Infected rirawapola - antivirus 2009
Chrisbro
12. December 2008 @ 09:26
The following are scans that I have run after reading threads regarding the same on this forum. Whilst my machine is running a lot faster now, I still seem to have entries in the startup folder of msconfig that I cannot excise from the machine. I understand that you guys are probably sick and tired of hearing about this virus, but I am having the devil's own time trying to rid myself of it. It arrived on the machine courtesy of my 12 year old son and any help to get rid of the damn thing would be greatly appreciated.
As you can see from the logs, I have tried numerous antispyware and malware tools to get rid of this thing and these three are the closest I have come to eradicating it. Thank you for that, by the way.
Yours, Christine
-------------------------Initial Scan ------------------------
Malwarebytes' Anti-Malware 1.31
Database version: 1491
Windows 5.1.2600 Service Pack 2
12/12/2008 6:01:52 PM
mbam-log-2008-12-12 (18-01-52).txt
Scan type: Full Scan (C:\|D:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|R:\|S:\|T:\|U:\|)
Objects scanned: 296891
Time elapsed: 2 hour(s), 8 minute(s), 20 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 14
Registry Values Infected: 5
Registry Data Items Infected: 9
Folders Infected: 3
Files Infected: 39
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\niwofuzu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sidikeyu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yukajifa.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\tipiyipo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\barumoju.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2c2e6d6e-4570-4436-b95b-c1f45b1d9c4e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{2c2e6d6e-4570-4436-b95b-c1f45b1d9c4e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2c2e6d6e-4570-4436-b95b-c1f45b1d9c4e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\320d18a1 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm313e2b3d (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rirawapola (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\tipiyipo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\tipiyipo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\barumoju.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\barumoju.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\barumoju.dll -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\sysproc64 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\sysproc64 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\sysproc64 (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\suzezufu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ufuzezus.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuwasobu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ubosawut.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jowibote.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\etobiwoj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\keyineko.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\okeniyek.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bafoline.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\enilofab.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\niwofuzu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\uzufowin.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\domafewe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ewefamod.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tipiyipo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sidikeyu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yukajifa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\barumoju.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fedozuta.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ronuruso.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jofalasa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vihakawi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\begajetu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mupazube.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rasefaki.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yobenavi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kutirata.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vigavifu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\notudara.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\walipevo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dobojobe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dohososa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\backups\backup-20081211-145955-894.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\backups\backup-20081211-150110-610.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
S:\More Michelles Stuff\Mr Driller zip\install.exe (Trojan.Unclassified) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysproc64\sysproc32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysproc64\sysproc86.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\sysproc64\sysproc32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\sysproc64\sysproc32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
-----------------------------Fourth Scan------------------------------
Malwarebytes' Anti-Malware 1.31
Database version: 1491
Windows 5.1.2600 Service Pack 2
12/12/2008 10:07:38 PM
mbam-log-2008-12-12 (22-07-38).txt
Scan type: Full Scan (C:\|)
Objects scanned: 158747
Time elapsed: 16 minute(s), 48 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm313e2b3d (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
----------------------------Combofix Scan---------------------------
ComboFix 08-12-11.05 - Retravision 2008-12-13 0:04:34.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1477 [GMT 10:00]
Running from: c:\documents and settings\Retravision\Desktop\Combo-Fix.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))
.
