Help! First time with all this.. I'm infected

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Help! First time with all this.. I'm infected, Not sure how to remove it

Options

Scheme2009 View Member Profile	Jan 9 2009, 05:01 PM Post #1
New Member Group: Members Posts: 5 Joined: 9-January 09 Member No.: 280,511	I am getting popups from <http://sagipsul.com> and <http://my.internetgiftpromotions.com> and random ones with what seem to be IP addresses like.... <http://77.93.75.150/dot.gif/?ver=112&cmp=profiling4&uid=F21114D2DDDA11DDB998166350CFFFFF&guid=1D86E5D8E9F34AB6820B97BC5420F0F7&affid=166350&rid=zdez&m=irq4&revid=9879&lid=clients1.google.com%2Fcomplete%2Fsearch%3Fhl=en%26gl=us%26q=c&uqs=2&s=0&c1=2&c2=0&uid_track=1f71667d-d04a-4a18-862e-468ee7938961&br=firefox> Also this morning prior to doing the following scanning i had a SCRSS.DLL in my startup and such... I've run CCleaner - Malwareremover - AVG - Trendmicro- and Spydoctor Help.. it was at the point where whenever i'd open my IE it would clsoe immediately and when i would type any msg on AIM it'd close immediately... some of the scanning i've done has helped that out as that doesnt seem to be working but am gettin annoying popups which I can usually get rid of... here's my log DDS (Ver_09-01-07.01) - NTFSx86 Run by SAL at 16:54:07.07 on Fri 01/09/2009 Internet Explorer: 6.0.2900.2180 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1791.1264 [GMT -5:00] AV: AVG Anti-Virus Free On-access scanning enabled (Updated) AV: ESET NOD32 antivirus system 2.70 On-access scanning enabled (Updated) ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\System32\svchost.exe -k imgsvc C:\WINDOWS\system32\MsPMSPSv.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe C:\Documents and Settings\SAL\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://gmail.com/ uInternet Settings,ProxyOverride = .local BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll BHO: c:\windows\system32\rakmdlkd83indfgnbu.dll: {d5bf4552-94f1-42bd-f434-3604812c807d} - c:\windows\system32\rakmdlkd83indfgnbu.dll TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [cogad] "c:\documents and settings\sal\application data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139 mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll/CXTSEARCH.HTML LSP: c:\windows\system32\imon.dll Trusted Zone: aol.com\free TCP: {7B8ADE24-E8C9-4E8A-882B-EDEB03EB2FE2} = 24.29.103.15,24.29.103.16 Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: WRNotifier - WRLogonNTF.dll AppInit_DLLs: oykppo.dll,avgrsstx.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll STS: c:\windows\system32\rakmdlkd83indfgnbu.dll: {d5bf4552-94f1-42bd-f434-3604812c807d} - c:\windows\system32\rakmdlkd83indfgnbu.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\sal\applic~1\mozilla\firefox\profiles\u09gxoft.sal\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - gmail.com FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll ---- FIREFOX POLICIES ---- FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service ============= SERVICES / DRIVERS =============== R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-2-10 15872] R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2007-10-13 11264] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-8 97928] R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-8 26824] R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-12-26 15424] R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2007-10-13 33792] R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-3-20 98328] R3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\system32\drivers\CTEDSPFX.sys [2008-3-20 259096] R3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\system32\drivers\CTEDSPIO.sys [2008-3-20 134168] R3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\system32\drivers\CTEDSPSY.sys [2008-3-20 309784] R3 vdiskbus;Virtual Disk Bus;c:\windows\system32\drivers\VDiskBus.sys [2006-8-18 35107] R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-8 875288] R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-8 231704] R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-8 76040] S1 IpIock2;IpIock2;\??\c:\windows\system32\drivers\uagfdisk.sys --> c:\windows\system32\drivers\uagfdisk.sys [?] S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-3-20 98328] S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-3-20 171032] S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-3-20 171032] S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-3-20 528920] S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-3-20 528920] S3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\system32\drivers\CTEAPSFX.sys [2008-3-20 163352] S3 CTEAPSFX;CTEAPSFX;c:\windows\system32\drivers\CTEAPSFX.sys [2008-3-20 163352] S3 CTEDSPFX;CTEDSPFX;c:\windows\system32\drivers\CTEDSPFX.sys [2008-3-20 259096] S3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.sys [2008-3-20 134168] S3 CTEDSPSY;CTEDSPSY;c:\windows\system32\drivers\CTEDSPSY.sys [2008-3-20 309784] S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-3-20 99352] S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-3-20 99352] S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-3-20 1324056] S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-3-20 1324056] S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-3-20 