System restore after a virus, am I still infected?

blue4paper
Alright, I don't really feel like explaining the whole story of how I got the virus, so I'll summarize it. I downloaded a faulty licensing thing for music and, well, yeah.

http://www.techist.com/forums/f51/khfgxwqr-dll-179118/

That'll give some more information.

So the two weird files that had no results on Google were:

khfGxWqR.dll

lphclflj0e1cl.exe

They were in my system32 folder, and WinPatrol kept popping up asking if I should add them to the startup. I hit NO... one second later it asked again. So I took them out of my system32 folder and am just sorta "quarantining" them on my desktop till I find out if they're supposed to be in there.

Anyways, here's a picture of the awesome virus attacking my innocent computer:



Here are the steps I took to get rid of it (or so I hope).

As soon as my background started to change (it changed twice actually; the first was a blue screen saying I have spyware, then the red one came in), I disconnected my internet.

Two icons that say "online p0rn" and "vista antivirus" appeared along with the background change. I put those in the recycling bin and Gutmann-deleted them with CCleaner, along with the temporary folder and the works.

After that my computer went into a blue screen saying my computer had errors, and it kept restarting... so I hit the restart BUTTON, hehe, then it got me to the main page. The background was still red and I was MISSING 3 tabs in my Display Properties, including the one to change my background.

All this being said, I used System Restore and it brought me back to my regular state. Not sure if I'm still clean, so here's my HijackThis log (quite short actually):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:55 PM, on 7/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Desktop Sidebar\dsidebar.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\Yuki Nagahama\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [OpenDNS Update] "C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe"
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1208226889953
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6658 bytes
 
Re: System restore after a virus, am I still infected?

Hello,

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Logs needed in next post:

Deckard's System Scanner

The reason I am asking for this: nothing came up in the HijackThis log. I need this to dig a bit deeper and find out if you are still infected.

Cheers,
Mak
 
Re: System restore after a virus, am I still infected?

Here are the DSS scans. I looked over them myself and found the suspicious files from before the system restore:

"2008-07-05 18:17:18 28288 --a------ C:\WINDOWS\system32\vtUoppmN.dll
2008-07-05 18:16:59 60928 --a------ C:\WINDOWS\system32\blphclflj0e1cl.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-05 18:16:33 0 d-------- C:\WINDOWS\privacy_danger
2008-07-05 18:16:07 155648 --a------ C:\WINDOWS\nqgpedlr.dll
2008-07-05 18:16:07 86016 --a------ C:\WINDOWS\mrvtdpqe.exe
2008-07-05 18:16:07 94208 --a------ C:\WINDOWS\efbd.exe
2008-07-05 18:16:07 180224 --a------ C:\WINDOWS\axrfgvek.dll
2008-07-05 18:15:48 0 d-------- C:\Program Files\VAV

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"

I'm guessing those are the ones I have to delete? (I haven't yet, though.)

With regard to the Macrovision one, that's the licensing program that Windows Media Player led me to in order to play my WMV format music. Is this just rogue software?

Main:

Deckard's System Scanner v20071014.68
Run by Yuki Nagahama on 2008-07-06 20:59:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
40: 2008-07-07 03:46:04 UTC - RP229 - Deckard's System Scanner Restore Point
39: 2008-07-06 01:36:57 UTC - RP228 - Restore Operation
38: 2008-07-05 22:45:51 UTC - RP227 - Removed Opera 9.51
37: 2008-07-05 22:45:39 UTC - RP226 - Revo Uninstaller's restore point - Opera 9.51
36: 2008-07-05 21:35:32 UTC - RP225 - Installed Opera 9.51


-- First Restore Point --
1: 2008-06-21 18:50:15 UTC - RP190 - Installed Opera 9.50


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Yuki Nagahama.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:00 PM, on 7/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Yuki Nagahama\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Yuki Nagahama.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [OpenDNS Update] "C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe"
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1208226889953
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6155 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 UsbSync - c:\windows\system32\drivers\usbsync.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R1 Ext2fs - c:\windows\system32\drivers\ext2fs.sys
R1 IfsDrives - c:\windows\system32\drivers\ifsdrives.sys
R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys
R3 UsbButton - c:\windows\system32\drivers\usbbutton.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
S3 EpsonBidirectionalService - c:\program files\common files\epson\ebapi\eebsvc.exe
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>
S4 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
S4 StarWindServiceAE (StarWind AE Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>
S4 Tenable Nessus - "c:\program files\tenable\nessus\nessusd.exe" <Not Verified; Tenable Network Security; Nessus Security Scanner>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-06-06 and 2008-07-06 -----------------------------

2008-07-05 18:28:40 0 dr-h----- C:\Documents and Settings\Yuki Nagahama\Recent
2008-07-05 18:17:18 28288 --a------ C:\WINDOWS\system32\vtUoppmN.dll
2008-07-05 18:16:59 60928 --a------ C:\WINDOWS\system32\blphclflj0e1cl.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-05 18:16:33 0 d-------- C:\WINDOWS\privacy_danger
2008-07-05 18:16:07 155648 --a------ C:\WINDOWS\nqgpedlr.dll
2008-07-05 18:16:07 86016 --a------ C:\WINDOWS\mrvtdpqe.exe
2008-07-05 18:16:07 94208 --a------ C:\WINDOWS\efbd.exe
2008-07-05 18:16:07 180224 --a------ C:\WINDOWS\axrfgvek.dll
2008-07-05 18:15:48 0 d-------- C:\Program Files\VAV
2008-07-05 18:15:47 30720 --a------ C:\WINDOWS\Sys1D3.exe
2008-07-05 18:15:47 30208 --a------ C:\WINDOWS\Sys1D2.exe
2008-07-05 18:15:46 32256 --a------ C:\WINDOWS\Sys1D1.exe
2008-07-05 18:15:32 0 d-------- C:\Program Files\PCHealthCenter
2008-07-05 17:55:10 0 d-------- C:\Program Files\PacBomber
2008-07-05 15:45:45 9437184 --a------ C:\Documents and Settings\Yuki Nagahama\ntuser.dat
2008-06-30 00:49:26 162793 --a------ C:\WINDOWS\Audio Converter Pro Uninstaller.exe
2008-06-30 00:34:22 0 d-------- C:\Temp
2008-06-30 00:33:11 0 d-------- C:\Program Files\Xilisoft
2008-06-29 15:31:51 0 d-------- C:\Program Files\Common Files\xing shared
2008-06-29 15:31:18 0 d-------- C:\Program Files\Real
2008-06-29 15:31:11 0 d-------- C:\Program Files\Common Files\Real
2008-06-29 15:31:10 0 d-------- C:\Documents and Settings\Yuki Nagahama\Application Data\Real
2008-06-25 13:25:31 0 d-------- C:\Program Files\Steam
2008-06-22 15:38:59 65352 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-18 18:12:21 0 d-------- C:\Documents and Settings\Yuki Nagahama\Application Data\Ventrilo
2008-06-18 18:12:08 0 d-------- C:\Program Files\Ventrilo
2008-06-14 14:46:07 0 d-------- C:\Program Files\Microsoft Games
2008-06-14 11:28:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-06-14 11:27:59 0 d-------- C:\Program Files\Diskeeper Corporation
2008-06-07 15:19:15 0 d-------- C:\Program Files\OpenDNS Updater


-- Find3M Report ---------------------------------------------------------------

2008-07-06 21:02:55 0 d-------- C:\Documents and Settings\Yuki Nagahama\Application Data\Desktop Sidebar
2008-07-06 21:02:49 0 d-------- C:\Documents and Settings\Yuki Nagahama\Application Data\uTorrent
2008-07-05 18:28:57 0 d-------- C:\Program Files\ATnotes
2008-07-05 15:48:05 0 d-------- C:\Documents and Settings\Yuki Nagahama\Application Data\Opera
2008-06-30 00:49:25 0 d-------- C:\Program Files\River Past
2008-06-30 00:49:25 0 d-------- C:\Program Files\Common Files\River Past
2008-06-30 00:49:25 0 d-------- C:\Documents and Settings\Yuki Nagahama\Application Data\River Past G5
2008-06-29 15:31:51 0 d-------- C:\Program Files\Common Files
2008-06-22 18:26:12 0 d-------- C:\Program Files\XoftSpySE
2008-06-21 15:41:19 0 d-------- C:\Program Files\SpywareBlaster
2008-06-18 18:11:49 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 12:05:00 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-06-09 20:47:53 4 --a------ C:\Program Files\Collateralsettings.set
2008-06-05 20:55:32 0 d-------- C:\Program Files\mIRC
2008-06-04 18:49:02 0 d-------- C:\Documents and Settings\Yuki Nagahama\Application Data\mIRC
2008-06-04 18:03:18 0 d-------- C:\Program Files\Look@LAN
2008-05-31 23:55:54 0 d-------- C:\Program Files\TubeSucker
2008-05-29 17:37:36 0 d-------- C:\Documents and Settings\Yuki Nagahama\Application Data\Adobe
2008-05-29 17:37:35 0 d-------- C:\Documents and Settings\Yuki Nagahama\Application Data\Macromedia
2008-05-25 22:06:46 237 --a------ C:\WINDOWS\system32\security3.dll
2008-05-25 22:06:46 237 --a------ C:\WINDOWS\security2.dll
2008-05-25 14:39:13 215 --a------ C:\WINDOWS\system32\security4.dll
2008-05-25 14:39:13 287 --a------ C:\WINDOWS\security.dll
2008-05-25 14:39:03 0 d-------- C:\Program Files\Poly Calcul Pro
2008-05-24 19:02:05 0 d-------- C:\Documents and Settings\Yuki Nagahama\Application Data\Help
2008-05-24 16:46:18 0 d-------- C:\Program Files\WarRock
2008-05-22 21:00:39 0 d-------- C:\Documents and Settings\Yuki Nagahama\Application Data\dvdcss
2008-05-20 19:03:53 0 d-------- C:\Program Files\DVDFab HD Decrypter 3
2008-05-20 17:20:53 0 d-------- C:\Program Files\DVD Decrypter
2008-05-18 18:07:30 0 d-------- C:\Documents and Settings\Yuki Nagahama\Application Data\Vidalia
2008-05-18 18:07:30 0 d-------- C:\Documents and Settings\Yuki Nagahama\Application Data\tor
2008-05-18 17:42:04 0 d-------- C:\Program Files\Vidalia Bundle
2008-05-16 17:59:52 0 d-------- C:\Program Files\Collateral
2008-05-14 22:17:07 0 d-------- C:\Documents and Settings\Yuki Nagahama\Application Data\OpenOffice.org2
2008-05-12 21:34:45 0 d-------- C:\Program Files\Microsoft Encarta
2008-05-11 12:44:32 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-10 17:02:08 0 d-------- C:\Program Files\Cain
2008-05-10 11:34:04 0 d-------- C:\Program Files\Zune
2008-05-10 00:52:42 0 d-------- C:\Program Files\NCH Swift Sound
2008-05-10 00:50:34 0 d-------- C:\Documents and Settings\Yuki Nagahama\Application Data\NCH Swift Sound
2008-05-10 00:48:01 0 d-------- C:\Program Files\GIMP-2.0
2008-05-09 20:02:05 0 d-------- C:\Program Files\Messenger
2008-05-09 19:57:37 0 d-------- C:\Program Files\Movie Maker
2008-05-09 19:56:19 0 d-------- C:\Program Files\Windows NT
2008-05-08 19:45:46 0 d-------- C:\Documents and Settings\Yuki Nagahama\Application Data\Google
2008-05-08 19:45:18 0 d-------- C:\Program Files\Google
2008-04-22 22:08:01 1 --a------ C:\WINDOWS\system32\FlashPaper2PrinterPort
2008-04-15 19:40:12 720896 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-04-14 21:13:30 164319 --a------ C:\WINDOWS\Crazi Video for Zune Uninstaller.exe
2008-04-14 18:49:33 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-13 23:22:41 0 -rahs---- C:\MSDOS.SYS
2008-04-13 23:22:41 0 -rahs---- C:\IO.SYS
2008-04-13 23:22:41 0 --a------ C:\CONFIG.SYS
2008-04-13 23:22:41 0 --a------ C:\AUTOEXEC.BAT
2008-04-13 23:20:03 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-13 16:12:23 62 --ahs---- C:\Documents and Settings\Yuki Nagahama\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [08/02/2007 09:59 AM]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [03/17/2004 03:10 PM C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 04:19 PM]
"Cmaudio"="cmicnfg.cpl" []
"OpenDNS Update"="C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe" [07/05/2008 10:19 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/29/2008 03:31 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SIDEBAR"="C:\Program Files\Desktop Sidebar\dsidebar.exe" [07/09/2006 09:58 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 12/20/2005 11:57 PM 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"SENS"=2 (0x2)
"ZuneBusEnum"=2 (0x2)
"SharedAccess"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Nero BackItUp Scheduler 3"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"RichVideo"=3 (0x3)
"rpcapd"=3 (0x3)
"NVSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-07-06 21:04:53 ------------



This post is too long so I gotta post it in 2 separate posts :O
 
Re: System restore after a virus, am I still infected?

Alright, since my last post was too big, here's the extra. Also, since using DSS my computer has been acting up. I've had to force restart it 3 times, my computer froze like 4 times, and I had trouble using my thumb drive. So in other words it was just freezing.


So the extra was too long for 1 single post; I made an attachment. Sorry I'm making this in 2 posts, I guess it would've been much easier to just make 2 attachment posts. BAH

Edit: OK, so my attachment exceeds the attachment limit also... Here it is on RapidShare then.


Sorry about all this hassle for 1 small file lol
 
Re: System restore after a virus, am I still infected?

Hello,

1. Please open Notepad
  • Click Start, then Run
  • Type "notepad.exe" in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::
C:\WINDOWS\system32\vtUoppmN.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\nqgpedlr.dll
C:\WINDOWS\mrvtdpqe.exe
C:\WINDOWS\efbd.exe
C:\WINDOWS\axrfgvek.dll
C:\WINDOWS\system32\mlfcache.dat
3. Then in the text file go to FILE => SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.



6. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply.

Logs needed in your next post:

ComboFix

A side note: PacBomber is a free game and is associated with many different malware sites. I would advise removing it. If you did not install it, let me know so I can write you a script to remove it with ComboFix.

Cheers,
Mak
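As an added example (not a tool from this thread, and not ComboFix's or DSS's own code), the following Python script mechanises the triage Mak did by eye above: it parses the "Files created" section of a DSS main.txt, keeps executables and new folders dropped into the Windows tree, flags those created in a tight burst (a dropper writes its payload within seconds of itself), and prints a ComboFix File:: block in the same form as the CFScript above. The sample lines are copied from the log posted earlier in this thread; the line format, the 120-second window, the three-file minimum and the extension list are assumptions of this example, not DSS documentation.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: DSS "Files created between ..." lines copied from the
# main.txt posted earlier in this thread, with two benign entries kept in so the
# output shows what is NOT flagged.
SAMPLE_DSS = r"""
2008-07-05 18:28:40 0 dr-h----- C:\Documents and Settings\Yuki Nagahama\Recent
2008-07-05 18:17:18 28288 --a------ C:\WINDOWS\system32\vtUoppmN.dll
2008-07-05 18:16:59 60928 --a------ C:\WINDOWS\system32\blphclflj0e1cl.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-05 18:16:33 0 d-------- C:\WINDOWS\privacy_danger
2008-07-05 18:16:07 155648 --a------ C:\WINDOWS\nqgpedlr.dll
2008-07-05 18:16:07 86016 --a------ C:\WINDOWS\mrvtdpqe.exe
2008-07-05 18:16:07 94208 --a------ C:\WINDOWS\efbd.exe
2008-07-05 18:16:07 180224 --a------ C:\WINDOWS\axrfgvek.dll
2008-07-05 18:15:48 0 d-------- C:\Program Files\VAV
2008-07-05 18:15:47 30720 --a------ C:\WINDOWS\Sys1D3.exe
2008-06-30 00:49:26 162793 --a------ C:\WINDOWS\Audio Converter Pro Uninstaller.exe
2008-06-07 15:19:15 0 d-------- C:\Program Files\OpenDNS Updater
"""

# One DSS line: timestamp, size, nine-character attribute field, path, and an
# optional "<...>" version-info suffix. The layout is assumed from the lines
# shown in the thread, not taken from a DSS specification.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) "
    r"(?P<attrs>[-a-z]{9}) "
    r"(?P<path>.+?)"
    r"(?: <(?P<verinfo>[^>]*)>)?$"
)

# Assumed list of extensions worth a look when they appear under C:\WINDOWS.
EXEC_EXT = (".exe", ".dll", ".scr", ".sys", ".cpl", ".ocx")
WINDOWS_ROOT = "c:\\windows\\"


def parse_dss(text):
    """Parse DSS 'Files created' lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "when": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "size": int(m["size"]),
            "is_dir": m["attrs"][0] == "d",
            "path": m["path"],
            # Untrusted: this is the file's own version resource, which malware fills in freely.
            "verinfo": m["verinfo"],
        })
    return entries


def is_candidate(entry):
    """True for an executable or a new directory created inside the Windows tree."""
    p = entry["path"].lower()
    if not p.startswith(WINDOWS_ROOT):
        return False
    if entry["is_dir"]:
        return True
    return p.endswith(EXEC_EXT)


def find_drop_burst(entries, window=timedelta(seconds=120), min_files=3):
    """Return candidates that have at least min_files candidates (themselves included)
    created within +/- window. A dropper unpacking its payload leaves this cluster;
    a lone installer-created file does not."""
    cands = sorted((e for e in entries if is_candidate(e)), key=lambda e: e["when"])
    flagged = []
    for e in cands:
        near = [o for o in cands if abs(o["when"] - e["when"]) <= window]
        if len(near) >= min_files:
            flagged.append(e)
    return flagged


def make_cfscript(flagged):
    """Render the ComboFix File:: block in the form used in this thread, newest first."""
    lines = ["File::"]
    for e in sorted(flagged, key=lambda e: e["when"], reverse=True):
        lines.append(e["path"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_drop_burst(parse_dss(SAMPLE_DSS))
    for e in hits:
        note = f"  (claims: {e['verinfo']})" if e["verinfo"] else ""
        print(f"{e['when']} {e['path']}{note}")
    print()
    print(make_cfscript(hits))
```

The burst heuristic is deliberately loose: on this sample it also sweeps in C:\WINDOWS\Sys1D3.exe, which Mak's script above did not list, so the printed block is a draft for an analyst to review line by line, not something to feed to ComboFix unread. Note too that the `<Not Verified; Sysinternals; ...>` text DSS shows is the file's own version resource, which the .scr in this burst used to pose as the Sysinternals Blue Screen screensaver; the script prints it as a claim, not as evidence of legitimacy.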
 
Re: System restore after a virus, am I still infected?

Before I post the ComboFix log, just wondering, because there are 2 files I have on my desktop that were originally in my system32 folder. I forgot to put them back in the system32 folder when I was running the ComboFix process; should I delete them?

Log:

ComboFix 08-07-05.1 - Yuki Nagahama 2008-07-07 12:01:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1067 [GMT -7:00]
Running from: C:\Documents and Settings\Yuki Nagahama\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Yuki Nagahama\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\axrfgvek.dll
C:\WINDOWS\efbd.exe
C:\WINDOWS\mrvtdpqe.exe
C:\WINDOWS\nqgpedlr.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\system32\mlfcache.dat
C:\WINDOWS\system32\vtUoppmN.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Yuki Nagahama\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\Program Files\VAV
C:\Program Files\VAV\vav.exe
C:\Program Files\VAV\vav0.dat
C:\Program Files\VAV\vav1.dat
C:\WINDOWS\axrfgvek.dll
C:\WINDOWS\efbd.exe
C:\WINDOWS\mrvtdpqe.exe
C:\WINDOWS\nqgpedlr.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\images\Thumbs.db
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\security.dll
C:\WINDOWS\security2.dll
C:\WINDOWS\system32\blphclflj0e1cl.scr
C:\WINDOWS\system32\kmd.exe
C:\WINDOWS\system32\mlfcache.dat
C:\WINDOWS\system32\phclflj0e1cl.bmp
C:\WINDOWS\system32\security3.dll
C:\WINDOWS\system32\security4.dll
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\verifpcp.exe
C:\WINDOWS\system32\vtUoppmN.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))))))))
.

2008-07-07 11:54 . 2008-07-07 11:54 <DIR> d-------- C:\ComboFixx
2008-07-06 20:45 . 2008-07-06 20:45 <DIR> d-------- C:\Deckard
2008-07-05 18:15 . 2008-07-03 20:14 32,256 --a------ C:\WINDOWS\Sys1D1.exe
2008-07-05 18:15 . 2008-07-03 20:14 30,720 --a------ C:\WINDOWS\Sys1D3.exe
2008-07-05 18:15 . 2008-07-03 20:14 30,208 --a------ C:\WINDOWS\Sys1D2.exe
2008-06-30 00:49 . 2008-06-30 00:49 162,793 --a------ C:\WINDOWS\Audio Converter Pro Uninstaller.exe
2008-06-30 00:34 . 2008-06-30 00:34 <DIR> d-------- C:\Temp
2008-06-30 00:33 . 2008-06-30 00:33 <DIR> d-------- C:\Program Files\Xilisoft
2008-06-29 15:31 . 2008-06-29 15:31 <DIR> d-------- C:\Program Files\Real
2008-06-29 15:31 . 2008-06-29 15:31 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-06-29 15:31 . 2008-06-29 15:31 <DIR> d-------- C:\Program Files\Common Files\Real
2008-06-25 13:25 . 2008-07-05 19:23 <DIR> d-------- C:\Program Files\Steam
2008-06-18 18:12 . 2008-06-18 18:12 <DIR> d-------- C:\Program Files\Ventrilo
2008-06-18 18:12 . 2008-06-18 18:19 <DIR> d-------- C:\Documents and Settings\Yuki Nagahama\Application Data\Ventrilo
2008-06-14 14:46 . 2008-06-14 14:46 <DIR> d-------- C:\Program Files\Microsoft Games
2008-06-14 11:28 . 2008-06-14 11:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-06-14 11:27 . 2008-06-14 11:27 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2008-06-10 16:59 . 2008-06-10 17:05 51,404,434 --a------ C:\Partition Magic 8 Pro By Jack Docherty.zip
2008-06-10 16:55 . 2008-05-08 07:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-10 16:43 . 2008-06-13 04:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-07 15:19 . 2008-07-05 10:19 <DIR> d-------- C:\Program Files\OpenDNS Updater

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-07 04:51 --------- d-----w C:\Documents and Settings\Yuki Nagahama\Application Data\Desktop Sidebar
2008-07-07 04:02 --------- d-----w C:\Documents and Settings\Yuki Nagahama\Application Data\uTorrent
2008-07-06 01:28 --------- d-----w C:\Program Files\ATnotes
2008-07-03 00:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-30 07:49 --------- d-----w C:\Program Files\River Past
2008-06-30 07:49 --------- d-----w C:\Program Files\Common Files\River Past
2008-06-30 07:49 --------- d-----w C:\Documents and Settings\Yuki Nagahama\Application Data\River Past G5
2008-06-30 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\River Past G5
2008-06-23 01:26 --------- d-----w C:\Program Files\XoftSpySE
2008-06-21 22:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-21 22:41 --------- d-----w C:\Program Files\SpywareBlaster
2008-06-19 01:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-18 02:28 710,064 ----a-w C:\WINDOWS\system32\ijjiSetup.exe
2008-06-17 19:05 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 5
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 22:08 58,800 ----a-w C:\WINDOWS\system32\ijjiPlugin2.dll
2008-06-10 03:47 4 ----a-w C:\Program Files\Collateralsettings.set
2008-06-06 03:55 --------- d-----w C:\Program Files\mIRC
2008-06-05 01:49 --------- d-----w C:\Documents and Settings\Yuki Nagahama\Application Data\mIRC
2008-06-05 01:03 --------- d-----w C:\Program Files\Look@LAN
2008-06-01 06:55 --------- d-----w C:\Program Files\TubeSucker
2008-05-25 21:39 --------- d-----w C:\Program Files\Poly Calcul Pro
2008-05-24 23:51 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-24 23:50 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-05-24 23:47 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-05-24 23:46 --------- d-----w C:\Program Files\WarRock
2008-05-23 04:00 --------- d-----w C:\Documents and Settings\Yuki Nagahama\Application Data\dvdcss
2008-05-21 02:03 --------- d-----w C:\Program Files\DVDFab HD Decrypter 3
2008-05-21 00:20 --------- d-----w C:\Program Files\DVD Decrypter
2008-05-19 01:07 --------- d-----w C:\Documents and Settings\Yuki Nagahama\Application Data\Vidalia
2008-05-19 01:07 --------- d-----w C:\Documents and Settings\Yuki Nagahama\Application Data\tor
2008-05-19 00:42 --------- d-----w C:\Program Files\Vidalia Bundle
2008-05-17 00:59 --------- d-----w C:\Program Files\Collateral
2008-05-15 05:17 --------- d-----w C:\Documents and Settings\Yuki Nagahama\Application Data\OpenOffice.org2
2008-05-14 00:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-13 04:34 --------- d-----w C:\Program Files\Microsoft Encarta
2008-05-11 19:44 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-11 00:02 --------- d-----w C:\Program Files\Cain
2008-05-10 18:34 --------- d-----w C:\Program Files\Zune
2008-05-10 18:16 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-05-10 18:16 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-05-10 07:52 --------- d-----w C:\Program Files\NCH Swift Sound
2008-05-10 07:50 --------- d-----w C:\Documents and Settings\Yuki Nagahama\Application Data\NCH Swift Sound
2008-05-10 07:48 --------- d-----w C:\Program Files\GIMP-2.0
2008-05-09 02:45 --------- d-----w C:\Program Files\Google
2008-05-09 02:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-30 02:56 61,856 ----a-w C:\WINDOWS\system32\ZuneBusEnum.exe
2008-04-30 02:56 245,664 ----a-w C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2008-04-30 02:39 70,144 ----a-w C:\WINDOWS\system32\ZuneIpTransport.dll
2008-04-30 02:39 62,464 ----a-w C:\WINDOWS\system32\ZuneUsbTransport.dll
2008-04-30 02:39 35,328 ----a-w C:\WINDOWS\system32\ZuneUsbCOnnection.dll
2008-04-30 02:39 145,408 ----a-w C:\WINDOWS\system32\ZuneMTPZ.dll
2008-04-26 17:24 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-18 02:11 1,112,288 ----a-w C:\WINDOWS\system32\WdfCoInstaller01007.dll
2008-04-16 02:40 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-04-15 04:13 164,319 ----a-w C:\WINDOWS\Crazi Video for Zune Uninstaller.exe
2008-04-14 12:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 12:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 12:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:35 24,064 ----a-w C:\WINDOWS\system32\pidgen.dll
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ------w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ------w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SIDEBAR"="C:\Program Files\Desktop Sidebar\dsidebar.exe" [2006-07-09 21:58 1777664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-08-02 09:59 292152]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 16:19 79224]
"OpenDNS Update"="C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe" [2008-07-05 10:19 204288]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-29 15:31 185896]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 15:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-20 23:57 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"SENS"=2 (0x2)
"ZuneBusEnum"=2 (0x2)
"SharedAccess"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Nero BackItUp Scheduler 3"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"RichVideo"=3 (0x3)
"rpcapd"=3 (0x3)
"NVSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\ijji\\ENGLISH\\u_gunz.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 UsbSync;UsbSync;C:\WINDOWS\system32\drivers\UsbSync.sys [2005-06-29 14:19]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 16:20]
R1 Ext2fs;Ext2fs;C:\WINDOWS\system32\DRIVERS\ext2fs.sys [2006-10-23 18:20]
R1 IfsDrives;IfsDrives;C:\WINDOWS\system32\DRIVERS\IfsDrives.sys [2004-09-25 00:28]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-02 20:42]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 16:16]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2008-04-13 17:12]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 19:39]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 19:56]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2005-05-12 14:39]
R3 DCamUSB20GAB;AVerTV USB 2.0;C:\WINDOWS\system32\Drivers\AVTVCsMini20.sys [2004-09-06 14:32]
R3 GAB20Scan;USB 2.0 Still Image;C:\WINDOWS\system32\Drivers\GABscan.sys [2003-08-12 15:22]
R3 UsbButton;UsbButton;C:\WINDOWS\system32\drivers\UsbButton.sys [2005-07-15 14:29]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 13:22]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 19:56]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-11-07 08:58]
S4 Tenable Nessus;Tenable Nessus;C:\Program Files\Tenable\Nessus\nessusd.exe [2007-07-27 16:01]

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 12:05:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-07-07 12:09:00
ComboFix-quarantined-files.txt 2008-07-07 19:08:54

Pre-Run: 49,248,485,376 bytes free
Post-Run: 49,239,855,104 bytes free

268 --- E O F --- 2008-06-20 20:23:54
 
Re: System restore after a virus, am i still infected? [P]

Hello Blue,

There are a couple more entries that need to be removed. So 1 more ComboFix script for you to run.

1. Please open Notepad
  • Click Start, then Run
  • Type "notepad.exe" in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::
C:\WINDOWS\system32\ijjiSetup.exe
C:\WINDOWS\system32\ijjiPlugin2.dll
C:\WINDOWS\iun6002.exe
3. Then in the text file go to FILE => SAVE AS and in the SAVE AS TYPE dropdown box select ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif


6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply

Logs needed in next post:

ComboFix

Cheers,
Mak
 
Re: System restore after a virus, am i still infected? [P]

Hello,

I do not see anything on there. It looks good to me. But if you do not wish to take my words for it you can head over to the people at GeeksToGo.

Cheers,
Mak
 
Re: System restore after a virus, am i still infected? [P]

Alright, thanks for the time and help, Mak213
 