2008-12-12 11:54 . 2008-12-12 11:54 <DIR> d-------- c:\documents and settings\Retravision\Application Data\Malwarebytes
2008-12-12 11:54 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-12 11:54 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-12 11:53 . 2008-12-12 11:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-12 11:53 . 2008-12-12 11:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-12 11:53 . 2008-12-12 11:52 2,539,400 --a------ C:\mbam-setup.exe
2008-12-11 16:05 . 2008-12-11 16:05 <DIR> d-------- c:\program files\XoftSpySE
2008-12-11 14:59 . 2008-12-11 14:59 <DIR> d-------- C:\backups
2008-12-11 14:41 . 2008-12-11 14:40 401,720 --a------ C:\HiJackThis.exe
2008-12-10 22:15 . 2008-12-10 22:15 <DIR> d-------- c:\program files\ThreatExpert Memory Scanner
2008-12-09 22:07 . 2008-12-09 22:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2008-12-09 22:07 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-09 22:07 . 2007-12-24 17:37 52,496 --a------ c:\windows\system32\drivers\tmactmon.sys
2008-12-09 22:07 . 2007-12-24 17:37 52,240 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2008-12-09 21:29 . 2008-12-09 21:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-12-09 21:21 . 2008-12-09 21:21 <DIR> d-------- c:\program files\Kaspersky Anti-Virus 2009
2008-12-09 20:40 . 2008-12-09 20:40 <DIR> d-------- c:\program files\RegTool
2008-12-09 20:40 . 2008-12-09 20:40 <DIR> d-------- c:\documents and settings\Retravision\Application Data\RegTool
2008-12-05 12:58 . 2008-12-05 12:58 <DIR> d-------- c:\program files\Common Files\INCA Shared
2008-12-05 12:58 . 2003-07-21 13:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2008-12-05 12:58 . 2005-01-05 04:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2008-12-05 11:49 . 2008-12-05 11:49 <DIR> d-------- c:\program files\Gpotato
2008-12-04 19:50 . 2008-12-04 19:50 <DIR> d-------- c:\program files\SweetIM
2008-12-04 19:50 . 2008-12-04 19:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\SweetIM
2008-12-04 19:02 . 2008-12-04 19:02 <DIR> d-------- c:\windows\EHome
2008-12-03 10:11 . 2008-12-03 10:11 192,512 --a------ c:\windows\off-road-uninst.exe
2008-12-01 20:15 . 2008-12-01 20:15 <DIR> d-------- c:\program files\MSN Games
2008-11-18 18:05 . 2008-11-21 15:41 30 --a------ c:\documents and settings\Retravision\jagex_runescape_preferences.dat
2008-11-18 18:02 . 2008-11-18 18:02 <DIR> d-------- c:\windows\.mpr_file_store_32
2008-11-17 14:31 . 2008-11-17 14:31 <DIR> d-------- c:\documents and settings\Retravision\Application Data\Datalayer
2008-11-17 14:01 . 2008-11-17 14:01 <DIR> d-------- c:\windows\system32\XPSViewer
2008-11-17 14:01 . 2008-11-17 14:01 <DIR> d-------- c:\program files\Reference Assemblies
2008-11-17 14:01 . 2008-11-17 14:01 <DIR> d-------- c:\program files\MSBuild
2008-11-17 14:00 . 2008-07-06 22:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2008-11-17 14:00 . 2008-07-06 22:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
2008-11-17 14:00 . 2008-07-06 20:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2008-11-17 14:00 . 2008-07-06 22:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2008-11-17 14:00 . 2008-07-06 22:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll
2008-11-17 14:00 . 2008-07-06 22:06 117,760 --------- c:\windows\system32\prntvpt.dll
2008-11-17 14:00 . 2008-07-06 22:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2008-11-17 13:54 . 2008-11-17 13:54 <DIR> d-------- c:\program files\MSXML 6.0
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-28 11:58 --------- d-----w c:\documents and settings\Retravision\Application Data\funkitron
2008-10-28 11:56 --------- d-----w c:\program files\Tagged Games
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-17 06:53 --------- d-----w c:\documents and settings\Retravision\Application Data\SecondLife
2008-10-16 04:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 04:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 04:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 04:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 04:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 04:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 04:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 04:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 04:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 04:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 04:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 04:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 04:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 04:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 04:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 05:41 --------- d-----w c:\program files\cfg
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 06:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\dllcache\win32k.sys
2006-12-04 05:59 49 ----a-w c:\documents and settings\Retravision\Application Data\internaldb9169.dat
2006-12-04 05:29 382 ----a-w c:\documents and settings\Retravision\Application Data\internaldb1942.dat
2006-12-04 05:29 177,152 ----a-w c:\documents and settings\Retravision\Application Data\internaldb1901.dat
2006-12-04 02:41 151 ----a-w c:\documents and settings\Retravision\Application Data\internaldb6500.dat
2006-12-04 02:41 13,046 ----a-w c:\documents and settings\Retravision\Application Data\internaldb4788.dat
2006-12-04 02:41 0 ----a-w c:\documents and settings\Retravision\Application Data\internaldb1880.dat
2006-12-03 12:51 9,216 ----a-w c:\documents and settings\Retravision\Application Data\internaldb5724.dat
2006-12-03 12:51 0 ----a-w c:\documents and settings\Retravision\Application Data\internaldb9721.dat
