.exe" [2004-03-10 204800]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-25 180269]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-03-16 57344]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"SnoopFreeUI"="SnoopFreeUI.exe" [2009-02-20 221184]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-4-8 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-4-8 24576]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2009-11-12 1261568]
TabUserW.exe.lnk - c:\windows\SYSTEM32\WTablet\TabUserW.exe [2006-10-10 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-16 02:30 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [9/15/2009 9:30 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [9/15/2009 9:30 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/15/2009 9:29 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/15/2009 9:29 PM 297752]
R2 SVKP;SVKP;c:\windows\SYSTEM32\SVKP.sys [7/10/2006 8:45 AM 2368]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 CLEDX;Team H2O CLEDX service;c:\windows\SYSTEM32\DRIVERS\cledx.sys [1/21/2009 5:57 AM 33792]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\SYSTEM32\DRIVERS\wg111v2.sys [11/12/2009 2:35 PM 194304]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 7:54 PM 135664]
S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [3/5/2010 2:49 PM 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2010-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 00:54]

2010-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 00:54]

2010-04-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Connection Wizard,ShellNext = hxxp://www.comcast.net/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Randy Ongie\Application Data\Mozilla\Firefox\Profiles\pr0td35c.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Randy Ongie\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Randy Ongie\Application Data\Mozilla\Firefox\Profiles\pr0td35c.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-05 20:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|ù•Ôw*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\RtlGina2.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3652)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\System32\SnoopFreeSvc.exe
c:\windows\system32\Tablet.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Lexmark 1200 Series\lxczbmon.exe
c:\windows\SnoopFreeUI.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-05 20:34:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-06 01:34
ComboFix2.txt 2010-04-06 00:18

Pre-Run: 12,180,193,280 bytes free
Post-Run: 12,302,778,368 bytes free

- - End Of File - - CE6F71FE98F8FF2096BAF78B16D1E991

descriptionVicious Malware Attack! Ahhhh! - Page 1 EmptyRe: Vicious Malware Attack! Ahhhh!6th April 2010, 5:19 pm

more_horiz
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Vicious Malware Attack! Ahhhh! - Page 1 DXwU4
Vicious Malware Attack! Ahhhh! - Page 1 VvYDg

descriptionVicious Malware Attack! Ahhhh! - Page 1 EmptyRe: Vicious Malware Attack! Ahhhh!6th April 2010, 9:25 pm

more_horiz
The scan just finished. Here is the log.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=cc4359170640e14da00e072b64004737
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-06 09:05:20
# local_time=2010-04-06 04:05:20 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 257091 257091 0 0
# compatibility_mode=1024 16777175 100 0 16589449 16589449 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=108855
# found=2
# cleaned=2
# scan_time=8714
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\EnsignGames\DreamStripper\DreamStripper-start.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

The computer seems to be performing normally now! Thank You! Thank You! Thank You!

If you have any other suggestions on safeguarding future attacks, I would appreciate it. Thank you so much for guiding me through this, Belahzur! You are a gentleman and a scholar!

descriptionVicious Malware Attack! Ahhhh! - Page 1 EmptyRe: Vicious Malware Attack! Ahhhh!7th April 2010, 12:56 am

more_horiz
We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck. Big Grin

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Vicious Malware Attack! Ahhhh! - Page 1 DXwU4
Vicious Malware Attack! Ahhhh! - Page 1 VvYDg

descriptionVicious Malware Attack! Ahhhh! - Page 1 EmptyRe: Vicious Malware Attack! Ahhhh!

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum