# UDP Flood, disconnecting me



## toneeh (May 25, 2010)

Hi, recently I've got a lot of this in my security log in my router...

05/25/2010  10:13:32 192.168.2.2 login success 
05/25/2010  10:13:28 192.168.2.2 login success 
05/25/2010  10:09:22 **UDP Flood Stop**  (from WAN Inbound)
05/25/2010  10:09:22 **UDP flood** 78.115.194.27, 11219->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:21 **UDP flood** 61.57.132.19, 14381->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:21 **UDP flood** 91.117.120.216, 23049->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:20 **UDP flood** 79.16.97.206, 57763->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:19 **UDP flood** 208.103.71.10, 15040->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:19 **UDP flood** 95.189.129.247, 11500->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:19 **UDP flood** 118.232.157.46, 33871->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:19 **UDP flood** 173.211.149.210, 24076->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:18 **UDP flood** 222.123.4.166, 11030->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:17 **UDP flood** 75.135.215.119, 20072->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:17 **UDP flood** 71.177.149.84, 22634->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:16 **UDP flood** 68.82.55.240, 50372->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:15 **UDP flood** 183.178.74.147, 10651->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:15 **UDP flood** 58.246.69.150, 23076->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:12 **UDP flood** 192.168.2.3, 123->> 17.82.253.7, 123 (from WAN Outbound)
05/25/2010  10:09:12 **UDP flood** 91.122.136.97, 20499->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:11 **UDP flood** 112.238.70.132, 7691->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:11 **UDP flood** 213.199.198.39, 18202->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:11 **UDP flood** 114.32.229.76, 10006->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:09 **UDP flood** 114.44.145.156, 13783->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:09 **UDP flood** 115.132.164.31, 22703->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:09 **UDP flood** 192.168.2.2, 55320->> 201.222.205.26, 13628 (from WAN Outbound)
05/25/2010  10:09:08 **UDP flood** 78.157.75.183, 51662->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:08 **UDP flood** 99.242.161.184, 9124->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:08 **UDP flood** 82.249.250.39, 56432->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:07 **UDP flood** 192.168.2.2, 55320->> 109.185.91.240, 10018 (from WAN Outbound)
05/25/2010  10:09:07 **UDP flood** 124.177.169.89, 19640->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:07 **UDP flood** 59.164.0.194, 41840->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:07 **UDP flood** 124.148.231.212, 51413->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:07 **UDP flood** 192.168.2.2, 55320->> 85.241.247.123, 58565 (from WAN Outbound)
05/25/2010  10:09:07 **UDP flood** 192.168.2.2, 55320->> 75.121.137.21, 50014 (from WAN Outbound)
05/25/2010  10:09:07 **UDP flood** 192.168.2.2, 55320->> 212.59.228.226, 3325 (from WAN Outbound)
05/25/2010  10:09:07 **UDP flood** 192.168.2.2, 55320->> 187.140.166.89, 20066 (from WAN Outbound)
05/25/2010  10:09:07 **UDP flood** 192.168.2.2, 55320->> 187.43.108.167, 43823 (from WAN Outbound)
05/25/2010  10:09:07 **UDP flood** 201.51.124.83, 6881->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:06 **UDP flood** 192.168.2.2, 55320->> 93.48.167.150, 23201 (from WAN Outbound)
05/25/2010  10:09:06 **UDP flood** 192.168.2.2, 55320->> 60.63.219.229, 16881 (from WAN Outbound)
05/25/2010  10:09:06 **UDP flood** 192.168.2.2, 55320->> 94.195.210.246, 20041 (from WAN Outbound)
05/25/2010  10:09:05 **UDP flood** 189.63.134.199, 63061->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:05 **UDP flood** 217.9.92.6, 35406->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:05 **UDP flood** 84.2.87.72, 12073->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:05 **UDP flood** 192.168.2.2, 55320->> 222.75.167.99, 16001 (from WAN Outbound)
05/25/2010  10:09:05 **UDP flood** 192.168.2.2, 55320->> 85.26.241.206, 3627 (from WAN Outbound)
05/25/2010  10:09:04 **UDP flood** 89.110.192.237, 62547->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:04 **UDP flood** 192.168.2.2, 55320->> 85.155.239.66, 20410 (from WAN Outbound)
05/25/2010  10:09:04 **UDP flood** 192.168.2.2, 55320->> 207.6.115.218, 61565 (from WAN Outbound)
05/25/2010  10:09:04 **UDP flood** 192.168.2.2, 55320->> 79.79.105.29, 50244 (from WAN Outbound)
05/25/2010  10:09:03 **UDP flood** 192.168.2.2, 55320->> 76.103.222.39, 24400 (from WAN Outbound)
05/25/2010  10:09:03 **UDP flood** 74.12.30.112, 12034->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:03 **UDP flood** 192.168.2.2, 55320->> 213.106.36.36, 55387 (from WAN Outbound)
05/25/2010  10:09:03 **UDP flood** 192.168.2.2, 55320->> 91.124.228.197, 61036 (from WAN Outbound)
05/25/2010  10:09:03 **UDP flood** 219.246.57.88, 16001->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:03 **UDP flood** 24.229.139.85, 34360->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:03 **UDP flood** 192.168.2.2, 55320->> 190.58.190.143, 20738 (from WAN Outbound)
05/25/2010  10:09:03 **UDP flood** 192.168.2.2, 55320->> 93.167.165.44, 62580 (from WAN Outbound)
05/25/2010  10:09:03 **UDP flood** 192.168.2.2, 55320->> 201.40.57.187, 52543 (from WAN Outbound)
05/25/2010  10:09:03 **UDP flood** 192.168.2.2, 55320->> 75.63.144.166, 23197 (from WAN Outbound)
05/25/2010  10:09:02 **UDP flood** 192.168.2.2, 55320->> 12.229.76.145, 36652 (from WAN Outbound)
05/25/2010  10:09:02 **UDP flood** 192.168.2.2, 55320->> 24.165.44.153, 45682 (from WAN Outbound)
05/25/2010  10:09:02 **UDP flood** 201.102.131.128, 52762->> 210.49.69.207, 47170 (from WAN Inbound)
05/25/2010  10:09:02 **UDP flood** 192.168.2.2, 55320->> 62.182.66.57, 54649 (from WAN Outbound)
05/25/2010  10:09:02 **UDP flood** 192.168.2.2, 55320->> 68.209.216.26, 15510 (from WAN Outbound)
05/25/2010  10:09:02 **UDP flood** 192.168.2.2, 55320->> 96.36.70.225, 57906 (from WAN Outbound)
05/25/2010  10:09:02 **UDP flood** 192.168.2.2, 55320->> 162.84.55.47, 50622 (from WAN Outbound)
05/25/2010  10:09:02 **UDP flood** 192.168.2.2, 55320->> 122.173.252.38, 56991 (from WAN Outbound)
05/25/2010  10:09:02 **UDP flood** 192.168.2.2, 55320->> 86.12.99.194, 38584 (from WAN Outbound)
05/25/2010  10:09:02 **UDP flood** 192.168.2.2, 55320->> 99.189.14.207, 51957 (from WAN Outbound)
05/25/2010  10:09:01 **UDP flood** 192.168.2.2, 55320->> 78.153.43.204, 21373 (from WAN Outbound)
05/25/2010  10:09:01 **UDP flood** 189.58.212.21, 10208->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:01 **UDP flood** 192.168.2.2, 55320->> 174.106.4.68, 20500 (from WAN Outbound)
05/25/2010  10:09:01 **UDP flood** 192.168.2.2, 55320->> 94.1.82.143, 43200 (from WAN Outbound)
05/25/2010  10:09:01 **UDP flood** 192.168.2.2, 55320->> 122.121.18.118, 25018 (from WAN Outbound)
05/25/2010  10:09:01 **UDP flood** 94.65.137.65, 15069->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:01 **UDP flood** 192.168.2.2, 55320->> 118.100.178.251, 12935 (from WAN Outbound)
05/25/2010  10:09:01 **UDP flood** 192.168.2.2, 55320->> 95.176.209.124, 7936 (from WAN Outbound)
05/25/2010  10:09:01 **UDP flood** 192.168.2.2, 55320->> 95.84.242.43, 53471 (from WAN Outbound)
05/25/2010  10:09:01 **UDP flood** 192.168.2.2, 55320->> 82.242.115.23, 31841 (from WAN Outbound)
05/25/2010  10:09:01 **UDP flood** 192.168.2.2, 55320->> 123.128.166.198, 16001 (from WAN Outbound)
05/25/2010  10:09:01 **UDP flood** 192.168.2.2, 55320->> 79.167.16.36, 57982 (from WAN Outbound)
05/25/2010  10:09:00 **UDP flood** 192.168.2.2, 55320->> 77.38.224.92, 25499 (from WAN Outbound)
05/25/2010  10:09:00 **UDP flood** 192.168.2.2, 55320->> 79.183.28.242, 45236 (from WAN Outbound)
05/25/2010  10:09:00 **UDP flood** 192.168.2.2, 55320->> 78.61.53.243, 54097 (from WAN Outbound)
05/25/2010  10:09:00 **UDP flood** 192.168.2.2, 55320->> 71.231.39.38, 51413 (from WAN Outbound)
05/25/2010  10:09:00 **UDP flood** 192.168.2.2, 55320->> 95.24.201.82, 23618 (from WAN Outbound)
05/25/2010  10:09:00 **UDP flood** 192.168.2.2, 55320->> 78.155.34.212, 57288 (from WAN Outbound)
05/25/2010  10:09:00 **UDP flood** 192.168.2.2, 55320->> 95.18.240.226, 50102 (from WAN Outbound)
05/25/2010  10:09:00 **UDP flood** 192.168.2.2, 55320->> 86.25.196.225, 44639 (from WAN Outbound)
05/25/2010  10:08:59 **UDP flood** 192.168.2.2, 55320->> 77.49.75.240, 28409 (from WAN Outbound)
05/25/2010  10:08:59 **UDP flood** 192.168.2.2, 55320->> 85.198.235.42, 18072 (from WAN Outbound)
05/25/2010  10:08:59 **UDP flood** 192.168.2.2, 55320->> 117.199.99.129, 55931 (from WAN Outbound)
05/25/2010  10:08:59 **UDP flood** 192.168.2.2, 55320->> 74.194.67.180, 21631 (from WAN Outbound)
05/25/2010  10:08:59 **UDP flood** 192.168.2.2, 55320->> 95.65.34.104, 28768 (from WAN Outbound)
05/25/2010  10:08:59 **UDP flood** 192.168.2.2, 55320->> 95.65.64.193, 21214 (from WAN Outbound)
05/25/2010  10:08:59 **UDP flood** 192.168.2.2, 55320->> 78.90.182.101, 8870 (from WAN Outbound)
05/25/2010  10:08:58 **UDP flood** 192.168.2.2, 55320->> 216.197.134.87, 62954 (from WAN Outbound)
05/25/2010  10:08:58 **UDP flood** 192.168.2.2, 55320->> 24.26.110.194, 35321 (from WAN Outbound)
05/25/2010  10:08:58 **UDP flood** 192.168.2.2, 55320->> 82.228.8.214, 57319 (from WAN Outbound)
05/25/2010  10:08:58 **UDP flood** 192.168.2.2, 55320->> 60.30.224.143, 64539 (from WAN Outbound)
05/25/2010  10:08:58 **UDP flood** 192.168.2.2, 55320->> 24.191.77.238, 33076 (from WAN Outbound)
05/25/2010  10:08:58 **UDP flood** 192.168.2.2, 55320->> 189.55.74.172, 60657 (from WAN Outbound)
05/25/2010  10:08:58 **UDP flood** 192.168.2.2, 55320->> 195.241.103.220, 14110 (from WAN Outbound)
05/25/2010  10:08:57 **UDP flood** 192.168.2.2, 55320->> 99.97.82.24, 64892 (from WAN Outbound)
05/25/2010  10:08:57 **UDP flood** 192.168.2.2, 55320->> 187.60.75.117, 33095 (from WAN Outbound)
05/25/2010  10:08:57 **UDP flood** 192.168.2.2, 55320->> 209.213.227.204, 55530 (from WAN Outbound)
05/25/2010  10:08:57 **UDP flood** 192.168.2.2, 55320->> 95.42.250.142, 27185 (from WAN Outbound)
05/25/2010  10:08:57 **UDP flood** 192.168.2.2, 55320->> 60.242.139.165, 12531 (from WAN Outbound)
05/25/2010  10:08:57 **UDP flood** 192.168.2.2, 55320->> 83.226.238.197, 13608 (from WAN Outbound)
05/25/2010  10:08:57 **UDP flood** 192.168.2.2, 55320->> 99.191.68.109, 47810 (from WAN Outbound)
05/25/2010  10:08:57 **UDP flood** 192.168.2.2, 55320->> 69.231.56.174, 15140 (from WAN Outbound)
05/25/2010  10:08:57 **UDP flood** 192.168.2.2, 55320->> 62.176.68.60, 21310 (from WAN Outbound)
05/25/2010  10:08:57 **UDP flood** 192.168.2.2, 55320->> 114.42.62.48, 11512 (from WAN Outbound)
05/25/2010  10:08:57 **UDP flood** 192.168.2.2, 55320->> 88.164.81.155, 45961 (from WAN Outbound)
05/25/2010  10:08:57 **UDP flood** 192.168.2.2, 55320->> 67.171.116.180, 64577 (from WAN Outbound)
05/25/2010  10:08:57 **UDP flood** 192.168.2.2, 55320->> 79.155.205.61, 4103 (from WAN Outbound)
05/25/2010  10:08:57 **UDP flood** 192.168.2.2, 55320->> 79.91.201.94, 62415 (from WAN Outbound)
05/25/2010  10:08:57 **UDP flood** 192.168.2.2, 55320->> 89.179.216.51, 11691 (from WAN Outbound)
05/25/2010  10:08:56 **UDP flood** 192.168.2.2, 55320->> 24.36.221.186, 60169 (from WAN Outbound)
05/25/2010  10:08:56 **UDP flood** 192.168.2.2, 55320->> 97.87.0.109, 52211 (from WAN Outbound)
05/25/2010  10:08:56 **UDP flood** 192.168.2.2, 55320->> 89.204.190.67, 51131 (from WAN Outbound)
05/25/2010  10:08:56 **UDP flood** 68.225.229.13, 20150->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:08:56 **UDP flood** 192.168.2.2, 55320->> 220.107.164.235, 60473 (from WAN Outbound)
05/25/2010  10:08:56 **UDP flood** 192.168.2.2, 55320->> 190.176.41.75, 62812 (from WAN Outbound)
05/25/2010  10:08:56 **UDP flood** 192.168.2.2, 55320->> 190.47.51.180, 46052 (from WAN Outbound)
05/25/2010  10:08:55 **UDP flood** 188.53.66.3, 39816->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:08:55 **UDP flood** 125.230.11.100, 22782->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:08:55 **UDP flood** 192.168.2.2, 55320->> 67.250.52.159, 56954 (from WAN Outbound)
05/25/2010  10:08:55 **UDP flood** 192.168.2.2, 55320->> 24.1.223.141, 37474 (from WAN Outbound)
05/25/2010  10:08:55 **UDP flood** 192.168.2.2, 55320->> 65.172.73.155, 41878 (from WAN Outbound)
05/25/2010  10:08:55 **UDP flood** 192.168.2.2, 55320->> 24.239.52.128, 48036 (from WAN Outbound)
05/25/2010  10:08:55 **UDP flood** 192.168.2.2, 55320->> 88.169.127.127, 22882 (from WAN Outbound)
05/25/2010  10:08:45 **UDP Flood Stop**  (from WAN Outbound)
05/25/2010  10:08:45 **UDP flood** 192.168.2.2, 55320->> 212.117.160.215, 11719 (from WAN Outbound)
05/25/2010  10:08:45 **UDP flood** 192.168.2.2, 55320->> 201.24.12.96, 46631 (from WAN Outbound)
05/25/2010  10:08:45 **UDP flood** 192.168.2.2, 55320->> 76.111.219.111, 34050 (from WAN Outbound)
05/25/2010  10:08:45 **UDP flood** 192.168.2.2, 55320->> 67.171.136.54, 51413 (from WAN Outbound)
05/25/2010  10:08:45 **UDP flood** 192.168.2.2, 55320->> 24.147.249.2, 12724 (from WAN Outbound)
05/25/2010  10:08:45 **UDP flood** 82.76.22.26, 33393->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:08:45 **UDP flood** 192.168.2.2, 55320->> 188.133.243.230, 57090 (from WAN Outbound)
05/25/2010  10:08:45 **UDP flood** 122.116.30.173, 28888->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:08:45 **UDP flood** 192.168.2.2, 55320->> 174.36.237.96, 21012 (from WAN Outbound)
05/25/2010  10:08:45 **UDP flood** 192.168.2.2, 55320->> 95.58.107.144, 18825 (from WAN Outbound)
05/25/2010  10:08:45 **UDP flood** 192.168.2.2, 55320->> 88.118.22.180, 15897 (from WAN Outbound)
05/25/2010  10:08:45 **UDP flood** 192.168.2.2, 55320->> 65.60.221.242, 10452 (from WAN Outbound)
05/25/2010  10:08:45 **UDP flood** 192.168.2.2, 55320->> 92.227.40.169, 52959 (from WAN Outbound)
05/25/2010  10:08:45 **UDP flood** 192.168.2.2, 55320->> 89.189.176.43, 59503 (from WAN Outbound)
05/25/2010  10:08:45 **UDP flood** 192.168.2.2, 55320->> 93.150.2.224, 19089 (from WAN Outbound)
05/25/2010  10:08:45 **UDP flood** 192.168.2.2, 55320->> 118.101.50.110, 32658 (from WAN Outbound)
05/25/2010  10:08:44 **UDP flood** 203.186.18.218, 25060->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:08:44 **UDP flood** 192.168.2.2, 55320->> 217.118.95.104, 23994 (from WAN Outbound)
05/25/2010  10:08:44 **UDP flood** 192.168.2.2, 55320->> 94.158.182.82, 18445 (from WAN Outbound)
05/25/2010  10:08:43 **UDP flood** 192.168.2.2, 55320->> 82.171.65.206, 20298 (from WAN Outbound)
05/25/2010  10:08:43 **UDP flood** 192.168.2.2, 55320->> 128.54.33.32, 24859 (from WAN Outbound)
05/25/2010  10:08:43 **UDP flood** 192.168.2.2, 55320->> 88.241.54.89, 61104 (from WAN Outbound)
05/25/2010  10:08:43 **UDP flood** 192.168.2.2, 55320->> 117.201.21.178, 45682 (from WAN Outbound)
05/25/2010  10:08:43 **UDP flood** 192.168.2.2, 55320->> 193.111.255.250, 14639 (from WAN Outbound)
05/25/2010  10:08:43 **UDP flood** 192.168.2.2, 55320->> 124.125.201.55, 37773 (from WAN Outbound)
05/25/2010  10:08:43 **UDP flood** 192.168.2.2, 55320->> 41.140.9.65, 46973 (from WAN Outbound)


I was wondering what is causing this and how I could stop it?

Thanks
Tony
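
Added example (not from the thread or the router vendor): a small Python triage script for the log format shown above. It groups the flood lines by the LAN-side host and port and counts distinct remote hosts in each direction, which separates a single-source inbound flood from one local port exchanging traffic with many distinct peers; the sample lines are copied from the post, and the "many peers" threshold is an assumed value.

```python
"""Triage of router "UDP flood" log lines (added example, not part of the thread).

Per-packet lines in the post look like
  05/25/2010  10:09:22 **UDP flood** 78.115.194.27, 11219->> 192.168.2.2, 55320 (from WAN Inbound)
This script parses them, groups by the LAN-side host:port, and counts distinct
remote hosts that sent to it and that it sent to. One LAN port talking to many
peers in both directions looks like peer-to-peer fan-out; many senders with no
replies looks like a one-sided flood. The threshold is an assumption.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# The '**' around "UDP flood" is how the bold rendered in the thread; accept it
# whether or not it is present.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"\**UDP flood\**\s+"
    r"(?P<src>[\d.]+),\s*(?P<sport>\d+)->>\s*"
    r"(?P<dst>[\d.]+),\s*(?P<dport>\d+)\s+"
    r"\(from WAN (?P<direction>Inbound|Outbound)\)$"
)


class FloodEvent(NamedTuple):
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str


def parse_line(line: str) -> Optional[FloodEvent]:
    """Return a FloodEvent for a per-packet line, or None for anything else
    (the "UDP Flood Stop" markers, login lines, blank lines)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return FloodEvent(f"{m['date']} {m['time']}", m["src"], int(m["sport"]),
                      m["dst"], int(m["dport"]), m["direction"])


def summarise(lines: List[str]) -> Dict[str, dict]:
    """Group events by LAN endpoint ("host:port") and collect the distinct remote
    hosts per direction. The LAN side is the RFC 1918 address; lines where
    neither address is private are kept under the key "other"."""
    summary: Dict[str, dict] = defaultdict(
        lambda: {"inbound_peers": set(), "outbound_peers": set(), "events": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src_private = ipaddress.ip_address(ev.src).is_private
        dst_private = ipaddress.ip_address(ev.dst).is_private
        if dst_private and not src_private:
            key, peer, bucket = f"{ev.dst}:{ev.dport}", ev.src, "inbound_peers"
        elif src_private and not dst_private:
            key, peer, bucket = f"{ev.src}:{ev.sport}", ev.dst, "outbound_peers"
        else:
            key, peer = "other", f"{ev.src}->{ev.dst}"
            bucket = "inbound_peers" if ev.direction == "Inbound" else "outbound_peers"
        summary[key][bucket].add(peer)
        summary[key]["events"] += 1
    return dict(summary)


def classify(entry: dict, threshold: int = 10) -> str:
    """Label one endpoint's summary; threshold is an assumed cut-off for "many"."""
    inbound = len(entry["inbound_peers"])
    outbound = len(entry["outbound_peers"])
    if inbound >= threshold and outbound >= threshold:
        return "bidirectional fan-out (P2P-like)"
    if inbound >= threshold and outbound == 0:
        return "inbound-only (one-sided flood)"
    return "low volume"


def report(lines: List[str], threshold: int = 10) -> List[str]:
    """One summary line per LAN endpoint, most events first."""
    out = []
    for key, entry in sorted(summarise(lines).items(), key=lambda kv: -kv[1]["events"]):
        out.append(f"{key}: {entry['events']} events, "
                   f"{len(entry['inbound_peers'])} senders, "
                   f"{len(entry['outbound_peers'])} destinations -> "
                   f"{classify(entry, threshold)}")
    return out


# Constructed sample: a handful of lines copied from the log in the post.
SAMPLE_LOG = """\
05/25/2010  10:13:32 192.168.2.2 login success
05/25/2010  10:09:22 **UDP Flood Stop**  (from WAN Inbound)
05/25/2010  10:09:22 **UDP flood** 78.115.194.27, 11219->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:21 **UDP flood** 61.57.132.19, 14381->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:21 **UDP flood** 91.117.120.216, 23049->> 192.168.2.2, 55320 (from WAN Inbound)
05/25/2010  10:09:12 **UDP flood** 192.168.2.3, 123->> 17.82.253.7, 123 (from WAN Outbound)
05/25/2010  10:09:09 **UDP flood** 192.168.2.2, 55320->> 201.222.205.26, 13628 (from WAN Outbound)
05/25/2010  10:09:07 **UDP flood** 192.168.2.2, 55320->> 109.185.91.240, 10018 (from WAN Outbound)
05/25/2010  10:09:07 **UDP flood** 192.168.2.2, 55320->> 85.241.247.123, 58565 (from WAN Outbound)
"""

if __name__ == "__main__":
    # Threshold lowered for the short sample; keep the default on a full log.
    print("\n".join(report(SAMPLE_LOG.splitlines(), threshold=3)))
```

On the full log in the post the same local port 55320 appears as both sender and receiver against a long list of different remote hosts, which is the pattern the classifier labels as fan-out.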


----------



## toneeh (May 25, 2010)

I have done a HijackThis log.
Here it is:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:25:23 AM, on 25/05/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Thunder Network\Xmp\Xmp.exe
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Warcraft III\war3.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comsec.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://dt-updates.com/activate?quer...IQloEg7RKxgr+FVOXgUpC+iizlkPHk+2KhEx8Nv8s4co=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://127.0.0.1:9415/tudouva.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {042cd996-576a-4198-9ce4-3f204e97e7d4} - C:\WINDOWS\system32\gukejibu.dll (file missing)
O2 - BHO: ShowHKToolbar Class - {06433BFE-4946-4E89-823D-CD359C81CD06} - C:\Program Files\881903\IETOOLBAR\hktbar.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flash player - {25864158-329E-434B-B24F-3DA6F300D30A} - C:\WINDOWS\system32\flashplay.dll (file missing)
O2 - BHO: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - C:\Program Files\881903\IETOOLBAR\hktbar.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - C:\Program Files\881903\IETOOLBAR\hktbar.dll (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [vekalurifo] Rundll32.exe "C:\WINDOWS\system32\gekogeyi.dll",s
O4 - HKLM\..\Run: [d02e171d] rundll32.exe "C:\WINDOWS\system32\zakanilu.dll",b
O4 - HKLM\..\Run: [CPMd31d2481] Rundll32.exe "c:\windows\system32\defisebe.dll",a
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CPMd31d2481] Rundll32.exe "c:\windows\system32\defisebe.dll",a
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\toneeh\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [vekalurifo] Rundll32.exe "C:\WINDOWS\system32\gekogeyi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: My_AutoWarkey_Script.lnk = C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {96EEC7FF-106A-47F3-90D6-B4BB754AA40E} (POLi Pay Online) - https://autxn.paywithpoli.com/ewcustomer/POLiPayOnline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\lijuhidi.dll c:\windows\system32\defisebe.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\defisebe.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\defisebe.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 11945 bytes
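
Added example (not part of the thread or of HijackThis itself): a Python script that indexes the O4, O20, O21 and O22 entries of a HijackThis log by DLL path and counts how many distinct autostart mechanisms load each one, so that a DLL registered under several hooks at once is reviewed first. The sample lines are copied from the log above; the section codes it understands are the ones HijackThis prints.

```python
"""Index a HijackThis log by the DLLs its autostart entries load (added example,
not part of the thread or of HijackThis).

It reads the O4 (Run keys), O20 (AppInit_DLLs), O21 (ShellServiceObjectDelayLoad)
and O22 (SharedTaskScheduler) lines, pulls out every DLL path they load, and
records under how many distinct mechanisms each DLL is registered. A DLL hooked
in under several mechanisms at once goes to the top of the review list.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

SECTION_RE = re.compile(r"^(?P<code>O4|O20|O21|O22)\s+-\s+(?P<body>.*)$")
# Either a quoted path (may contain spaces) or a bare path up to the next
# whitespace or comma; both must end in .dll.
DLL_RE = re.compile(r'"([A-Za-z]:\\[^"]+?\.dll)"|([A-Za-z]:\\[^\s,]+?\.dll)',
                    re.IGNORECASE)


def mechanism(line: str) -> Optional[str]:
    """Name the autostart mechanism a log line describes, or None if the line is
    not one of the sections this script looks at."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    code, body = m["code"], m["body"]
    if code == "O4":
        # O4 bodies start with the hive (HKLM, HKCU, HKUS) or "Startup:".
        hive = body.split("\\", 1)[0].split(":", 1)[0]
        return f"O4 Run ({hive})"
    return {"O20": "O20 AppInit_DLLs", "O21": "O21 SSODL",
            "O22": "O22 SharedTaskScheduler"}[code]


def dll_paths(line: str) -> List[str]:
    """All DLL paths on the line, lower-cased so HKLM/HKCU spellings collapse."""
    return [(quoted or bare).lower() for quoted, bare in DLL_RE.findall(line)]


def persistence_index(log_lines: List[str]) -> Dict[str, Set[str]]:
    """Map each DLL path to the set of mechanisms that load it."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for line in log_lines:
        mech = mechanism(line)
        if mech is None:
            continue
        for path in dll_paths(line):
            index[path].add(mech)
    return dict(index)


def review_order(index: Dict[str, Set[str]]) -> List[Tuple[str, List[str]]]:
    """DLLs ordered by how many distinct mechanisms load them, most first."""
    return sorted(((path, sorted(mechs)) for path, mechs in index.items()),
                  key=lambda item: (-len(item[1]), item[0]))


# Sample lines copied from the log in the post (a subset of its O4/O20/O21/O22 entries).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vekalurifo] Rundll32.exe "C:\WINDOWS\system32\gekogeyi.dll",s
O4 - HKLM\..\Run: [d02e171d] rundll32.exe "C:\WINDOWS\system32\zakanilu.dll",b
O4 - HKLM\..\Run: [CPMd31d2481] Rundll32.exe "c:\windows\system32\defisebe.dll",a
O4 - HKCU\..\Run: [CPMd31d2481] Rundll32.exe "c:\windows\system32\defisebe.dll",a
O4 - HKUS\S-1-5-19\..\Run: [vekalurifo] Rundll32.exe "C:\WINDOWS\system32\gekogeyi.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\lijuhidi.dll c:\windows\system32\defisebe.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\defisebe.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\defisebe.dll
"""

if __name__ == "__main__":
    for path, mechs in review_order(persistence_index(SAMPLE_HJT.splitlines())):
        print(f"{len(mechs)}  {path}  <- {', '.join(mechs)}")
```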


O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\toneeh\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [vekalurifo] Rundll32.exe "C:\WINDOWS\system32\gekogeyi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: My_AutoWarkey_Script.lnk = C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {96EEC7FF-106A-47F3-90D6-B4BB754AA40E} (POLi Pay Online) - https://autxn.paywithpoli.com/ewcustomer/POLiPayOnline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\lijuhidi.dll c:\windows\system32\defisebe.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\defisebe.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\defisebe.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 11945 bytes


----------



## johnb35 (May 25, 2010)

You are severely infected. Please start by doing this procedure.

Please download Malwarebytes' Anti-Malware from *here* or *here* and save it to your desktop.

Double-click *mbam-setup.exe* and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click *Finish*.
If an update is found, it will download and install the latest version. *Please keep updating until it says you have the latest version.*
Once the program has loaded, select *Perform quick scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Be sure that everything is checked, and click *Remove Selected*.
A log will be saved automatically, which you can access by clicking on the *Logs* tab within Malwarebytes' Anti-Malware.

If you continue to experience problems after doing this, please post a HijackThis log by doing the following:

Download the HijackThis installer from *here*.
Run the installer and choose *Install*, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*

_Most of what HijackThis lists will be harmless or even essential; don't fix anything yet._

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log.


----------



## toneeh (May 25, 2010)

I'm still getting UDP floods after running the scan.

Here is my new HJT Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:39:25 PM, on 25/05/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Garena\Garena.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comsec.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://dt-updates.com/activate?quer...IQloEg7RKxgr+FVOXgUpC+iizlkPHk+2KhEx8Nv8s4co=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://127.0.0.1:9415/tudouva.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
O2 - BHO: ShowHKToolbar Class - {06433BFE-4946-4E89-823D-CD359C81CD06} - C:\Program Files\881903\IETOOLBAR\hktbar.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flash player - {25864158-329E-434B-B24F-3DA6F300D30A} - C:\WINDOWS\system32\flashplay.dll (file missing)
O2 - BHO: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - C:\Program Files\881903\IETOOLBAR\hktbar.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - C:\Program Files\881903\IETOOLBAR\hktbar.dll (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\toneeh\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [vekalurifo] Rundll32.exe "C:\WINDOWS\system32\gekogeyi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: My_AutoWarkey_Script.lnk = C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {96EEC7FF-106A-47F3-90D6-B4BB754AA40E} (POLi Pay Online) - https://autxn.paywithpoli.com/ewcustomer/POLiPayOnline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\lijuhidi.dll  
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 11069 bytes


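The two HijackThis logs above are read by hand in this thread. As an added example (not code from the thread, from HijackThis or from ComboFix), the script below parses a constructed excerpt of lines copied from those logs and applies a few defender-side triage rules: BHO/toolbar registrations whose DLL is missing, `O4` entries that load a system32 DLL via rundll32 through a one-letter export, every `O20 AppInit_DLLs` entry, `O21`/`O22` shell load points whose DLL is outside a small allow-list, and any DLL that turns up in more than one load point. The allow-list, the one-letter-export heuristic and the `Finding` type are assumptions of this example, not a HijackThis feature.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {042cd996-576a-4198-9ce4-3f204e97e7d4} - C:\WINDOWS\system32\gukejibu.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vekalurifo] Rundll32.exe "C:\WINDOWS\system32\gekogeyi.dll",s
O4 - HKLM\..\Run: [d02e171d] rundll32.exe "C:\WINDOWS\system32\zakanilu.dll",b
O4 - HKLM\..\Run: [CPMd31d2481] Rundll32.exe "c:\windows\system32\defisebe.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\lijuhidi.dll c:\windows\system32\defisebe.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\defisebe.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\defisebe.dll
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code ("O4", "O20", ...) or "multi"
    dll: str      # lower-cased DLL basename the finding is about
    reason: str


# Any Windows path ending in .dll (spaces allowed, quotes/commas end it).
DLL_RE = re.compile(r'([A-Za-z]:\\[^",]*?\.dll)', re.IGNORECASE)
# rundll32 <dll>,<export>: capture the export name after the comma.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]+?\.dll"?\s*,\s*(\S+)', re.IGNORECASE)
# Assumed minimal allow-list for O21/O22 (constructed for this example).
KNOWN_SHELL_DLLS = {"browseui.dll", "shell32.dll"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def section_of(line):
    m = re.match(r"([RFO]\d+) - ", line)
    return m.group(1) if m else None


def dlls_in(line):
    return [basename(p) for p in DLL_RE.findall(line)]


def triage(log_text):
    """Return a list of Finding objects for the suspicious entries in a HijackThis log."""
    findings = []
    load_points = defaultdict(set)  # dll basename -> sections it is registered in
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = section_of(line)
        if not sec:
            continue
        dlls = dlls_in(line)
        for d in dlls:
            load_points[d].add(sec)
        if sec in ("O2", "O3") and "(file missing)" in line and dlls:
            findings.append(Finding(sec, dlls[0], "registration points at a DLL that no longer exists"))
        elif sec == "O4":
            m = RUNDLL_RE.search(line)
            if m and dlls and len(m.group(1)) == 1 and "\\system32\\" in line.lower():
                findings.append(Finding(sec, dlls[0], "rundll32 loads a system32 DLL through a one-letter export"))
        elif sec == "O20":
            for d in dlls:
                findings.append(Finding(sec, d, "AppInit_DLLs injects this DLL into every process that loads user32.dll"))
        elif sec in ("O21", "O22"):
            for d in dlls:
                if d not in KNOWN_SHELL_DLLS:
                    findings.append(Finding(sec, d, "shell load point references a DLL outside the allow-list"))
    # A DLL registered under several autostart mechanisms is a strong persistence signal.
    for d, secs in sorted(load_points.items()):
        if len(secs) > 1:
            findings.append(Finding("multi", d, "same DLL registered in %d load points: %s"
                                    % (len(secs), ", ".join(sorted(secs)))))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-5s %-20s %s" % (f.section, f.dll, f.reason))
```

Run against the excerpt, the script leaves the NVIDIA rundll32 entry and the `browseui.dll` scheduler entries alone and reports the four random-named system32 DLLs, with `defisebe.dll` singled out for appearing in four separate load points; that cross-reference is the part a manual read of a long log tends to miss.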
----------



## johnb35 (May 25, 2010)

I need you to post the malwarebytes log so I know what it found. We have a lot more work to do but I can't post specific fixes from my blackberry. Once you post the malwarebytes log, I'll post more instructions this afternoon when I get home from work.


----------



## johnb35 (May 25, 2010)

I still need you to post the Malwarebytes log, but go ahead and perform the following procedure and post the Malwarebytes log when you post the other 2 logs.

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe


Then double-click *combofix.exe* and follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply.
*Note: Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.*

Combofix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open *Task Manager* (press Ctrl, Alt and Del at the same time), go to the *Processes* tab and end any processes of *findstr, find, sed or swreg*; then Combofix should continue.
If that happened we want to know, and also what process you had to end.

In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## toneeh (May 26, 2010)

Here is the ComboFix log:

ComboFix 10-05-25.02 - toneeh 26/05/2010   8:56.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.722 [GMT 10:00]
Running from: c:\documents and settings\toneeh\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
 * Resident AV is active

.

(((((((((((((((((((((((((   Files Created from 2010-04-25 to 2010-05-25  )))))))))))))))))))))))))))))))
.

2010-05-25 00:27 . 2010-05-25 00:27	--------	d-----w-	c:\documents and settings\toneeh\Application Data\Malwarebytes
2010-05-25 00:27 . 2010-04-29 05:39	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-25 00:27 . 2010-05-25 00:27	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-25 00:27 . 2010-04-29 05:39	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-05-25 00:27 . 2010-05-25 00:27	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-05-25 00:24 . 2010-05-25 00:24	388096	----a-r-	c:\documents and settings\toneeh\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-25 00:24 . 2010-05-25 00:24	--------	d-----w-	c:\program files\Trend Micro
2010-05-03 13:00 . 2010-05-03 13:01	--------	d-----w-	c:\program files\FileZilla FTP Client

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-25 23:00 . 2009-04-26 11:33	--------	d-----w-	c:\program files\DNA
2010-05-25 23:00 . 2009-04-26 11:33	--------	d-----w-	c:\documents and settings\toneeh\Application Data\DNA
2010-05-25 13:03 . 2008-05-09 07:40	--------	d-----w-	c:\program files\Warcraft III
2010-05-25 12:10 . 2008-11-25 05:36	--------	d-----w-	c:\documents and settings\toneeh\Application Data\mIRC
2010-05-25 11:03 . 2008-05-29 16:17	--------	d-----w-	c:\program files\Garena
2010-05-25 11:00 . 2008-11-25 05:36	--------	d-----w-	c:\program files\mIRC
2010-05-21 10:11 . 2008-10-24 04:54	--------	d-----w-	c:\program files\Steam
2010-05-21 04:30 . 2010-04-10 20:35	439816	----a-w-	c:\documents and settings\toneeh\Application Data\Real\Update\setup3.10\setup.exe
2010-05-17 22:31 . 2009-04-26 11:36	--------	d-----w-	c:\documents and settings\toneeh\Application Data\BitTorrent
2010-05-04 03:52 . 2009-03-10 09:06	--------	d-----w-	c:\documents and settings\toneeh\Application Data\U3
2010-05-03 13:04 . 2009-09-16 08:22	--------	d-----w-	c:\documents and settings\toneeh\Application Data\FileZilla
2010-05-03 09:32 . 2009-03-05 05:11	--------	d-----w-	c:\program files\PokerStars
2010-05-02 10:01 . 2008-07-21 15:14	103076	-c--a-w-	c:\windows\War3Unin.dat
2010-04-20 13:18 . 2008-10-10 13:10	--------	d-----w-	c:\documents and settings\toneeh\Application Data\Skype
2010-04-20 09:35 . 2008-10-10 13:11	--------	d-----w-	c:\documents and settings\toneeh\Application Data\skypePM
2008-07-04 02:33 . 2009-01-26 16:36	24576	----a-w-	c:\program files\mozilla firefox\components\CheckTudouVa.dll
2009-02-24 19:34 . 2009-02-24 19:34	1044480	-c--a-w-	c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34	200704	-c--a-w-	c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2008-04-26 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-04-28 . 95077F87B68FFDA0CD14559D12BA19C6 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-29 07:24	325000	----a-w-	c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-03-21 486856]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-04-22 323392]
"Octoshape Streaming Services"="c:\documents and settings\toneeh\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-03 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"nwiz"="nwiz.exe" [2007-12-04 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-05-09 949376]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-12 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2008-04-26 123904]

c:\documents and settings\toneeh\Start Menu\Programs\Startup\
My_AutoWarkey_Script.lnk - c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [2008-3-10 240640]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Warcraft III\\pickup.listchecker.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.34\\ThunderLiveUD.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.34\\XLBugReport.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.34\\ThunderService.exe"=
"c:\\Program Files\\Thunder Network\\Xmp\\xmp.exe"=
"c:\\Program Files\\Thunder Network\\Xmp\\ThunderLiveUD.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\DotA POD Client\\client.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\toneeh\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\toneeh\\Desktop\\asd\\GhostOneMini.exe"=
"c:\\Documents and Settings\\toneeh\\Desktop\\asd\\gproxy.exe"=
"c:\\Program Files\\Steam\\SteamApps\\chicky912@hotmail.com\\counter-strike\\hl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:6112
"6112:UDP"= 6112:UDP:6112
"6110:TCP"= 6110:TCP:6110
"6110:UDP"= 6110:UDP:6110
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/9/2008 4:12 PM 717296]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [5/9/2008 4:12 PM 15424]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2010 10:04 AM 135664]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\toneeh\LOCALS~1\Temp\UPZ14D4.tmp --> c:\docume~1\toneeh\LOCALS~1\Temp\UPZ14D4.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/7/2007 6:22 AM 34064]
.
Contents of the 'Scheduled Tasks' folder

2010-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 01:34]

2010-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 00:04]

2010-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 00:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comsec.com.au/
uInternet Connection Wizard,ShellNext = hxxp://dt-updates.com/activate?query=ciWngjFUEESPzXVppacIbicEn3cIWVxxx0DvstJIJl0hQVx0riKPm3pmmmUrqpW80RRuquwcz1ljzIr%2fKwrr3einUgy7AfPR6a9SA1l3hJvVDHQrTmYD0Eo2sPsH1qyJzhTU5EI6F7FRgyYzhkLAi1S41B20%2bef%2bpRCEal7OvOpDXn6MUkMegrBMkBb0%2f2HzAyvXsw%2fCgEmQ13MXNlCzcTXCAsIq%2fZzkmCLxcyB2yNCIxSjtjMcTSZBn3rn3pnQIQloEg7RKxgr%2bFVOXgUpC%2biizlkPHk%2b2KhEx8Nv8s4co%3d
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\windows\system32\imon.dll
DPF: {96EEC7FF-106A-47F3-90D6-B4BB754AA40E} - hxxps://autxn.paywithpoli.com/ewcustomer/POLiPayOnline.cab
FF - ProfilePath - c:\documents and settings\toneeh\Application Data\Mozilla\Firefox\Profiles\so2a3oxh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101849&gct=&gc=1&q=
FF - component: c:\program files\Mozilla Firefox\components\CheckTudouVa.dll
FF - plugin: c:\documents and settings\toneeh\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\Common Files\Thunder Network\KanKan\npDapCtrlFirefox.2.0.5901.12.(849).dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\program files\Windows Media Player\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 09:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  


c:\windows\system32\wuapi.dll.wusetup.162500.bak 561688 bytes executable
c:\windows\system32\wuauclt.exe.wusetup.164125.bak 51224 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.167562.bak 1809944 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spzg.sys >>UNKNOWN [0x86789938]<< 
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7664f28
\Driver\ACPI -> ACPI.sys @ 0xf73cfcb8
\Driver\atapi -> atapi.sys @ 0xf7364b40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf726dbb0
 PacketIndicateHandler -> NDIS.sys @ 0xf725ca0d
 SendHandler -> NDIS.sys @ 0xf7270b40
user & kernel MBR OK 

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\toneeh\LOCALS~1\Temp\UPZ14D4.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1028)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(2568)
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Eset\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2010-05-26  09:05:25 - machine was rebooted
ComboFix-quarantined-files.txt  2010-05-25 23:05

Pre-Run: 34,709,835,776 bytes free
Post-Run: 34,815,066,112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - CD66D19FCC45AA68AA4D060BF3B6BF8E

Fresh HJT log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:08:18 AM, on 26/05/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comsec.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://dt-updates.com/activate?quer...IQloEg7RKxgr+FVOXgUpC+iizlkPHk+2KhEx8Nv8s4co=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: ShowHKToolbar Class - {06433BFE-4946-4E89-823D-CD359C81CD06} - C:\Program Files\881903\IETOOLBAR\hktbar.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - C:\Program Files\881903\IETOOLBAR\hktbar.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - C:\Program Files\881903\IETOOLBAR\hktbar.dll (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\toneeh\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: My_AutoWarkey_Script.lnk = C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {96EEC7FF-106A-47F3-90D6-B4BB754AA40E} (POLi Pay Online) - https://autxn.paywithpoli.com/ewcustomer/POLiPayOnline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 9997 bytes




Malware log for Full scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4140

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

25/05/2010 2:14:36 PM
mbam-log-2010-05-25 (14-14-36).txt

Scan type: Full scan (C:\|)
Objects scanned: 188240
Time elapsed: 1 hour(s), 2 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 7
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\defisebe.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{042cd996-576a-4198-9ce4-3f204e97e7d4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{042cd996-576a-4198-9ce4-3f204e97e7d4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmd31d2481 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vekalurifo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d02e171d (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmd31d2481 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\defisebe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\defisebe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\defisebe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\CyberLink\PowerDVD8\cyberlink.powerdvd.8.0.1531.0-nope.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\toneeh\Desktop\programs\Cyberlink.PowerDVD.v8.0.1531.0-NoPe\NoPE\cyberlink.powerdvd.8.0.1531.0-nope.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\toneeh\Desktop\programs\Microsoft.Office.2007.Enterprise-WiNK\keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Documents and Settings\toneeh\Desktop\programs\NERO BURNING ROM\Keygenerator.exe (Hacktool.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\toneeh\Desktop\programs\NERO BURNING ROM\Nero 8 Keygen.exe (Malware.Packer) -> Quarantined and deleted successfully.
C:\Documents and Settings\toneeh\Desktop\programs\NERO BURNING ROM\Plug-ins Keygen.exe (Malware.Packer) -> Quarantined and deleted successfully.


----------



## toneeh (May 26, 2010)

I have just done everything, and am yet to experience any problems.

I used to have errors when I first booted up; now it's gone.

Thanks!

I'll keep you updated John
Cheers
Tony


----------



## johnb35 (May 26, 2010)

We aren't done yet, still have a little bit to do.

Rerun hijackthis and place checks next to these entries.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://dt-updates.com/activate?query...hEx8Nv8s4co=
O2 - BHO: ShowHKToolbar Class - {06433BFE-4946-4E89-823D-CD359C81CD06} - C:\Program Files\881903\IETOOLBAR\hktbar.dll (file missing)
O2 - BHO: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - C:\Program Files\881903\IETOOLBAR\hktbar.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - C:\Program Files\881903\IETOOLBAR\hktbar.dll (file missing)
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\toneeh\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

Then click on fix checked.

You then need to go into add/remove programs and uninstall the following entries.

Ask software, which includes the toolbar.
All entries of Java listed, including any listed as J2SE Runtime, as you are running old software.


Then go here to download the latest version of Java.

http://www.java.com/en/download/index.jsp

You have torrent and file-sharing programs installed, and that's most likely the reason why you were infected. I would highly suggest you uninstall all of them and not use them.

Please download CCleaner and run it on your system; set the options as they are checked in the attached image and then click on Run Cleaner. This will clean out all your old temp files and make your computer run faster.

http://www.filehippo.com/download_ccleaner/

Click where it says download latest version top right.


----------
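Added example, not code from the thread or from HijackThis: a small Python triage pass over HJT-style log lines that flags the classes of entry johnb35 asks to fix above, so the "place checks next to these" step can be reproduced on another log. It lists orphaned O2/O3 BHO and toolbar registrations marked (file missing) or (no file), R0/R1 URL values that point somewhere other than Microsoft's defaults (a deliberately chosen start page is listed too, so treat the output as a review list rather than a verdict), O4/O23 autostarts launched from temp or profile directories (as with the service started from LOCALS~1\Temp in the ComboFix output), and a non-empty O20 AppInit_DLLs value, the persistence mechanism MBAM removed for Vundo. SAMPLE_LOG is constructed in the HJT line format with made-up names, CLSIDs and domains; the trusted-host list and the O20 line layout are assumptions.

```python
"""Triage pass over HijackThis-style log entries.

Added example: not code from the thread or from HijackThis. SAMPLE_LOG is
constructed in the HJT line format with made-up names, CLSIDs and domains.
"""
import re

# Assumption: hosts IE's own R0/R1 defaults point at. Anything else is listed
# for review (a deliberately chosen start page shows up here as well).
TRUSTED_URL_HOSTS = {"go.microsoft.com", "www.microsoft.com"}

# Autostart images under user-writable temp/profile locations, as with the
# service launched from LOCALS~1\Temp in the ComboFix output above.
USER_WRITABLE = re.compile(
    r"\\(Temp|Local Settings|Application Data|Desktop)\\", re.IGNORECASE
)

ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")

# Constructed sample in HJT format; names, CLSIDs and domains are made up.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://updates.example.invalid/activate?query=abc
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Example Toolbar - {00000000-0000-0000-0000-000000000001} - C:\Program Files\ExampleBar\bar.dll (file missing)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - (no file)
O2 - BHO: Example PDF Helper - {00000000-0000-0000-0000-000000000003} - C:\Program Files\Common Files\Example\helper.dll
O4 - HKCU\..\Run: [Streamer] "C:\Documents and Settings\user\Application Data\Streamer\client.exe" -bootrun
O4 - HKLM\..\Run: [avgui] "C:\Program Files\ExampleAV\avgui.exe" /WAITSERVICE
O20 - AppInit_DLLs: c:\windows\system32\example.dll
O23 - Service: Example Engine (ExampleEngine) - Unknown - C:\Documents and Settings\user\Local Settings\Temp\UPZ0000.tmp
"""


def host_of(url):
    """Return the host part of a scheme://host/... URL, else None."""
    m = re.match(r"^[a-z]+://([^/]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def triage_line(line):
    """Return a list of (reason, line) findings for one HJT entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    found = []
    if kind.startswith("R"):
        # R0/R1: IE start/search/ShellNext values written as 'key = value'.
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        host = host_of(value)
        if host and host not in TRUSTED_URL_HOSTS:
            found.append(("non-default-ie-url", line))
    if kind in ("O2", "O3") and ("(file missing)" in body or "(no file)" in body):
        # Registration whose DLL is gone: a dead entry, safe to fix in HJT.
        found.append(("orphaned-bho-or-toolbar", line))
    if kind in ("O4", "O23") and USER_WRITABLE.search(body):
        found.append(("autostart-from-user-writable-path", line))
    if kind == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        # Assumed O20 layout 'AppInit_DLLs: <path>'. A DLL listed here is
        # loaded into every process that links user32.dll.
        found.append(("appinit-dll-injection", line))
    return found


def triage(log_text):
    """Run triage_line over every line; returns the flat list of findings."""
    return [f for line in log_text.splitlines() for f in triage_line(line)]


def summarize(findings):
    """Count findings per reason."""
    counts = {}
    for reason, _ in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for reason, line in results:
        print(f"{reason:36} {line}")
    print(summarize(results))
```

To use it on a real log, pass the pasted HijackThis text to triage(). Everything it returns still needs a human decision: the O2/O3 orphans and O20 value are the clear-cut fixes, while an R0 start page the user set on purpose (as in this thread) will appear in the list and should simply be left alone.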



## toneeh (May 27, 2010)

Thanks, I have followed these steps.

I will let you know if any problems occur.

Thanks!


----------



## toneeh (May 30, 2010)

I have done all that, and stopped getting UDP floods. Thanks!!

However, I'm still getting disconnects, and the log in my router is this:

05/25/2010  22:48:32 192.168.2.2 login success 
05/25/2010  22:45:20 sending ACK to 192.168.2.2
05/25/2010  22:45:17 sending ACK to 192.168.2.2
05/25/2010  22:43:18 DHCP Client: Receive Ack from 211.29.133.6, 'Lease time'=86400
05/25/2010  22:43:18 DHCP Client: Domain name = optusnet.com.au
05/25/2010  22:43:18 DHCP Client: Send Request, Request IP=210.49.69.207
05/25/2010  22:43:18 DHCP Client: Receive Offer from 211.29.133.6
05/25/2010  22:43:18 DHCP Client: Domain name = optusnet.com.au
05/25/2010  22:43:18 DHCP Client: Send Discover
05/30/2010  21:48:41 192.168.2.2 login success 
05/30/2010  21:47:01 192.168.2.2 login success 
05/30/2010  18:46:38 DHCP Client: Receive Ack from 211.29.133.6, 'Lease time'=86400
05/30/2010  18:46:38 DHCP Client: Domain name = optusnet.com.au
05/30/2010  18:46:38 DHCP Client: Send Request, Request IP=210.49.69.207
05/30/2010  18:23:16 192.168.2.2 login success 
05/30/2010  18:05:14 sending ACK to 192.168.2.3


Could you tell me what is happening?

Tony


----------



## johnb35 (May 30, 2010)

That's just logging into your ISP. If you are getting disconnects, it could be a bad router, modem or ISP problem.


----------