72728] S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-3-20 72728] S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-3-20 534040] S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-3-20 534040] S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2005-5-25 74752] S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-1-6 17149] S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-10-20 41288] S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-10-20 62280] S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-10-20 79688] S3 MPD16USB;AKAIpro MPD16 Driver;c:\windows\system32\drivers\MPD16USB.sys [2005-11-20 19712] S3 RDID1045;Roland FANTOM-X;c:\windows\system32\drivers\RDWM1045.SYS [2005-7-11 59642] S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\windows\system32\drivers\wg121nd5.sys --> c:\windows\system32\drivers\wg121nd5.sys [?] S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664] S4 AdLib FMR;AdLib FMR;c:\progra~1\adlib\adlibe~1\AdLibFMR.exe [2006-12-14 266240] S4 Neepderasaa;Neepderasaa; [x] S4 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2008-12-26 552064] S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe [2007-10-20 742216] S4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\swdsvc.exe [2007-10-20 1415496] S4 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\smith micro\stuffit11\ArcNameService.exe [2007-10-8 157000] =============== Created Last 30 ================ 2009-01-08 22:13 <DIR> --d-h--- C:\$AVG8.VAULT$ 2009-01-08 22:05 10,520 a------- c:\windows\system32\avgrsstx.dll 2009-01-08 22:05 76,040 a------- c:\windows\system32\drivers\avgtdix.sys 2009-01-08 22:05 97,928 a------- c:\windows\system32\drivers\avgldx86.sys 2009-01-08 22:05 <DIR> --d----- c:\windows\system32\drivers\Avg 2009-01-08 22:04 <DIR> --d----- c:\program files\AVG 2009-01-08 22:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8 2009-01-08 20:52 <DIR> --d----- c:\program files\AIM 2009-01-08 18:30 <DIR> --d----- c:\docume~1\sal\applic~1\cogad 2009-01-08 18:27 139,264 a------- c:\windows\system32\oykppo.dll 2009-01-08 18:27 139,264 a------- c:\windows\system32\hwdnqfpw.dll 2009-01-07 18:12 4,958,588 a------- c:\windows\{00000000-00000000-00000005-00001102-00000008-40021102}.CDF 2009-01-07 18:11 11,564 a------- c:\windows\system32\DVCState-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx 2009-01-07 18:11 924 a------- c:\windows\system32\BMXCtrlState-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx 2009-01-07 18:11 924 a------- c:\windows\system32\BMXBkpCtrlState-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx 2009-01-07 18:11 64 a------- c:\windows\system32\BMXStateBkp-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx 2009-01-07 18:11 64 a------- c:\windows\system32\BMXState-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx 2009-01-07 18:10 86,016 a------- c:\windows\system32\cttele.dll 2009-01-07 18:09 114,688 a------- c:\windows\system32\OpenAL32.dll 2009-01-07 18:09 10,240 a------- c:\windows\CTDCRES.DLL 2009-01-07 18:09 2,560 a------- c:\windows\CTXFIRES.DLL 2009-01-05 22:05 1,764,864 a------- c:\windows\system32\Lexicon PSP42.dll 2009-01-05 22:05 <DIR> --d----- c:\program files\PSP 608 MultiDelay 2009-01-05 22:05 8,396,800 a------- c:\windows\system32\PSP 608.dll 2009-01-05 22:03 <DIR> --d----- c:\program files\PSP VintageWarmer 1.6.5 2009-01-05 22:03 6,533,120 a------- c:\windows\system32\PSP VintageWarmer.dll 2009-01-05 22:03 2,568,192 a------- c:\windows\system32\PSP VintageMeter.dll 2009-01-05 22:03 <DIR> --d----- c:\windows\PSP StereoPack 2009-01-05 22:03 <DIR> --d----- c:\program files\PSP StereoPack 1.8 2009-01-05 22:02 2,990,592 a------- c:\windows\system32\PSP 84.dll 2009-01-05 22:02 <DIR> --d----- c:\program files\PSP 2009-01-05 22:02 <DIR> --d----- c:\program files\PSP Nitro 2009-01-05 22:01 <DIR> --d----- c:\program files\PSPaudioware.com 2009-01-05 22:01 475,136 a------- c:\windows\system32\PSP MixBass.dll 2009-01-05 22:01 856,064 a------- c:\windows\system32\PSP MixTreble.dll 2009-01-05 22:01 708,608 a------- c:\windows\system32\PSP MixPressor.dll 2009-01-05 22:01 643,072 a------- c:\windows\system32\PSP MixSaturator.dll 2009-01-05 22:01 <DIR> --d----- c:\program files\PSP MixPack 1.8 2009-01-05 22:00 286,720 a------- c:\windows\iun506.exe 2009-01-05 22:00 <DIR> --d----- c:\program files\PSP MasterQ 1.0 2009-01-05 21:59 <DIR> --d----- c:\windows\PSP MasterComp 2009-01-05 21:59 <DIR> --d----- c:\program files\PSP MasterComp 1.0.0 2009-01-05 18:38 <DIR> --d----- c:\program files\Psicraft 2009-01-05 18:38 <DIR> --d----- c:\docume~1\sal\applic~1\Psicraft 2008-12-28 21:19 32,000 a------- c:\windows\system32\drivers\usbaapl.sys 2008-12-26 23:07 512,096 a------- c:\windows\system32\drivers\amon.sys 2008-12-26 23:07 298,104 a------- c:\windows\system32\imon.dll 2008-12-26 23:07 15,424 a------- c:\windows\system32\drivers\nod32drv.sys 2008-12-26 23:06 <DIR> --d----- c:\program files\ESET 2008-12-21 09:58 <DIR> --d----- c:\docume~1\sal\applic~1\Malwarebytes 2008-12-21 09:57 15,504 a------- c:\windows\system32\drivers\mbam.sys 2008-12-21 09:57 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2008-12-21 09:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2008-12-21 09:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes 2008-12-20 15:24 <DIR> --d----- c:\documents and settings\sal\.housecall6.6 2008-12-19 21:40 129,784 a------- c:\windows\system32\pxafs.dll 2008-12-19 21:40 120,056 a------- c:\windows\system32\pxcpyi64.exe 2008-12-19 21:40 118,520 a------- c:\windows\system32\pxinsi64.exe 2008-12-19 21:40 9,464 a------- c:\windows\system32\drivers\cdralw2k.sys 2008-12-19 21:40 9,336 a------- c:\windows\system32\drivers\cdr4_xp.sys 2008-12-19 21:39 <DIR> --d----- c:\program files\DivX ==================== Find3M ==================== 2009-01-07 18:09 409,600 a------- c:\windows\system32\wrap_oal.dll 2009-01-05 22:05 659,456 a------- c:\windows\iun6002.exe 2008-11-21 16:47 524,288 a------- c:\windows\system32\DivXsm.exe 2008-11-21 16:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll 2008-11-21 16:47 43,528 a------- c:\windows\system32\drivers\pxhelp20.sys 2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll 2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll 2008-11-21 16:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe 2008-11-21 16:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll 2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll 2008-10-16 05:37 659,456 a------- c:\windows\system32\wininet.dll 2007-07-08 08:23 87,608 a------- c:\docume~1\sal\applic~1\inst.exe 2007-07-08 08:23 47,360 a------- c:\docume~1\sal\applic~1\pcouffin.sys 2006-08-05 20:52 81,920 a------- c:\docume~1\sal\applic~1\ezpinst.exe 2014-06-13 14:36 1,537 a--sh--- c:\windows\page files\maxmeg.sys ============= FINISH: 16:54:53.59 =============== This post has been edited by Orange Blossom: Jan 9 2009, 06:59 PM Reason for edit: Deactivate links. ~ OB Attached File(s)* Attach.txt ( 18.56k ) Number of downloads: 1

teacup61 View Member Profile	Jan 22 2009, 10:15 PM Post #2
Bleepin' Texan! Group: HJT Team Coach Posts: 11,729 Joined: 5-April 06 From: Planet Texas! Member No.: 62,846	Hello Scheme2009, Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you. Please do this: 1. Download HijackThis™ here: http://www.trendsecure.com/portal/en-US/th.../hijackthis.php 2. Click 'Do a System Scan and Save log'. The HJT log will open in notepad. Thanks, tea -------------------- Please make a donation so I can keep helping people just like you. Every little bit helps! :) You can even use your credit card! Thank you! Error reading poptart in Drive A: Delete kids y/n? PopTartFixIt2 ============= POPTART ================ Poptart successfully found and removed. ================ KIDS ================ Kid ... Maxwell O'Neal deleted successfully. Kid ... Billy O'Neal deleted successfully. ========== FINISHED! TERMINATE! ========== Tool by Billy3

Scheme2009 View Member Profile	Jan 23 2009, 04:41 PM Post #3
New Member Group: Members Posts: 5 Joined: 9-January 09 Member No.: 280,511	Not gettin same popups as then but system is still a bit sluggish ... would appreciate u overlooking it Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:41:22 PM, on 1/23/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\AIM\aim.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: C:\WINDOWS\system32\rakmdlkd83indfgnbu.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rakmdlkd83indfgnbu.dll (file missing) O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\SAL\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139 O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116973915758 O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{7B8ADE24-E8C9-4E8A-882B-EDEB03EB2FE2}: NameServer = 24.29.103.15,24.29.103.16 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: oykppo.dll,avgrsstx.dll O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rakmdlkd83indfgnbu.dll (file missing) O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe -- End of file - 3708 bytes

teacup61 View Member Profile	Jan 23 2009, 06:41 PM Post #4
Bleepin' Texan! Group: HJT Team Coach Posts: 11,729 Joined: 5-April 06 From: Planet Texas! Member No.: 62,846	Hello, I see Viewpoint installed. Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546 I suggest you remove the program now, if you did not install it. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present. * Viewpoint * Viewpoint Manager * Viewpoint Media Player Please run HijackThis! and click "Scan." Place checks next to the following entries, if present: O2 - BHO: C:\WINDOWS\system32\rakmdlkd83indfgnbu.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rakmdlkd83indfgnbu.dll (file missing) O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\SAL\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139 O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rakmdlkd83indfgnbu.dll (file missing) Close all browsers and other windows except for HijackThis!, and click "Fix checked". Navigate to and delete the following folder(s) (if they exist): C:\Program Files\Viewpoint C:\Documents and Settings\SAL\Application Data\cogad Reboot your computer. Please download Malwarebytes' Anti-Malware from one of these places: http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html http://www.besttechie.net/mbam/mbam-setup.exe Double Click mbam-setup.exe to install the application. * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. * If an update is found, it will download and install the latest version. * Once the program has loaded, select "Perform Quick Scan", then click Scan. * The scan may take some time to finish,so please be patient. * When the scan is complete, click OK, then Show Results to view the results. * Make sure that everything is checked, and click Remove Selected. * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. * Copy&Paste the entire report in your next reply along with a fresh HijackThis log. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately. Let me know also how it's running now, please. Thanks, tea This post has been edited by teacup61: Jan 23 2009, 06:42 PM -------------------- Please make a donation so I can keep helping people just like you. Every little bit helps! :) You can even use your credit card! Thank you! Error reading poptart in Drive A: Delete kids y/n? PopTartFixIt2 ============= POPTART ================ Poptart successfully found and removed. ================ KIDS ================ Kid ... Maxwell O'Neal deleted successfully. Kid ... Billy O'Neal deleted successfully. ========== FINISHED! TERMINATE! ========== Tool by Billy3

Scheme2009 View Member Profile	Jan 23 2009, 09:00 PM Post #5
New Member Group: Members Posts: 5 Joined: 9-January 09 Member No.: 280,511	Here's the MBAM Log Malwarebytes' Anti-Malware 1.33 Database version: 1685 Windows 5.1.2600 Service Pack 2 1/23/2009 8:58:37 PM mbam-log-2009-01-23 (20-58-37).txt Scan type: Quick Scan Objects scanned: 56673 Time elapsed: 14 minute(s), 17 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Heres HJT: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:59:33 PM, on 1/23/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe C:\Program Files\AIM\aim.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116973915758 O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{7B8ADE24-E8C9-4E8A-882B-EDEB03EB2FE2}: NameServer = 24.29.103.15,24.29.103.16 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: oykppo.dll,avgrsstx.dll O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe -- End of file - 2948 bytes Seems to be running better? Not exactly sure cause I havent been doin much yet let me know if you spot anything... Yea... just as I was typing this I got a sound outa no where.. usually the default beep or "orchestra hit" (sorry im a music producer.. thats how i'd describe it) ... the same windows sound that usally is like when a window is open and u click behind it and it wont let u ... so it makes that beep i've been gettin them periodically

teacup61 View Member Profile	Jan 23 2009, 11:03 PM Post #6
Bleepin' Texan! Group: HJT Team Coach Posts: 11,729 Joined: 5-April 06 From: Planet Texas! Member No.: 62,846	HHmmmmm....in that case I think we should use something a lot stronger. This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix. 1. Download this file - combofix.exe http://download.bleepingcomputer.com/sUBs/ComboFix.exe http://www.forospyware.com/sUBs/ComboFix.exe http://subs.geekstogo.com/ComboFix.exe 2. Double click combofix.exe & follow the prompts. 3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log. Note: Do not mouseclick combofix's window while it's running. That may cause it to stall. Thanks, tea -------------------- Please make a donation so I can keep helping people just like you. Every little bit helps! :) You can even use your credit card! Thank you! Error reading poptart in Drive A: Delete kids y/n? PopTartFixIt2 ============= POPTART ================ Poptart successfully found and removed. ================ KIDS ================ Kid ... Maxwell O'Neal deleted successfully. Kid ... Billy O'Neal deleted successfully. ========== FINISHED! TERMINATE! ========== Tool by Billy3

Scheme2009 View Member Profile	Jan 24 2009, 08:45 AM Post #7
New Member Group: Members Posts: 5 Joined: 9-January 09 Member No.: 280,511	Combo Fix Log: ComboFix 09-01-21.04 - SAL 2009-01-24 8:30:37.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1791.1226 [GMT -5:00] Running from: c:\documents and settings\SAL\Desktop\ComboFix.exe AV: AVG Anti-Virus Free On-access scanning enabled (Updated) AV: ESET NOD32 antivirus system 2.70 On-access scanning enabled (Updated) . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\SAL\Application Data\inst.exe c:\documents and settings\SAL\Local Settings\Temporary Internet Files\fbk.sts C:\Documents C:\smp.bat c:\windows\system32\open.ico c:\windows\system32\tb.dr c:\windows\Tasks\tbqpmvwu.job . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_TDSSSERV.SYS -------\Service_seneka -------\Service_TDSSserv.sys ((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 ))))))))))))))))))))))))))))))) . 2009-01-23 16:40 . 2009-01-23 16:40 <DIR> d-------- c:\program files\Trend Micro 2009-01-09 17:03 . 2001-08-17 14:56 66,048 --a--c--- c:\windows\system32\dllcache\s3legacy.dll 2009-01-08 22:13 . 2009-01-09 00:16 <DIR> d--h----- C:\$AVG8.VAULT$ 2009-01-08 22:05 . 2009-01-23 16:33 <DIR> d-------- c:\windows\system32\drivers\Avg 2009-01-08 22:05 . 2009-01-08 22:05 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys 2009-01-08 22:05 . 2009-01-08 22:05 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys 2009-01-08 22:05 . 2009-01-08 22:05 10,520 --a------ c:\windows\system32\avgrsstx.dll 2009-01-08 22:04 . 2009-01-08 22:04 <DIR> d-------- c:\program files\AVG 2009-01-08 22:04 . 2009-01-08 22:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8 2009-01-08 20:54 . 2009-01-08 20:54 <DIR> d-------- c:\documents and settings\SAL\Application Data\Aim 2009-01-08 20:52 . 2009-01-15 22:44 <DIR> d-------- c:\program files\AIM 2009-01-07 18:12 . 2009-01-07 18:12 4,958,588 --a------ c:\windows\{00000000-00000000-00000005-00001102-00000008-40021102}.CDF 2009-01-07 18:11 . 2009-01-24 08:34 11,564 --a------ c:\windows\system32\DVCState-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx 2009-01-07 18:11 . 2009-01-24 08:34 1,104 --a------ c:\windows\system32\BMXCtrlState-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx 2009-01-07 18:11 . 2009-01-24 08:34 1,104 --a------ c:\windows\system32\BMXBkpCtrlState-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx 2009-01-07 18:11 . 2009-01-24 08:34 64 --a------ c:\windows\system32\BMXStateBkp-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx 2009-01-07 18:11 . 2009-01-24 08:34 64 --a------ c:\windows\system32\BMXState-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx 2009-01-07 18:10 . 2006-11-14 15:28 86,016 --a------ c:\windows\system32\cttele.dll 2009-01-07 18:09 . 2009-01-07 18:09 114,688 --a------ c:\windows\system32\OpenAL32.dll 2009-01-07 18:09 . 2008-03-20 15:34 10,240 --a------ c:\windows\CTDCRES.DLL 2009-01-07 18:09 . 2008-03-20 15:35 2,560 --a------ c:\windows\CTXFIRES.DLL 2009-01-05 22:05 . 2009-01-05 22:05 <DIR> d-------- c:\program files\PSP 608 MultiDelay 2009-01-05 22:05 . 2009-01-05 22:05 8,396,800 --a------ c:\windows\system32\PSP 608.dll 2009-01-05 22:05 . 2009-01-05 22:05 1,764,864 --a------ c:\windows\system32\Lexicon PSP42.dll 2009-01-05 22:03 . 2009-01-05 22:03 <DIR> d-------- c:\windows\PSP StereoPack 2009-01-05 22:03 . 2009-01-05 22:05 <DIR> d-------- c:\program files\PSP VintageWarmer 1.6.5 2009-01-05 22:03 . 2009-01-05 22:03 <DIR> d-------- c:\program files\PSP StereoPack 1.8 2009-01-05 22:03 . 2009-01-05 22:03 6,533,120 --a------ c:\windows\system32\PSP VintageWarmer.dll 2009-01-05 22:03 . 2009-01-05 22:03 2,568,192 --a------ c:\windows\system32\PSP VintageMeter.dll 2009-01-05 22:02 . 2009-01-05 22:02 <DIR> d-------- c:\program files\PSP Nitro 2009-01-05 22:02 . 2009-01-05 22:02 <DIR> d-------- c:\program files\PSP 2009-01-05 22:02 . 2009-01-05 22:02 2,990,592 --a------ c:\windows\system32\PSP 84.dll 2009-01-05 22:01 . 2009-01-05 22:01 <DIR> d-------- c:\program files\PSPaudioware.com 2009-01-05 22:01 . 2009-01-05 22:01 <DIR> d-------- c:\program files\PSP MixPack 1.8 2009-01-05 22:01 . 2004-08-05 00:34 856,064 --a------ c:\windows\system32\PSP MixTreble.dll 2009-01-05 22:01 . 2004-08-05 00:34 708,608 --a------ c:\windows\system32\PSP MixPressor.dll 2009-01-05 22:01 . 2004-08-05 00:34 643,072 --a------ c:\windows\system32\PSP MixSaturator.dll 2009-01-05 22:01 . 2004-08-05 00:34 475,136 --a------ c:\windows\system32\PSP MixBass.dll 2009-01-05 22:00 . 2009-01-05 22:00 <DIR> d-------- c:\program files\PSP MasterQ 1.0 2009-01-05 22:00 . 2009-01-05 22:00 286,720 --a------ c:\windows\iun506.exe 2009-01-05 21:59 . 2009-01-05 21:59 <DIR> d-------- c:\windows\PSP MasterComp 2009-01-05 21:59 . 2009-01-05 22:00 <DIR> d-------- c:\program files\PSP MasterComp 1.0.0 2009-01-05 18:38 . 2009-01-05 18:38 <DIR> d-------- c:\program files\Psicraft 2009-01-05 18:38 . 2009-01-05 18:38 <DIR> d-------- c:\documents and settings\SAL\Application Data\Psicraft 2008-12-28 21:21 . 2008-12-28 21:22 <DIR> d-------- c:\program files\QuickTime 2008-12-28 21:20 . 2008-12-28 21:20 <DIR> d-------- c:\program files\Apple Software Update 2008-12-28 21:19 . 2008-12-28 21:19 <DIR> d----c--- c:\windows\system32\DRVSTORE 2008-12-28 21:19 . 2008-12-28 21:40 <DIR> d-------- c:\program files\Common Files\Apple 2008-12-28 21:19 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys 2008-12-26 23:07 . 2008-12-26 23:06 512,096 --a------ c:\windows\system32\drivers\amon.sys 2008-12-26 23:07 . 2008-12-26 23:06 298,104 --a------ c:\windows\system32\imon.dll 2008-12-26 23:07 . 2008-12-26 23:06 15,424 --a------ c:\windows\system32\drivers\nod32drv.sys 2008-12-26 23:06 . 2008-12-27 10:30 <DIR> d-------- c:\program files\ESET . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-24 01:42 --------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-01-24 01:31 --------- d-----w c:\documents and settings\SAL\Application Data\Viewpoint 2009-01-24 01:31 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint 2009-01-17 01:27 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-01-09 04:27 --------- d-----w c:\program files\DVDFab Gold 3 2009-01-08 01:37 --------- d-----w c:\documents and settings\SAL\Application Data\Digidesign 2009-01-06 03:05 659,456 ----a-w c:\windows\iun6002.exe 2009-01-06 03:05 --------- d-----w c:\program files\PSPaudioware 2008-12-29 02:40 --------- d-----w c:\program files\iPod 2008-12-29 02:32 --------- d-----w c:\documents and settings\SAL\Application Data\Apple Computer 2008-12-29 02:22 --------- d-----w c:\program files\Bonjour 2008-12-29 02:21 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer 2008-12-27 16:51 --------- d-----w c:\program files\CCleaner 2008-12-23 03:05 --------- d-----w c:\program files\Starcraft 2008-12-21 14:58 --------- d-----w c:\documents and settings\SAL\Application Data\Malwarebytes 2008-12-21 14:57 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes 2008-12-20 18:25 --------- d-----w c:\program files\Visicom Media 2008-12-20 02:47 --------- d-----w c:\documents and settings\SAL\Application Data\DivX 2008-12-20 02:40 --------- d-----w c:\program files\DivX 2008-12-05 02:14 --------- d-----w c:\program files\M-Audio USB Keyboard Device 2007-07-08 13:23 47,360 ----a-w c:\documents and settings\SAL\Application Data\pcouffin.sys 2006-08-06 01:52 81,920 ----a-w c:\documents and settings\SAL\Application Data\ezpinst.exe 2009-01-13 12:06 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll 2009-01-13 12:06 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll 2009-01-13 12:06 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll 2009-01-13 12:07 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll 2009-01-13 12:07 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-08 1261336] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "wave2"= Digi32.dll "SENTINEL"= snti386.dll "midi2"= RDDV1045.DLL [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk \0SsiEfr.e\0lsdelete [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111T Smart Wizard.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111T Smart Wizard.lnk backup=c:\windows\pss\NETGEAR WG111T Smart Wizard.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^SAL^Start Menu^Programs^Startup^MagicDisc.lnk] path=c:\documents and settings\SAL\Start Menu\Programs\Startup\MagicDisc.lnk backup=c:\windows\pss\MagicDisc.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM] --a------ 2005-08-03 11:28 67160 c:\program files\AIM\aim.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920] --a------ 2003-05-12 14:02 270336 c:\program files\Dell AIO Printer A920\dlbkbmgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh] --a------ 2005-04-12 01:28 49152 c:\program files\Digidesign\Drivers\MMERefresh.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O] --a------ 2005-10-22 23:00 385024 c:\program files\Syncrosoft\POS\H2O\cledx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWBKEYBOARD] --a------ 2004-05-26 21:37 392704 c:\program files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWBMOUSE] --a------ 2001-11-09 01:47 356352 c:\program files\NASDAK\OmniMouse Driver\4.06\Mouse32A.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware] --a------ 2009-01-14 16:11 399504 c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui] --a------ 2008-12-26 23:06 949376 c:\program files\ESET\nod32kui.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] -ra------ 2001-12-31 11:04 3756032 c:\windows\system32\nvcpl.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] -ra------ 2001-12-31 11:04 46080 c:\windows\system32\nvmctray.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SClock Plus] --a------ 2006-11-13 23:52 143360 c:\program files\Shelltoys\SClock Plus\sclock.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray] --a------ 2007-10-02 15:27 1065288 c:\program files\Spyware Doctor\SDTrayApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2005-03-04 02:36 36975 c:\program files\Java\jre1.5.0_02\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoraiPodConverter] --a------ 2005-11-11 13:32 483328 c:\program files\VideoraiPodConverter\VideoraiPodConverter.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] --a------ 2006-03-10 12:45 35328 c:\program files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg] --a------ 2008-03-20 15:22 50688 c:\windows\system32\ctasio.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper] --a------ 2008-03-20 15:35 23040 c:\windows\system32\CtHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp] --a------ 2008-03-20 15:35 23552 c:\windows\system32\Ctxfihlp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] -ra------ 2001-12-31 11:04 831488 c:\windows\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI] --a------ 2008-03-20 15:19 31232 c:\windows\system32\MIDIDEF.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMPNetworkSvc"=3 (0x3) "sdCoreService"=3 (0x3) "sdAuxService"=3 (0x3) "ose"=3 (0x3) "NVSvc"=2 (0x2) "Lsdiorw"=2 (0x2) "LexBceS"=2 (0x2) "iPodService"=3 (0x3) "IDriverT"=3 (0x3) "FLEXnet Licensing Service"=3 (0x3) "C-DillaCdaC11BA"=2 (0x2) "Bonjour Service"=2 (0x2) "Adobe LM Service"=3 (0x3) "AdLib FMR"=2 (0x2) "MBAMService"=2 (0x2) "Stuffit Archive Name Service"=2 (0x2) "GEARSecurity"=2 (0x2) "DigiRefresh"=2 (0x2) "aawservice"=2 (0x2) "NOD32krn"=2 (0x2) "Apple Mobile Device"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\mIRC\\mirc.exe"= "c:\\Program Files\\Starcraft\\StarCraft.exe"= "c:\\StubInstaller.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\WINDOWS\\system32\\LEXPPS.EXE"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\totalcmd\\TOTALCMD.EXE"= "c:\\Program Files\\Azureus\\Azureus.exe"= "c:\\Program Files\\Winternals\\Remote Recover\\RemoteRecover.exe"= "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"= "c:\\Program Files\\SopCast\\SopCast.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-02-10 15872] R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2007-10-13 11264] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-08 97928] R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-12-26 15424] R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2007-10-13 33792] R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-03-20 98328] R3 vdiskbus;Virtual Disk Bus;c:\windows\system32\drivers\VDiskBus.sys [2006-08-18 35107] R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-08 875288] R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-08 231704] R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-08 76040] S1 IpIock2;IpIock2;\??\c:\windows\system32\drivers\uagfdisk.sys --> c:\windows\system32\drivers\uagfdisk.sys [?] S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-03-20 98328] S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-03-20 171032] S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-03-20 171032] S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-03-20 528920] S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-03-20 528920] S3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\system32\drivers\CTEAPSFX.sys [2008-03-20 163352] S3 CTEAPSFX;CTEAPSFX;c:\windows\system32\drivers\CTEAPSFX.sys [2008-03-20 163352] S3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\system32\drivers\CTEDSPFX.sys [2008-03-20 259096] S3 CTEDSPFX;CTEDSPFX;c:\windows\system32\drivers\CTEDSPFX.sys [2008-03-20 259096] S3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\system32\drivers\CTEDSPIO.sys [2008-03-20 134168] S3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.sys [2008-03-20 134168] S3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\system32\drivers\CTEDSPSY.sys [2008-03-20 309784] S3 CTEDSPSY;CTEDSPSY;c:\windows\system32\drivers\CTEDSPSY.sys [2008-03-20 309784] S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-03-20 99352] S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-03-20 99352] S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-03-20 1324056] S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-03-20 1324056] S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-03-20 72728] S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-03-20 72728] S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-03-20 534040] S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-03-20 534040] S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2005-05-25 74752] S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-01-06 17149] S3 MPD16USB;AKAIpro MPD16 Driver;c:\windows\system32\drivers\MPD16USB.sys [2005-11-20 19712] S3 RDID1045;Roland FANTOM-X;c:\windows\system32\drivers\RDWM1045.SYS [2005-07-11 59642] S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [2007-10-20 742216] S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\windows\system32\DRIVERS\wg121nd5.sys --> c:\windows\system32\DRIVERS\wg121nd5.sys [?] S4 AdLib FMR;AdLib FMR;c:\progra~1\AdLib\ADLIBE~1\AdLibFMR.exe [2006-12-14 266240] S4 Neepderasaa;Neepderasaa; [x] S4 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt11\ArcNameService.exe [2007-10-08 157000] . Contents of the 'Scheduled Tasks' folder 2009-01-09 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (HOME-WY767KTWW0-SAL).job - c:\program files\mcafee.com\vso\mcmnhdlr.exe [] . - - - - ORPHANS REMOVED - - - - MSConfigStartUp-0004091192915023mcinstcleanup - c:\docume~1\SAL\LOCALS~1\Temp\000409~1.EXE MSConfigStartUp-2ca98d5a - c:\windows\system32\ltnfvalq.dll MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe MSConfigStartUp-Awola6 - c:\documents and settings\SAL\Application Data\Awola6\Awola6.exe MSConfigStartUp-Cleanup - c:\docume~1\SAL\LOCALS~1\Temp\2006125151440_mcappins.exe MSConfigStartUp-CTDVDDET - c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE MSConfigStartUp-CTSysVol - c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe MSConfigStartUp-DSS - c:\windows\EditHostFTP.exe MSConfigStartUp-Explorer - c:\windows\system32\Explorer.exe MSConfigStartUp-Icon - c:\windows\system32\drivers\Icon.EXE MSConfigStartUp-iqri - c:\progra~1\COMMON~1\iqri\iqrim.exe MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\LogMeInSystray.exe MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe MSConfigStartUp-McRegWiz - c:\progra~1\mcafee.com\agent\mcregwiz.exe MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\McUpdate.exe MSConfigStartUp-Microsoft Windows Adapter 5.1 - c:\documents and settings\SAL\Application Data\uxwpa.exe MSConfigStartUp-msci - c:\docume~1\SAL\LOCALS~1\Temp\2006125151440_mcinfo.exe MSConfigStartUp-MSKAGENTEXE - c:\program files\McAfee\MSK\MskAgent.exe MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe MSConfigStartUp-outlook - c:\program files\outlook\outlook.exe MSConfigStartUp-prunnet - c:\windows\system32\prunnet.exe MSConfigStartUp-PWRISOVM - c:\program files\PowerISO\PWRISOVM.EXE MSConfigStartUp-RemoteCenter - c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE MSConfigStartUp-SBDrvDet - c:\program files\Creative\SB Drive Det\SBDrvDet.exe MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeper.exe MSConfigStartUp-STDSB - c:\windows\system32\drivers\STDSB.EXE MSConfigStartUp-tezrtsjhfr84iusjfo84f - c:\docume~1\SAL\LOCALS~1\Temp\csrssc.exe MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe MSConfigStartUp-UpdReg - c:\windows\UpdReg.EXE MSConfigStartUp-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe MSConfigStartUp-VSOCheckTask - c:\progra~1\mcafee.com\vso\mcmnhdlr.exe MSConfigStartUp-WatchDog - c:\program files\mobile PhoneTools\WatchDog.exe MSConfigStartUp-Microsoft Update - enule.exe MSConfigStartUp-SoundMan - SOUNDMAN.EXE MSConfigStartUp-winlog - winlog.exe . ------- Supplementary Scan ------- . uStart Page = hxxp://gmail.com/ uInternet Settings,ProxyOverride = .local LSP: c:\windows\system32\imon.dll Trusted Zone: aol.com\free TCP: {7B8ADE24-E8C9-4E8A-882B-EDEB03EB2FE2} = 24.29.103.15,24.29.103.16 FF - ProfilePath - c:\documents and settings\SAL\Application Data\Mozilla\Firefox\Profiles\u09gxoft.Sal\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll ---- FIREFOX POLICIES ---- FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-24 08:36:55 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9D7D745F-2DA2-E26E-67E2A61C92B5C873}\{869A1319-CB5B-72EF-32E86935B8210920}\{0F637A1B-C125-DB37-203685E7DE12B741}] "1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44, fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EDCF6AC6-CDE0-1F6D-043771A983FAB740}\{0B884C8F-0AAB-F925-A63B97C7F3A43931}\{965D33BD-6599-2D1D-7E8A152D666CAEE5}] "1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44, fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€\|ÿÿÿÿ•€\|ù•A~] "AB141C35E9F4BF344B9FC010BB17F68A"="" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'lsass.exe'(716) c:\windows\system32\RDDV1045.DLL c:\windows\system32\imon.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\MsPMSPSv.exe c:\program files\AVG\AVG8\avgrsx.exe . ************************************************************************* . Completion time: 2009-01-24 8:43:31 - machine was rebooted [SAL] ComboFix-quarantined-files.txt 2009-01-24 13:43:28 Pre-Run: 44,842,033,152 bytes free Post-Run: 46,693,232,640 bytes free 366 --- E O F --- 2008-12-18 04:09:55 HJT: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:46:00 AM, on 1/24/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116973915758 O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{7B8ADE24-E8C9-4E8A-882B-EDEB03EB2FE2}: NameServer = 24.29.103.15,24.29.103.16 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe -- End of file - 3018 bytes

teacup61 View Member Profile	Jan 24 2009, 04:51 PM Post #8
Bleepin' Texan! Group: HJT Team Coach Posts: 11,729 Joined: 5-April 06 From: Planet Texas! Member No.: 62,846	Hello, Well I see why you were still having problems. On top of everything else you had a rootkit. How is it running now please? The ComboFix report shows you have 2 AntiVirus programs running, but I don't see the Nod32 in the HijackThis log. Did you disable it, or...........? tea -------------------- Please make a donation so I can keep helping people just like you. Every little bit helps! :) You can even use your credit card! Thank you! Error reading poptart in Drive A: Delete kids y/n? PopTartFixIt2 ============= POPTART ================ Poptart successfully found and removed. ================ KIDS ================ Kid ... Maxwell O'Neal deleted successfully. Kid ... Billy O'Neal deleted successfully. ========== FINISHED! TERMINATE! ========== Tool by Billy3

Scheme2009 View Member Profile	Jan 24 2009, 05:02 PM Post #9
New Member Group: Members Posts: 5 Joined: 9-January 09 Member No.: 280,511	i havent heard any beeps or anything.. whats a rootkit? And iwas puzzled by the msg about 2 antiviruses things as well.. as NOD32 wasnt open in any of my processes... toolbars.. etc.... AVG was open and i closed it.. i think i may be good now... everything else looks nice?

teacup61 View Member Profile	Jan 24 2009, 05:23 PM Post #10
Bleepin' Texan! Group: HJT Team Coach Posts: 11,729 Joined: 5-April 06 From: Planet Texas! Member No.: 62,846	Hi, A rootkit is an infection that installs with stealth, which means it's hard to see, and usually hard to deal with manually. It wreaks havoc, brings friends to play ( ), and causes general misery for the user (you). Some are worse than others, and this was a pretty nasty one. Looks like it had been partially dealt with already, probably by your AntiVirus. Some cleanup to do now....... Your Java is way out of date, which leaves your computer vulnerable. Updating Java Download the latest version of Java Runtime Environment (JRE) 6_u_11. Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". Click the "Download" button to the right. Check the box that says: "Accept License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version. Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer. Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. As far as the messages go for the AntiVirus (s), just be sure to only run one at a time. Less is more in this case. Post back, please, and let me know how all that went. Thanks, tea -------------------- Please make a donation so I can keep helping people just like you. Every little bit helps! :) You can even use your credit card! Thank you! Error reading poptart in Drive A: Delete kids y/n? PopTartFixIt2 ============= POPTART ================ Poptart successfully found and removed. ================ KIDS ================ Kid ... Maxwell O'Neal deleted successfully. Kid ... Billy O'Neal deleted successfully. ========== FINISHED! TERMINATE! ========== Tool by Billy3

teacup61 View Member Profile	Feb 7 2009, 11:11 AM Post #11
Bleepin' Texan! Group: HJT Team Coach Posts: 11,729 Joined: 5-April 06 From: Planet Texas! Member No.: 62,846	Since this issue appears resolved ... this Topic is closed. If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic. -------------------- Please make a donation so I can keep helping people just like you. Every little bit helps! :) You can even use your credit card! Thank you! Error reading poptart in Drive A: Delete kids y/n? PopTartFixIt2 ============= POPTART ================ Poptart successfully found and removed. ================ KIDS ================ Kid ... Maxwell O'Neal deleted successfully. Kid ... Billy O'Neal deleted successfully. ========== FINISHED! TERMINATE! ========== Tool by Billy3

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List \| Virus Removal Guides
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides Archive