# High-End Adult/Porn Pop-up Adware/Virus, also affecting IE. Willing to Donate or Pay!



## regine (Jan 10, 2009)

URGENT: This is the first time I have ever seen this kind of adware/malware
I really need my PC fixed the soonest and so Please Kindly Help Me
*Im willing to Donate or Pay someone who can help me get rid of this very HighEnd adware/malware*

I downloaded an *infected file* and as soon as its starts unpacking, error messages begin to arise. I canceled installation and deleted it. But its too late, the demons has already been unleashed.

Everytime I open my machine I get the error: *Internet Explorer Encountered an Error and Needs to be Closed...blah..blah..blah*

The worst is the *high-end adware adult pop-up I am getting left and right every 10 minutes*, YES - this is the most annoying and embarrassing adware I have even encountered. I can never close or even move them. They are greatly wasting my time and causing me to stress more.

I call it high end because it actually looks like as if someone is chatting with you live via adult site like Adult Friend Finder and Alt. Here are the pics.

*This is what pops up on my left:*









*And this is what pops up on my right:*









I beg of you please help me get rid of these

*I have already scanned using Avast, AVG, Spybot, SuperAntiSpyWare and fixed/deleted all infected files - but still nothing happened*

I have also cleaned all cookies, cache, temporary files, almost everything

*Here is the hijackthislog:*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:18 AM, on 1/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Invisible Browsing\servers\IBService.exe
C:\Program Files\Invisible Browsing\servers\Socks\IBSocksManager.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Invisible Browsing\servers\Socks\IBSocks.exe
C:\Program Files\Invisible Browsing\servers\Http\ibhttp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\DOCUME~1\kazumi\LOCALS~1\Temp\RarSFX2\ntlogin.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\DOCUME~1\kazumi\LOCALS~1\Temp\RarSFX2\ntlogin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\mchost.exe" "C:\burbuzzu.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\WINDOWS\mchost.exe","C:\burbuzzu.exe",
O1 - Hosts: 216.195.32.130 botmaster.ru
O1 - Hosts: 216.195.32.130 www.botmaster.ru
O1 - Hosts: 216.195.32.131 botmaster.net
O1 - Hosts: 216.195.32.131 www.botmaster.net
O1 - Hosts: 216.195.32.131 www.botmasternet.com
O1 - Hosts: 216.195.32.131 botmasternet.com
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {72EE6B4E-2009-49DD-BC79-7A3BB6AD2CCF} - C:\WINDOWS\system32\byXQJDTN.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdobeFixer] C:\DOCUME~1\kazumi\LOCALS~1\Temp\RarSFX2\ntlogin.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [aswAhAScr.dll] C:\PROGRA~1\ALWILS~1\Avast4\ASWREG~1.EXE "C:\Program Files\Alwil Software\Avast4\AhAScr.dll"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [settings] C:\WINDOWS\mchost.exe
O4 - HKCU\..\Run: [Ms-Scan] C:\DOCUME~1\kazumi\LOCALS~1\Temp\RarSFX1\svchost.exe
O4 - HKCU\..\Run: [AdobeFixer] C:\DOCUME~1\kazumi\LOCALS~1\Temp\RarSFX2\ntlogin.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [UpdateManager] C:\Program Files\Common Files\Microsoft Shared\TextConv\avupdate.exe
O4 - HKCU\..\Policies\Explorer\Run: [settings] C:\WINDOWS\mchost.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqoopOh - ssqoopOh.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: IBService - Unknown owner - C:\Program Files\Invisible Browsing\servers\IBService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9714 bytes


----------



## regine (Jan 10, 2009)

*here is the screenshot of IE error i receive everytime I reboot*










*
Im still waiting for an angel to help me*


----------



## regine (Jan 10, 2009)

anyone here care to help pls?


----------



## regine (Jan 10, 2009)

Here is the recent malware/pop up im getting, its an adult friend finder live chat, is there anyone who can help? Help me get rid of this


----------



## dvk01 (Dec 14, 2002)

Download ComboFix from *Here* to your Desktop.

***Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer***
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re enable the protection again after combofix has finished*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running 
Double click on *combofix.exe* & follow the prompts.​If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this 
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" *along with a *new HijackThis log* for further review

*****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze *****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read  HERE  why we disable autoruns


----------



## regine (Jan 10, 2009)

THANKS SO MUCH FOR TAKING TIME TO HELP ME OUT

Here is the ComboFix LOG:

ComboFix 09-01-13.03 - kazumi 2009-01-14 6:53:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.956 [GMT 8:00]
Running from: c:\documents and settings\kazumi\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090113-1] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\kazumi\Application Data\inst.exe
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\_000026_.tmp.dll
c:\windows\system32\avgeqocb.ini
c:\windows\system32\etyuglrq.ini
c:\windows\system32\fudejsfj.ini
c:\windows\system32\jlxlhydr.ini
c:\windows\system32\mefagvey.ini
c:\windows\system32\Memman.vxd
c:\windows\system32\setup.exe.tmp
c:\windows\system32\skinboxer43.dll
c:\windows\system32\tmp.reg

----- BITS: Possible infected sites -----

hxxp://dealsforfun.com
hxxp://au.download.windowsupdatej+|[email protected]:NGD_DQ{ztHG.XMK
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINSMSS

((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-13 03:13 . 2009-01-13 03:13 d-------- c:\documents and settings\Administrator.REBORN.000\Application Data\Malwarebytes
2009-01-12 02:07 . 2009-01-12 02:07 d-------- c:\documents and settings\Administrator.REBORN.000
2009-01-11 22:04 . 2009-01-11 22:04 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-11 22:04 . 2009-01-11 22:04 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-11 19:16 . 2009-01-11 19:16 d-------- c:\documents and settings\All Users.WINDOWS\CyberLink
2009-01-11 19:15 . 2009-01-11 19:15 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\CyberLink
2009-01-11 19:07 . 2009-01-11 19:08 d-------- c:\documents and settings\kazumi\Application Data\CyberLink
2009-01-11 19:00 . 2009-01-11 19:00 d-------- c:\program files\SmartSound Software
2009-01-11 19:00 . 2009-01-11 19:01 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SmartSound Software Inc
2009-01-11 18:51 . 2009-01-11 19:03 d-------- c:\program files\CyberLink
2009-01-11 09:10 . 2009-01-11 09:10 d-------- c:\program files\Trend Micro
2009-01-11 07:15 . 2009-01-13 06:31 d-------- c:\program files\Spybot - Search & Destroy
2009-01-11 05:46 . 2009-01-11 21:59 d-------- c:\documents and settings\kazumi\Application Data\SUPERAntiSpyware.com
2009-01-11 05:46 . 2009-01-11 05:46 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-01-11 04:17 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-11 01:00 . 2009-01-11 01:00 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Avg8
2009-01-11 00:50 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-10 23:16 . 2009-01-10 23:16 90,244 --a------ c:\windows\%
2009-01-10 23:16 . 2009-01-10 23:16 90,242 --a------ c:\windows\pic0382.zip
2009-01-10 23:16 . 2009-01-10 23:16 90,242 --a------ c:\windows\DSC00137.zip
2009-01-10 23:16 . 2009-01-10 23:16 90,242 --a------ c:\windows\DSC00130.zip
2009-01-10 23:16 . 2009-01-10 23:16 90,242 --a------ c:\windows\DSC00124.zip
2009-01-10 23:16 . 2009-01-10 23:16 90,242 --a------ c:\windows\DSC00110.zip
2009-01-10 23:16 . 2009-01-10 23:16 90,242 --a------ c:\windows\DSC00106.zip
2009-01-10 23:16 . 2009-01-10 23:16 90,242 --a------ c:\windows\DSC00037.zip
2009-01-10 23:16 . 2009-01-10 23:16 90,242 --a------ c:\windows\DSC00013.zip
2009-01-10 23:16 . 2009-01-10 23:16 90,112 -r-hs---- c:\windows\windsvc.exe
2009-01-10 17:02 . 2009-01-10 16:56 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-10 15:23 . 2009-01-10 15:21 344,064 -rahs---- c:\windows\mchost.exe
2009-01-10 15:21 . 2009-01-10 15:21 344,064 --ah----- C:\windll_v354.exe
2009-01-10 15:18 . 2009-01-10 15:18 77,824 --ah----- C:\MsInstaller.exe
2008-12-31 13:02 . 2008-12-31 13:02 d-------- c:\program files\Total Video Converter
2008-12-30 19:31 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-30 19:31 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-30 19:30 . 2008-12-30 19:31 d-------- c:\program files\iTunes
2008-12-30 19:30 . 2008-12-30 19:30 d-------- c:\program files\iPod
2008-12-30 19:30 . 2009-01-13 06:18 d-------- c:\program files\Bonjour
2008-12-30 19:30 . 2008-12-30 19:31 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-30 19:29 . 2008-12-30 19:30 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2008-12-30 19:27 . 2008-12-30 19:27 d-------- c:\program files\Apple Software Update
2008-12-30 19:27 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2008-12-30 19:26 . 2008-12-30 19:30 d-------- c:\program files\Common Files\Apple
2008-12-30 18:42 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-30 18:42 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-30 18:42 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-30 18:42 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-23 21:06 . 2008-12-23 21:06 32,472 --a------ C:\Image1223-2106(CVBS).jpg
2008-12-21 13:23 . 2008-12-21 13:23 56,682 --a------ C:\Image1221-1323(CVBS).jpg
2008-12-19 16:53 . 2008-12-19 16:53 d-------- c:\windows\system32\XPSViewer
2008-12-19 16:53 . 2008-12-19 16:53 d-------- c:\program files\Reference Assemblies
2008-12-19 16:53 . 2008-12-19 16:53 d-------- c:\program files\MSBuild
2008-12-19 16:52 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-12-19 16:51 . 2008-12-19 16:51 d-------- c:\program files\MSXML 6.0
2008-12-13 03:56 . 2007-12-17 18:23 1,136,640 --a------ c:\program files\Common Files\ewutils2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 23:32 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-01-11 14:04 --------- d-----w c:\program files\Java
2009-01-11 11:04 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-10 16:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-10 13:15 --------- d-----w c:\program files\SENuke
2009-01-04 10:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-30 13:54 --------- d-----w c:\documents and settings\kazumi\Application Data\Apple Computer
2008-12-30 11:29 --------- d-----w c:\program files\QuickTime
2008-12-29 08:56 --------- d-----w c:\documents and settings\kazumi\Application Data\Vso
2008-12-27 08:39 --------- d-----w c:\documents and settings\kazumi\Application Data\dvdcss
2008-12-22 08:03 39,536 ----a-w c:\documents and settings\kazumi\Application Data\GDIPFONTCACHEV1.DAT
2008-12-16 19:34 --------- d-----w c:\program files\VideoPostRobot
2008-12-12 12:28 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-12-12 02:26 --------- d-----w c:\program files\MagicISO
2008-11-26 16:42 --------- d-----w c:\program files\Expired Domain Empire Software Full
2008-11-25 02:17 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
2008-11-24 11:41 --------- d-----w c:\program files\Common Files\Adobe
2008-11-24 11:41 --------- d-----w c:\program files\Apple Software Update(2)
2008-11-24 11:41 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2008-05-23 10:31 47,360 ----a-w c:\documents and settings\kazumi\Application Data\pcouffin.sys
2008-03-04 23:02 1,554 ----a-w c:\documents and settings\kazumi\Application Data\SAS7_000.DAT
2001-07-19 23:38 781 --sh--w c:\windows\system32\ms165sql.bin
2008-09-03 10:16 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
.

