Computer Juice - Computer Software - Virus, Spyware & Security

Vundo.trojan keep re-infecting after get deleted
  #1  
Old 19th Jan 2009, 04:11
New Member
Posts: 4
 
Hello, I'm a newbie here and I have a serious problem with Vundo.trojan. It keeps infecting my computer after I delete the files infected by Vundo in the system32 folder, and when this trojan tries to attack again, my Malwarebytes always prevents it from becoming active. My flash drive also gets infected, even after the infected file has been deleted by Malwarebytes or by Avenger.

Here's my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:34 PM, on 1/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
D:\Master\PCMAV\PCMAV-RTP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\RTPSvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\ACD Systems\ACDSee Pro\2.0\ACDSeePro2.exe
D:\Master\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: (no name) - {F666409F-ECF4-41A1-91AC-0F8FE631F975} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [PCMAV-RTP] "D:\Master\PCMAV\PCMAV-RTP.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B717D72-2FA7-46C8-A71C-7FC68F6E127F}: NameServer = 202.134.2.5,202.134.0.155
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B717D72-2FA7-46C8-A71C-7FC68F6E127F}: NameServer = 202.134.2.5,202.134.0.155
O17 - HKLM\System\CS2\Services\Tcpip\..\{4B717D72-2FA7-46C8-A71C-7FC68F6E127F}: NameServer = 202.134.2.5,202.134.0.155
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: uepphu.dll,avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PCMAV RealTime Protector Service (PCMAVRTPService) - Unknown owner - C:\WINDOWS\system32\RTPSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 6541 bytes

I really need your help: the data on my flash drive has to be deleted if I try to open it on another computer. I can't print my documents on my friend's computer anymore. Please..

  #2  
Old 19th Jan 2009, 04:23
New Member
Posts: 4
 
The rundll32.exe properties, viewed from Sysinternals Process Explorer:

C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\ljJDvutR.dll",d

I can't delete that file because it doesn't exist, and my Malwarebytes is only able to detect:
C://WINDOWS/system32/yxuiiiiuc.dll (Trojan Vundo)
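The HijackThis output in post #1 (an O20 AppInit_DLLs entry with a random-looking DLL name, an O2 BHO with "(no file)", an O23 service whose file is missing) and the rundll32 command line in post #2 are the persistence points that explain why deleting a DLL from system32 does not stick: anything registered under AppInit_DLLs is loaded into every process that loads user32.dll, and the ComboFix log later in the thread shows the same DLL registered as the ServiceDll of a dozen randomly named svchost "netsvcs" services, so each reboot re-creates what was just removed. As an added example, not part of the original thread and not code from HijackThis, ComboFix or Malwarebytes, here is a small Python triage script that parses both log formats and groups the findings. The sample lines are constructed after the formats posted in the thread, and the AppInit_DLLs allowlist (only the AVG resident-shield DLL also seen in the log) is an assumption:

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the HijackThis output posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {F666409F-ECF4-41A1-91AC-0F8FE631F975} - (no file)
O20 - AppInit_DLLs: uepphu.dll,avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# Constructed sample lines, modelled on the ComboFix service list and ServiceDll dump in this thread.
CFX_SAMPLE = r"""
S4 dbhxiz;Center Update;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S4 ehrnfbhx;Update Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S4 PCMAVRTPService;PCMAV RealTime Protector Service;c:\windows\system32\RTPSvc.exe [2008-12-08 153600]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-01-11 15504]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dbhxiz]
"ServiceDll"="c:\windows\system32\yxuiiiuc.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ehrnfbhx]
"ServiceDll"="c:\windows\system32\yxuiiiuc.dll"
"""

# Assumed allowlist for AppInit_DLLs: the AVG 8 resident-shield DLL that also appears in the thread.
APPINIT_ALLOWLIST = {"avgrsstx.dll"}

HJT_RE = re.compile(r"^(O\d+) - (.*)$")
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[")
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
DLL_RE = re.compile(r'^"ServiceDll"="([^"]+)"$', re.I)


def triage_hijackthis(text):
    """Return (category, detail) findings for the HijackThis sections that carry persistence."""
    findings = []
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL listed here is injected into each process that loads user32.dll,
            # so a file deleted from system32 can be dropped again as soon as anything starts.
            for dll in body[len("AppInit_DLLs:"):].split(","):
                dll = dll.strip()
                if dll and dll.lower() not in APPINIT_ALLOWLIST:
                    findings.append(("appinit_dll", dll))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append(("orphan_bho", body))  # leftover registration, file already gone
        elif section == "O23" and ("(file missing)" in body or "Unknown owner" in body):
            findings.append(("suspect_service", body))
    return findings


def triage_combofix(text):
    """Group ComboFix service entries: which are hosted by svchost/netsvcs, and which DLL backs them."""
    netsvcs = []
    dll_for = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SVC_RE.match(line)
        if m:
            _start, name, _display, image = m.groups()
            if "svchost.exe -k netsvcs" in image.lower():
                netsvcs.append(name)
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = DLL_RE.match(line)
        if m and current:
            dll_for[current] = m.group(1).lower()
    shared = defaultdict(list)
    for name, dll in dll_for.items():
        shared[dll].append(name)
    # One DLL in system32 registered as the ServiceDll of several randomly named
    # netsvcs services is the re-infection loop this thread is about.
    return {
        "netsvcs_services": netsvcs,
        "shared_servicedll": {dll: names for dll, names in shared.items() if len(names) > 1},
    }


if __name__ == "__main__":
    for category, detail in triage_hijackthis(HJT_SAMPLE):
        print(f"HJT  {category:16} {detail}")
    report = triage_combofix(CFX_SAMPLE)
    print("CFX  netsvcs-hosted services:", report["netsvcs_services"])
    for dll, names in report["shared_servicedll"].items():
        print(f"CFX  {dll} backs {len(names)} services: {', '.join(names)}")
```

Run it as a script to see the grouped findings, or pass real log text to the two functions. The point of the grouping is triage order: the AppInit_DLLs entry and the shared ServiceDll registrations have to go before the DLL file itself, otherwise the file is simply re-created on the next service start.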
  #3  
Old 19th Jan 2009, 12:54
Malware Fighter
Posts: 348
 
Hi and welcome to CJ.

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.



Combofix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please read all the information carefully!

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Please include the log C:\ComboFix.txt in your next reply for further review.
__________________
Iain - Defender of the Haggis
Member of ASAP : : Member of UNITE
  #4  
Old 19th Jan 2009, 20:39
New Member
Posts: 4
 
Hi, Iain. Here's my ComboFix Log:

ComboFix 09-01-19.03 - USER 2009-01-20 10:24:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1573 [GMT 7:00]
Running from: c:\documents and settings\USER\My Documents\Downloads\Programs\ComboFix.exe
AV: AVG *On-access scanning disabled* (Outdated)
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\feMmnnpo.ini2
c:\windows\Tasks\khaszxzz.job

.
((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-19 12:50 . 2009-01-19 12:50 3,309,350 --a------ C:\New Folder.rar
2009-01-16 23:33 . 2009-01-18 18:44 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-16 23:33 . 2009-01-18 18:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2009-01-15 20:16 . 2009-01-15 21:18 <DIR> d-------- c:\program files\ANSAV
2009-01-15 13:43 . 2009-01-15 13:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Agnitum
2009-01-14 06:45 . 2009-01-14 06:45 96,520 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-14 06:45 . 2009-01-14 06:45 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-12 00:50 . 2009-01-12 00:50 <DIR> d-------- c:\program files\Blender Foundation
2009-01-12 00:50 . 2009-01-12 00:50 <DIR> d-------- c:\documents and settings\USER\Application Data\Blender Foundation
2009-01-11 23:12 . 2009-01-11 23:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-11 23:12 . 2009-01-11 23:12 <DIR> d-------- c:\documents and settings\USER\Application Data\Malwarebytes
2009-01-11 23:12 . 2009-01-11 23:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-11 23:12 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-11 23:12 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 00:23 . 2002-03-19 07:18 120,832 --a------ c:\windows\system32\lame_enc.dll
2008-12-30 08:07 . 2008-12-30 08:07 <DIR> d-------- c:\program files\UltraISO
2008-12-30 08:07 . 2008-12-30 08:07 <DIR> d-------- c:\program files\Common Files\EZB Systems
2008-12-29 21:52 . 2009-01-08 02:00 <DIR> d-------- c:\documents and settings\USER\Application Data\uTorrent
2008-12-28 20:48 . 2008-12-28 21:10 <DIR> d-------- c:\program files\MagicISO
2008-12-27 20:46 . 2008-12-27 20:46 <DIR> d-------- c:\windows\Downloaded Installations
2008-12-26 21:56 . 2008-12-26 21:56 <DIR> d-------- c:\documents and settings\USER\Application Data\fltk.org
2008-12-26 21:52 . 2008-12-26 21:52 <DIR> d-------- c:\program files\ePSXe
2008-12-26 21:26 . 2008-12-26 21:26 <DIR> d-------- c:\documents and settings\USER\WINDOWS
2008-12-26 13:14 . 2008-12-26 13:14 <DIR> d-------- c:\program files\IObit
2008-12-22 23:30 . 2008-12-22 23:30 <DIR> d-------- c:\windows\Sun
2008-12-21 02:11 . 2008-12-21 06:18 <DIR> d--h----- c:\windows\Icons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-20 03:26 153,600 ----a-w c:\windows\system32\RTPSvc.exe
2009-01-20 03:24 --------- d-----w c:\documents and settings\USER\Application Data\DMCache
2009-01-19 11:46 --------- d-----w c:\program files\mIRC
2009-01-18 18:05 --------- d-----w c:\documents and settings\USER\Application Data\mIRC
2009-01-18 11:48 --------- d-----w c:\program files\AIMP2
2009-01-15 13:29 --------- d-----w c:\program files\Real Alternative
2009-01-11 16:31 --------- d-----w c:\program files\Internet Download Manager
2009-01-11 16:31 --------- d-----w c:\program files\FlashGet
2009-01-06 18:06 --------- d-----w c:\documents and settings\USER\Application Data\IDM
2009-01-01 17:50 118,272 ----a-w c:\windows\system32\RTPScan.dll
2008-12-19 12:34 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-19 05:33 --------- d-----w c:\program files\TuneUp Utilities 2007
2008-12-19 05:33 --------- d-----w c:\documents and settings\USER\Application Data\TuneUp Software
2008-12-10 14:49 --------- d-----w c:\program files\Counter-Strike 1.6
2008-12-10 12:24 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-07 12:02 --------- d-----w c:\program files\AVG
2008-12-06 14:52 27,904 ----a-w c:\windows\system32\drivers\Ndisprot.sys
2008-12-05 07:28 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-27 16:58 --------- d-----w c:\program files\4U Computing
2008-11-23 03:57 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-09 23:11 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-11-07 06:11 315,392 ----a-w c:\windows\HideWin.exe
2008-12-17 23:01 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-17 23:01 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-17 23:01 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-17 23:01 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-17 23:01 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2004-08-03 22:56 168,371 --sha-r c:\windows\system32\yxuiiiuc.dll
.

------- Sigcheck -------

2004-08-04 04:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\system32\dllcache\tcpip.sys
2004-08-04 04:14 359040 6a603809f598332dbedd535bdbce313e c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-01-04 399504]
"PCMAV-RTP"="d:\master\PCMAV\PCMAV-RTP.exe" [2008-11-25 2245632]

c:\documents and settings\USER\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-10-23 14:18 202024 c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-02-28 15:00 166424 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2008-02-28 15:00 141848 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-12-05 22:55 54832 c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-10-18 15:27 455968 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2008-02-28 15:00 137752 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2006-11-23 15:10 56928 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-10 06:11 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 18:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-10-16 18:30 16855552 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2007-10-11 11:04 1826816 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"g:\\MSOCache\\uTorrent.exe"=
"f:\\utorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2906:TCP"= 2906:TCP:fkifkccp

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2008-11-07 13696]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-01-11 15504]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-01-11 170640]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-14 96520]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-01-11 38496]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S4 dbhxiz;Center Update;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S4 ehrnfbhx;Update Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S4 fqwogmp;Network Task;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S4 ihxwm;System Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S4 jltrju;Boot Time;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S4 nrxxk;Network Windows;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S4 PCMAVRTPService;PCMAV RealTime Protector Service;c:\windows\system32\RTPSvc.exe [2008-12-08 153600]
S4 qkjfbjkr;Update Installer;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S4 sfwct;Universal Update;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S4 ugdamhfjf;Driver Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S4 wixhb;Task System;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S4 xcnvj;Windows Universal;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S4 xkldwxtdb;Config Network;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S4 yhmatyhjx;Shell Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S4 zcabs;Monitor Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SFWCT
*Deregistered* - Ndisprot.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
fqwogmp
ihxwm
nrxxk
dbhxiz
yhmatyhjx
wixhb
xcnvj
xkldwxtdb
zcabs
qkjfbjkr
ehrnfbhx
ugdamhfjf
jltrju
sfwct

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-19 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 16:53]
.
- - - - ORPHANS REMOVED - - - -

BHO-{F666409F-ECF4-41A1-91AC-0F8FE631F975} - (no file)
Notify-NavLogon - (no file)
MSConfigStartUp-a0b7707e - c:\windows\system32\xnuyuxup.dll
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-vptray - c:\progra~1\SYMANT~1\VPTray.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {4B717D72-2FA7-46C8-A71C-7FC68F6E127F} = 202.134.2.5,202.134.0.155
FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\u3b5psoe.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 2
FF - user.js: content.max.tokenizing.time - 1500000
FF - user.js: content.notify.interval - 750000
FF - user.js: content.switch.threshold - 750000
FF - user.js: nglayout.initialpaint.delay - 100
FF - user.js: network.http.max-connections-per-server - 4
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 10:28:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dbhxiz]
"ServiceDll"="c:\windows\system32\yxuiiiuc.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ehrnfbhx]
"ServiceDll"="c:\windows\system32\yxuiiiuc.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fqwogmp]
"ServiceDll"="c:\windows\system32\yxuiiiuc.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ihxwm]
"ServiceDll"="c:\windows\system32\yxuiiiuc.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jltrju]
"ServiceDll"="c:\windows\system32\yxuiiiuc.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nrxxk]
"ServiceDll"="c:\windows\system32\yxuiiiuc.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qkjfbjkr]
"ServiceDll"="c:\windows\system32\yxuiiiuc.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sfwct]
"ServiceDll"="c:\windows\system32\yxuiiiuc.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ugdamhfjf]
"ServiceDll"="c:\windows\system32\yxuiiiuc.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wixhb]
"ServiceDll"="c:\windows\system32\yxuiiiuc.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xcnvj]
"ServiceDll"="c:\windows\system32\yxuiiiuc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xkldwxtdb]
"ServiceDll"="c:\windows\system32\yxuiiiuc.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\yhmatyhjx]
"ServiceDll"="c:\windows\system32\yxuiiiuc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zcabs]
"ServiceDll"="c:\windows\system32\yxuiiiuc.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]
@Denied: (Full) (Administrators)
@Denied: (Full) (S-1-5-21-1417001333-527237240-725345543-1003)
@Denied: (Full) (RestrictedCode)
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{30c0989a-ccb2-11dd-b331-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f60183a-adf1-11dd-b29c-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
"_LabelFromReg"="Don-ToRes"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f60183b-adf1-11dd-b29c-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
"_LabelFromReg"="rIfqI's data"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f60183c-adf1-11dd-b29c-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
"_LabelFromReg"="MOH RIFAI"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7614e983-ada0-11dd-b29b-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{843edca7-c510-11dd-b2f9-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8a523ec2-acca-11dd-b288-806d6172696f}]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8a523ec3-acca-11dd-b288-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,cf,5f,5f,5f,5f,cf,cf,5f,5f,
5f,cf,cf,cf,5f,5f,5f,cf,cf,cf,5f,5f,cf,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,df,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8f3aaf58-bb7a-11dd-b2cf-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9a856bd0-d445-11dd-88a8-806d6172696f}]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a27a52f8-acc9-11dd-a9e0-806d6172696f}]
"BaseClass"="Drive"
"_LabelFromReg"="Local Disk"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a27a52f9-acc9-11dd-a9e0-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
"_LabelFromReg"="TeMp"
"_CommentFromDesktopINI"=""

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a27a52fa-acc9-11dd-a9e0-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
"_LabelFromReg"="TeMp_2"
"_CommentFromDesktopINI"=""

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a36341bb-ae6c-11dd-b2a0-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,00,\
"_LabelFromReg"="SuBaSeka"
"_CommentFromDesktopINI"=""

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb2ed5f1-b2b2-11dd-b2ae-00e04d95bc78}]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d12bf845-ca4e-11dd-b324-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d5ff48df-bd43-11dd-b2d7-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7e93a89-c7f7-11dd-b316-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e7b30e04-b6f3-11dd-b2be-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f1be1bea-da1e-11dd-88c4-00e04d95bc78}]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):17,93,ea,55,80,57,80,ff,e1,9b,8f,01,d7,8c,bf,72,00,eb,be,0f,08,
e0,82,33,e7,63,ec,13,98,f5,83,2b,42,5b,a5,bf,3b,0e,2f,c7,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{c972a2ff-fe96-4986-af9e-ce8089221aed}]
@Denied: (Full) (Everyone)
"Model"=dword:00000010
"Therad"=dword:0000000f
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,9b,6d,8c,90,3f,64,7f,c7,ff,de,1b,59,3f,a3,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-01-20 10:31:23 - machine was rebooted [USER]
ComboFix-quarantined-files.txt 2009-01-20 03:31:10

Pre-Run: 7,024,607,232 bytes free
Post-Run: 7,081,234,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

  #5  
Old 20th Jan 2009, 14:14
Malware Fighter
Posts: 348
 
Hi again

One hell of a mess here – still some work to do.


Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

I want to have a closer look at several files.


Please go to: VirusTotal
  • In the middle of the page you'll find a "Browse" button.
  • Click the "Browse" button and browse to this file in RED:
    c:\windows\system32\RTPSvc.exe
  • Click "Open".
  • Then click the "Send File" button at the bottom of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.
Repeat the above for the following files:-
c:\windows\system32\RTPScan.dll
c:\windows\system32\drivers\Ndisprot.sys
c:\windows\HideWin.exe

Combofix
  • Close any open browsers.
  • Open notepad and copy/paste the text in the box below into it:
Code:
File::
c:\windows\system32\yxuiiiuc.dll

DirLook::
c:\windows\Icons

Driver::
dbhxiz
ehrnfbhx
fqwogmp
ihxwm
jltrju
nrxxk
qkjfbjkr
sfwct
ugdamhfjf
wixhb
xcnvj
xkldwxtdb
yhmatyhjx
zcabs
Looking at the image below as an example

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Please post the log C:\ComboFix.txt for further review. Please also let me know how your system is running now.
__________________
Iain - Defender of the Haggis
Member of ASAP : : Member of UNITE
  #6  
Old 20th Jan 2009, 15:11
New Member
Posts: 4
 
RTPScan.dll: http://www.virustotal.com/analisis/1...be9890e6673dbb
Ndisprot.sys: http://www.virustotal.com/analisis/e...81be9bca62bad6
HideWin.exe: http://www.virustotal.com/analisis/1...79e91a539a3437

ComboFix's log:

ComboFix 09-01-19.03 - USER 2009-01-21 4:54:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1629 [GMT 7:00]
Running from: c:\documents and settings\USER\My Documents\Downloads\Programs\ComboFix.exe
Command switches used :: c:\documents and settings\USER\My Documents\Downloads\Programs\CFScript.txt
AV: AVG *On-access scanning disabled* (Outdated)
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
* Created a new restore point

FILE ::
c:\windows\system32\yxuiiiuc.dll
.
/wow section - STAGE 8
The process cannot access the file because it is being used by another process.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\yxuiiiuc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DBHXIZ
-------\Legacy_EHRNFBHX
-------\Legacy_FQWOGMP
-------\Legacy_IHXWM
-------\Legacy_JLTRJU
-------\Legacy_NRXXK
-------\Legacy_QKJFBJKR
-------\Legacy_SFWCT
-------\Legacy_UGDAMHFJF
-------\Legacy_WIXHB
-------\Legacy_XCNVJ
-------\Legacy_XKLDWXTDB
-------\Legacy_YHMATYHJX
-------\Legacy_ZCABS
-------\Service_dbhxiz
-------\Service_ehrnfbhx
-------\Service_fqwogmp
-------\Service_ihxwm
-------\Service_jltrju
-------\Service_nrxxk
-------\Service_qkjfbjkr
-------\Service_sfwct
-------\Service_ugdamhfjf
-------\Service_wixhb
-------\Service_xcnvj
-------\Service_xkldwxtdb
-------\Service_yhmatyhjx
-------\Service_zcabs
-------\Legacy_dvszbsss
-------\Service_dvszbsss


((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-19 12:50 . 2009-01-19 12:50 3,309,350 --a------ C:\New Folder.rar
2009-01-16 23:33 . 2009-01-18 18:44 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-16 23:33 . 2009-01-18 18:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2009-01-15 20:16 . 2009-01-15 21:18 <DIR> d-------- c:\program files\ANSAV
2009-01-15 13:43 . 2009-01-15 13:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Agnitum
2009-01-14 06:45 . 2009-01-14 06:45 96,520 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-14 06:45 . 2009-01-14 06:45 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-12 00:50 . 2009-01-12 00:50 <DIR> d-------- c:\program files\Blender Foundation
2009-01-12 00:50 . 2009-01-12 00:50 <DIR> d-------- c:\documents and settings\USER\Application Data\Blender Foundation
2009-01-11 23:12 . 2009-01-11 23:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-11 23:12 . 2009-01-11 23:12 <DIR> d-------- c:\documents and settings\USER\Application Data\Malwarebytes
2009-01-11 23:12 . 2009-01-11 23:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-11 23:12 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-11 23:12 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 00:23 . 2002-03-19 07:18 120,832 --a------ c:\windows\system32\lame_enc.dll
2008-12-30 08:07 . 2008-12-30 08:07 <DIR> d-------- c:\program files\UltraISO
2008-12-30 08:07 . 2008-12-30 08:07 <DIR> d-------- c:\program files\Common Files\EZB Systems
2008-12-29 21:52 . 2009-01-08 02:00 <DIR> d-------- c:\documents and settings\USER\Application Data\uTorrent
2008-12-28 20:48 . 2008-12-28 21:10 <DIR> d-------- c:\program files\MagicISO
2008-12-27 20:46 . 2008-12-27 20:46 <DIR> d-------- c:\windows\Downloaded Installations
2008-12-26 21:56 . 2008-12-26 21:56 <DIR> d-------- c:\documents and settings\USER\Application Data\fltk.org
2008-12-26 21:52 . 2008-12-26 21:52 <DIR> d-------- c:\program files\ePSXe
2008-12-26 21:26 . 2008-12-26 21:26 <DIR> d-------- c:\documents and settings\USER\WINDOWS
2008-12-26 13:14 . 2008-12-26 13:14 <DIR> d-------- c:\program files\IObit
2008-12-22 23:30 . 2008-12-22 23:30 <DIR> d-------- c:\windows\Sun
2008-12-21 02:11 . 2008-12-21 06:18 <DIR> d--h----- c:\windows\Icons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-20 21:56 153,600 ----a-w c:\windows\system32\RTPSvc.exe
2009-01-20 17:28 --------- d-----w c:\documents and settings\USER\Application Data\mIRC
2009-01-20 17:25 --------- d-----w c:\program files\mIRC
2009-01-20 14:02 --------- d-----w c:\documents and settings\USER\Application Data\DMCache
2009-01-18 11:48 --------- d-----w c:\program files\AIMP2
2009-01-15 13:29 --------- d-----w c:\program files\Real Alternative
2009-01-11 16:31 --------- d-----w c:\program files\Internet Download Manager
2009-01-11 16:31 --------- d-----w c:\program files\FlashGet
2009-01-06 18:06 --------- d-----w c:\documents and settings\USER\Application Data\IDM
2009-01-01 17:50 118,272 ----a-w c:\windows\system32\RTPScan.dll
2008-12-19 12:34 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-19 05:33 --------- d-----w c:\program files\TuneUp Utilities 2007
2008-12-19 05:33 --------- d-----w c:\documents and settings\USER\Application Data\TuneUp Software
2008-12-10 14:49 --------- d-----w c:\program files\Counter-Strike 1.6
2008-12-10 12:24 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-07 12:02 --------- d-----w c:\program files\AVG
2008-12-06 14:52 27,904 ----a-w c:\windows\system32\drivers\Ndisprot.sys
2008-12-05 07:28 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-27 16:58 --------- d-----w c:\program files\4U Computing
2008-11-23 03:57 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-09 23:11 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-11-07 06:11 315,392 ----a-w c:\windows\HideWin.exe
2008-12-17 23:01 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-17 23:01 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-17 23:01 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-17 23:01 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-17 23:01 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\Icons ----

2005-05-17 17:10 4393474 --a------ c:\windows\Icons\WindowsBlack\Windows Black.icl
2005-04-25 18:07 10383106 --a------ c:\windows\Icons\3FX\3FX.icl


------- Sigcheck -------

2004-08-04 04:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\system32\dllcache\tcpip.sys
2004-08-04 04:14 359040 6a603809f598332dbedd535bdbce313e c:\windows\system32\drivers\tcpip.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-01-04 399504]
"PCMAV-RTP"="d:\master\PCMAV\PCMAV-RTP.exe" [2008-11-25 2245632]

c:\documents and settings\USER\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-10-23 14:18 202024 c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-02-28 15:00 166424 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2008-02-28 15:00 141848 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-12-05 22:55 54832 c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-10-18 15:27 455968 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2008-02-28 15:00 137752 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2006-11-23 15:10 56928 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-10 06:11 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 18:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-10-16 18:30 16855552 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2007-10-11 11:04 1826816 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"g:\\MSOCache\\uTorrent.exe"=
"f:\\utorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2906:TCP"= 2906:TCP:fkifkccp

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2008-11-07 13696]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-01-11 15504]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-01-11 170640]
R4 PCMAVRTPService;PCMAV RealTime Protector Service;c:\windows\system32\RTPSvc.exe [2008-12-08 153600]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-14 96520]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S4 dvszbsss;Microsoft Installer;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - DVSZBSSS
*Deregistered* - Ndisprot.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
dvszbsss

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-19 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 16:53]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {4B717D72-2FA7-46C8-A71C-7FC68F6E127F} = 202.134.2.5,202.134.0.155
FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\u3b5psoe.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 2
FF - user.js: content.max.tokenizing.time - 1500000
FF - user.js: content.notify.interval - 750000
FF - user.js: content.switch.threshold - 750000
FF - user.js: nglayout.initialpaint.delay - 100
FF - user.js: network.http.max-connections-per-server - 4
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-21 04:56:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dvszbsss]
"ServiceDll"="c:\windows\system32\yxuiiiuc.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]
@Denied: (Full) (Administrators)
@Denied: (Full) (S-1-5-21-1417001333-527237240-725345543-1003)
@Denied: (Full) (RestrictedCode)
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{30c0989a-ccb2-11dd-b331-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f60183a-adf1-11dd-b29c-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
"_LabelFromReg"="Don-ToRes"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f60183b-adf1-11dd-b29c-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
"_LabelFromReg"="rIfqI's data"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f60183c-adf1-11dd-b29c-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
"_LabelFromReg"="MOH RIFAI"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7614e983-ada0-11dd-b29b-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{843edca7-c510-11dd-b2f9-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8a523ec2-acca-11dd-b288-806d6172696f}]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8a523ec3-acca-11dd-b288-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,cf,5f,5f,5f,5f,cf,cf,5f,5f,
5f,cf,cf,cf,5f,5f,5f,cf,cf,cf,5f,5f,cf,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,df,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8f3aaf58-bb7a-11dd-b2cf-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9a856bd0-d445-11dd-88a8-806d6172696f}]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a27a52f8-acc9-11dd-a9e0-806d6172696f}]
"BaseClass"="Drive"
"_LabelFromReg"="Local Disk"

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a27a52f9-acc9-11dd-a9e0-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
"_LabelFromReg"="TeMp"
"_CommentFromDesktopINI"=""

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a27a52fa-acc9-11dd-a9e0-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
"_LabelFromReg"="TeMp_2"
"_CommentFromDesktopINI"=""

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a36341bb-ae6c-11dd-b2a0-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,00,\
"_LabelFromReg"="SuBaSeka"
"_CommentFromDesktopINI"=""

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb2ed5f1-b2b2-11dd-b2ae-00e04d95bc78}]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d12bf845-ca4e-11dd-b324-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d5ff48df-bd43-11dd-b2d7-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7e93a89-c7f7-11dd-b316-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e7b30e04-b6f3-11dd-b2be-00e04d95bc78}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\

[HKEY_USERS\S-1-5-21-1417001333-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f1be1bea-da1e-11dd-88c4-00e04d95bc78}]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):17,93,ea,55,80,57,80,ff,e1,9b,8f,01,d7,8c,bf,72,00,eb,be,0f,08,
e0,82,33,e7,63,ec,13,98,f5,83,2b,42,5b,a5,bf,3b,0e,2f,c7,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{c972a2ff-fe96-4986-af9e-ce8089221aed}]
@Denied: (Full) (Everyone)
"Model"=dword:00000010
"Therad"=dword:0000000f
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,9b,6d,8c,90,3f,64,7f,c7,ff,de,1b,59,3f,a3,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-01-21 4:59:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-20 21:59:47
ComboFix2.txt 2009-01-20 03:31:23

Pre-Run: 7,025,659,904 bytes free
Post-Run: 7,039,918,080 bytes free



Umm, what does "how my computer is running now" mean? Is that asking for my computer's specification? Sorry for my bad English.

My computer is running on a Pentium Core2Duo, my physical RAM is 2 Gigs, my VGA is still the original from Intel (256), and what else? Please let me know the things you need to know.

While I am writing this post, my computer's taskbar gets an error and I cannot access anything related to Windows Explorer (refreshing the desktop, opening or exploring My Computer, etc.). It has totally stalled. Is this caused by a virus?
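The log above shows the chain that the helper's next CFScript acts on: a randomly named service (dvszbsss) started from svchost.exe -k netsvcs, listed in the Svchost NetSvcs group, with its ServiceDll pointing at yxuiiiuc.dll in system32 (the same file ComboFix was told to delete). As an added example, not part of this thread and not ComboFix's own code, here is a small Python triage script that parses a constructed sample in the same layout as that log, cross-references the three sections and shortlists services that show more than one of those signals. The parsing regexes and the vowel-ratio "random name" heuristic are my own assumptions about the log format, not anything ComboFix itself does.

```python
"""Triage a ComboFix-style log for svchost-hosted services that deserve a closer look."""
import re

# Constructed sample: a few lines laid out like the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-01-11 15504]
R4 PCMAVRTPService;PCMAV RealTime Protector Service;c:\windows\system32\RTPSvc.exe [2008-12-08 153600]
S4 dvszbsss;Microsoft Installer;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
dvszbsss

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dvszbsss]
"ServiceDll"="c:\windows\system32\yxuiiiuc.dll"
"""

# "<start type> <name>;<display name>;<image path> [<date> <size>]"  (assumed layout)
SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.*?)(?: \[[^\]]*\])?$')
# "[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\<name>]"        (assumed layout)
SERVICEDLL_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$')


def parse_services(log):
    """Return {name: {'start', 'display', 'image'}} from the R#/S# service lines."""
    services = {}
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            start, name, display, image = m.groups()
            services[name] = {'start': start, 'display': display, 'image': image}
    return services


def parse_netsvcs(log):
    """Return the names listed under the 'Svchost - NetSvcs' heading, up to the next blank line."""
    names, collecting = [], False
    for line in log.splitlines():
        if line.strip().endswith('Svchost - NetSvcs'):
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            names.append(line.strip())
    return names


def parse_service_dlls(log):
    """Return {service name: ServiceDll path} from the dumped Services\\<name> keys."""
    dlls, current = {}, None
    for line in log.splitlines():
        line = line.strip()
        m = SERVICEDLL_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line.startswith('"ServiceDll"='):
            dlls[current] = line.split('=', 1)[1].strip('"')
        elif not line:
            current = None
    return dlls


def looks_random(name, min_len=6, max_vowel_ratio=0.2):
    """Crude triage hint: a longish name made almost entirely of consonants.
    Short legitimate names (RpcSs) are excluded by length; expect some false
    positives (e.g. lmhosts), so this is one signal, never a verdict on its own."""
    letters = re.sub(r'[^a-z]', '', name.lower())
    if len(letters) < min_len:
        return False
    vowels = sum(c in 'aeiou' for c in letters)
    return vowels / len(letters) <= max_vowel_ratio


def triage(log):
    """Cross-reference the three sections; return {name: details} for services with 2+ signals."""
    services = parse_services(log)
    netsvcs = set(parse_netsvcs(log))
    dlls = parse_service_dlls(log)
    findings = {}
    for name, info in services.items():
        image = info['image'].lower()
        dll = dlls.get(name)
        flags = []
        if 'svchost.exe' in image and '-k netsvcs' in image and name in netsvcs:
            flags.append('hosted in the netsvcs svchost group')
        if looks_random(name):
            flags.append('service name has almost no vowels')
        if dll and looks_random(dll.rsplit('\\', 1)[-1].rsplit('.', 1)[0]):
            flags.append('ServiceDll file name looks random')
        if 'svchost.exe' in image and dll is None:
            flags.append('svchost-hosted but no ServiceDll seen in the log')
        if len(flags) >= 2:
            findings[name] = {'display': info['display'], 'dll': dll, 'flags': flags}
    return findings


def cfscript_driver_block(findings):
    """Render the shortlist as a CFScript 'Driver::' section, the format used in this thread."""
    return 'Driver::\n' + '\n'.join(sorted(findings)) + '\n'


if __name__ == '__main__':
    hits = triage(SAMPLE_LOG)
    for name, details in hits.items():
        print(name, details)
    print(cfscript_driver_block(hits))
```

On the sample this shortlists only dvszbsss (netsvcs group membership plus a vowel-free name) and records its ServiceDll, c:\windows\system32\yxuiiiuc.dll, as the file to examine next; MBAMProtector and PCMAVRTPService trip no signal. The shortlist is a starting point for the analyst, who still checks the file itself, which is exactly what the VirusTotal step earlier in this thread does.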
  #7  
Old 21st Jan 2009, 14:12
Malware Fighter
Posts: 348
 
Hi again

Sorry for any confusion – I was just asking if your computer was working normally or if there were still problems.


Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.



Combofix
  • Close any open browsers.
  • Open notepad and copy/paste the text in the box below into it:
Code:
Driver::
UxTuneUp
dvszbsss
Looking at the image below as an example

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Please post the log C:\ComboFix.txt for further review.



Online Scan
Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log to your reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.
__________________
Iain - Defender of the Haggis
Member of ASAP : : Member of UNITE
Copyright ©2006 - 2010 Computer Juice.