Popup telling to scan my computer

February 28, 2009 at 17:51:31
Specs: Windows XP
When my computer starts running (at the desktop), a popup appears on the screen every 30 seconds or 1 minute, telling me to scan my computer, which has been infected with a virus; then an Internet Explorer window appears and asks to scan my PC. These things come back even after I've already closed them... please help.




#1
February 28, 2009 at 18:20:16
You have a trojan.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double-click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy and paste the entire report in your next reply.


If Malwarebytes installed but will not run, navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename HJTInstall.exe to tools.exe in the filename box, then click Save.
1. Save "tools.exe" to your desktop.
2. Double-click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
February 28, 2009 at 18:55:14
Here is the entire report after the restart:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

3/1/2009 10:47:50 AM
mbam-log-2009-03-01 (10-47-50).txt

Scan type: Quick Scan
Objects scanned: 79530
Time elapsed: 6 minute(s), 20 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
C:\WINDOWS\system32\firewall.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows network firewall (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LH2m356P.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\firewall.exe (Backdoor.Bot) -> Quarantined and deleted successfully.


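
Two things in the report above deserve a second look once the machine has restarted: entries marked "Delete on reboot" were still present when the log was written and are only removed at the next boot, and the Winlogon Userinit value was touched (the log shows the data MBAM quarantined). What follows is an added example, not code from this thread or from Malwarebytes: a Python script that parses MBAM 1.x result lines of the shape shown above, lists the items still pending a reboot, and checks a Userinit value against the Windows XP default. The sample log is an excerpt copied from this post; the regular expression for the line layout and the expected Userinit path are the script's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed excerpt: lines copied from the MBAM 1.34 report posted in this thread.
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\WINDOWS\system32\firewall.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Assumed line layout: "<target> (<detection>) -> [<detail> -> ]<action>."
LINE_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")


@dataclass
class Finding:
    section: str
    target: str
    detection: str
    detail: str
    action: str

    @property
    def pending_reboot(self):
        # "Delete on reboot" means the item was locked or in use: it is still on
        # disk / in the registry when this log is written and only goes away at
        # the next boot, so it has to be re-verified afterwards.
        return self.action.lower().startswith("delete on reboot")


def parse_mbam_log(text):
    """Turn the result section of an MBAM 1.x log into Finding objects."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line.endswith("Infected:"):
            section = line[:-1]           # e.g. "Registry Data Items Infected"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                      # header or summary line, not a result
        parts = m.group("rest").split(" -> ")
        action = parts[-1].rstrip(".")
        detail = " -> ".join(parts[:-1])  # e.g. "Data: ..." or "Bad: (0) Good: (1)"
        findings.append(Finding(section, m.group("target"), m.group("detection"), detail, action))
    return findings


def pending_after_reboot(findings):
    """Targets MBAM could not remove immediately; check these again after rebooting."""
    return [f.target for f in findings if f.pending_reboot]


def userinit_extra_entries(value, systemroot=r"C:\WINDOWS"):
    r"""Return the comma-separated entries of a Winlogon Userinit value that are
    not the expected full path to userinit.exe. A clean XP value is exactly
    "C:\WINDOWS\system32\userinit.exe," (one entry, trailing comma); malware
    appends its own executable or swaps in a relative path."""
    expected = (systemroot + r"\system32\userinit.exe").lower()
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != expected]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for f in found:
        flag = "PENDING REBOOT" if f.pending_reboot else "done"
        print(f"[{flag}] {f.section}: {f.target} ({f.detection})")
    print("re-check after reboot:", pending_after_reboot(found))
    print("userinit extras:", userinit_extra_entries(r"system32\userinit.exe"))
```

Run it as a script, or import it and call parse_mbam_log() on a saved log. A Userinit value that looks normal is not proof that the binary is clean: later in this thread ComboFix reports that userinit.exe itself had been infected and restores it from dllcache, so compare the file with its dllcache copy as well.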

#3
February 28, 2009 at 19:25:56
Jabuck, do I need to install HijackThis too, and do as you said?



#4
February 28, 2009 at 19:38:38
Yes, we have several things to do yet to get your computer clean. That is one half of the first step and there are about five steps.


#5
February 28, 2009 at 19:50:51
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:25 AM, on 3/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Mouse Driver\KMWDSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\User\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://stat.flashget.com/clientacti...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Ringz Studio\Storm Codec\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Mouse Driver\KMWDSrv.exe
O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O24 - Desktop Component 1: Ocean Aquarium Deluxe v1.0 Active Desktop - C:\Program Files\Ocean Aquarium 3D Deluxe\Active Desktop\Ocean_Aquarium_3D_Active_DT.html
O24 - Desktop Component 2: WinThemes Active Desktop - http://www.winthemes.com/desktop/on...

--
End of file - 7885 bytes



#6
February 28, 2009 at 20:01:52
Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to toolb.exe in the filename box, then click Save.

Combofix is a powerful tool, so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files, which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case, to run Combofix do the following:
1. Go offline, turn off your Avira antivirus, and turn off any real-time antispyware that you may have.
2. Run Combofix by double-clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again, but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.



#7
February 28, 2009 at 23:11:29
jabuck,

I already disabled my antivirus, and I don't have any antispyware. Do I need to disable anything in the anti-malware program that was used just now? I have already run ComboFix, but after it had been running for around 5 seconds a popup appeared saying DISCLAIMER OF WARRANTY ON SOFTWARE, with terms to agree to, either yes or no?



#8
March 1, 2009 at 07:12:19
Choose yes to any prompts and install the recovery console.


#9
March 1, 2009 at 18:28:25
ComboFix 09-03-01.01 - SSB-Vaio 2009-03-02 10:08:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.211 [GMT 8:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\init32.exe
c:\windows\system32\UTSCSI.EXE
D:\Autorun.inf

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\userinit.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-02 to 2009-03-02 )))))))))))))))))))))))))))))))
.

2009-03-01 10:33 . 2009-03-01 10:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-01 10:33 . 2009-03-01 10:33 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2009-03-01 10:33 . 2009-03-01 10:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-01 10:33 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-01 10:33 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-01 09:13 . 2009-03-01 09:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2009-03-01 09:10 . 2009-03-01 09:10 <DIR> d-------- c:\program files\Common Files\iS3
2009-03-01 09:10 . 2009-03-01 10:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-02-23 22:12 . 2009-02-23 22:12 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Yahoo!
2009-02-08 04:13 . 2009-03-01 11:40 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-08 04:13 . 2009-02-08 04:13 1,409 --a------ c:\windows\QTFont.for
2009-02-07 16:22 . 2009-02-07 16:22 124 --a------ c:\documents and settings\User\ywppm.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-27 11:45 --------- d-----w c:\documents and settings\User\Application Data\LimeWire
2009-02-23 16:34 --------- d-s---w c:\program files\Warcraft
2009-02-23 14:59 --------- d-----w c:\program files\Garena
2009-02-22 17:58 --------- d-----w c:\program files\Director MX
2009-01-07 15:01 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-07 15:01 --------- d-----w c:\program files\Java
2009-01-07 14:55 --------- d-----w c:\program files\LimeWire
2009-01-07 14:54 --------- d-----w c:\program files\Sports Interactive
2008-12-21 22:57 29,249 ----a-w c:\documents and settings\User\vi32.exe
2004-08-06 19:00 161,980 --sha-r c:\windows\system32\dozprg.dll
.

------- Sigcheck -------

2007-01-13 16:23 359040 6a603809f598332dbedd535bdbce313e c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2006-07-30 5354792]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2007-12-30 1365504]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-18 9117696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-07 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-07 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-07 455168]
"StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" [2006-09-30 96984]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-15 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-08-15 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-08-15 94208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-10 155648]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-20 163840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-08-12 380928]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]
"QuickTime Task"="c:\program files\Ringz Studio\Storm Codec\qttask.exe" [2006-09-01 282624]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-03 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-18 9117696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2004-08-07 c:\windows\system32\advpack.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= c:\program files\Ocean Aquarium 3D Deluxe\Active Desktop\Ocean_Aquarium_3D_Active_DT.html
FriendlyName= Ocean Aquarium Deluxe v1.0 Active Desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ Partizan\0autocheck autochk *

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Warcraft\\Frozen Throne.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1234:TCP"= 1234:TCP:lala
"5456:TCP"= 5456:TCP:bvslcr

R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Mouse Driver\KMWDSrv.exe [2007-04-05 208896]
S2 icykduu;Server Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2004-08-07 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
icykduu

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08469e21-6a95-11dd-80b9-0014a5ce61b9}]
\Shell\AutoPlay\command - wscript.exe \izwan.js
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \izwan.js
\Shell\Explore\command - wscript.exe \izwan.js -Clicked
\Shell\Open\command - wscript.exe \izwan.js
\Shell\Scan for Viruses\command - wscript.exe \izwan.js
\Shell\Scan with AVG\command - wscript.exe \izwan.js
\Shell\Scan with Norton AntiVirus\command - wscript.exe \izwan.js

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08469e26-6a95-11dd-80b9-0014a5ce61b9}]
\Shell\AutoRun\command - g:\system\Security\DriveGuard.exe -run
\Shell\Explore\Command - g:\system\Security\DriveGuard.exe -run
\Shell\Open\Command - g:\system\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{179630f8-5ca4-11dd-8088-0014a5ce61b9}]
\Shell\AutoRun\command - g:\system\Security\DriveGuard.exe -run
\Shell\Explore\Command - g:\system\Security\DriveGuard.exe -run
\Shell\Open\Command - g:\system\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24c648e3-6c05-11dd-80bd-0014a5ce61b9}]
\Shell\AutoRun\command - g:\system\Security\DriveGuard.exe -run
\Shell\Explore\Command - g:\system\Security\DriveGuard.exe -run
\Shell\Open\Command - g:\system\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{351c2a87-5a24-11dd-807b-0014a5ce61b9}]
\Shell\AutoRun\command - h:\system\Security\DriveGuard.exe -run
\Shell\Explore\Command - h:\system\Security\DriveGuard.exe -run
\Shell\Open\Command - h:\system\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fc8453b-5701-11dd-8064-454e45544531}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e5a9c9d-57ee-11dd-806e-0014a5ce61b9}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fc79808-5a0f-11dd-8077-0014a5ce61b9}]
\Shell\AutoRun\command - G:\lyvs1bhu.com
\Shell\explore\Command - G:\lyvs1bhu.com
\Shell\open\Command - G:\lyvs1bhu.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e06cb54-693a-11dd-80b7-0014a5ce61b9}]
\Shell\AutoRun\command - g:\system\Security\DriveGuard.exe -run
\Shell\Explore\Command - g:\system\Security\DriveGuard.exe -run
\Shell\Open\Command - g:\system\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92d20960-6786-11dd-80b3-0014a5ce61b9}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a767c5f5-02e6-11dd-bfd2-454e45544531}]
\Shell\Auto\command - H:\sxs.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abf21014-637d-11dd-80a4-0014a5ce61b9}]
\Shell\AutoRun\command - g:\system\Security\DriveGuard.exe -run
\Shell\Explore\Command - g:\system\Security\DriveGuard.exe -run
\Shell\Open\Command - g:\system\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad6940c5-5c6c-11dd-8087-0014a5ce61b9}]
\Shell\AutoRun\command - g:\system\Security\DriveGuard.exe -run
\Shell\Explore\Command - g:\system\Security\DriveGuard.exe -run
\Shell\Open\Command - g:\system\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad6940c6-5c6c-11dd-8087-0014a5ce61b9}]
\Shell\AutoRun\command - g:\system\Security\DriveGuard.exe -run
\Shell\Explore\Command - g:\system\Security\DriveGuard.exe -run
\Shell\Open\Command - g:\system\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad6940c8-5c6c-11dd-8087-0014a5ce61b9}]
\Shell\AutoRun\command - g:\system\Security\DriveGuard.exe -run
\Shell\Explore\Command - g:\system\Security\DriveGuard.exe -run
\Shell\Open\Command - g:\system\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad6940c9-5c6c-11dd-8087-0014a5ce61b9}]
\Shell\AutoRun\command - h:\system\Security\DriveGuard.exe -run
\Shell\Explore\Command - h:\system\Security\DriveGuard.exe -run
\Shell\Open\Command - h:\system\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adbcf39a-9a3d-11da-8090-0014a5ce61b9}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf5fc1ac-a984-11db-a9c8-0014a5ce61b9}]
\Shell\AutoRun\command - photos.zip.exe %1
\Shell\Explore\command - photos.zip.exe %1
\Shell\Open\command - photos.zip.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e560e37d-613a-11dd-809a-0014a5ce61b9}]
\Shell\AutoRun\command - g:\system\Security\DriveGuard.exe -run
\Shell\Explore\Command - g:\system\Security\DriveGuard.exe -run
\Shell\Open\Command - g:\system\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4e58978-757b-11dd-80d1-0014a5ce61b9}]
\Shell\AutoRun\command - g:\system\Security\DriveGuard.exe -run
\Shell\Explore\Command - g:\system\Security\DriveGuard.exe -run
\Shell\Open\Command - g:\system\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f64101c3-b3cb-11db-a9ca-0014a5ce61b9}]
\Shell\AutoRun\command - G:\idstick.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f849dfe0-572d-11dd-8068-454e45544531}]
\Shell\AutoRun\command - g:\system\Security\DriveGuard.exe -run
\Shell\Explore\Command - g:\system\Security\DriveGuard.exe -run
\Shell\Open\Command - g:\system\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc036fc3-567c-11dd-805e-454e45544531}]
\Shell\AutoRun\command - g:\system\Security\DriveGuard.exe -run
\Shell\Explore\Command - g:\system\Security\DriveGuard.exe -run
\Shell\Open\Command - g:\system\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc036fc4-567c-11dd-805e-454e45544531}]
\Shell\AutoRun\command - g:\system\Security\DriveGuard.exe -run
\Shell\Explore\Command - g:\system\Security\DriveGuard.exe -run
\Shell\Open\Command - g:\system\Security\DriveGuard.exe -run
.
Contents of the 'Scheduled Tasks' folder

2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 14:21]

2009-03-01 c:\windows\Tasks\At1.job
- c:\windows\system32\LH2m356P.exe []

2009-03-02 c:\windows\Tasks\At10.job
- c:\windows\system32\LH2m356P.exe []

2009-03-02 c:\windows\Tasks\At11.job
- c:\windows\system32\LH2m356P.exe []

2009-03-01 c:\windows\Tasks\At12.job
- c:\windows\system32\LH2m356P.exe []

2009-03-01 c:\windows\Tasks\At13.job
- c:\windows\system32\LH2m356P.exe []

2009-03-01 c:\windows\Tasks\At14.job
- c:\windows\system32\LH2m356P.exe []

2009-03-01 c:\windows\Tasks\At15.job
- c:\windows\system32\LH2m356P.exe []

2009-03-01 c:\windows\Tasks\At16.job
- c:\windows\system32\LH2m356P.exe []

2009-03-01 c:\windows\Tasks\At17.job
- c:\windows\system32\LH2m356P.exe []

2009-03-01 c:\windows\Tasks\At18.job
- c:\windows\system32\LH2m356P.exe []

2009-03-01 c:\windows\Tasks\At19.job
- c:\windows\system32\LH2m356P.exe []

2009-03-02 c:\windows\Tasks\At2.job
- c:\windows\system32\LH2m356P.exe []

2009-02-27 c:\windows\Tasks\At20.job
- c:\windows\system32\LH2m356P.exe []

2009-03-01 c:\windows\Tasks\At21.job
- c:\windows\system32\LH2m356P.exe []

2009-03-01 c:\windows\Tasks\At22.job
- c:\windows\system32\LH2m356P.exe []

2009-02-27 c:\windows\Tasks\At23.job
- c:\windows\system32\LH2m356P.exe []

2009-02-27 c:\windows\Tasks\At24.job
- c:\windows\system32\LH2m356P.exe []

2009-02-26 c:\windows\Tasks\At3.job
- c:\windows\system32\LH2m356P.exe []

2009-02-26 c:\windows\Tasks\At4.job
- c:\windows\system32\LH2m356P.exe []

2009-02-26 c:\windows\Tasks\At5.job
- c:\windows\system32\LH2m356P.exe []

2009-02-26 c:\windows\Tasks\At6.job
- c:\windows\system32\LH2m356P.exe []

2009-02-23 c:\windows\Tasks\At7.job
- c:\windows\system32\LH2m356P.exe []

2009-02-23 c:\windows\Tasks\At8.job
- c:\windows\system32\LH2m356P.exe []

2009-02-26 c:\windows\Tasks\At9.job
- c:\windows\system32\LH2m356P.exe []
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKCU-Run-ares - c:\program files\Ares\Ares.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://stat.flashget.com/clientaction/install/flashget/flashget/1.80en/9C7A139A186D3448283D73D2B8A992E6/0/9C7A139A186D3448283D73D2B8A992E6
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qzxxnbut.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-02 10:13:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\icykduu]
"ServiceDll"="c:\windows\system32\dozprg.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ef,73,03,52,c2,0d,6a,a4,55,33,1d,1a,e7,09,9f,c8,29,da,39,04,fc,11,3f,
8d,2e,8c,02,93,db,ce,00,24,41,f5,05,da,17,a4,33,a8,ef,9e,e8,12,55,3c,ce,aa,\
"??"=hex:6c,dc,bf,f0,7f,5b,61,ef,17,18,d5,cf,fe,0b,45,e8
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\HPQ\Shared\HpqToaster.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-03-02 10:17:30 - machine was rebooted [SSB-Vaio]
ComboFix-quarantined-files.txt 2009-03-02 02:17:27

Pre-Run: 9,208,381,440 bytes free
Post-Run: 10,128,629,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


#10
March 1, 2009 at 19:37:28
Open Notepad, copy/paste everything between the X's into it, and make sure the first word (such as KILLALL, File, Folder, Registry, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\documents and settings\User\vi32.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
-c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08469e21-6a95-11dd-80b9-0014a5ce61b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08469e26-6a95-11dd-80b9-0014a5ce61b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{179630f8-5ca4-11dd-8088-0014a5ce61b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24c648e3-6c05-11dd-80bd-0014a5ce61b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{351c2a87-5a24-11dd-807b-0014a5ce61b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fc8453b-5701-11dd-8064-454e45544531}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e5a9c9d-57ee-11dd-806e-0014a5ce61b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fc79808-5a0f-11dd-8077-0014a5ce61b9}]
\[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e06cb54-693a-11dd-80b7-0014a5ce61b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92d20960-6786-11dd-80b3-0014a5ce61b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a767c5f5-02e6-11dd-bfd2-454e45544531}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abf21014-637d-11dd-80a4-0014a5ce61b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad6940c5-5c6c-11dd-8087-0014a5ce61b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad6940c6-5c6c-11dd-8087-0014a5ce61b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad6940c8-5c6c-11dd-8087-0014a5ce61b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad6940c9-5c6c-11dd-8087-0014a5ce61b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adbcf39a-9a3d-11da-8090-0014a5ce61b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf5fc1ac-a984-11db-a9c8-0014a5ce61b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e560e37d-613a-11dd-809a-0014a5ce61b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4e58978-757b-11dd-80d1-0014a5ce61b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f849dfe0-572d-11dd-8068-454e45544531}]
\[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc036fc3-567c-11dd-805e-454e45544531}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc036fc4-567c-11dd-805e-454e45544531}]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run".

Please post the log that is produced.



#11
March 1, 2009 at 19:47:21
Simply put, you have been infected by spyware or even adware. This spyware alerts and shows fake warning messages to scare the user and asks you to scan your PC, and when you try their scan they ask you to buy their security program; that's a scam. You should run an anti-spyware program. I suggest:
Install Super Anti Spyware
It is a most popular and useful spyware removal program that blocks and deletes spyware, adware, malware and other worms from your PC.
http://darfuns.com/download-super-a...


#12
March 2, 2009 at 03:53:18
ComboFix 09-03-01.01 - SSB-Vaio 2009-03-02 19:42:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.137 [GMT 8:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
* Created a new restore point

FILE ::
-c:\windows\Tasks\At18.job
c:\documents and settings\User\vi32.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\vi32.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job

.
((((((((((((((((((((((((( Files Created from 2009-02-02 to 2009-03-02 )))))))))))))))))))))))))))))))
.

2009-03-01 10:33 . 2009-03-01 10:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-01 10:33 . 2009-03-01 10:33 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2009-03-01 10:33 . 2009-03-01 10:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-01 10:33 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-01 10:33 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-01 09:13 . 2009-03-01 09:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2009-03-01 09:10 . 2009-03-01 09:10 <DIR> d-------- c:\program files\Common Files\iS3
2009-03-01 09:10 . 2009-03-01 10:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-02-23 22:12 . 2009-02-23 22:12 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Yahoo!
2009-02-08 04:13 . 2009-03-01 11:40 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-08 04:13 . 2009-02-08 04:13 1,409 --a------ c:\windows\QTFont.for
2009-02-07 16:22 . 2009-02-07 16:22 124 --a------ c:\documents and settings\User\ywppm.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-02 05:21 --------- d-s---w c:\program files\Warcraft
2009-03-02 03:48 --------- d-----w c:\program files\Garena
2009-02-27 11:45 --------- d-----w c:\documents and settings\User\Application Data\LimeWire
2009-02-22 17:58 --------- d-----w c:\program files\Director MX
2009-01-07 15:01 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-07 15:01 --------- d-----w c:\program files\Java
2009-01-07 14:55 --------- d-----w c:\program files\LimeWire
2009-01-07 14:54 --------- d-----w c:\program files\Sports Interactive
2004-08-06 19:00 161,980 --sha-r c:\windows\system32\dozprg.dll
.

------- Sigcheck -------

2007-01-13 16:23 359040 6a603809f598332dbedd535bdbce313e c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-03-02_10.16.49.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-02 11:47:01 16,384 ----atw c:\windows\temp\Perflib_Perfdata_9a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2006-07-30 5354792]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2007-12-30 1365504]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-18 9117696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-07 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-07 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-07 455168]
"StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" [2006-09-30 96984]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-15 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-08-15 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-08-15 94208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-10 155648]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-20 163840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-08-12 380928]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]
"QuickTime Task"="c:\program files\Ringz Studio\Storm Codec\qttask.exe" [2006-09-01 282624]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-03 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-18 9117696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2004-08-07 c:\windows\system32\advpack.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= c:\program files\Ocean Aquarium 3D Deluxe\Active Desktop\Ocean_Aquarium_3D_Active_DT.html
FriendlyName= Ocean Aquarium Deluxe v1.0 Active Desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ Partizan\0autocheck autochk *

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Warcraft\\Frozen Throne.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1234:TCP"= 1234:TCP:lala
"5456:TCP"= 5456:TCP:bvslcr

R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Mouse Driver\KMWDSrv.exe [2007-04-05 208896]
S2 icykduu;Server Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2004-08-07 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
icykduu

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e06cb54-693a-11dd-80b7-0014a5ce61b9}]
\Shell\AutoRun\command - g:\system\Security\DriveGuard.exe -run
\Shell\Explore\Command - g:\system\Security\DriveGuard.exe -run
\Shell\Open\Command - g:\system\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f64101c3-b3cb-11db-a9ca-0014a5ce61b9}]
\Shell\AutoRun\command - G:\idstick.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc036fc3-567c-11dd-805e-454e45544531}]
\Shell\AutoRun\command - g:\system\Security\DriveGuard.exe -run
\Shell\Explore\Command - g:\system\Security\DriveGuard.exe -run
\Shell\Open\Command - g:\system\Security\DriveGuard.exe -run
.
Contents of the 'Scheduled Tasks' folder

2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 14:21]

2009-03-01 c:\windows\Tasks\At18.job
- c:\windows\system32\LH2m356P.exe []

2009-03-01 c:\windows\Tasks\At19.job
- c:\windows\system32\LH2m356P.exe []

2009-03-02 c:\windows\Tasks\At2.job
- c:\windows\system32\LH2m356P.exe []

2009-02-27 c:\windows\Tasks\At20.job
- c:\windows\system32\LH2m356P.exe []

2009-03-01 c:\windows\Tasks\At21.job
- c:\windows\system32\LH2m356P.exe []

2009-03-01 c:\windows\Tasks\At22.job
- c:\windows\system32\LH2m356P.exe []

2009-02-27 c:\windows\Tasks\At23.job
- c:\windows\system32\LH2m356P.exe []

2009-02-27 c:\windows\Tasks\At24.job
- c:\windows\system32\LH2m356P.exe []

2009-02-26 c:\windows\Tasks\At3.job
- c:\windows\system32\LH2m356P.exe []

2009-02-26 c:\windows\Tasks\At4.job
- c:\windows\system32\LH2m356P.exe []

2009-02-26 c:\windows\Tasks\At5.job
- c:\windows\system32\LH2m356P.exe []

2009-02-26 c:\windows\Tasks\At6.job
- c:\windows\system32\LH2m356P.exe []

2009-02-23 c:\windows\Tasks\At7.job
- c:\windows\system32\LH2m356P.exe []

2009-02-23 c:\windows\Tasks\At8.job
- c:\windows\system32\LH2m356P.exe []

2009-02-26 c:\windows\Tasks\At9.job
- c:\windows\system32\LH2m356P.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://stat.flashget.com/clientaction/install/flashget/flashget/1.80en/9C7A139A186D3448283D73D2B8A992E6/0/9C7A139A186D3448283D73D2B8A992E6
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qzxxnbut.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-02 19:47:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\icykduu]
"ServiceDll"="c:\windows\system32\dozprg.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ef,73,03,52,c2,0d,6a,a4,55,33,1d,1a,e7,09,9f,c8,29,da,39,04,fc,11,3f,
8d,2e,8c,02,93,db,ce,00,24,41,f5,05,da,17,a4,33,a8,ef,9e,e8,12,55,3c,ce,aa,\
"??"=hex:6c,dc,bf,f0,7f,5b,61,ef,17,18,d5,cf,fe,0b,45,e8
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\HPQ\Shared\HpqToaster.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-03-02 19:50:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-02 11:50:27
ComboFix2.txt 2009-03-02 02:17:31

Pre-Run: 10,212,855,808 bytes free
Post-Run: 10,202,583,040 bytes free


#13
March 2, 2009 at 15:19:24
Open Notepad, copy/paste everything between the X's into it, and make sure the first word (such as KILLALL, File, Folder, Registry, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\Tasks\At18.job
c:\windows\system32\dozprg.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job

Driver::
icykduu

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\icykduu]
"ServiceDll"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\icykduu]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e06cb54-693a-11dd-80b7-0014a5ce61b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc036fc3-567c-11dd-805e-454e45544531}]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run".

Please post the log that is produced.



#14
March 3, 2009 at 02:09:15
ComboFix 09-03-02.01 - SSB-Vaio 2009-03-03 13:50:34.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.136 [GMT 8:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\dozprg.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dozprg.dll
c:\windows\Tasks\At18.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ICYKDUU
-------\Service_icykduu


((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))
.

2009-03-03 13:57 . 2009-03-03 13:58 <DIR> d-------- c:\windows\LastGood
2009-03-01 10:33 . 2009-03-01 10:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-01 10:33 . 2009-03-01 10:33 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2009-03-01 10:33 . 2009-03-01 10:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-01 10:33 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-01 10:33 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-01 09:13 . 2009-03-01 09:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2009-03-01 09:10 . 2009-03-01 09:10 <DIR> d-------- c:\program files\Common Files\iS3
2009-03-01 09:10 . 2009-03-01 10:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-02-23 22:12 . 2009-02-23 22:12 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Yahoo!
2009-02-08 04:13 . 2009-03-01 11:40 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-08 04:13 . 2009-02-08 04:13 1,409 --a------ c:\windows\QTFont.for
2009-02-07 16:22 . 2009-02-07 16:22 124 --a------ c:\documents and settings\User\ywppm.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-03 05:31 --------- d-s---w c:\program files\Warcraft
2009-03-03 03:01 --------- d-----w c:\program files\Garena
2009-02-27 11:45 --------- d-----w c:\documents and settings\User\Application Data\LimeWire
2009-02-22 17:58 --------- d-----w c:\program files\Director MX
2009-01-07 15:01 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-07 15:01 --------- d-----w c:\program files\Java
2009-01-07 14:55 --------- d-----w c:\program files\LimeWire
2009-01-07 14:54 --------- d-----w c:\program files\Sports Interactive
.

------- Sigcheck -------

2007-01-13 16:23 359040 6a603809f598332dbedd535bdbce313e c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-03-02_10.16.49.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2008-10-16 06:09:44 92,696 ------w c:\windows\SoftwareDistribution\SelfUpdate\cdm.dll
+ 2008-10-16 06:12:20 561,688 ------w c:\windows\SoftwareDistribution\SelfUpdate\wuapi.dll
+ 2008-10-16 06:09:44 51,224 ------w c:\windows\SoftwareDistribution\SelfUpdate\wuauclt.exe
+ 2008-10-16 06:13:40 1,809,944 ------w c:\windows\SoftwareDistribution\SelfUpdate\wuaueng.dll
+ 2008-10-16 06:12:22 323,608 ------w c:\windows\SoftwareDistribution\SelfUpdate\wucltui.dll
+ 2008-10-16 06:08:58 34,328 ------w c:\windows\SoftwareDistribution\SelfUpdate\wups.dll
+ 2008-10-16 06:09:44 43,544 ------w c:\windows\SoftwareDistribution\SelfUpdate\wups2.dll
+ 2008-10-16 06:13:40 202,776 ------w c:\windows\SoftwareDistribution\SelfUpdate\wuweb.dll
- 2004-08-06 19:00:00 66,560 ----a-w c:\windows\system32\cdm.dll
+ 2008-10-16 06:09:44 92,696 ----a-w c:\windows\system32\cdm.dll
- 2004-08-06 19:00:00 430,592 ----a-w c:\windows\system32\wuapi.dll
+ 2008-10-16 06:12:20 561,688 ----a-w c:\windows\system32\wuapi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2006-07-30 5354792]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2007-12-30 1365504]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-18 9117696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-07 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-07 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-07 455168]
"StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" [2006-09-30 96984]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-15 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-08-15 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-08-15 94208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-10 155648]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-20 163840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-08-12 380928]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]
"QuickTime Task"="c:\program files\Ringz Studio\Storm Codec\qttask.exe" [2006-09-01 282624]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-03 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-18 9117696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2004-08-07 c:\windows\system32\advpack.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= c:\program files\Ocean Aquarium 3D Deluxe\Active Desktop\Ocean_Aquarium_3D_Active_DT.html
FriendlyName= Ocean Aquarium Deluxe v1.0 Active Desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ Partizan\0autocheck autochk *

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Warcraft\\Frozen Throne.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1234:TCP"= 1234:TCP:lala
"5456:TCP"= 5456:TCP:bvslcr

R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Mouse Driver\KMWDSrv.exe [2007-04-05 208896]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\User\LOCALS~1\Temp\WLT19.tmp --> c:\docume~1\User\LOCALS~1\Temp\WLT19.tmp [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f64101c3-b3cb-11db-a9ca-0014a5ce61b9}]
\Shell\AutoRun\command - G:\idstick.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 14:21]

2009-03-01 c:\windows\Tasks\At19.job
- c:\windows\system32\LH2m356P.exe []

2009-03-02 c:\windows\Tasks\At2.job
- c:\windows\system32\LH2m356P.exe []

2009-02-27 c:\windows\Tasks\At20.job
- c:\windows\system32\LH2m356P.exe []

2009-03-02 c:\windows\Tasks\At21.job
- c:\windows\system32\LH2m356P.exe []

2009-03-02 c:\windows\Tasks\At22.job
- c:\windows\system32\LH2m356P.exe []

2009-03-02 c:\windows\Tasks\At23.job
- c:\windows\system32\LH2m356P.exe []

2009-03-02 c:\windows\Tasks\At24.job
- c:\windows\system32\LH2m356P.exe []

2009-03-02 c:\windows\Tasks\At3.job
- c:\windows\system32\LH2m356P.exe []

2009-02-26 c:\windows\Tasks\At4.job
- c:\windows\system32\LH2m356P.exe []

2009-02-26 c:\windows\Tasks\At5.job
- c:\windows\system32\LH2m356P.exe []

2009-02-26 c:\windows\Tasks\At6.job
- c:\windows\system32\LH2m356P.exe []

2009-02-23 c:\windows\Tasks\At7.job
- c:\windows\system32\LH2m356P.exe []

2009-02-23 c:\windows\Tasks\At8.job
- c:\windows\system32\LH2m356P.exe []

2009-02-26 c:\windows\Tasks\At9.job
- c:\windows\system32\LH2m356P.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://stat.flashget.com/clientaction/install/flashget/flashget/1.80en/9C7A139A186D3448283D73D2B8A992E6/0/9C7A139A186D3448283D73D2B8A992E6
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qzxxnbut.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-03 13:57:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\cdm.dll.wusetup.202640.bak 66560 bytes executable
c:\windows\system32\wups2.dll 43544 bytes executable
c:\windows\system32\SoftwareDistribution
c:\windows\system32\wuapi.dll.mui 23576 bytes executable
c:\windows\system32\wuauclt.exe.wusetup.217281.bak 111104 bytes executable
c:\windows\system32\wuaucpl.cpl.mui 23576 bytes executable
c:\windows\system32\wuaucpl.cpl.wusetup.223031.bak 162304 bytes executable

scan completed successfully
hidden files: 7

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\User\LOCALS~1\Temp\WLT19.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ef,73,03,52,c2,0d,6a,a4,55,33,1d,1a,e7,09,9f,c8,29,da,39,04,fc,11,3f,
8d,2e,8c,02,93,db,ce,00,24,41,f5,05,da,17,a4,33,a8,ef,9e,e8,12,55,3c,ce,aa,\
"??"=hex:6c,dc,bf,f0,7f,5b,61,ef,17,18,d5,cf,fe,0b,45,e8
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-03-03 14:01:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-03 06:01:04
ComboFix2.txt 2009-03-02 11:50:32
ComboFix3.txt 2009-03-02 02:17:31

Pre-Run: 10,151,661,568 bytes free
Post-Run: 10,068,246,528 bytes free


#15
March 3, 2009 at 03:36:56
Open Notepad, copy/paste everything between the X's into it, and make sure the first word (such as KILLALL, File, Folder, Registry, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\system32\LH2m356P.exe

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run".

Please post the log that is produced.


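How the File::/Driver::/Registry:: lines in the helper's CFScripts can be derived from the ComboFix logs above, as an added Python example (not code from the thread, from the helper, or from ComboFix): it parses a constructed excerpt written in ComboFix's log format, flags the persistence pattern these logs show (a batch of AtN.job tasks all launching one unrecognised system32 executable, a svchost netsvcs service with an unusual ServiceDll, and removable-drive autorun handlers under MountPoints2) and emits the script sections in the layout response #13 uses. The regexes and the `min_jobs` threshold are my assumptions about the log format, not anything ComboFix documents.

```python
"""Triage helper for ComboFix logs: an added example, not code from the thread or from
ComboFix.  It flags the persistence pattern the logs above show (a batch of AtN.job tasks
launching one unrecognised executable, a svchost service with a non-standard ServiceDll,
removable-drive autorun handlers) and emits the matching CFScript lines."""
import re

# Constructed excerpt in ComboFix's log format, modelled on the thread's logs.
SAMPLE_LOG = r"""
S2 icykduu;Server Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2004-08-07 14336]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e06cb54-693a-11dd-80b7-0014a5ce61b9}]
\Shell\AutoRun\command - g:\system\Security\DriveGuard.exe -run
.
Contents of the 'Scheduled Tasks' folder

2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 14:21]
2009-03-01 c:\windows\Tasks\At18.job
- c:\windows\system32\LH2m356P.exe []
2009-03-01 c:\windows\Tasks\At19.job
- c:\windows\system32\LH2m356P.exe []
2009-03-02 c:\windows\Tasks\At2.job
- c:\windows\system32\LH2m356P.exe []
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\icykduu]
"ServiceDll"="c:\windows\system32\dozprg.dll"
"""

# Regexes are assumptions about ComboFix's line layout, derived from the logs in this thread.
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (c:\\windows\\tasks\\[^\\]+\.job)$", re.I)
TARGET_RE = re.compile(r"^- (.+?) \[(.*)\]$")
NETSVC_RE = re.compile(r"^[RS]\d (\w+);.*svchost\.exe -k netsvcs", re.I)
SVCKEY_RE = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(\w+))\]$", re.I)
DLL_RE = re.compile(r'^"ServiceDll"="(.+)"$')
MOUNT_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\\w+\\command - (.+)$", re.I)

def scheduled_tasks(log):
    """(job_path, target, info) for each entry of the 'Scheduled Tasks' section."""
    lines, out = log.splitlines(), []
    for i, line in enumerate(lines[:-1]):
        job, target = JOB_RE.match(line), TARGET_RE.match(lines[i + 1])
        if job and target:
            out.append((job.group(1), target.group(1), target.group(2)))
    return out

def at_job_clusters(tasks, min_jobs=3):
    """AtN.job tasks (the at.exe naming scheme) that all launch one target ComboFix
    could not describe (empty [] = no date/size info): {target: [job paths]}."""
    by_target = {}
    for job, target, info in tasks:
        if re.search(r"\\At\d+\.job$", job, re.I) and info == "":
            by_target.setdefault(target, []).append(job)
    return {t: jobs for t, jobs in by_target.items() if len(jobs) >= min_jobs}

def suspicious_netsvcs(log):
    """svchost netsvcs services whose ServiceDll ComboFix singled out: {name: (key, dll)}."""
    lines = log.splitlines()
    names = {m.group(1).lower() for m in map(NETSVC_RE.match, lines) if m}
    found = {}
    for i, line in enumerate(lines[:-1]):
        key, dll = SVCKEY_RE.match(line), DLL_RE.match(lines[i + 1])
        if key and dll and key.group(2).lower() in names:
            found[key.group(2)] = (key.group(1), dll.group(1))
    return found

def autorun_mountpoints(log):
    """MountPoints2 keys carrying Shell\\*\\command handlers (drive autorun): {key: [cmd]}."""
    found, current = {}, None
    for line in log.splitlines():
        m = MOUNT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        cmd = CMD_RE.match(line)
        if cmd and current:
            found.setdefault(current, []).append(cmd.group(1))
        else:
            current = None          # any other line ends the key's block
    return found

def build_cfscript(log):
    """Compose KILLALL::/File::/Driver::/Registry:: sections in the helper's layout."""
    clusters = at_job_clusters(scheduled_tasks(log))
    services = suspicious_netsvcs(log)
    mounts = autorun_mountpoints(log)
    files = [j for jobs in clusters.values() for j in jobs] + list(clusters)
    files += [dll for _, dll in services.values()]
    reg = []
    for key, _ in services.values():
        reg += ["[%s]" % key, '"ServiceDll"=-', "[-%s]" % key]  # clear the value, drop the key
    reg += ["[-%s]" % key for key in mounts]
    parts = ["KILLALL::", "File::"] + files
    if services:
        parts += ["", "Driver::"] + list(services)
    if reg:
        parts += ["", "Registry::"] + reg
    return "\n".join(parts) + "\n"

if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```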

#16
March 4, 2009 at 07:28:37
jabuck,

I've already dragged the note onto ComboFix, then an update appeared; I clicked yes for the new update, then the update stopped at 6.8%. I waited more than 1 hour. Now, how do I proceed?



#17
March 4, 2009 at 13:59:46
Go to Start > Run, type in combofix /u (note the space after combofix), then press Enter > Run. This will uninstall ComboFix, so give the uninstaller a minute to run.

Now download the new version of ComboFix, run the script in response #15, and post the results please.