------- Sigcheck -------

2007-06-13 18:23 975360 9784e0719124e4a23989aef9e7ca02d6 c:\windows\explorer.exe
2007-06-13 19:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 18:23 975360 9784e0719124e4a23989aef9e7ca02d6 c:\windows\$NtServicePackUninstall$\explorer.exe
2002-12-31 20:00 1032192 a0732187050030ae399b241436565e64 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-14 08:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
2007-06-13 18:23 975360 9784e0719124e4a23989aef9e7ca02d6 c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"settings"="c:\windows\mchost.exe" [2009-01-10 344064]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFast Schedule"="c:\program files\WinFast\WFTVFM\WFWIZ.exe" [2005-03-02 278528]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-27 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2002-12-31 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"settings"="c:\windows\mchost.exe" [2009-01-10 344064]

c:\documents and settings\kazumi\Start Menu\Programs\Startup\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 630784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=interceptor.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^SpyCatcher Protector.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\SpyCatcher Protector.lnk
backup=c:\windows\pss\SpyCatcher Protector.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^kazumi^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\kazumi\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^kazumi^Start Menu^Programs^Startup^RocketDock.lnk]
path=c:\documents and settings\kazumi\Start Menu\Programs\Startup\RocketDock.lnk
backup=c:\windows\pss\RocketDock.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^kazumi^Start Menu^Programs^Startup^TransBar.lnk]
path=c:\documents and settings\kazumi\Start Menu\Programs\Startup\TransBar.lnk
backup=c:\windows\pss\TransBar.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^kazumi^Start Menu^Programs^Startup^VistaMessage.exe]
path=c:\documents and settings\kazumi\Start Menu\Programs\Startup\VistaMessage.exe
backup=c:\windows\pss\VistaMessage.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-12-31 20:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-15 21:02 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-02-13 21:05 7557120 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\settings]
-rahs---- 2009-01-10 15:21 344064 c:\windows\mchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
--a------ 2007-03-03 14:12 341488 c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2002-12-31 20:00 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-02-13 21:05 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-02-13 21:05 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windsvc]
-r-hs---- 2009-01-10 23:16 90112 c:\windows\windsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Netscape\\Netscape\\Netscape Browser\\netscape.exe"=
"c:\\Program Files\\Turbo Tube\\Tube Increaser\\Tube Increaser.exe"=
"c:\\xampplite\\apache\\bin\\apache.exe"=
"c:\\xampplite\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\Expired Domain Empire Software Full\\ExpiredDomainEmpireSoftwareFull.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-11 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-18 111184]
R3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [2008-03-18 9446]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-08-18 20560]
R4 IBService;IBService;c:\program files\Invisible Browsing\servers\IBService.exe [2008-05-20 45056]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S4 WF23880;WinFast TV2000/DV2000 WDM Video Capture.;c:\windows\system32\drivers\wf88vcap.sys [2008-03-18 208851]
S4 WF88XBAR;WinFast TV2000/DV2000 WDM Crossbar.;c:\windows\system32\drivers\WF88XBAR.sys [2008-03-18 10324]
S4 WFTUNE;WinFast TV2000/DV2000 WDM Tuner.;c:\windows\system32\drivers\wf88tune.sys [2008-03-18 34789]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f416ece-2339-11dd-a106-0013d441621e}]
\Shell\AutoRun\command - pefbutr.exe
\Shell\explore\Command - pefbutr.exe
\Shell\open\Command - pefbutr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf742552-bdd9-11dd-a262-0013d441621e}]
\Shell\AutoRun\command - wscript.exe auto.vbs
\Shell\Open\Command - wscript.exe auto.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd7b5560-bad9-11dd-a25e-0013d441621e}]
\Shell\AutoRun\command - wscript.exe auto.vbs
\Shell\Open\Command - wscript.exe auto.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0355IH63-F7N5-8B0Y-75Y4-160E764T6PB4}]
"C:\burbuzzu.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{NQQ5L861-82LC-FV28-BC5R-EK164PT2UCAG}]
"c:\windows\mchost.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{72EE6B4E-2009-49DD-BC79-7A3BB6AD2CCF} - c:\windows\system32\byXQJDTN.dll
HKCU-Run-Ms-Scan - c:\docume~1\kazumi\LOCALS~1\Temp\RarSFX1\svchost.exe
HKCU-Run-AdobeFixer - c:\docume~1\kazumi\LOCALS~1\Temp\RarSFX2\ntlogin.exe
HKLM-Explorer_Run-UpdateManager - c:\program files\Common Files\Microsoft Shared\TextConv\avupdate.exe
Notify-ssqoopOh - ssqoopOh.dll
MSConfigStartUp-047b0e4d - c:\windows\system32\vxviuwhv.dll
MSConfigStartUp-AdobeFixer - c:\docume~1\kazumi\LOCALS~1\Temp\RarSFX2\ntlogin.exe
MSConfigStartUp-GhostSurf Reminder - c:\program files\GhostSurf 2007 Platinum\Privacy Control Center.exe
MSConfigStartUp-Hide-The-IP - c:\documents and settings\kazumi\Desktop\HideTheIP.exe
MSConfigStartUp-Ms-Scan - c:\docume~1\kazumi\LOCALS~1\Temp\RarSFX1\svchost.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_05\bin\jusched.exe
MSConfigStartUp-WinUpdate - c:\docume~1\kazumi\LOCALS~1\Temp\RarSFX1\svchost.exe
MSConfigStartUp-Microsoft - test.exe
MSConfigStartUp-Windows Update Manager - service.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = local;*.local
uInternet Settings,ProxyServer = 127.0.0.1:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\securenet.dll
FF - ProfilePath - c:\documents and settings\kazumi\Application Data\Mozilla\Firefox\Profiles\1we9d33u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 06:57:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(624)
c:\windows\system32\securenet.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ATKKBService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Invisible Browsing\servers\socks\IBSocksManager.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Invisible Browsing\servers\Http\ibhttp.exe
c:\program files\Invisible Browsing\servers\socks\IBSocks.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-01-14 7:06:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-13 23:06:21

