Need Help Please

Discussion in 'Windows - Virus and spyware problems' started by manhlam, Nov 22, 2008.

  1. manhlam

    manhlam Member

    Joined:
    Nov 22, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    11
    here is my logfile

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:29:36 AM, on 11/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
    C:\Program Files\Portrait Displays\Pivot Software\floater.exe
    C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Internet Download Manager\IDMan.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Download Manager\IEMonitor.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,;*.local
    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: (no name) - {75db84e2-74d2-407d-83e9-7bd3ce70fc33} - C:\WINDOWS\system32\kimapuge.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
    O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [eSnips] "C:\Program Files\eSnips\ClientGW.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
    O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [CPM084d3333] Rundll32.exe "c:\windows\system32\pusupuro.dll",a
    O4 - HKLM\..\Run: [tuvorulivi] Rundll32.exe "C:\WINDOWS\system32\zetoyago.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
    O4 - HKCU\..\Run: [Vista Sidebar] C:\Program Files\Vista Sidebar\sidebar.exe
    O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
    O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
    O4 - HKCU\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
    O4 - HKCU\..\Run: [WinFlip] C:\Program Files\WinFlip\WinFlip.exe
    O4 - HKCU\..\Run: [DLD.EXE] C:\Program Files\Download Direct\DLD.exe
    O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [tuvorulivi] Rundll32.exe "C:\WINDOWS\system32\zetoyago.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [tuvorulivi] Rundll32.exe "C:\WINDOWS\system32\zetoyago.dll",s (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\savohofu.dll c:\windows\system32\pusupuro.dll c:\windows\system32\gitadumi.dll
    O20 - Winlogon Notify: svchost - svchost.dll (file missing)
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pusupuro.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pusupuro.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
    O23 - Service: XTrap Nag Service (HackerDefender) - Unknown owner - C:\Documents and Settings\Lam.WHITE\Desktop\ygb3520625Fixed\bypass\XTrapNag.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Server Monitor (servmon) - Unknown owner - C:\WINDOWS\regmon.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 14422 bytes

    I'm a novice, I don't know how to find which one is adware or spyware.
    My problem is that every time I use Internet Explorer or Firefox, it automatically opens a new tab which leads to a website about antivirus protection (which I know is fake). Ex: I received the virus from a website named Gallimp.com.
    I don't know how to remove it, so can you guys help me?
    Thank you for reading
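
Since the opening question is how to tell which of these log entries is malicious, here is an added triage script (written for this page, not code from the thread, from HijackThis or from Malwarebytes) that parses HijackThis-format lines and flags the load points that the helper's later Malwarebytes scan confirmed as Trojan.BHO/Trojan.Vundo: AppInit_DLLs, SSODL, SharedTaskScheduler, a nameless BHO, and Run keys that start random-named system32 DLLs through rundll32. The sample lines are copied from the log above, and the "eight lowercase letters" naming rule is a heuristic assumed from this log, not a general rule.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the HijackThis log posted
# above, plus benign ones (Adobe BHO, NVIDIA entries), so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {75db84e2-74d2-407d-83e9-7bd3ce70fc33} - C:\WINDOWS\system32\kimapuge.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CPM084d3333] Rundll32.exe "c:\windows\system32\pusupuro.dll",a
O4 - HKLM\..\Run: [tuvorulivi] Rundll32.exe "C:\WINDOWS\system32\zetoyago.dll",s
O20 - AppInit_DLLs: C:\WINDOWS\system32\savohofu.dll c:\windows\system32\pusupuro.dll c:\windows\system32\gitadumi.dll
O20 - Winlogon Notify: svchost - svchost.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pusupuro.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pusupuro.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every HijackThis entry starts with a section code such as R1, O4, O20.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.*)$")
# Any *.dll under system32 mentioned on the line, quoted or not.
DLL_RE = re.compile(r"(?i)[a-z]:\\windows\\system32\\([a-z0-9_]+\.dll)")
# Eight lowercase letters and no digits: the pseudo-random naming of the DLLs in
# this particular log (pusupuro, zetoyago, kimapuge). Heuristic only, not proof.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")


def parse(log_text):
    """Yield (section, body) for every HijackThis entry line, skipping the rest."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def entry_reasons(sec, body):
    """Per-line heuristics; returns a list of short, human-readable reasons."""
    reasons = []
    dlls = [d.lower() for d in DLL_RE.findall(body)]
    random_dlls = [d for d in dlls if RANDOM_NAME_RE.match(d)]
    if sec == "O20" and body.startswith("AppInit_DLLs:") and dlls:
        reasons.append("AppInit_DLLs populated: these DLLs load into every process that uses user32")
    if sec == "O20" and "Winlogon Notify" in body and "(file missing)" in body:
        reasons.append("Winlogon Notify package whose DLL is missing: stale entry or hidden loader")
    if sec == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a name")
    if sec in ("O21", "O22") and random_dlls:
        reasons.append("shell load point (SSODL/SharedTaskScheduler) pointing at random-named DLL")
    if sec == "O4" and re.search(r"(?i)rundll32", body) and random_dlls:
        reasons.append("Run key starts random-named system32 DLL through rundll32")
    return reasons


def triage(log_text):
    """Return (flagged, persistence): flagged maps an entry line to its reasons,
    persistence maps each system32 DLL name to the set of sections loading it."""
    flagged = {}
    persistence = defaultdict(set)
    for sec, body in parse(log_text):
        reasons = entry_reasons(sec, body)
        if reasons:
            flagged[f"{sec} - {body}"] = reasons
        for d in DLL_RE.findall(body):
            persistence[d.lower()].add(sec)
    return flagged, dict(persistence)


def multi_loadpoint_dlls(persistence, minimum=2):
    """DLLs wired into several load points at once. A legitimate component rarely
    needs more than one; in this log pusupuro.dll sits in O4, O20, O21 and O22."""
    return sorted(d for d, secs in persistence.items() if len(secs) >= minimum)


if __name__ == "__main__":
    flagged, persistence = triage(SAMPLE_LOG)
    for line, reasons in flagged.items():
        print(line)
        for r in reasons:
            print("   ->", r)
    print("DLLs with multiple load points:", multi_loadpoint_dlls(persistence))
```

The flagged set is a starting point for the manual review a helper does, not a removal list; benign entries such as NvCplDaemon and the Adobe BHO pass through untouched.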
     
  2. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hi manhlam

    Please download Malwarebytes Anti-Malware and install it. Follow the prompts and reboot if required.

    Launch Malwarebytes either by running C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe or double-click the Malwarebytes' Anti-Malware shortcut on your Desktop.

    Configuring Malwarebytes

    • Click on the tab Settings.
    • Make sure only these boxes are checked:
      Terminate Internet Explorer
      Automatically save and display logfile after removal
      Always scan memory objects
      Always scan registry objects
      Always scan filesystem
      Always scan extra and heuristics objects

    Updating Malwarebytes

    • Click on the tab Update.
    • Press the button Check for Updates
    • Wait for Malwarebytes to be fully updated.

    Scanning Time

    • Click on the tab Scanner.
    • Check Perform full scan and click on Scan
    • Wait for the scan to complete, and then click on Show Results.
    • Make sure all items are checked, then click on Remove Selected.
    **If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If you are asked to restart the computer, please do so immediately.

    Post A Log

    • A text box will pop up after the removal process is over. Post the contents of the text here.
    • If no text box pops up, launch Malwarebytes, and click on the tab Logs.
    • The logs will appear as mbam-log-*date-*time.txt. Select the latest one, and then click on Open.
    Post the log here.

    Best Regards :D
     
  3. manhlam

    manhlam Member

    Joined:
    Nov 22, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    11
    Thank you for helping me, I really appreciate it.
    Here is my log

    Malwarebytes' Anti-Malware 1.30
    Database version: 1417
    Windows 5.1.2600 Service Pack 2

    11/23/2008 11:15:27 AM
    mbam-log-2008-11-23 (11-15-27).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 206927
    Time elapsed: 1 hour(s), 33 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 8
    Registry Values Infected: 3
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\WINDOWS\system32\bopedisu.dll (Trojan.BHO) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{831cbac0-8283-4653-9d81-feb9f3f6e47c} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{831cbac3-8283-4653-9d81-feb9f3f6e47c} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{86a44ef7-78fc-4e18-a564-b18f806f7f56} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{92860a02-4d69-48c1-82d7-ef6b2c609502} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c1de446a-8770-4621-9378-f1922c74a36c} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ONESTEP_SEARCH_SERVICE (Adware.OneStepSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuvorulivi (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\bopedisu.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\bopedisu.dll -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\hiyoluge.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\eguloyih.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\bopedisu.dll (Trojan.BHO) -> Delete on reboot.
    C:\Documents and Settings\Lam.WHITE.000\My Documents\Downloads\Compressed\Nero 8.3.6.0 Ultra Edition\Keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Lam.WHITE.000\My Documents\Downloads\Compressed\Nero 8.3.6.0 Ultra Edition\Nero_8_Ultra_Edition_8.3.6.0_Serial___Crack\Nero 8 Keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{6F606EFB-6D29-4F08-945D-B7483F2D7890}\RP800\A0414802.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{6F606EFB-6D29-4F08-945D-B7483F2D7890}\RP800\A0414805.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{6F606EFB-6D29-4F08-945D-B7483F2D7890}\RP804\A0415724.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{6F606EFB-6D29-4F08-945D-B7483F2D7890}\RP804\A0415727.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\zetoyago.dll (Trojan.Agent) -> Delete on reboot.

    But then when I use Internet Explorer, it still pops up unwanted websites again.
    Can you help me?
    Thanks again
     
  5. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey manhlam

    Now, please download ComboFix.
    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. Save it to your Desktop.

    Please disable all security programs, such as antivirus, antispyware, and firewall software.

    • Run Combo-Fix.exe and follow the prompts.
    • Accept the End-User License Agreement.
    • Allow the Recovery Console to be installed.
    • When you see the window below, click on Yes.
    • When the Recovery Console has been installed, click on Yes to start the scan.

    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be fully completed.
    • If it requires a reboot, please do so.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    Best Regards :D
     
  6. manhlam

    manhlam Member

    Joined:
    Nov 22, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    11
    It's working.
    I haven't seen any pop-ups anymore.
    Thank you so much.
    Here is my log

    ComboFix 08-11-23.02 - Lam 2008-11-24 15:10:30.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.467 [GMT -5:00]
    Running from: c:\documents and settings\Lam.WHITE.000\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Lam.WHITE.000\Application Data\inst.exe
    c:\windows\IE4 Error Log.txt
    c:\windows\system32\AutoRun.inf
    c:\windows\system32\bihelufe.dll
    c:\windows\system32\BkavAuto.vxd
    c:\windows\system32\components
    c:\windows\system32\components\flx0.dll
    c:\windows\system32\drivers\BkavAuto.sys
    c:\windows\system32\drivers\SysLib.sys
    c:\windows\system32\efulehib.ini
    c:\windows\system32\inst.dat
    c:\windows\system32\kogonubo.dll
    c:\windows\system32\latavija.dll
    c:\windows\system32\mivalivo.dll
    c:\windows\system32\savohofu.dll
    c:\windows\system32\totodova.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_ISODRIVE
    -------\Legacy_OREANS32
    -------\Service_ISODrive
    -------\Service_oreans32


    ((((((((((((((((((((((((( Files Created from 2008-10-24 to 2008-11-24 )))))))))))))))))))))))))))))))
    .

    2008-11-23 09:34 . 2008-11-23 09:34 <DIR> d-------- c:\documents and settings\Lam.WHITE.000\Application Data\Malwarebytes
    2008-11-23 09:34 . 2008-11-23 09:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-11-21 20:33 . 2008-11-23 11:21 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-11-21 20:33 . 2008-11-23 11:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-21 18:54 . 2008-11-21 18:54 <DIR> d-------- c:\program files\Lavasoft
    2008-11-17 18:25 . 2008-11-20 19:47 <DIR> d-------- c:\documents and settings\Lam.WHITE.000\Application Data\Red Alert 3
    2008-11-17 17:38 . 2008-11-17 17:38 <DIR> d-------- c:\program files\Electronic Arts
    2008-11-17 17:37 . 2008-11-17 17:37 <DIR> d-------- c:\windows\Logs
    2008-11-12 21:22 . 2004-08-04 03:56 159,232 --a------ c:\windows\system32\ptpusd.dll
    2008-11-12 21:22 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
    2008-11-11 17:21 . 2008-11-11 17:21 <DIR> d-------- c:\program files\UltraISO
    2008-11-11 17:21 . 2008-11-11 17:21 <DIR> d-------- c:\program files\Common Files\EZB Systems
    2008-11-11 17:04 . 2008-11-11 17:04 <DIR> d-------- c:\program files\MSXML 6.0
    2008-11-11 17:01 . 2008-11-11 17:01 <DIR> d-------- c:\program files\MSXML 4.0
    2008-11-09 14:07 . 2008-11-09 14:07 <DIR> d-------- c:\documents and settings\Jerry\Application Data\Nero
    2008-11-09 14:01 . 2008-11-09 14:01 <DIR> d-------- c:\documents and settings\Hai.WHITE.000\Application Data\Nero
    2008-10-30 19:47 . 2008-11-13 17:31 <DIR> d-------- c:\documents and settings\Lam.WHITE.000\Shared
    2008-10-30 19:47 . 2008-11-13 17:39 <DIR> d-------- c:\documents and settings\Lam.WHITE.000\Incomplete
    2008-10-30 19:47 . 2008-10-30 20:46 <DIR> d-------- c:\documents and settings\Lam.WHITE.000\Application Data\MP3Rocket
    2008-10-30 19:46 . 2007-03-14 01:04 69,632 --a------ c:\windows\system32\javacpl.cpl
    2008-10-30 19:44 . 2008-10-30 19:47 <DIR> d-------- c:\program files\MP3 Rocket

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-24 20:16 --------- d-----w c:\program files\WinFlip
    2008-11-24 20:16 --------- d-----w c:\documents and settings\Lam.WHITE.000\Application Data\DMCache
    2008-11-22 21:16 --------- d-----w c:\documents and settings\Lam.WHITE.000\Application Data\BitTorrent
    2008-11-21 23:20 --------- d-----w c:\documents and settings\Lam.WHITE.000\Application Data\Yahoo!
    2008-11-21 00:48 --------- d-----w c:\program files\ArtMoney
    2008-11-21 00:48 --------- d-----w c:\documents and settings\Lam.WHITE.000\Application Data\U3
    2008-11-15 22:59 --------- d-----w c:\documents and settings\Lam.WHITE.000\Application Data\Vso
    2008-11-11 22:08 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-10-31 00:46 --------- d-----w c:\program files\Java
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-18 03:07 --------- d-----w c:\documents and settings\Lam.WHITE.000\Application Data\Moyea
    2008-10-15 20:08 --------- d-----w c:\program files\Tansee iPod Transfer
    2008-10-15 20:04 --------- d-----w c:\program files\Tansee iPod Transfer Photo
    2008-10-15 19:09 --------- d-----w c:\documents and settings\Lam.WHITE.000\Application Data\Apple Computer
    2008-10-12 01:07 --------- d-----w c:\program files\iTunes
    2008-10-12 01:07 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-10-12 01:06 --------- d-----w c:\program files\iPod
    2008-10-12 01:05 --------- d-----w c:\program files\QuickTime
    2008-10-12 01:05 --------- d-----w c:\program files\Bonjour
    2008-10-12 01:04 --------- d-----w c:\program files\Common Files\Apple
    2008-10-12 00:49 --------- d-----w c:\program files\Apple Software Update
    2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
    2008-09-28 16:46 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-08-26 18:13 47,360 -c--a-w c:\documents and settings\Lam.WHITE.000\Application Data\pcouffin.sys
    2008-02-16 13:58 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2007-08-17 14:09 4,096 -csha-w c:\windows\system32\ITrac.dll
    2007-12-17 00:48 49,152 -csh--w c:\windows\system32\dllcache\ctfmon.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
    "WinFlip"="c:\program files\WinFlip\WinFlip.exe" [2007-10-25 462848]
    "IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2008-06-25 2594224]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]
    "IPInSightMonitor 01"="c:\program files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 98304]
    "YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2005-04-22 397312]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-08-11 7630848]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-06 200704]
    "PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
    "DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 280064]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]
    "BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-09-11 368640]
    "PC Pitstop Optimize Scheduler"="c:\program files\PCPitstop\Optimize\PCPOptimize.exe" [2008-08-20 2577120]
    "NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]
    "NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
    "nwiz"="nwiz.exe" [2006-08-11 c:\windows\system32\nwiz.exe]
    "NvMediaCenter"="NvMCTray.dll" [2006-08-11 c:\windows\system32\nvmctray.dll]
    "C-Media Mixer"="Mixer.exe" [2001-10-22 c:\windows\mixer.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2004-08-04 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]
    Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-04 53317]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HackerDefender]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
    "c:\\Documents and Settings\\Lam.WHITE.000\\My Documents\\Downloads\\command and conquer - red alert 2 (full game)\\GAME.EXE"=
    "c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
    "c:\\WINDOWS\\system32\\spoolsv.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "18409:TCP"= 18409:TCP:BitComet 18409 TCP
    "18409:UDP"= 18409:UDP:BitComet 18409 UDP
    "3541:TCP"= 3541:TCP:ppLive
    "2548:UDP"= 2548:UDP:ppLive
    "9420:TCP"= 9420:TCP:Akamai Network Manager
    "5000:UDP"= 5000:UDP:Akamai Network Manager

    R1 Pivot;Pivot;c:\windows\system32\drivers\pivot.sys [2007-11-30 17465]
    R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\bdfndisf.sys [2008-01-25 86792]
    R3 pivotmou;Pivot Mouse/Pointers Filter Driver;\??\c:\windows\system32\drivers\pivotmou.sys [2007-11-30 11323]
    R3 vcddev;VCD VNC Virtual Network Adapter;c:\windows\system32\DRIVERS\vcdvnic.sys [2006-03-09 13312]
    S2 HackerDefender;XTrap Nag Service;c:\documents and settings\Lam.WHITE\Desktop\ygb3520625Fixed\bypass\XTrapNag.exe []
    S2 servmon;Server Monitor;c:\windows\regmon.exe [2005-06-30 15360]
    S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys []
    S3 CEDRIVER52;CEDRIVER52;\??\c:\program files\Cheat Engine\dbk32.sys []
    S3 HackerDefenderDrv;HackerDefenderDrv;\??\c:\documents and settings\Lam.WHITE\Desktop\ygb3520625Fixed\bypass\xtrapnag.sys []
    S3 msloop;Microsoft Loopback Adapter Driver;c:\windows\system32\DRIVERS\loop.sys [2008-06-28 4992]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
    S3 XDva016;XDva016;\??\c:\windows\system32\XDva016.sys []
    S3 XDva025;XDva025;\??\c:\windows\system32\XDva025.sys []
    S3 XDva030;XDva030;\??\c:\windows\system32\XDva030.sys []
    S3 XDva036;XDva036;\??\c:\windows\system32\XDva036.sys []
    S4 hpt3xx;hpt3xx; []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    bdx REG_MULTI_SZ scan

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d1b2b38-206d-11dd-9c9b-00402b336f98}]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6d6fc01-5f0b-11dc-9b0e-00402b336f98}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4c0ab62-6eec-11dd-93db-00402b336f98}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc611942-638e-11dc-9b14-00402b336f98}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-24 c:\windows\Tasks\806492C0889B3B38.job
    - c:\docume~1\lam~1.whi\applic~1\firsto~1\castamokanti.exe []

    2008-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2008-11-24 c:\windows\Tasks\WebReg Deskjet F2100 series.job
    - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2007-03-11 21:27]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{75db84e2-74d2-407d-83e9-7bd3ce70fc33} - c:\windows\system32\kimapuge.dll
    HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
    HKCU-Run-LClock - c:\program files\LClock\LClock.exe
    HKCU-Run-Vista Sidebar - c:\program files\Vista Sidebar\sidebar.exe
    HKCU-Run-ViStart - c:\program files\ViStart\ViStart.exe
    HKCU-Run-ViOrb - c:\program files\ViOrb\ViOrb.exe
    HKCU-Run-VisualTooltip - c:\program files\VisualTooltip\VisualToolTip.exe
    HKCU-Run-DLD.EXE - c:\program files\Download Direct\DLD.exe
    HKLM-Run-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
    HKLM-Run-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe
    HKLM-Run-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
    HKLM-Run-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
    HKLM-Run-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
    HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    HKLM-Run-eSnips - c:\program files\eSnips\ClientGW.exe
    HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
    HKLM-Run-tuvorulivi - c:\windows\system32\zetoyago.dll
    HKLM-Run-Zing Chat - (no file)
    HKLM-Run-ClientGW - (no file)
    Notify-svchost - svchost.dll


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\Lam.WHITE.000\Application Data\Mozilla\Firefox\Profiles\mye7q9fe.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1610864&SearchSource=3&q=
    FF -: plugin - c:\progra~1\Yahoo!\Common\npyaxmpb.dll
    FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-24 15:15:35
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1140)
    c:\windows\system32\WgaLogon.dll
    c:\windows\system32\rsaenh.dll

    - - - - - - - > 'lsass.exe'(1196)
    c:\windows\system32\msprivs.dll
    c:\windows\system32\rsaenh.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\IoctlSvc.exe
    c:\program files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
    c:\program files\BitDefender\BitDefender 2008\vsserv.exe
    c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    c:\program files\Yahoo!\browser\ybrwicon.exe
    c:\program files\Yahoo!\YOP\yop.exe
    c:\program files\Yahoo!\browser\ycommon.exe
    c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
    c:\program files\Portrait Displays\Pivot Software\Floater.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
    c:\program files\Internet Download Manager\IEMonitor.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-24 15:21:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-11-24 20:21:06

    Pre-Run: 6,615,609,344 bytes free
    Post-Run: 6,502,539,264 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    274 --- E O F --- 2008-11-11 22:08:49

    Again, thank you.
    Now I can sleep well.
     
    Last edited: Nov 24, 2008
  7. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey manhlam

    Whoa... I do not like what we're dealing with here. You are still not clean.... and instead I suspect that your computer is infected with rootkits.

    Before I can jump to any conclusions, please do the following:

    • Click Start.
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading select Show hidden files and folders.
    • Uncheck the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.

    Find these files:
    Code:
    c:\windows\system32\XDva036.sys 
    c:\documents and settings\Lam.WHITE\Desktop\ygb3520625Fixed\bypass\XTrapNag.exe
    c:\program files\Cheat Engine\dbk32.sys
    c:\documents and settings\lam~1.whi\application data\firsto~1\castamokanti.exe 
    Upload them each to http://www.virustotal.com/ , and then to http://www.uploadmalware.com/

    I'll need the results from Virustotal for each sample.

    Best Regards :D
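    The entries cdavfrew singles out above (services whose binary shows no date/size, a driver under a user's Desktop, a SafeBoot\Minimal entry, Security Center notifications switched off) can be picked out of a ComboFix log mechanically. The script below is an added example, not part of this thread and not ComboFix's or any other tool's code; the heuristics are my own and the sample log is constructed from the line formats visible in the log above (the values are copied from it, not from a live run). It reads a log excerpt and reports the items a helper would ask about first: services or drivers recorded with empty `[]` metadata (file missing, hidden or unreadable), service binaries living under a user profile, non-default SafeBoot entries, Security Center `*DisableNotify` values set to 1, and scheduled tasks pointing at missing files or user-profile paths.

```python
import re
from dataclasses import dataclass

# Constructed sample in the ComboFix "Reg Loading Points" / services / tasks layout
# used by the logs in this thread (values copied from the log above, not a real run).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HackerDefender]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

R1 Pivot;Pivot;c:\windows\system32\drivers\pivot.sys [2007-11-30 17465]
S2 HackerDefender;XTrap Nag Service;c:\documents and settings\Lam.WHITE\Desktop\ygb3520625Fixed\bypass\XTrapNag.exe []
S2 servmon;Server Monitor;c:\windows\regmon.exe [2005-06-30 15360]
S3 XDva036;XDva036;\??\c:\windows\system32\XDva036.sys []
S4 hpt3xx;hpt3xx; []

2008-11-24 c:\windows\Tasks\806492C0889B3B38.job
- c:\docume~1\lam~1.whi\applic~1\firsto~1\castamokanti.exe []
"""

# Paths under a user profile (long or 8.3 form), optionally prefixed with the \??\ NT path form.
USER_PROFILE_RE = re.compile(r'^(\\\?\?\\)?c:\\(documents and settings|docume~1)\\', re.I)
# "<start> <name>;<display name>;<path> [<date size>]"  -- the service/driver line format.
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$')
SAFEBOOT_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\'
                         r'(?P<profile>Minimal|Network)\\(?P<entry>[^\]]+)\]$', re.I)
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-f]{8})$', re.I)
JOB_RE = re.compile(r'^\d{4}-\d{2}-\d{2}\s+(?P<job>.+\.job)$', re.I)
TASK_RE = re.compile(r'^-\s+(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$')


@dataclass(frozen=True)
class Finding:
    category: str   # safeboot | security-center | service | task
    subject: str    # service name, value name or task file
    reason: str


def analyze(log_text):
    """Return the entries in a ComboFix log excerpt that deserve a closer look."""
    findings = []
    current_key = None   # registry key the following value lines belong to
    current_job = None   # .job file the following "- <target>" line belongs to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SAFEBOOT_RE.match(line)
        if m:
            # ComboFix hides default SafeBoot entries, so anything listed here is non-standard:
            # the service is permitted to start even in Safe Mode.
            findings.append(Finding("safeboot", m["entry"],
                                    f"non-default service allowed to start in SafeBoot\\{m['profile']}"))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"].lower()
            continue
        m = DWORD_RE.match(line)
        if (m and current_key and current_key.endswith("security center")
                and m["name"].lower().endswith("disablenotify") and int(m["value"], 16) != 0):
            findings.append(Finding("security-center", m["name"], "Security Center notification is turned off"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, path, meta = m["name"], m["path"], m["meta"].strip()
            if meta == "":
                findings.append(Finding("service", name,
                                        "no file date/size recorded: binary is missing, hidden or unreadable"))
            if USER_PROFILE_RE.match(path):
                findings.append(Finding("service", name, "service binary lives under a user profile directory"))
            continue
        m = JOB_RE.match(line)
        if m:
            current_job = m["job"]
            continue
        m = TASK_RE.match(line)
        if m and current_job:
            path, meta = m["path"], m["meta"].strip()
            if meta == "" or USER_PROFILE_RE.match(path):
                detail = "target file not found; " if meta == "" else ""
                findings.append(Finding("task", current_job, f"runs {path} ({detail}check where it came from)"))
            current_job = None
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'service': 4, 'task': 1}."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.category}] {f.subject}: {f.reason}")
```

    On the sample above the script reports the HackerDefender service twice (no file metadata and a Desktop path), XDva036 and hpt3xx for empty metadata, the SafeBoot\Minimal\HackerDefender entry, both Security Center values, and the 806492C0889B3B38.job task. None of these is proof of infection by itself (a missing driver file for an uninstalled tool also shows as `[]`), which is why the next step in the thread is to get the files themselves looked at.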
     
  8. manhlam

    manhlam Member

    Joined:
    Nov 22, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    11
    I got a problem.
    I couldn't find any of those files you told me about,
    even though I checked every single step.
    Is there anything I need to check on?
    If not, then thank you for taking your time to help me out.
    Have a nice Thanksgiving.


     
  9. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey manhlam

    Hmmm... that's odd. Perhaps ComboFix is displaying them wrongly.

    Please disable all security programs, such as antivirus, antispyware, and firewall software.
    Also disable your internet connection.


    Open Notepad and copy/paste the text in the code box below into it:

    Code:
    FileLook::
    c:\windows\system32\XDva036.sys 
    c:\documents and settings\Lam.WHITE\Desktop\ygb3520625Fixed\bypass\XTrapNag.exe
    c:\program files\Cheat Engine\dbk32.sys
    c:\documents and settings\lam~1.whi\application data\firsto~1\castamokanti.exe
    • Save this as CFScript.txt in the same folder as ComboFix.
    • Then drag the CFScript.txt into Combo-Fix.exe.
    • This will start ComboFix again. After the reboot (in case it asks to reboot), post the ComboFix log here. The log will be located at C:\ComboFix(.txt).

    Do not click on the ComboFix window, as it may cause it to stall.

    Best Regards :D
     
  10. manhlam

    manhlam Member

    Joined:
    Nov 22, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    11
    here is my log

    ComboFix 08-11-23.02 - Lam 2008-11-26 8:16:49.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.372 [GMT -5:00]
    Running from: c:\documents and settings\Lam.WHITE.000\Desktop\ComboFix\ComboFix.exe
    Command switches used :: c:\documents and settings\Lam.WHITE.000\Desktop\ComboFix\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
    .

    2008-11-25 17:54 . 2008-11-25 17:55 <DIR> d-------- c:\documents and settings\Lam.WHITE.000\Application Data\CyberLink
    2008-11-25 17:50 . 2008-10-23 01:22 95,232 --a------ c:\windows\system32\oCLWatson.exe
    2008-11-25 17:50 . 2008-10-23 01:22 44,544 --a------ c:\windows\system32\msxml4a.dll
    2008-11-25 17:50 . 2008-10-23 01:22 917 --a------ c:\windows\system32\CLWatson.ini
    2008-11-25 17:44 . 2008-11-25 17:54 <DIR> d-------- c:\documents and settings\Lam.WHITE.000\Application Data\PowerCinema
    2008-11-25 17:41 . 2008-11-25 17:52 <DIR> d-------- c:\program files\CyberLink
    2008-11-25 17:41 . 2008-11-25 17:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink
    2008-11-23 09:34 . 2008-11-23 09:34 <DIR> d-------- c:\documents and settings\Lam.WHITE.000\Application Data\Malwarebytes
    2008-11-23 09:34 . 2008-11-23 09:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-11-21 20:33 . 2008-11-23 11:21 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-11-21 20:33 . 2008-11-23 11:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-21 18:54 . 2008-11-21 18:54 <DIR> d-------- c:\program files\Lavasoft
    2008-11-17 18:25 . 2008-11-20 19:47 <DIR> d-------- c:\documents and settings\Lam.WHITE.000\Application Data\Red Alert 3
    2008-11-17 17:38 . 2008-11-17 17:38 <DIR> d-------- c:\program files\Electronic Arts
    2008-11-17 17:37 . 2008-11-17 17:37 <DIR> d-------- c:\windows\Logs
    2008-11-12 21:22 . 2004-08-04 03:56 159,232 --a------ c:\windows\system32\ptpusd.dll
    2008-11-12 21:22 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
    2008-11-11 17:21 . 2008-11-11 17:21 <DIR> d-------- c:\program files\UltraISO
    2008-11-11 17:21 . 2008-11-11 17:21 <DIR> d-------- c:\program files\Common Files\EZB Systems
    2008-11-11 17:04 . 2008-11-11 17:04 <DIR> d-------- c:\program files\MSXML 6.0
    2008-11-11 17:01 . 2008-11-11 17:01 <DIR> d-------- c:\program files\MSXML 4.0
    2008-11-09 14:07 . 2008-11-09 14:07 <DIR> d-------- c:\documents and settings\Jerry\Application Data\Nero
    2008-11-09 14:01 . 2008-11-09 14:01 <DIR> d-------- c:\documents and settings\Hai.WHITE.000\Application Data\Nero
    2008-10-30 19:47 . 2008-11-13 17:31 <DIR> d-------- c:\documents and settings\Lam.WHITE.000\Shared
    2008-10-30 19:47 . 2008-11-13 17:39 <DIR> d-------- c:\documents and settings\Lam.WHITE.000\Incomplete
    2008-10-30 19:47 . 2008-10-30 20:46 <DIR> d-------- c:\documents and settings\Lam.WHITE.000\Application Data\MP3Rocket
    2008-10-30 19:46 . 2007-03-14 01:04 69,632 --a------ c:\windows\system32\javacpl.cpl
    2008-10-30 19:44 . 2008-10-30 19:47 <DIR> d-------- c:\program files\MP3 Rocket

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-26 13:21 81,984 -c--a-w c:\windows\system32\bdod.bin
    2008-11-26 13:21 --------- d-----w c:\documents and settings\Lam.WHITE.000\Application Data\DMCache
    2008-11-25 22:52 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-25 22:41 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2008-11-25 19:59 --------- d-----w c:\program files\WinFlip
    2008-11-24 23:34 --------- d-----w c:\documents and settings\Lam.WHITE.000\Application Data\BitTorrent
    2008-11-21 23:20 --------- d-----w c:\documents and settings\Lam.WHITE.000\Application Data\Yahoo!
    2008-11-21 00:48 --------- d-----w c:\program files\ArtMoney
    2008-11-21 00:48 --------- d-----w c:\documents and settings\Lam.WHITE.000\Application Data\U3
    2008-11-15 22:59 --------- d-----w c:\documents and settings\Lam.WHITE.000\Application Data\Vso
    2008-11-11 22:08 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-10-31 00:46 --------- d-----w c:\program files\Java
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-18 03:07 --------- d-----w c:\documents and settings\Lam.WHITE.000\Application Data\Moyea
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 19:09 43,544 -c--a-w c:\windows\system32\wups2.dll
    2008-10-16 19:08 34,328 -c--a-w c:\windows\system32\wups.dll
    2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-10-15 20:08 --------- d-----w c:\program files\Tansee iPod Transfer
    2008-10-15 20:04 --------- d-----w c:\program files\Tansee iPod Transfer Photo
    2008-10-15 19:09 --------- d-----w c:\documents and settings\Lam.WHITE.000\Application Data\Apple Computer
    2008-10-12 01:07 --------- d-----w c:\program files\iTunes
    2008-10-12 01:07 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-10-12 01:06 --------- d-----w c:\program files\iPod
    2008-10-12 01:05 --------- d-----w c:\program files\QuickTime
    2008-10-12 01:05 --------- d-----w c:\program files\Bonjour
    2008-10-12 01:04 --------- d-----w c:\program files\Common Files\Apple
    2008-10-12 00:49 --------- d-----w c:\program files\Apple Software Update
    2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
    2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
    2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
    2008-08-30 01:06 1,350,664 ----a-w c:\windows\system32\msxml6.dll
    2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
    2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
    2008-08-28 08:00 74,752 -c--a-w c:\windows\system32\msw3prt.dll
    2008-08-28 08:00 104,448 ----a-w c:\windows\system32\win32spl.dll
    2008-08-26 18:13 47,360 -c--a-w c:\documents and settings\Lam.WHITE.000\Application Data\pcouffin.sys
    2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-02-16 13:58 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2007-08-17 14:09 4,096 -csha-w c:\windows\system32\ITrac.dll
    2007-12-17 00:48 49,152 -csh--w c:\windows\system32\dllcache\ctfmon.dll
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Lam.WHITE\Desktop\ygb3520625Fixed\bypass\XTrapNag.exe -- Invalid filepath or file no longer exist

    c:\documents and settings\lam~1.whi\application data\firsto~1\castamokanti.exe -- Invalid filepath or file no longer exist

    c:\program files\Cheat Engine\dbk32.sys -- Invalid filepath or file no longer exist

    c:\windows\system32\XDva036.sys -- Invalid filepath or file no longer exist


    ((((((((((((((((((((((((((((( snapshot@2008-11-24_15.20.20.56 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-11-25 22:43:56 297,086 ----a-r c:\windows\Installer\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\ARPPRODUCTICON.exe
    - 2008-11-24 20:01:30 83,540 ----a-w c:\windows\system32\perfc009.dat
    + 2008-11-25 20:02:45 83,540 ----a-w c:\windows\system32\perfc009.dat
    - 2008-11-24 20:01:30 454,284 ----a-w c:\windows\system32\perfh009.dat
    + 2008-11-25 20:02:45 454,284 ----a-w c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
    "WinFlip"="c:\program files\WinFlip\WinFlip.exe" [2007-10-25 462848]
    "IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2008-06-25 2594224]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]
    "IPInSightMonitor 01"="c:\program files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 98304]
    "YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2005-04-22 397312]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-08-11 7630848]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-06 200704]
    "PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
    "DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 280064]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]
    "BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-09-11 368640]
    "PC Pitstop Optimize Scheduler"="c:\program files\PCPitstop\Optimize\PCPOptimize.exe" [2008-08-20 2577120]
    "NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]
    "NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
    "PCMAgent"="c:\program files\CyberLink\PowerCinema\PCMAgent.exe" [2008-10-21 143360]
    "CLMLServer"="c:\program files\CyberLink\PowerCinema\Kernel\CLML\CLMLSvc.exe" [2008-10-21 196608]
    "PlayMovie"="c:\program files\CyberLink\PlayMovie\PMVService.exe" [2008-09-24 172032]
    "TVEService"="c:\program files\CyberLink\TV Enhance\TVEService.exe" [2008-10-23 180224]
    "nwiz"="nwiz.exe" [2006-08-11 c:\windows\system32\nwiz.exe]
    "NvMediaCenter"="NvMCTray.dll" [2006-08-11 c:\windows\system32\nvmctray.dll]
    "C-Media Mixer"="Mixer.exe" [2001-10-22 c:\windows\mixer.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2004-08-04 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]
    Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-04 53317]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HackerDefender]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
    "c:\\Documents and Settings\\Lam.WHITE.000\\My Documents\\Downloads\\command and conquer - red alert 2 (full game)\\GAME.EXE"=
    "c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
    "c:\\WINDOWS\\system32\\spoolsv.exe"=
    "c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
    "c:\\Program Files\\CyberLink\\PlayMovie\\PlayMovie.exe"=
    "c:\\Program Files\\CyberLink\\PlayMovie\\PMVService.exe"=
    "c:\\Program Files\\CyberLink\\TV Enhance\\TVEnhance.exe"=
    "c:\\Program Files\\CyberLink\\TV Enhance\\TVEService.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "18409:TCP"= 18409:TCP:BitComet 18409 TCP
    "18409:UDP"= 18409:UDP:BitComet 18409 UDP
    "3541:TCP"= 3541:TCP:ppLive
    "2548:UDP"= 2548:UDP:ppLive
    "9420:TCP"= 9420:TCP:Akamai Network Manager
    "5000:UDP"= 5000:UDP:Akamai Network Manager

    R1 Pivot;Pivot;c:\windows\system32\drivers\pivot.sys [2007-11-30 17465]
    R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};\??\c:\program files\CyberLink\PlayMovie\000.fcl [2008-11-25 17:44:37 61424]
    R2 TVECapSvc;TVEnhance Background Capture Service (TBCS);"c:\program files\CyberLink\TV Enhance\Kernel\TV\TVECapSvc.exe" [2008-11-25 364635]
    R2 TVESched;TVEnhance Task Scheduler (TTS));"c:\program files\CyberLink\TV Enhance\Kernel\TV\TVESched.exe" [2008-11-25 172121]
    R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\bdfndisf.sys [2008-01-25 86792]
    R3 pivotmou;Pivot Mouse/Pointers Filter Driver;\??\c:\windows\system32\drivers\pivotmou.sys [2007-11-30 11323]
    R3 vcddev;VCD VNC Virtual Network Adapter;c:\windows\system32\DRIVERS\vcdvnic.sys [2006-03-09 13312]
    S2 HackerDefender;XTrap Nag Service;c:\documents and settings\Lam.WHITE\Desktop\ygb3520625Fixed\bypass\XTrapNag.exe []
    S2 servmon;Server Monitor;c:\windows\regmon.exe [2005-06-30 15360]
    S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys []
    S3 CEDRIVER52;CEDRIVER52;\??\c:\program files\Cheat Engine\dbk32.sys []
    S3 HackerDefenderDrv;HackerDefenderDrv;\??\c:\documents and settings\Lam.WHITE\Desktop\ygb3520625Fixed\bypass\xtrapnag.sys []
    S3 msloop;Microsoft Loopback Adapter Driver;c:\windows\system32\DRIVERS\loop.sys [2008-06-28 4992]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
    S3 XDva016;XDva016;\??\c:\windows\system32\XDva016.sys []
    S3 XDva025;XDva025;\??\c:\windows\system32\XDva025.sys []
    S3 XDva030;XDva030;\??\c:\windows\system32\XDva030.sys []
    S3 XDva036;XDva036;\??\c:\windows\system32\XDva036.sys []
    S4 hpt3xx;hpt3xx; []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    bdx REG_MULTI_SZ scan

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d1b2b38-206d-11dd-9c9b-00402b336f98}]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4c0ab62-6eec-11dd-93db-00402b336f98}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc611942-638e-11dc-9b14-00402b336f98}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    *Newly Created Service* - BC330D03
    *Newly Created Service* - RICHVIDEO
    *Newly Created Service* - TVECAPSVC
    *Newly Created Service* - TVESCHED
    *Newly Created Service* - {49DE1C67-83F8-4102-99E0-C16DCC7EEC796}
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-26 c:\windows\Tasks\806492C0889B3B38.job
    - c:\docume~1\lam~1.whi\applic~1\firsto~1\castamokanti.exe []

    2008-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2008-11-24 c:\windows\Tasks\WebReg Deskjet F2100 series.job
    - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2007-03-11 21:27]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-26 08:21:28
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet005\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
    "ImagePath"="\??\c:\program files\CyberLink\PlayMovie\000.fcl"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1144)
    c:\windows\system32\WgaLogon.dll
    c:\windows\system32\rsaenh.dll

    - - - - - - - > 'lsass.exe'(1200)
    c:\windows\system32\msprivs.dll
    c:\windows\system32\rsaenh.dll
    .
    Completion time: 2008-11-26 8:23:23
    ComboFix-quarantined-files.txt 2008-11-26 13:23:09
    ComboFix2.txt 2008-11-24 20:21:15

    Pre-Run: 8,483,397,632 bytes free
    Post-Run: 8,474,742,784 bytes free

    248 --- E O F --- 2008-11-11 22:08:49

    Did I do anything wrong? Please tell me.
    Thank you
     
  11. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey manhlam

    You did everything right. Good job! A few more steps to follow, though...

    • Please open Notepad.
    • Ensure that Format>Word Wrap is unchecked.
    • Copy and paste the following into Notepad:

    Code:
    @echo off
    (
    rem Stop and then delete each service named in the ComboFix listing.
    rem sc stop reports error 1062 for a service that is not running; sc delete still succeeds.
    sc stop HackerDefender
    sc delete HackerDefender
    sc stop CEDRIVER52
    sc delete CEDRIVER52
    sc stop HackerDefenderDrv
    sc delete HackerDefenderDrv
    sc stop XDva016
    sc delete XDva016
    sc stop XDva025
    sc delete XDva025
    sc stop XDva030
    sc delete XDva030
    sc stop XDva036
    sc delete XDva036
    rem Remove this batch file once done; all output above is written to log.txt
    del fix.bat
    ) > log.txt
    exit
    • Save this as fix.bat onto your Desktop.
    • Double click on fix.bat.
    • A Command Prompt window will open and close quickly. This is normal.
    • Post the contents of log.txt which will appear on your Desktop.


    After that, find and delete C:\windows\Tasks\806492C0889B3B38.job

    Best Regards :D
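The services cdavfrew picks out above are the ones in manhlam's ComboFix listing whose trailing bracket pair is empty (ComboFix records the binary's date and size there, so an empty pair is read as "file not found at scan time") or whose binary sits under a user profile on the Desktop rather than in Program Files or system32. The following Python helper is an added example for this thread, not ComboFix output and not cdavfrew's fix.bat: it parses a constructed handful of lines in that listing format, flags the entries a reviewer should look at, and renders a stop/delete batch in the same shape as the one posted above. The "empty brackets means missing file" reading, the sample lines and the function names are this example's own assumptions.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample (assumption): a few service lines copied in the layout the
# ComboFix listing in this thread uses: <state> <name>;<display>;<image path> [<date size>]
SAMPLE_SERVICES = """\
R1 Pivot;Pivot;c:\\windows\\system32\\drivers\\pivot.sys [2007-11-30 17465]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\\windows\\system32\\DRIVERS\\bdfndisf.sys [2008-01-25 86792]
S2 HackerDefender;XTrap Nag Service;c:\\documents and settings\\Lam.WHITE\\Desktop\\ygb3520625Fixed\\bypass\\XTrapNag.exe []
S2 servmon;Server Monitor;c:\\windows\\regmon.exe [2005-06-30 15360]
S3 ATE_PROCMON;ATE_PROCMON;\\??\\c:\\program files\\Anti Trojan Elite\\ATEPMon.sys []
S3 CEDRIVER52;CEDRIVER52;\\??\\c:\\program files\\Cheat Engine\\dbk32.sys []
S3 HackerDefenderDrv;HackerDefenderDrv;\\??\\c:\\documents and settings\\Lam.WHITE\\Desktop\\ygb3520625Fixed\\bypass\\xtrapnag.sys []
S3 XDva016;XDva016;\\??\\c:\\windows\\system32\\XDva016.sys []
S4 hpt3xx;hpt3xx; []
"""


class ServiceEntry(NamedTuple):
    state: str      # e.g. R2 (running) or S3 (stopped, start on demand)
    name: str       # service key name, the value sc.exe expects
    display: str    # display name
    path: str       # image path exactly as listed (may be empty)
    file_info: str  # text inside the trailing [...]; empty when no file was found


# One listing line; the image path is matched lazily so the bracket pair is always
# taken from the end of the line.
LINE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[(.*?)\]\s*$")

# Assumption: a service binary under a user profile is worth a second look.
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse ComboFix-style service lines; lines that do not match the layout are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            state, name, display, path, info = m.groups()
            entries.append(ServiceEntry(state, name.strip(), display.strip(),
                                        path.strip(), info.strip()))
    return entries


def triage(entries: List[ServiceEntry]) -> List[Tuple[ServiceEntry, List[str]]]:
    """Return (entry, reasons) for every entry a human reviewer should inspect."""
    flagged = []
    for e in entries:
        reasons = []
        if not e.file_info:
            reasons.append("no file date/size recorded: binary missing at scan time")
        if any(marker in e.path.lower() for marker in USER_PROFILE_MARKERS):
            reasons.append("binary lives under a user profile, not Program Files or system32")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def build_removal_batch(names: List[str]) -> str:
    """Render a stop/delete batch in the same shape as the fix.bat posted in this thread."""
    lines = ["@echo off", "("]
    for n in names:
        lines.append(f"sc stop {n}")
        lines.append(f"sc delete {n}")
    lines += [") > log.txt", "exit"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = triage(parse_services(SAMPLE_SERVICES))
    for entry, why in flagged:
        print(f"{entry.state} {entry.name}: {entry.path or '<no path>'}")
        for r in why:
            print("    -", r)
    print(build_removal_batch([e.name for e, _ in flagged]))
```

The triage list is deliberately broader than what cdavfrew removed: orphaned entries of known tools (the Anti Trojan Elite filter, the driverless hpt3xx key) lack a file too and get flagged, so the output is a list for a person to judge, not a list to delete blindly. When the generated batch is run, `sc stop` on an S2/S3 service that is not running returns error 1062 (ERROR_SERVICE_NOT_ACTIVE) and `sc delete` still succeeds; that is the expected result for the stopped entries here.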
     
  12. manhlam

    manhlam Member

    Joined:
    Nov 22, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    11
    Here is my log.
    It may be nothing you expected.

    [SC] ControlService FAILED 1062:

    The service has not been started.


    [SC] DeleteService SUCCESS
    [SC] ControlService FAILED 1062:

    The service has not been started.


    [SC] DeleteService SUCCESS
    [SC] ControlService FAILED 1062:

    The service has not been started.


    [SC] DeleteService SUCCESS
    [SC] ControlService FAILED 1062:

    The service has not been started.


    [SC] DeleteService SUCCESS
    [SC] ControlService FAILED 1062:

    The service has not been started.


    [SC] DeleteService SUCCESS
    [SC] ControlService FAILED 1062:

    The service has not been started.


    [SC] DeleteService SUCCESS
    [SC] ControlService FAILED 1062:

    The service has not been started.


    [SC] DeleteService SUCCESS
     
  13. creaky

    creaky Moderator Staff Member

    Joined:
    Jan 14, 2005
    Messages:
    27,900
    Likes Received:
    1
    Trophy Points:
    96