2006-12-03 12:51 0 ----a-w c:\documents and settings\Retravision\Application Data\internaldb5101.dat
2006-12-03 12:51 0 ----a-w c:\documents and settings\Retravision\Application Data\internaldb4726.dat
2006-12-03 12:51 0 ----a-w c:\documents and settings\Retravision\Application Data\internaldb3175.dat
2006-12-03 12:51 0 ----a-w c:\documents and settings\Retravision\Application Data\internaldb1478.dat
2006-09-13 01:42 49 ----a-w c:\documents and settings\Retravision\Application Data\internaldb41.dat
2006-08-21 21:29 9,216 ----a-w c:\documents and settings\Retravision\Application Data\internaldb8467.dat
2006-08-21 21:29 0 ----a-w c:\documents and settings\Retravision\Application Data\internaldb6334.dat
2006-07-20 06:16 32 ----a-r c:\documents and settings\All Users\hash.dat
1998-12-08 18:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-08 18:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-08 18:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-08 18:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-08 18:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
1998-12-08 18:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
2008-06-23 01:31 27,976 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-06-23 01:31 125,848 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-06-23 01:32 98,712 ----a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2008-10-08 173368]
[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2008-10-08 12:22 1172792 --a------ c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-10-08 1172792]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-10-08 1172792]
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"CPM313e2b3d"="c:\windows\system32\yinuyoni.dll" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPM313e2b3d]
c:\windows\system32\yinuyoni.dll [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:00 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]
-ra------ 2008-11-17 11:32 111928 c:\program files\SweetIM\Messenger\SweetIM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
--a------ 2008-07-29 14:57 1398024 c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"\\\\Kids\\D\\PROGRAMS\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\BIN\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\BIN\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\BIN\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\BIN\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\BIN\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\BIN\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\BIN\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\BIN\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\BIN\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\BIN\\hpqnrs08.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-02-18 36368]
S0 jmpzxuns;jmpzxuns;c:\windows\system32\drivers\kbwwzdff.sys []
S2 tmevtmgr;tmevtmgr;\??\c:\windows\system32\drivers\tmevtmgr.sys [2008-12-09 52240]
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\c:\windows\System32\DRIVERS\ASPI32.sys [2008-06-11 16512]
S3 C4C_BSC2;C4C_BSC2;c:\windows\system32\DRIVERS\C4C_BSC2.sys [2005-08-04 84788]
S3 MODRC;Ultima Infrared Receiver;c:\windows\system32\DRIVERS\modrc.sys [2008-08-18 13440]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [2007-08-01 742216]
S3 tmproxy;Trend Micro Proxy Service;"c:\program files\Trend Micro\Internet Security\TmProxy.exe" [2008-12-09 648456]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2007-08-26 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\SpeedUpMyPC 3\SpeedUpMyPC.exe []
2008-12-08 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\SpeedUpMyPC 3\SpeedUpMyPC.exe []
2008-12-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
2008-12-12 c:\windows\Tasks\RegTool Scan.job
- c:\program files\RegTool\RegTool.exe []
2008-12-12 c:\windows\Tasks\RegTool Scan.job
- c:\program files\RegTool [2008-12-09 20:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - -
O16 -: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://www.gamehouse.com/games/babel/zylomplayer.cab
FF - ProfilePath - c:\documents and settings\Retravision\Application Data\Mozilla\Firefox\Profiles\8uxqe1z9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/firefox?client=firefox-a&rls=org.mozilla:en-GB:official|http://www.malwarebytes.org/mbam.php
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - plugin: c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 00:05:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-13 0:06:40
ComboFix-quarantined-files.txt 2008-12-12 14:06:40
ComboFix3.txt 2008-12-12 12:31:04
ComboFix2.txt 2008-12-12 12:59:02
Pre-Run: 6,297,026,560 bytes free
Post-Run: 6,283,034,624 bytes free
245 --- E O F --- 2008-12-04 09:06:31
----------------------------hijackthis Scan---------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:28, on 13/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.optusnet.com.au/dsl/favorites/homepage
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [CPM313e2b3d] Rundll32.exe "c:\windows\system32\yinuyoni.dll",a
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://desktop.optusnet.com.au/dsl/favorites/homepage
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.gamehouse.com/games/babel/zylomplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Mes...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://games.bigfishgames.com/en_cinemat...inematycoon.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-lo...856/mcfscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 7264 bytes
Thanks again for your time and effort.