Pre-Run: 53,795,872,768 bytes free
Post-Run: 53,739,540,480 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

327 --- E O F --- 2008-12-20 03:40:51


----------



## regine (Jan 10, 2009)

*Here is the NEW Hijackthis log*:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:04 AM, on 1/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Invisible Browsing\servers\IBService.exe
C:\Program Files\Invisible Browsing\servers\Socks\IBSocksManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Invisible Browsing\servers\Http\ibhttp.exe
C:\Program Files\Invisible Browsing\servers\Socks\IBSocks.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Netscape\Netscape\Netscape Browser\netscape.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [settings] C:\WINDOWS\mchost.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [settings] C:\WINDOWS\mchost.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: IBService - Unknown owner - C:\Program Files\Invisible Browsing\servers\IBService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8401 bytes


----------



## dvk01 (Dec 14, 2002)

Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE * and choose desktop in the list of selections in that window & press save)

Close any open browsers 
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*

This will create a zip file inside C:\QooBox\ named something like [38][email protected]

at the end it will pop up an alert & open your browser and ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file inside C:\QooBox\ created by combofix named something like [38][email protected]

Note: I need to examine quite a few files & it is very likely that the zip created will be too big to upload at Bleeping computer so if it gets rejected from there, make sure you upload at spykiller please


----------



## regine (Jan 10, 2009)

its done

i think it has been resolved, im not so sure though

I will monitor for a day and update

thanks so much


----------



## dvk01 (Dec 14, 2002)

still a lot of problems there

delete the existing cfscript.txt &

Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE * and choose desktop in the list of selections in that window & press save)

Close any open browsers 
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*

This will create a zip file inside C:\QooBox\ named something like [38][email protected]

at the end it will pop up an alert & open your browser and ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file inside C:\QooBox\ created by combofix named something like [38][email protected]


----------



## regine (Jan 10, 2009)

Done!

I dont see the "*Internet Explorer Encountered a Problem*..." everytime I reboot.

The Adult Friend Finder pop up seems to disappear already

I think it is resolved

What do you think sir?

Thanks so much!


----------



## dvk01 (Dec 14, 2002)

there is still a problem showing and the tools we use won't delete or collect files with wildcards in the name for safety reasons

I need you to do this

go to c:\windows look for a file called %

right click it & select send to compressed(zip) folders

that will make a backup copy called %.zip inside C:\windows

I need you to upload that zip file

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:

the C:\windows\%.zip

once you have uploaded it and only after it is uploaded then go back to C;\windows & select the C:\windows\%.zip & right click it & select delete

then the file just called C:\windows\% and delete that as well

then

download gmer rootkit detector from http://gmer.net

unzip it & double click the gmer.exe file

select rootkit tab & press scan

when it has finished press copy & post back the log it makes


----------



## regine (Jan 10, 2009)

I have already uploaded it
You can find it here http://thespykiller.co.uk/index.php/topic,7634.0.html

I have uploaded the gmer log to mediafire (its too huge to paste)
http://www.mediafire.com/?t4zzyzonmtj

Let me know if there anything that still needs to be done

Thanks for the time


----------



## dvk01 (Dec 14, 2002)

make sure you delete the %.zip and the % file now please

they definitely are malware 

I am looking at the gmer report now


----------



## dvk01 (Dec 14, 2002)

gmer is fine

it is so big because it shows tenebril spycatcher linked to every fiel

have you still got it installed

is it the full version or only the trial


----------



## regine (Jan 10, 2009)

I have already deleted the % file and %.zip

I dont have spycatcher installed sir


----------



## dvk01 (Dec 14, 2002)

regine said:


> I don't have spycatcher installed sir


It did have at one time & bits have been left behind

Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
To disable SpybotSD TeaTimer:

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box.
Click Allow Change box.

You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm
_ _ _ _

Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE * and choose desktop in the list of selections in that window & press save)

Close any open browsers 
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*

This will create a zip file inside C:\QooBox\ named something like [38][email protected]

at the end it will pop up an alert & open your browser and ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file inside C:\QooBox\ created by combofix named something like [38][email protected]

Hopefully this will finish off the clear up


----------



## regine (Jan 10, 2009)

I uploaded the zip file:
http://thespykiller.co.uk/index.php/topic,7635.0.html

Here is the combofix log:

ComboFix 09-01-13.04 - kazumi 2009-01-16 4:14:20.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.877 [GMT 8:00]
Running from: c:\documents and settings\kazumi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kazumi\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090115-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Tenebril
c:\documents and settings\All Users\Application Data\Tenebril\SpyCatcher\FileTracking.dat
c:\documents and settings\All Users\Application Data\Tenebril\SpyCatcher\HiddenFiles.txt
c:\documents and settings\All Users\Application Data\Tenebril\SpyCatcher\InterceptLog.dat
c:\documents and settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedExecutables.txt
c:\documents and settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedLibraries.txt
c:\documents and settings\All Users\Application Data\Tenebril\SpyCatcher\RegTracking.dat
c:\windows\system32\InterceptHelper.dll
c:\windows\system32\interceptor.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.

2009-01-16 01:24 . 2009-01-16 01:24 250 --a------ c:\windows\gmer.ini
2009-01-15 10:46 . 2009-01-15 10:54 228,491,032 --a------ C:\Video0115-1046(CVBS).mpg
2009-01-13 03:13 . 2009-01-13 03:13 d-------- c:\documents and settings\Administrator.REBORN.000\Application Data\Malwarebytes
2009-01-12 02:07 . 2009-01-12 02:07 d-------- c:\documents and settings\Administrator.REBORN.000
2009-01-11 22:04 . 2009-01-11 22:04 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-11 22:04 . 2009-01-11 22:04 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-11 19:16 . 2009-01-11 19:16 d-------- c:\documents and settings\All Users.WINDOWS\CyberLink
2009-01-11 19:15 . 2009-01-11 19:15 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\CyberLink
2009-01-11 19:07 . 2009-01-11 19:08 d-------- c:\documents and settings\kazumi\Application Data\CyberLink
2009-01-11 19:00 . 2009-01-11 19:00 d-------- c:\program files\SmartSound Software
2009-01-11 19:00 . 2009-01-11 19:01 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SmartSound Software Inc
2009-01-11 18:51 . 2009-01-11 19:03 d-------- c:\program files\CyberLink
2009-01-11 09:10 . 2009-01-11 09:10 d-------- c:\program files\Trend Micro
2009-01-11 07:15 . 2009-01-14 22:55 d-------- c:\program files\Spybot - Search & Destroy
2009-01-11 05:46 . 2009-01-11 21:59 d-------- c:\documents and settings\kazumi\Application Data\SUPERAntiSpyware.com
2009-01-11 05:46 . 2009-01-11 05:46 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-01-11 04:17 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-11 01:00 . 2009-01-11 01:00 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Avg8
2009-01-11 00:50 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-10 17:02 . 2009-01-10 16:56 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-10 15:18 . 2009-01-10 15:18 77,824 --ah----- C:\MsInstaller.exe
2008-12-31 13:02 . 2008-12-31 13:02 d-------- c:\program files\Total Video Converter
2008-12-30 19:31 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-30 19:31 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-30 19:30 . 2008-12-30 19:31 d-------- c:\program files\iTunes
2008-12-30 19:30 . 2008-12-30 19:30 d-------- c:\program files\iPod
2008-12-30 19:30 . 2009-01-13 06:18 d-------- c:\program files\Bonjour
2008-12-30 19:30 . 2008-12-30 19:31 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-30 19:29 . 2008-12-30 19:30 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2008-12-30 19:27 . 2008-12-30 19:27 d-------- c:\program files\Apple Software Update
2008-12-30 19:27 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2008-12-30 19:26 . 2008-12-30 19:30 d-------- c:\program files\Common Files\Apple
2008-12-30 18:42 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-30 18:42 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-30 18:42 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-30 18:42 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-23 21:06 . 2008-12-23 21:06 32,472 --a------ C:\Image1223-2106(CVBS).jpg
2008-12-21 13:23 . 2008-12-21 13:23 56,682 --a------ C:\Image1221-1323(CVBS).jpg
2008-12-19 16:53 . 2008-12-19 16:53 d-------- c:\windows\system32\XPSViewer
2008-12-19 16:53 . 2008-12-19 16:53 d-------- c:\program files\Reference Assemblies
2008-12-19 16:53 . 2008-12-19 16:53 d-------- c:\program files\MSBuild
2008-12-19 16:52 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-12-19 16:51 . 2008-12-19 16:51 d-------- c:\program files\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 14:55 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-01-11 14:04 --------- d-----w c:\program files\Java
2009-01-11 11:04 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-10 16:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-10 13:15 --------- d-----w c:\program files\SENuke
2009-01-04 10:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-30 13:54 --------- d-----w c:\documents and settings\kazumi\Application Data\Apple Computer
2008-12-30 11:29 --------- d-----w c:\program files\QuickTime
2008-12-29 08:56 --------- d-----w c:\documents and settings\kazumi\Application Data\Vso
2008-12-27 08:39 --------- d-----w c:\documents and settings\kazumi\Application Data\dvdcss
2008-12-22 08:03 39,536 ----a-w c:\documents and settings\kazumi\Application Data\GDIPFONTCACHEV1.DAT
2008-12-16 19:34 --------- d-----w c:\program files\VideoPostRobot
2008-12-12 12:28 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-12-12 02:26 --------- d-----w c:\program files\MagicISO
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-26 16:42 --------- d-----w c:\program files\Expired Domain Empire Software Full
2008-11-25 02:17 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
2008-11-24 11:41 --------- d-----w c:\program files\Common Files\Adobe
2008-11-24 11:41 --------- d-----w c:\program files\Apple Software Update(2)
2008-11-24 11:41 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2008-05-23 10:31 47,360 ----a-w c:\documents and settings\kazumi\Application Data\pcouffin.sys
2008-03-04 23:02 1,554 ----a-w c:\documents and settings\kazumi\Application Data\SAS7_000.DAT
2007-12-17 10:23 1,136,640 ----a-w c:\program files\Common Files\ewutils2.dll
2001-07-19 23:38 781 --sh--w c:\windows\system32\ms165sql.bin
2008-09-03 10:16 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
.

------- Sigcheck -------

2007-06-13 18:23 975360 9784e0719124e4a23989aef9e7ca02d6 c:\windows\explorer.exe
2007-06-13 19:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 18:23 975360 9784e0719124e4a23989aef9e7ca02d6 c:\windows\$NtServicePackUninstall$\explorer.exe
2002-12-31 20:00 1032192 a0732187050030ae399b241436565e64 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-14 08:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
2007-06-13 18:23 975360 9784e0719124e4a23989aef9e7ca02d6 c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((( [email protected]_ 7.05.07.74 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-15 17:24:43 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-17 13:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2008-08-28 10:04:17 333,056 -c--a-w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 11:57:21 333,184 -c--a-w c:\windows\system32\dllcache\srv.sys
+ 2009-01-15 17:24:43 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2007-07-27 01:41:40 16,760 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
+ 2009-01-15 20:17:48 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_464.dat
+ 2009-01-15 20:17:35 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFast Schedule"="c:\program files\WinFast\WFTVFM\WFWIZ.exe" [2005-03-02 278528]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-27 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2002-12-31 15360]

c:\documents and settings\kazumi\Start Menu\Programs\Startup\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 630784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqoopOh]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=interceptor.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^SpyCatcher Protector.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\SpyCatcher Protector.lnk
backup=c:\windows\pss\SpyCatcher Protector.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^kazumi^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\kazumi\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^kazumi^Start Menu^Programs^Startup^RocketDock.lnk]
path=c:\documents and settings\kazumi\Start Menu\Programs\Startup\RocketDock.lnk
backup=c:\windows\pss\RocketDock.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^kazumi^Start Menu^Programs^Startup^TransBar.lnk]
path=c:\documents and settings\kazumi\Start Menu\Programs\Startup\TransBar.lnk
backup=c:\windows\pss\TransBar.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^kazumi^Start Menu^Programs^Startup^VistaMessage.exe]
path=c:\documents and settings\kazumi\Start Menu\Programs\Startup\VistaMessage.exe
backup=c:\windows\pss\VistaMessage.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-12-31 20:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-15 21:02 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-02-13 21:05 7557120 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
--a------ 2007-03-03 14:12 341488 c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2002-12-31 20:00 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-02-13 21:05 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-02-13 21:05 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Netscape\\Netscape\\Netscape Browser\\netscape.exe"=
"c:\\Program Files\\Turbo Tube\\Tube Increaser\\Tube Increaser.exe"=
"c:\\xampplite\\apache\\bin\\apache.exe"=
"c:\\xampplite\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\Expired Domain Empire Software Full\\ExpiredDomainEmpireSoftwareFull.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-11 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-18 111184]
R3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [2008-03-18 9446]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-08-18 20560]
R4 IBService;IBService;c:\program files\Invisible Browsing\servers\IBService.exe [2008-05-20 45056]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S4 WF23880;WinFast TV2000/DV2000 WDM Video Capture.;c:\windows\system32\drivers\wf88vcap.sys [2008-03-18 208851]
S4 WF88XBAR;WinFast TV2000/DV2000 WDM Crossbar.;c:\windows\system32\drivers\WF88XBAR.sys [2008-03-18 10324]
S4 WFTUNE;WinFast TV2000/DV2000 WDM Tuner.;c:\windows\system32\drivers\wf88tune.sys [2008-03-18 34789]
.
Contents of the 'Scheduled Tasks' folder

2009-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = local;*.local
uInternet Settings,ProxyServer = 127.0.0.1:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\securenet.dll
FF - ProfilePath - c:\documents and settings\kazumi\Application Data\Mozilla\Firefox\Profiles\1we9d33u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 04:18:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(624)
c:\windows\system32\securenet.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ATKKBService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Invisible Browsing\servers\socks\IBSocksManager.exe
c:\program files\Invisible Browsing\servers\socks\IBSocks.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Invisible Browsing\servers\Http\ibhttp.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-01-16 4:29:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-15 20:29:46
ComboFix2.txt 2009-01-15 00:02:21
ComboFix3.txt 2009-01-14 14:51:17
ComboFix4.txt 2009-01-13 23:06:25

Pre-Run: 53,004,763,136 bytes free
Post-Run: 53,106,036,736 bytes free

278 --- E O F --- 2009-01-14 16:55:25


----------



## dvk01 (Dec 14, 2002)

this should finish the clear up

Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE * and choose desktop in the list of selections in that window & press save)

Close any open browsers 
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*


----------



## regine (Jan 10, 2009)

*Hijackthis log*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:38 AM, on 1/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Invisible Browsing\servers\IBService.exe
C:\Program Files\Invisible Browsing\servers\Socks\IBSocksManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Invisible Browsing\servers\Socks\IBSocks.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Invisible Browsing\servers\Http\ibhttp.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Netscape\Netscape\Netscape Browser\netscape.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: IBService - Unknown owner - C:\Program Files\Invisible Browsing\servers\IBService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7753 bytes


----------



## regine (Jan 10, 2009)

*combofix log*

ComboFix 09-01-13.04 - kazumi 2009-01-17 7:30:04.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1053 [GMT 8:00]
Running from: c:\documents and settings\kazumi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kazumi\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090116-1] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.

2009-01-16 01:24 . 2009-01-16 01:24 250 --a------ c:\windows\gmer.ini
2009-01-15 10:46 . 2009-01-15 10:54 228,491,032 --a------ C:\Video0115-1046(CVBS).mpg
2009-01-13 03:13 . 2009-01-13 03:13 d-------- c:\documents and settings\Administrator.REBORN.000\Application Data\Malwarebytes
2009-01-12 02:07 . 2009-01-12 02:07 d-------- c:\documents and settings\Administrator.REBORN.000
2009-01-11 22:04 . 2009-01-11 22:04 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-11 22:04 . 2009-01-11 22:04 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-11 19:16 . 2009-01-11 19:16 d-------- c:\documents and settings\All Users.WINDOWS\CyberLink
2009-01-11 19:15 . 2009-01-11 19:15 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\CyberLink
2009-01-11 19:07 . 2009-01-11 19:08 d-------- c:\documents and settings\kazumi\Application Data\CyberLink
2009-01-11 19:00 . 2009-01-11 19:00 d-------- c:\program files\SmartSound Software
2009-01-11 19:00 . 2009-01-11 19:01 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SmartSound Software Inc
2009-01-11 18:51 . 2009-01-11 19:03 d-------- c:\program files\CyberLink
2009-01-11 09:10 . 2009-01-11 09:10 d-------- c:\program files\Trend Micro
2009-01-11 07:15 . 2009-01-14 22:55 d-------- c:\program files\Spybot - Search & Destroy
2009-01-11 05:46 . 2009-01-11 21:59 d-------- c:\documents and settings\kazumi\Application Data\SUPERAntiSpyware.com
2009-01-11 05:46 . 2009-01-11 05:46 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-01-11 04:17 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-11 01:00 . 2009-01-11 01:00 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Avg8
2009-01-11 00:50 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-10 17:02 . 2009-01-10 16:56 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-10 15:18 . 2009-01-10 15:18 77,824 --ah----- C:\MsInstaller.exe
2008-12-31 13:02 . 2008-12-31 13:02 d-------- c:\program files\Total Video Converter
2008-12-30 19:31 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-30 19:31 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-30 19:30 . 2008-12-30 19:31 d-------- c:\program files\iTunes
2008-12-30 19:30 . 2008-12-30 19:30 d-------- c:\program files\iPod
2008-12-30 19:30 . 2009-01-13 06:18 d-------- c:\program files\Bonjour
2008-12-30 19:30 . 2008-12-30 19:31 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-30 19:29 . 2008-12-30 19:30 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2008-12-30 19:27 . 2008-12-30 19:27 d-------- c:\program files\Apple Software Update
2008-12-30 19:27 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2008-12-30 19:26 . 2008-12-30 19:30 d-------- c:\program files\Common Files\Apple
2008-12-30 18:42 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-30 18:42 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-30 18:42 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-30 18:42 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-23 21:06 . 2008-12-23 21:06 32,472 --a------ C:\Image1223-2106(CVBS).jpg
2008-12-21 13:23 . 2008-12-21 13:23 56,682 --a------ C:\Image1221-1323(CVBS).jpg
2008-12-19 16:53 . 2008-12-19 16:53 d-------- c:\windows\system32\XPSViewer
2008-12-19 16:53 . 2008-12-19 16:53 d-------- c:\program files\Reference Assemblies
2008-12-19 16:53 . 2008-12-19 16:53 d-------- c:\program files\MSBuild
2008-12-19 16:52 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-12-19 16:51 . 2008-12-19 16:51 d-------- c:\program files\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 14:55 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-01-11 14:04 --------- d-----w c:\program files\Java
2009-01-11 11:04 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-10 16:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-10 13:15 --------- d-----w c:\program files\SENuke
2009-01-04 10:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-30 13:54 --------- d-----w c:\documents and settings\kazumi\Application Data\Apple Computer
2008-12-30 11:29 --------- d-----w c:\program files\QuickTime
2008-12-29 08:56 --------- d-----w c:\documents and settings\kazumi\Application Data\Vso
2008-12-27 08:39 --------- d-----w c:\documents and settings\kazumi\Application Data\dvdcss
2008-12-22 08:03 39,536 ----a-w c:\documents and settings\kazumi\Application Data\GDIPFONTCACHEV1.DAT
2008-12-16 19:34 --------- d-----w c:\program files\VideoPostRobot
2008-12-12 12:28 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-12-12 02:26 --------- d-----w c:\program files\MagicISO
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-26 16:42 --------- d-----w c:\program files\Expired Domain Empire Software Full
2008-11-25 02:17 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
2008-11-24 11:41 --------- d-----w c:\program files\Common Files\Adobe
2008-11-24 11:41 --------- d-----w c:\program files\Apple Software Update(2)
2008-11-24 11:41 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 06:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 06:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 06:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 06:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 06:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 06:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 06:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 06:09 43,544 ----a-w c:\windows\system32\wups2(2).dll
2008-10-16 06:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 06:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 06:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-05-23 10:31 47,360 ----a-w c:\documents and settings\kazumi\Application Data\pcouffin.sys
2008-03-04 23:02 1,554 ----a-w c:\documents and settings\kazumi\Application Data\SAS7_000.DAT
2007-12-17 10:23 1,136,640 ----a-w c:\program files\Common Files\ewutils2.dll
2001-07-19 23:38 781 --sh--w c:\windows\system32\ms165sql.bin
2008-09-03 10:16 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
.

------- Sigcheck -------

2007-06-13 18:23 975360 9784e0719124e4a23989aef9e7ca02d6 c:\windows\explorer.exe
2007-06-13 19:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 18:23 975360 9784e0719124e4a23989aef9e7ca02d6 c:\windows\$NtServicePackUninstall$\explorer.exe
2002-12-31 20:00 1032192 a0732187050030ae399b241436565e64 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-14 08:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
2007-06-13 18:23 975360 9784e0719124e4a23989aef9e7ca02d6 c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((( [email protected]_ 7.05.07.74 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-15 17:24:43 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-17 13:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2008-08-28 10:04:17 333,056 -c--a-w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 11:57:21 333,184 -c--a-w c:\windows\system32\dllcache\srv.sys
+ 2009-01-15 17:24:43 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2007-07-27 01:41:40 16,760 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
+ 2009-01-16 23:14:11 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_43c.dat
+ 2009-01-16 23:13:55 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_52c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFast Schedule"="c:\program files\WinFast\WFTVFM\WFWIZ.exe" [2005-03-02 278528]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-27 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2002-12-31 15360]

c:\documents and settings\kazumi\Start Menu\Programs\Startup\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 630784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^kazumi^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\kazumi\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^kazumi^Start Menu^Programs^Startup^RocketDock.lnk]
path=c:\documents and settings\kazumi\Start Menu\Programs\Startup\RocketDock.lnk
backup=c:\windows\pss\RocketDock.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^kazumi^Start Menu^Programs^Startup^TransBar.lnk]
path=c:\documents and settings\kazumi\Start Menu\Programs\Startup\TransBar.lnk
backup=c:\windows\pss\TransBar.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^kazumi^Start Menu^Programs^Startup^VistaMessage.exe]
path=c:\documents and settings\kazumi\Start Menu\Programs\Startup\VistaMessage.exe
backup=c:\windows\pss\VistaMessage.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-12-31 20:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-15 21:02 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-02-13 21:05 7557120 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
--a------ 2007-03-03 14:12 341488 c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2002-12-31 20:00 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-02-13 21:05 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-02-13 21:05 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Netscape\\Netscape\\Netscape Browser\\netscape.exe"=
"c:\\Program Files\\Turbo Tube\\Tube Increaser\\Tube Increaser.exe"=
"c:\\xampplite\\apache\\bin\\apache.exe"=
"c:\\xampplite\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\Expired Domain Empire Software Full\\ExpiredDomainEmpireSoftwareFull.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-11 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-18 111184]
R3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [2008-03-18 9446]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-08-18 20560]
R4 IBService;IBService;c:\program files\Invisible Browsing\servers\IBService.exe [2008-05-20 45056]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S4 WF23880;WinFast TV2000/DV2000 WDM Video Capture.;c:\windows\system32\drivers\wf88vcap.sys [2008-03-18 208851]
S4 WF88XBAR;WinFast TV2000/DV2000 WDM Crossbar.;c:\windows\system32\drivers\WF88XBAR.sys [2008-03-18 10324]
S4 WFTUNE;WinFast TV2000/DV2000 WDM Tuner.;c:\windows\system32\drivers\wf88tune.sys [2008-03-18 34789]
.
Contents of the 'Scheduled Tasks' folder

2009-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = local;*.local
uInternet Settings,ProxyServer = 127.0.0.1:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\securenet.dll
FF - ProfilePath - c:\documents and settings\kazumi\Application Data\Mozilla\Firefox\Profiles\1we9d33u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 07:33:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(620)
c:\windows\system32\securenet.dll
.
Completion time: 2009-01-17 7:36:16
ComboFix-quarantined-files.txt 2009-01-16 23:36:02
ComboFix2.txt 2009-01-15 20:29:50
ComboFix3.txt 2009-01-15 00:02:21
ComboFix4.txt 2009-01-14 14:51:17
ComboFix5.txt 2009-01-16 23:29:02

Pre-Run: 51,533,643,776 bytes free
Post-Run: 51,520,131,072 bytes free

252 --- E O F --- 2009-01-14 16:55:25


----------



## dvk01 (Dec 14, 2002)

that looks fine now

Please download  ATF Cleaner by Atribune

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

*If you use Firefox browser as well as Internet Explorer or instead of it then also do this step*

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

*If you use Opera browser as well as Internet Explorer or instead of it then also do this step*

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

This will remove all files from the items that are checked so if you have some cookies you'd like to save. please move them to a different directory first.

Notes for Windows Vista users:

On Windows Vista that "Windows Temp" is disabled, to empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator"
Prefetch has been disabled on Windows Vista. As the author is not not sure the effects that emptying prefetch on Windows Vista will have, for the time being that function won't be enabled

*Follow these steps to uninstall Combofix and tools used in the removal of malware*
* Click *START* then *RUN*
* Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.









then 
Turn off system restore by following instructions here 
for XP http://www.thespykiller.co.uk/index.php?page=8
or for Vista http://www.bleepingcomputer.com/tutorials/tutorial143.html

That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable system restore & create a new restore point. Now Empty Recycle bin on desktop

go here* http://www.thespykiller.co.uk/index.php?page=3 *for info on how to tighten your security settings and how to help prevent future attacks.

and scan here* http://secunia.com/software_inspector/ * for out of date & vulnerable common applications on your computer

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place

and make sure Antivirus in enabled


----------



## regine (Jan 10, 2009)

DONE! But how come these files arent still deleted in my C:/? Can I just delete them? (Kindly visit this link for the screenshot, for some reason I cant embed images now) http://i43.tinypic.com/2625wyo.jpg Also, after I have done your final step, I cant access youtube properly, heres a screenshot: http://i44.tinypic.com/98stxz.jpg


----------



## dvk01 (Dec 14, 2002)

qoobox should have been deleted

you don't want to delete the others as they are system files 

cmdldr is the recovery console & should stay so it can be used in case of any future problems

boot.bak is a backup that is made every time the boot.ini is altered so it an essential windows file

I don't know what is happening on youtube

what browser were you using 

try emptying temp internet files, delete cookies, reboot & try you tube again


----------



## regine (Jan 10, 2009)

*All is Good Now - Thanks so much!*

So should I delete the qoobox folder manually?

How do I donate?

Thanks


----------



## dvk01 (Dec 14, 2002)

if you have already this 
*Follow these steps to uninstall Combofix and tools used in the removal of malware*
* Click *START* then *RUN*
* Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.









then 
yes delete qoobox folder


----------



## regine (Jan 10, 2009)

it says *Windows Cannot Find ComboFix /u*

qoobox folder deleted


----------

