
Virtumonde/constant Website Popups


This topic is locked. 18 replies to this topic.

#1 CalebsMommy16

Posted 10 January 2008 - 05:11 PM

Hello, I'm new to the board so I hope I'm doing this right. I just recently moved and when I did I guess my McAfee Security expired and I wasn't running the Windows Firewall when I got the internet re-connected on my comp, and within 20 minutes of being on the web, I believe I got infected. When I get on the computer, it takes a while to let me actually get on the internet, and when I do, the second I type in what site I want to go to, another website pops up along with the original site I typed in. It takes a while for me to be able to X out of the unwanted site, and then it's so slow. I looked at some of your other forums and saw the Autoruns thing and I did that, but it only lets me delete the bad .dll's and stuff off that list; when I try to delete them in a search it just tells me I don't have permission to do so? I have SpyBot on here and it gave me a list of all the stuff I had wrong when I did a scan, but even then it starts right back up again. Any help at all would be so greatly appreciated. Thanks!!

I know that off the top of my head some of the .dll's that kept showing up were :

ddccd.dll
vtuuvsq.dll

Here's my log, no clue what it means:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:25 PM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Cox\Applications\app\Console.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...p://www.cox.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [petknstm] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\petknstm.dll"
O4 - HKLM\..\Run: [ESP] c:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [IPPDetect] C:\PROGRA~1\NewSoft\PRESTO~1.PHO\MrPhoto3\MrPhoto3\IPP4Detect.exe
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Owner\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8266] cmd /c del "C:\Documents and Settings\All Users\Application Data\petknstm.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: DW_Start.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\DWahcIn.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/P...rs.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/S...ia.1.0.0.46.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 5177 bytes

#2 jpshortstuff (WhatTheTech Teacher)

Posted 21 January 2008 - 02:52 PM

Hi, and Welcome to Bleeping Computer :thumbsup:

My name is jpshortstuff. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
As I am still training here, my posts to you will be checked by an Expert member. This will ensure that all advice and instructions I give you are accurate and safe. This may mean that my replies may take a little longer.


Sorry about the delay in responding :wacko:

If you still need help:

Show all hidden files:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Please do not delete anything unless instructed to.

Next, rename HijackThis.exe to scanner.exe.
Scan again with HijackThis, and "copy/paste" a new log file into this thread.

Then I will analyze your log and sort out a fix for you :blink:

I need to see another log from HijackThis.
  • Run Hijackthis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button.
  • Save the file to your desktop, with the default name of uninstall_list
  • Copy & Paste the entire contents of that file in your next post.
Also please describe how your computer behaves at the moment.


jpshortstuff
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#3 CalebsMommy16 (Topic Starter)

Posted 23 January 2008 - 03:55 PM

Hello,
Thanks for replying! Unfortunately, since the last time I posted now my computer is saying it's too low on virtual memory to even let me do anything. The only way I can sign online is to have the computer in safe mode. Can I do the steps you told me in safe mode? When I try to increase the paging size like the help topic says, the computer freezes up. It's a mess! Thanks in advance for any advice.

#4 jpshortstuff

Posted 23 January 2008 - 03:56 PM

Yes, post a new HijackThis log in safe mode if you can, then we'll see what we can do.

#5 CalebsMommy16 (Topic Starter)

Posted 23 January 2008 - 06:32 PM

Here is the log from when I renamed it as scanner.exe (I hope I did it right)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:28:11 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...p://www.cox.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {017CB7BB-4A16-4861-B409-EADB2F15632B} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0E607160-6B2B-45AB-93F6-3709BBCCD482} - (no file)
O2 - BHO: (no name) - {106F50E2-DDC1-47F2-A475-54C5095E515D} - (no file)
O2 - BHO: (no name) - {16019672-C277-4EF7-BC8F-448CDB6E9621} - (no file)
O2 - BHO: (no name) - {1D553BDC-FA90-45EF-B979-DC0B5C7AA948} - (no file)
O2 - BHO: (no name) - {2DBF69F9-6CD6-44E9-9A28-01F172A7A3AA} - (no file)
O2 - BHO: (no name) - {304DAF0D-5BB8-423A-911C-C14BAABE7AA3} - (no file)
O2 - BHO: (no name) - {3057B232-7FFC-4123-80B9-8CC3B958D1A0} - (no file)
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: (no name) - {4812B03A-B50B-4FEE-B594-963E5BD6F3DF} - (no file)
O2 - BHO: (no name) - {4995AA53-9A0C-4559-A21E-1D4327AA268B} - (no file)
O2 - BHO: (no name) - {4FA41F6A-B38A-4FD9-A498-F97CC7033C83} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53D423FD-AEAC-4686-BFD2-C3967A21683B} - (no file)
O2 - BHO: SpruceBHO Class - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: (no name) - {5BBA49BD-2009-4FC7-BDF0-FE6D14E2087D} - (no file)
O2 - BHO: (no name) - {6237FB94-790C-408B-B8CB-D6A93FFC7689} - (no file)
O2 - BHO: (no name) - {62780D18-D103-03D3-323A-01F43008B839} - C:\Program Files\Txzvqjjf\uiqhsehh.dll
O2 - BHO: (no name) - {6351220f-ea77-4a28-b8be-bbf4ff21fecc} - C:\WINDOWS\system32\bailxcu.dll (file missing)
O2 - BHO: (no name) - {6458E862-DE89-47A9-BDC1-CDA15680F41D} - (no file)
O2 - BHO: (no name) - {65ADEA75-F6D3-4704-9013-0F9850E9270B} - (no file)
O2 - BHO: (no name) - {68469B49-16FE-4F7C-9CBD-19C6619DBA6A} - (no file)
O2 - BHO: (no name) - {69EBCA86-4CF0-41AA-9544-B482DB2E4E70} - (no file)
O2 - BHO: (no name) - {6FF4306B-5EAA-4BB4-87A3-3DA35E2E42FA} - (no file)
O2 - BHO: (no name) - {70E90DA4-87B7-4C78-8C1E-180D7BFE2EAC} - (no file)
O2 - BHO: (no name) - {720D3D42-3C25-4C6E-84EB-CBFC7D99CDEC} - (no file)
O2 - BHO: (no name) - {74C7C7AA-512D-4AA2-8BC4-3A30A097E115} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {776CE987-909A-4B8B-911E-912F7091750F} - (no file)
O2 - BHO: (no name) - {7EB364BF-F503-4008-85DF-382D8F0F904A} - (no file)
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\vtuuvsq.dll
O2 - BHO: (no name) - {92E73A66-51A6-46C3-8E82-472230170E5D} - C:\WINDOWS\system32\ddccd.dll
O2 - BHO: (no name) - {93135F79-56F9-4794-9D70-2312D9DE8350} - (no file)
O2 - BHO: (no name) - {9A5D6084-F854-4BC7-8D0D-612229785FD6} - (no file)
O2 - BHO: (no name) - {A1894CE6-4060-4494-A95C-081D96150186} - (no file)
O2 - BHO: (no name) - {A21DC250-C7D4-4FDC-A84B-D2582B716DAE} - (no file)
O2 - BHO: (no name) - {A8D615B2-CBE3-4A55-B8CA-07FBFFA49AA6} - (no file)
O2 - BHO: (no name) - {B8DB4219-D22E-4B21-BDB2-37644AFAB3FC} - (no file)
O2 - BHO: (no name) - {BE265F3F-4551-4EEF-9A47-038F7D1E8F78} - (no file)
O2 - BHO: (no name) - {C4FB427E-8F16-4A01-9562-A141D9D7E443} - (no file)
O2 - BHO: (no name) - {CADFC52A-E414-406A-9773-E6278EAFC44B} - (no file)
O2 - BHO: (no name) - {D304683B-7D08-4D57-8515-DE301BCA3909} - (no file)
O2 - BHO: (no name) - {D731CD94-5195-4DC8-BE53-88DAB44CED87} - (no file)
O2 - BHO: (no name) - {D82F524B-9626-4E8A-A00F-020F106BF1EB} - (no file)
O2 - BHO: (no name) - {E9DA7947-5742-497D-AE1F-F318E6D9AF24} - (no file)
O2 - BHO: (no name) - {F3C70956-84A7-49E1-921A-6B6D51C08C4C} - (no file)
O2 - BHO: (no name) - {F5144462-97F3-4A36-8C95-BFDF241B04D5} - (no file)
O2 - BHO: (no name) - {F6791ED0-BC4E-4B9F-A947-2D253DBE71CF} - (no file)
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [petknstm] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\petknstm.dll"
O4 - HKLM\..\Run: [ESP] c:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [IPPDetect] C:\PROGRA~1\NewSoft\PRESTO~1.PHO\MrPhoto3\MrPhoto3\IPP4Detect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: DW_Start.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\DWahcIn.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/P...rs.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/S...ia.1.0.0.46.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: vtuuvsq - C:\WINDOWS\SYSTEM32\vtuuvsq.dll
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 8777 bytes

I'm still running in safe mode so I'm not sure how it would act if I wasn't in safe mode. Every time I try to get on the computer and it's not in safe mode it takes forever to start up, and then when I finally get to the point where I might be able to get online, the message that I'm out of virtual memory comes up! :thumbsup:

I wasn't sure from your post if I was supposed to do two HijackThis logs or one, so for now I'm just putting the one. If you need more, please let me know. Thanks so much!
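
The log in post #5 is the classic Virtumonde/Vundo picture: "(no name)" BHOs pointing at system32 DLLs with generated names, the same DLL registered as a Winlogon Notify package (so it loads into winlogon.exe as SYSTEM and survives Safe Mode), a Run entry that abuses `regsvr32 /u` to execute a DLL from the Application Data root, and a Startup shortcut launching from Temp. The Python below is an added example, not code from the original posts or from HijackThis; it encodes those structural signals as triage rules and runs them over sample lines copied from the post #5 log. The Winlogon Notify baseline, the vowel-ratio thresholds and the severity labels are assumptions; note that the name-randomness check is deliberately only corroborating, because on its own it would also flag vendor names such as igfxtray and ctfmon.

```python
"""Triage rules for HijackThis (HJT) log lines. Added example; assumptions are marked."""
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the post #5 log, plus two benign Run entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0E607160-6B2B-45AB-93F6-3709BBCCD482} - (no file)
O2 - BHO: (no name) - {62780D18-D103-03D3-323A-01F43008B839} - C:\Program Files\Txzvqjjf\uiqhsehh.dll
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\vtuuvsq.dll
O2 - BHO: (no name) - {92E73A66-51A6-46C3-8E82-472230170E5D} - C:\WINDOWS\system32\ddccd.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [petknstm] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\petknstm.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: DW_Start.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\DWahcIn.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: vtuuvsq - C:\WINDOWS\SYSTEM32\vtuuvsq.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Assumed baseline: Winlogon\Notify subkeys present on a stock Windows XP SP2 install.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# First drive-letter path to a loadable module on the line (quotes excluded so paths with spaces work).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]+?\.(?:dll|exe|ocx)\b', re.IGNORECASE)


def first_path(line):
    """Module path named on the line, or None for '(no file)' style entries."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def looks_generated(stem):
    """Weak signal for machine-generated names (vtuuvsq, ddccd, petknstm):
    short, all-lowercase letters, vowel-starved, with a consonant run of 3+.
    Thresholds are assumptions. Vendor names like igfxtray also match, so this
    is only ever used to corroborate a structural finding, never on its own."""
    if not (5 <= len(stem) <= 8 and stem.isalpha() and stem.islower()):
        return False
    vowel_fraction = sum(ch in "aeiou" for ch in stem) / len(stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return longest_run >= 3 and vowel_fraction <= 0.3


def triage_line(line):
    """Return (severity, reasons) for one HJT line.
    'suspicious' = live loading point worth investigating, 'cleanup' = orphaned
    registration, None = no rule fired."""
    if line.startswith("O2 - BHO:") and "(no file)" in line:
        return "cleanup", ["orphaned BHO registration: CLSID remains but the DLL is gone"]
    reasons = []
    path = first_path(line)
    stem = PureWindowsPath(path).stem.lower() if path else None
    if line.startswith("O2 - BHO: (no name)") and path:
        reasons.append("BHO with no registered name is loaded into every Internet Explorer process")
    if line.startswith("O20 - Winlogon Notify:") and stem not in KNOWN_WINLOGON_NOTIFY:
        reasons.append("non-baseline Winlogon Notify DLL is loaded by winlogon.exe as SYSTEM, even in Safe Mode")
    if line.startswith("O20 - AppInit_DLLs:"):
        reasons.append("AppInit_DLLs entry is injected into every process that loads user32.dll; confirm the vendor")
    if re.search(r"\bregsvr32(?:\.exe)?\s+/u\b", line, re.IGNORECASE):
        reasons.append("Run entry uses regsvr32 /u: DllUnregisterServer still runs the DLL's code at every logon")
    if path and re.search(r"\\Temp\\", path, re.IGNORECASE):
        reasons.append("autostart target lives in a Temp directory")
    if path and re.search(r"\\Application Data\\[^\\]+\.(?:dll|exe)$", path, re.IGNORECASE):
        reasons.append("module sits directly in the Application Data root with no vendor folder")
    if reasons and stem and looks_generated(stem):
        reasons.append(f"module name '{stem}' looks machine-generated")
    return ("suspicious", reasons) if reasons else (None, [])


def triage(log_text):
    """Run triage_line over a whole log; returns (severity, line, reasons) for lines with a finding."""
    findings = []
    for line in log_text.strip().splitlines():
        severity, reasons = triage_line(line)
        if severity:
            findings.append((severity, line, reasons))
    return findings


if __name__ == "__main__":
    for severity, line, reasons in triage(SAMPLE_LOG):
        print(f"[{severity}] {line}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run as-is it prints eight findings: the four live "(no name)" BHOs, the regsvr32 Run entry, the Temp startup shortcut, the Winlogon Notify package and the AppInit_DLLs entry (guard32.dll is COMODO's, which is why that rule says "confirm the vendor" rather than condemning it), plus one orphaned CLSID marked for cleanup. The IgfxTray, ctfmon and LexBce lines produce nothing, which is the point of gating the name heuristic behind a structural rule.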

#6 jpshortstuff

Posted 24 January 2008 - 10:44 AM

Hi

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.



Download ComboFix by sUBs from here or here

**Save it to your desktop**

Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please save that log to post in your next reply along with a fresh HJT log

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


You can do these two steps in safe mode if you have to, but after running ComboFix please try to get into normal mode and let me know if its any better.

Thanks,

jpshortstuff

#7 CalebsMommy16 (Topic Starter)

Posted 24 January 2008 - 01:37 PM

So, I do not know much about these logs at all but I have a gut feeling this ComboFix log is a doozy...haha.

Here's the ComboFix log:

ComboFix 08-01-23.2 - Owner 2008-01-24 9:28:40.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.106 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\Common Files\scurit~1
C:\Program Files\Common Files\scurit~1\s?stem32\
C:\Program Files\Spruce
C:\Program Files\Spruce\Spruce.dll
C:\Program Files\Spruce\Spruce.dll.intermediate.manifest
C:\Program Files\Spruce\Spruce.exe
C:\Program Files\Spruce\Spruce.info
C:\Program Files\Spruce\Spruce.original
C:\Program Files\Spruce\Spruce.update
C:\Program Files\Spruce\SpruceRg.dll
C:\Program Files\Spruce\un_SpruceSetup_17737.exe
C:\Program Files\Spruce\un_SpruceSetup_17737.txt
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\Spruce\X_Spruce.log
C:\Program Files\Txzvqjjf
C:\Program Files\Txzvqjjf\uiqhsehh.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aiumxjsb.ini
C:\WINDOWS\system32\aphhtjld.dll
C:\WINDOWS\system32\augboany.ini
C:\WINDOWS\system32\bcfgmfqi.dll
C:\WINDOWS\system32\bhkgenos.ini
C:\WINDOWS\system32\bjsqhcpr.dll
C:\WINDOWS\system32\brolaifs.dll
C:\WINDOWS\system32\bsaksqam.dll
C:\WINDOWS\system32\bsjxmuia.dll
C:\WINDOWS\system32\cakjtsxa.dll
C:\WINDOWS\system32\cjuxblrj.dll
C:\WINDOWS\system32\cqkfpgmu.dll
C:\WINDOWS\system32\csevgkkq.dll
C:\WINDOWS\system32\cyjonbwp.ini
C:\WINDOWS\system32\daSgo02
C:\WINDOWS\system32\daSgo02\daSgo021099.exe
C:\WINDOWS\system32\dccdd.ini
C:\WINDOWS\system32\dccdd.ini2
C:\WINDOWS\system32\ddcabbb.dll
C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\dhdxycmf.dll
C:\WINDOWS\system32\dhlidhss.dll
C:\WINDOWS\system32\dindpgnt.dll
C:\WINDOWS\system32\dlwhyypj.dll
C:\WINDOWS\system32\dosnxwqr.dll
C:\WINDOWS\system32\dptcbpsl.dll
C:\WINDOWS\system32\drvnezr.dll
C:\WINDOWS\system32\ebfxalea.dll
C:\WINDOWS\system32\edhnllmj.dll
C:\WINDOWS\system32\faicllle.dll
C:\WINDOWS\system32\foindosy.dll
C:\WINDOWS\system32\fvitifpq.ini
C:\WINDOWS\system32\gicewrfy.dll
C:\WINDOWS\system32\gpavolty.ini
C:\WINDOWS\system32\grdefeeh.ini
C:\WINDOWS\system32\gwkxnnci.dll
C:\WINDOWS\system32\heefedrg.dll
C:\WINDOWS\system32\hggghff.dll
C:\WINDOWS\system32\hhjesnjh.dll
C:\WINDOWS\system32\hwmdwknb.dll
C:\WINDOWS\system32\iagbdjfw.ini
C:\WINDOWS\system32\icbuougy.dll
C:\WINDOWS\system32\iexnpuql.dll
C:\WINDOWS\system32\ipicndhn.dll
C:\WINDOWS\system32\jmavvevb.dll
C:\WINDOWS\system32\jmweayoa.dll
C:\WINDOWS\system32\jrlbxujc.ini
C:\WINDOWS\system32\kdsywxet.dll
C:\WINDOWS\system32\kdtwuebw.dll
C:\WINDOWS\system32\klbcnvgn.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\lfgdplli.dll
C:\WINDOWS\system32\lhsfjdkm.ini
C:\WINDOWS\system32\lnsadcep.dll
C:\WINDOWS\system32\lspbctpd.ini
C:\WINDOWS\system32\lypivyud.dll
C:\WINDOWS\system32\mcpcixql.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mjlbrqqo.dll
C:\WINDOWS\system32\mkdjfshl.dll
C:\WINDOWS\system32\mllbltoo.ini
C:\WINDOWS\system32\mnbxmmrw.dll
C:\WINDOWS\system32\nabicjfy.dll
C:\WINDOWS\system32\nuiebrbl.dll
C:\WINDOWS\system32\nwdarfft.dll
C:\WINDOWS\system32\nwmfirjh.dll
C:\WINDOWS\system32\oaxdomhk.dll
C:\WINDOWS\system32\oehuddoo.dll
C:\WINDOWS\system32\oiwcnswr.dll
C:\WINDOWS\system32\oodduheo.ini
C:\WINDOWS\system32\ootlbllm.dll
C:\WINDOWS\system32\oqqrbljm.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\poenrowe.dll
C:\WINDOWS\system32\pudnyjvy.dll
C:\WINDOWS\system32\pvbchclq.dll
C:\WINDOWS\system32\pwbnojyc.dll
C:\WINDOWS\system32\qkkgvesc.ini
C:\WINDOWS\system32\qkkynppe.dll
C:\WINDOWS\system32\qpfitivf.dll
C:\WINDOWS\system32\quigdfjp.dll
C:\WINDOWS\system32\qwtcixmg.dll
C:\WINDOWS\system32\redgdbxu.dll
C:\WINDOWS\system32\rwsncwio.ini
C:\WINDOWS\system32\rxumnkza.dllbox
C:\WINDOWS\system32\sbdphpiy.dll
C:\WINDOWS\system32\sboydfgv.dll
C:\WINDOWS\system32\sjtxpgvq.dll
C:\WINDOWS\system32\sonegkhb.dll
C:\WINDOWS\system32\texwysdk.ini
C:\WINDOWS\system32\tngpdnid.ini
C:\WINDOWS\system32\tqtscxjh.dll
C:\WINDOWS\system32\txdiuhee.dll
C:\WINDOWS\system32\ujsfkxkw.dll
C:\WINDOWS\system32\uogqamxf.dll
C:\WINDOWS\system32\uqeomtns.dll
C:\WINDOWS\system32\vanftblr.dll
C:\WINDOWS\system32\vcgtxvoa.dll
C:\WINDOWS\system32\vmqfotps.dll
C:\WINDOWS\system32\vtuuvsq.dll
C:\WINDOWS\system32\wfjdbgai.dll
C:\WINDOWS\system32\whwlvxet.dll
C:\WINDOWS\system32\wkxkfsju.ini
C:\WINDOWS\system32\wpvkymco.dll
C:\WINDOWS\system32\wvfmfhtk.dll
C:\WINDOWS\system32\yfrwecig.ini
C:\WINDOWS\system32\yiphpdbs.ini
C:\WINDOWS\system32\ykqreiwk.exe
C:\WINDOWS\system32\ynaobgua.dll
C:\WINDOWS\system32\ysivekpd.dll
C:\WINDOWS\system32\ysrijwpt.dll
C:\WINDOWS\system32\ytlovapg.dll
C:\WINDOWS\system32\yvjyndup.ini
C:\WINDOWS\system32\ywydttet.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-24 09:22 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-19 08:21 . 2008-01-19 08:21 1,073,292 ---hs---- C:\WINDOWS\system32\myxafxxk.ini
2008-01-18 20:19 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-18 20:09 . 2008-01-18 20:19 <DIR> d-------- C:\Program Files\Java
2008-01-18 20:08 . 2008-01-18 20:08 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-10 20:10 . 2008-01-20 19:23 15,574 --a------ C:\WINDOWS\BM9bf72261.xml
2008-01-10 20:10 . 2008-01-22 09:48 21 --a------ C:\WINDOWS\pskt.ini
2008-01-10 13:56 . 2008-01-10 13:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-10 13:39 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-09 14:26 . 2008-01-09 14:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-03 16:25 . 2008-01-03 16:25 <DIR> d-------- C:\Program Files\Microsoft Games
2007-12-31 10:06 . 2004-08-04 02:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-31 10:06 . 2004-08-04 00:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-12-31 10:06 . 2004-08-04 00:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-12-31 10:06 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-12-31 09:46 . 2007-12-31 09:50 <DIR> d-------- C:\WINDOWS\system32\ipp20
2007-12-31 09:46 . 2001-08-23 18:58 1,589,248 --a------ C:\WINDOWS\system32\ippsw711.dll
2007-12-31 09:46 . 2001-08-23 18:58 266,240 --a------ C:\WINDOWS\system32\ippsrw711.dll
2007-12-31 09:46 . 2001-08-23 18:58 159,744 --a------ C:\WINDOWS\system32\ippjw711.dll
2007-12-31 09:45 . 2001-08-23 18:58 2,592,768 --a------ C:\WINDOWS\system32\ippiw711.dll
2007-12-31 09:45 . 2001-08-23 18:58 466,944 --a------ C:\WINDOWS\system32\ippcvw711.dll
2007-12-31 09:45 . 2001-08-23 18:58 94,208 --a------ C:\WINDOWS\system32\ippcv11.dll
2007-12-31 09:45 . 2001-08-23 18:58 77,824 --a------ C:\WINDOWS\system32\ippsr11.dll
2007-12-31 09:44 . 2001-08-23 18:58 225,280 --a------ C:\WINDOWS\system32\ippi11.dll
2007-12-31 09:44 . 2001-08-23 18:58 176,128 --a------ C:\WINDOWS\system32\ipps11.dll
2007-12-31 09:44 . 2007-12-31 09:46 151,566 --a------ C:\WINDOWS\system32\UninstIPP.isu
2007-12-31 09:44 . 2001-08-23 18:58 65,536 --a------ C:\WINDOWS\system32\ippj11.dll
2007-12-31 09:44 . 2001-03-10 17:56 40,960 --a------ C:\WINDOWS\system32\IPPCPUID.DLL
2007-12-31 09:39 . 1998-06-17 00:00 385,100 --------- C:\WINDOWS\system32\MSVCRTD.DLL
2007-12-31 09:23 . 2007-12-31 09:23 <DIR> d-------- C:\Program Files\NewSoft
2007-12-31 09:22 . 2007-12-31 09:23 <DIR> d-------- C:\Program Files\Common Files\NewSoft
2007-12-30 18:39 . 2007-12-30 18:39 1,031,139 ---hs---- C:\WINDOWS\system32\ptbqsfch.ini
2007-12-29 18:37 . 2007-12-29 18:37 1,031,139 ---hs---- C:\WINDOWS\system32\bkbfqhqo.ini
2007-12-28 18:36 . 2007-12-28 18:36 1,031,139 ---hs---- C:\WINDOWS\system32\uokwihfg.ini
2007-12-28 09:40 . 2007-12-28 11:18 <DIR> d-------- C:\Program Files\Oberon Media
2007-12-28 07:56 . 2007-12-28 07:56 1,031,139 ---hs---- C:\WINDOWS\system32\pbpdcvgv.ini
2007-12-26 18:33 . 2007-12-26 18:33 1,027,522 ---hs---- C:\WINDOWS\system32\llqgvwlr.ini
2007-12-25 18:34 . 2007-12-25 18:34 1,018,562 ---hs---- C:\WINDOWS\system32\jgydwaqd.ini
2007-12-24 18:32 . 2007-12-24 18:33 294 ---hs---- C:\WINDOWS\system32\euudodfy.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 00:48 --------- d-----w C:\Program Files\FL Studio Creative Edition
2007-12-31 17:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-18 21:56 81,272 ----a-w C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-18 21:56 23,672 ----a-w C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-18 21:56 --------- d-----w C:\Program Files\COMODO
2007-12-15 19:04 --------- d-----w C:\Program Files\QuickTime
2007-12-14 23:57 --------- d-----w C:\Program Files\razuxupa
2007-12-13 03:12 --------- d-----w C:\Program Files\Ulead Systems
2007-12-13 03:09 --------- d-----w C:\Program Files\MySpace
2007-12-04 01:14 --------- d-----w C:\Program Files\PokerStars.NET
2007-12-02 11:04 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-02 01:48 --------- d-----w C:\Program Files\Common Files\RuleSpace
2007-12-02 01:47 --------- d-----w C:\Program Files\Common Files\Aluria
2007-12-02 01:27 --------- d-----w C:\Program Files\Common Files\Authentium Shared
2007-12-02 00:38 --------- d-----w C:\Program Files\Electronic Arts
2007-12-01 00:12 --------- d-----w C:\Program Files\Common Files\Authentium
2007-12-01 00:05 --------- d-----w C:\Program Files\Cox
2005-07-30 00:24 472 --sha-r C:\WINDOWS\S3J5c3RsZSBBcm1zdHJvbmc\maLcwalPtm11wAYWxJLSvAw.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6351220f-ea77-4a28-b8be-bbf4ff21fecc}]
C:\WINDOWS\system32\bailxcu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-02 10:37 155648]
"ESP"="c:\Program Files\Cox\Applications\app\start.exe" [2007-05-09 13:40 62952]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2007-12-18 13:56 1481472]
"IPPDetect"="C:\PROGRA~1\NewSoft\PRESTO~1.PHO\MrPhoto3\MrPhoto3\IPP4Detect.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
winkku32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-01-19 08:06 110592 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe


*Newly Created Service* - DCFS2K
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 10:16:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\guard32.dll
.


And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35, on 2008-01-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...p://www.cox.net
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6351220f-ea77-4a28-b8be-bbf4ff21fecc} - C:\WINDOWS\system32\bailxcu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ESP] c:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [IPPDetect] C:\PROGRA~1\NewSoft\PRESTO~1.PHO\MrPhoto3\MrPhoto3\IPP4Detect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/P...rs.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/S...ia.1.0.0.46.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 4945 bytes


I tried to get on without safe mode and it was still a little slow. Also, I noticed a folder that had a zipper on it that said "catchme". No clue what that's about.

Thank you so much again for all your help. I look forward to what I have to do next!

#8 jpshortstuff

    WhatTheTech Teacher

  • Members
  • 660 posts
  • Gender: Male
  • Location: UK

Posted 25 January 2008 - 09:25 AM

Hi

You don't appear to be running any Anti-Virus software.

Install Anti-Virus software! Without any anti-virus software, your computer is wide open to infection. If you don't have any Anti-Virus software, I strongly recommend you download Avast! or AVG Free.


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\bailxcu.dll
C:\WINDOWS\system32\winkku32.dll
C:\WINDOWS\system32\myxafxxk.ini
C:\WINDOWS\BM9bf72261.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ptbqsfch.ini
C:\WINDOWS\system32\bkbfqhqo.ini
C:\WINDOWS\system32\uokwihfg.ini
C:\WINDOWS\system32\pbpdcvgv.ini
C:\WINDOWS\system32\llqgvwlr.ini
C:\WINDOWS\system32\jgydwaqd.ini
C:\WINDOWS\system32\euudodfy.ini
C:\WINDOWS\S3J5c3RsZSBBcm1zdHJvbmc\maLcwalPtm11wAYWxJLSvAw.vbs

DirLook::
C:\Program Files\razuxupa

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6351220f-ea77-4a28-b8be-bbf4ff21fecc}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation not reproduced: CFScript.txt being dragged onto ComboFix.exe]

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt

Please do an online scan with Kaspersky WebScanner

Follow this link in Internet Explorer (Note: You must use Internet Explorer to use Kaspersky): Kaspersky WebScanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    o Scan Options: Scan Archives, Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
    Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    o Now click on the Save as Text button:
  • Save the file to your desktop.
Please post the results of the Kaspersky scan in your next reply, along with a fresh HijackThis log.

Thanks,

jpshortstuff
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.
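The items the CFScript above removes were all readable off the ComboFix and HijackThis logs in the previous post: a BHO with no name whose DLL has a pseudorandom name, a third-party Winlogon Notify DLL, ~1 MB .ini files and a .vbs carrying hidden+system attributes under C:\WINDOWS, and a pseudorandom directory under Program Files. The script below is an added example by the editor, not a tool used in this thread: it runs those checks over log lines. The heuristics (the 7-8 lowercase-letter "random stem" rule, the severity levels) are the editor's own assumptions, and SAMPLE_LOG is a constructed excerpt of the logs posted above.

```python
"""Triage HijackThis / ComboFix log lines for Virtumonde-style load points.
Added example by the editor (not a tool from this thread); the heuristics are
the editor's own and SAMPLE_LOG is a constructed excerpt of the logs above."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "level path reason")

# 7-8 lowercase letters, no digits: bailxcu.dll, ptbqsfch.ini, razuxupa
RANDOM_STEM = re.compile(r"^[a-z]{7,8}$")
# HijackThis: O2 - BHO: <name> - {CLSID} - <path>
HJT_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
# HijackThis: O20 - AppInit_DLLs: <dll> | O20 - Winlogon Notify: <name> - <path>
HJT_O20 = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.*)$")
# ComboFix "Files Created": ctime . mtime size 9-char-attrs path
CF_CREATED = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
                        r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S{9})\s+(?P<path>.+)$")
# ComboFix "Find3M": mtime size-or-dashes 7-char-attrs path
CF_FIND3M = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?P<size>-{9}|[\d,]+)\s+"
                       r"(?P<attrs>\S{7})\s+(?P<path>.+)$")
# ComboFix registry dump: "[key]" then its value lines up to the next blank line
CF_KEY = re.compile(r"^\[(?P<key>HK.*)\]$")

def _name(path):
    """Last component of a Windows path ('' if it ends in a backslash)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def _random_stem(path):
    """True when the file or directory name looks machine-generated."""
    return bool(RANDOM_STEM.match(_name(path).rsplit(".", 1)[0]))

def triage(lines):
    """Return Findings with level 'high' or 'review' for suspicious lines."""
    findings, key = [], None  # key: registry key whose values we are reading
    for raw in lines:
        line = raw.strip()
        if not line:
            key = None
            continue
        m = CF_KEY.match(line)
        if m:
            key = m.group("key").lower()
            continue
        if key is not None:  # a value line under a ComboFix registry key
            if "browser helper objects" in key:
                level = "high" if _random_stem(line) else "review"
                findings.append(Finding(level, line, "BHO loads into every IE process"))
            elif "winlogon\\notify" in key:
                level = "high" if _random_stem(line) else "review"
                findings.append(Finding(level, line, "Winlogon Notify DLL runs inside winlogon.exe"))
            continue
        m = HJT_BHO.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if name == "(no name)" or "(file missing)" in path:
                findings.append(Finding("high", path, "unnamed or file-missing BHO"))
            elif _random_stem(path):
                findings.append(Finding("review", path, "BHO with pseudorandom file name"))
            continue
        m = HJT_O20.match(line)
        if m:
            kind, rest = m.group("kind"), m.group("rest")
            level = "high" if _random_stem(rest) else "review"
            findings.append(Finding(level, rest, kind + " entry is loaded by system processes"))
            continue
        m = CF_CREATED.match(line) or CF_FIND3M.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            is_dir = attrs.startswith("d")
            if not is_dir and "h" in attrs and "s" in attrs:
                # the ~1 MB .ini blobs and the dropped .vbs carry hidden+system attributes
                findings.append(Finding("high", path, "hidden+system file (" + attrs + ")"))
            elif is_dir and path.lower().startswith("c:\\program files\\") and _random_stem(path):
                findings.append(Finding("review", path, "pseudorandom directory under Program Files"))
    return findings

# Constructed excerpt of the ComboFix and HijackThis logs posted in this thread.
SAMPLE_LOG = [
    r"2007-12-30 18:39 . 2007-12-30 18:39 1,031,139 ---hs---- C:\WINDOWS\system32\ptbqsfch.ini",
    r"2007-12-28 09:40 . 2007-12-28 11:18 <DIR> d-------- C:\Program Files\Oberon Media",
    r"2007-12-18 21:56 81,272 ----a-w C:\WINDOWS\system32\drivers\cmdGuard.sys",
    r"2007-12-14 23:57 --------- d-----w C:\Program Files\razuxupa",
    r"2005-07-30 00:24 472 --sha-r C:\WINDOWS\S3J5c3RsZSBBcm1zdHJvbmc\maLcwalPtm11wAYWxJLSvAw.vbs",
    "",
    r"[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6351220f-ea77-4a28-b8be-bbf4ff21fecc}]",
    r"C:\WINDOWS\system32\bailxcu.dll",
    "",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]",
    "winkku32.dll",
    "",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O2 - BHO: (no name) - {6351220f-ea77-4a28-b8be-bbf4ff21fecc} - C:\WINDOWS\system32\bailxcu.dll (file missing)",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll",
    "O20 - Winlogon Notify: AutorunsDisabled - C:\\WINDOWS\\",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s: %s" % f)
```

The random-name rule on its own is noisy (cmdGuard.sys in the same log also has an 8-letter stem), so it only raises severity when paired with another signal: a hidden+system attribute set, an unnamed or file-missing BHO, or a load point such as Winlogon Notify or AppInit_DLLs that runs code inside winlogon.exe or every user process. On the sample, the four "high" findings are exactly the bailxcu.dll BHO, the hidden .ini and the .vbs that the CFScript lists; guard32.dll (COMODO's) and winkku32.dll come out as "review", which is the right outcome for third-party DLLs in those load points: confirm the publisher before deciding.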

#9 CalebsMommy16

  • Topic Starter
  • Members
  • 8 posts

Posted 25 January 2008 - 04:38 PM

Hello. I have an anti-virus program that comes with my cable internet. Or so I thought. It's called Cox Security Suite and it's supposed to have anti-virus and anti-spyware, but I don't know what's going on with it. When I tried to download that anti-virus software from the website it wouldn't let me or something. I'm not sure. I'll try again in a little while. Anyways...

Here is the ComboFix log:

ComboFix 08-01-23.2 - Owner 2008-01-25 11:54:04.3 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.120 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\BM9bf72261.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\S3J5c3RsZSBBcm1zdHJvbmc\maLcwalPtm11wAYWxJLSvAw.vbs
C:\WINDOWS\system32\bailxcu.dll
C:\WINDOWS\system32\bkbfqhqo.ini
C:\WINDOWS\system32\euudodfy.ini
C:\WINDOWS\system32\jgydwaqd.ini
C:\WINDOWS\system32\llqgvwlr.ini
C:\WINDOWS\system32\myxafxxk.ini
C:\WINDOWS\system32\pbpdcvgv.ini
C:\WINDOWS\system32\ptbqsfch.ini
C:\WINDOWS\system32\uokwihfg.ini
C:\WINDOWS\system32\winkku32.dll
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\Common Files\scurit~1
C:\Program Files\Common Files\scurit~1\s?stem32\
C:\Program Files\Spruce
C:\Program Files\Spruce\Spruce.dll
C:\Program Files\Spruce\Spruce.dll.intermediate.manifest
C:\Program Files\Spruce\Spruce.exe
C:\Program Files\Spruce\Spruce.info
C:\Program Files\Spruce\Spruce.original
C:\Program Files\Spruce\Spruce.update
C:\Program Files\Spruce\SpruceRg.dll
C:\Program Files\Spruce\un_SpruceSetup_17737.exe
C:\Program Files\Spruce\un_SpruceSetup_17737.txt
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\Spruce\X_Spruce.log
C:\Program Files\Txzvqjjf
C:\Program Files\Txzvqjjf\uiqhsehh.dll
C:\WINDOWS\BM9bf72261.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\S3J5c3RsZSBBcm1zdHJvbmc\maLcwalPtm11wAYWxJLSvAw.vbs
C:\WINDOWS\system32\aiumxjsb.ini
C:\WINDOWS\system32\aphhtjld.dll
C:\WINDOWS\system32\augboany.ini
C:\WINDOWS\system32\bcfgmfqi.dll
C:\WINDOWS\system32\bhkgenos.ini
C:\WINDOWS\system32\bjsqhcpr.dll
C:\WINDOWS\system32\bkbfqhqo.ini
C:\WINDOWS\system32\brolaifs.dll
C:\WINDOWS\system32\bsaksqam.dll
C:\WINDOWS\system32\bsjxmuia.dll
C:\WINDOWS\system32\cakjtsxa.dll
C:\WINDOWS\system32\cjuxblrj.dll
C:\WINDOWS\system32\cqkfpgmu.dll
C:\WINDOWS\system32\csevgkkq.dll
C:\WINDOWS\system32\cyjonbwp.ini
C:\WINDOWS\system32\daSgo02
C:\WINDOWS\system32\daSgo02\daSgo021099.exe
C:\WINDOWS\system32\dccdd.ini
C:\WINDOWS\system32\dccdd.ini2
C:\WINDOWS\system32\ddcabbb.dll
C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\dhdxycmf.dll
C:\WINDOWS\system32\dhlidhss.dll
C:\WINDOWS\system32\dindpgnt.dll
C:\WINDOWS\system32\dlwhyypj.dll
C:\WINDOWS\system32\dosnxwqr.dll
C:\WINDOWS\system32\dptcbpsl.dll
C:\WINDOWS\system32\drvnezr.dll
C:\WINDOWS\system32\ebfxalea.dll
C:\WINDOWS\system32\edhnllmj.dll
C:\WINDOWS\system32\euudodfy.ini
C:\WINDOWS\system32\faicllle.dll
C:\WINDOWS\system32\foindosy.dll
C:\WINDOWS\system32\fvitifpq.ini
C:\WINDOWS\system32\gicewrfy.dll
C:\WINDOWS\system32\gpavolty.ini
C:\WINDOWS\system32\grdefeeh.ini
C:\WINDOWS\system32\gwkxnnci.dll
C:\WINDOWS\system32\heefedrg.dll
C:\WINDOWS\system32\hggghff.dll
C:\WINDOWS\system32\hhjesnjh.dll
C:\WINDOWS\system32\hwmdwknb.dll
C:\WINDOWS\system32\iagbdjfw.ini
C:\WINDOWS\system32\icbuougy.dll
C:\WINDOWS\system32\iexnpuql.dll
C:\WINDOWS\system32\ipicndhn.dll
C:\WINDOWS\system32\jgydwaqd.ini
C:\WINDOWS\system32\jmavvevb.dll
C:\WINDOWS\system32\jmweayoa.dll
C:\WINDOWS\system32\jrlbxujc.ini
C:\WINDOWS\system32\kdsywxet.dll
C:\WINDOWS\system32\kdtwuebw.dll
C:\WINDOWS\system32\klbcnvgn.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\lfgdplli.dll
C:\WINDOWS\system32\lhsfjdkm.ini
C:\WINDOWS\system32\llqgvwlr.ini
C:\WINDOWS\system32\lnsadcep.dll
C:\WINDOWS\system32\lspbctpd.ini
C:\WINDOWS\system32\lypivyud.dll
C:\WINDOWS\system32\mcpcixql.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mjlbrqqo.dll
C:\WINDOWS\system32\mkdjfshl.dll
C:\WINDOWS\system32\mllbltoo.ini
C:\WINDOWS\system32\mnbxmmrw.dll
C:\WINDOWS\system32\myxafxxk.ini
C:\WINDOWS\system32\nabicjfy.dll
C:\WINDOWS\system32\nuiebrbl.dll
C:\WINDOWS\system32\nwdarfft.dll
C:\WINDOWS\system32\nwmfirjh.dll
C:\WINDOWS\system32\oaxdomhk.dll
C:\WINDOWS\system32\oehuddoo.dll
C:\WINDOWS\system32\oiwcnswr.dll
C:\WINDOWS\system32\oodduheo.ini
C:\WINDOWS\system32\ootlbllm.dll
C:\WINDOWS\system32\oqqrbljm.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pbpdcvgv.ini
C:\WINDOWS\system32\poenrowe.dll
C:\WINDOWS\system32\ptbqsfch.ini
C:\WINDOWS\system32\pudnyjvy.dll
C:\WINDOWS\system32\pvbchclq.dll
C:\WINDOWS\system32\pwbnojyc.dll
C:\WINDOWS\system32\qkkgvesc.ini
C:\WINDOWS\system32\qkkynppe.dll
C:\WINDOWS\system32\qpfitivf.dll
C:\WINDOWS\system32\quigdfjp.dll
C:\WINDOWS\system32\qwtcixmg.dll
C:\WINDOWS\system32\redgdbxu.dll
C:\WINDOWS\system32\rwsncwio.ini
C:\WINDOWS\system32\rxumnkza.dllbox
C:\WINDOWS\system32\sbdphpiy.dll
C:\WINDOWS\system32\sboydfgv.dll
C:\WINDOWS\system32\sjtxpgvq.dll
C:\WINDOWS\system32\sonegkhb.dll
C:\WINDOWS\system32\texwysdk.ini
C:\WINDOWS\system32\tngpdnid.ini
C:\WINDOWS\system32\tqtscxjh.dll
C:\WINDOWS\system32\txdiuhee.dll
C:\WINDOWS\system32\ujsfkxkw.dll
C:\WINDOWS\system32\uogqamxf.dll
C:\WINDOWS\system32\uokwihfg.ini
C:\WINDOWS\system32\uqeomtns.dll
C:\WINDOWS\system32\vanftblr.dll
C:\WINDOWS\system32\vcgtxvoa.dll
C:\WINDOWS\system32\vmqfotps.dll
C:\WINDOWS\system32\vtuuvsq.dll
C:\WINDOWS\system32\wfjdbgai.dll
C:\WINDOWS\system32\whwlvxet.dll
C:\WINDOWS\system32\wkxkfsju.ini
C:\WINDOWS\system32\wpvkymco.dll
C:\WINDOWS\system32\wvfmfhtk.dll
C:\WINDOWS\system32\yfrwecig.ini
C:\WINDOWS\system32\yiphpdbs.ini
C:\WINDOWS\system32\ykqreiwk.exe
C:\WINDOWS\system32\ynaobgua.dll
C:\WINDOWS\system32\ysivekpd.dll
C:\WINDOWS\system32\ysrijwpt.dll
C:\WINDOWS\system32\ytlovapg.dll
C:\WINDOWS\system32\yvjyndup.ini
C:\WINDOWS\system32\ywydttet.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR






((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-24 11:57 . 2008-01-24 11:57 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2008-01-24 09:22 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-18 20:19 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-18 20:09 . 2008-01-18 20:19 <DIR> d-------- C:\Program Files\Java
2008-01-18 20:08 . 2008-01-18 20:08 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-10 13:56 . 2008-01-10 13:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-10 13:39 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-09 14:26 . 2008-01-09 14:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-03 16:25 . 2008-01-03 16:25 <DIR> d-------- C:\Program Files\Microsoft Games
2007-12-31 10:06 . 2004-08-04 02:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-31 10:06 . 2004-08-04 00:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-12-31 10:06 . 2004-08-04 00:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-12-31 10:06 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-12-31 09:46 . 2007-12-31 09:50 <DIR> d-------- C:\WINDOWS\system32\ipp20
2007-12-31 09:46 . 2001-08-23 18:58 1,589,248 --a------ C:\WINDOWS\system32\ippsw711.dll
2007-12-31 09:46 . 2001-08-23 18:58 266,240 --a------ C:\WINDOWS\system32\ippsrw711.dll
2007-12-31 09:46 . 2001-08-23 18:58 159,744 --a------ C:\WINDOWS\system32\ippjw711.dll
2007-12-31 09:45 . 2001-08-23 18:58 2,592,768 --a------ C:\WINDOWS\system32\ippiw711.dll
2007-12-31 09:45 . 2001-08-23 18:58 466,944 --a------ C:\WINDOWS\system32\ippcvw711.dll
2007-12-31 09:45 . 2001-08-23 18:58 94,208 --a------ C:\WINDOWS\system32\ippcv11.dll
2007-12-31 09:45 . 2001-08-23 18:58 77,824 --a------ C:\WINDOWS\system32\ippsr11.dll
2007-12-31 09:44 . 2001-08-23 18:58 225,280 --a------ C:\WINDOWS\system32\ippi11.dll
2007-12-31 09:44 . 2001-08-23 18:58 176,128 --a------ C:\WINDOWS\system32\ipps11.dll
2007-12-31 09:44 . 2007-12-31 09:46 151,566 --a------ C:\WINDOWS\system32\UninstIPP.isu
2007-12-31 09:44 . 2001-08-23 18:58 65,536 --a------ C:\WINDOWS\system32\ippj11.dll
2007-12-31 09:44 . 2001-03-10 17:56 40,960 --a------ C:\WINDOWS\system32\IPPCPUID.DLL
2007-12-31 09:39 . 1998-06-17 00:00 385,100 --------- C:\WINDOWS\system32\MSVCRTD.DLL
2007-12-31 09:23 . 2007-12-31 09:23 <DIR> d-------- C:\Program Files\NewSoft
2007-12-31 09:22 . 2007-12-31 09:23 <DIR> d-------- C:\Program Files\Common Files\NewSoft
2007-12-28 09:40 . 2007-12-28 11:18 <DIR> d-------- C:\Program Files\Oberon Media

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 00:48 --------- d-----w C:\Program Files\FL Studio Creative Edition
2007-12-31 17:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-18 21:56 81,272 ----a-w C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-18 21:56 23,672 ----a-w C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-18 21:56 --------- d-----w C:\Program Files\COMODO
2007-12-15 19:04 --------- d-----w C:\Program Files\QuickTime
2007-12-14 23:57 --------- d-----w C:\Program Files\razuxupa
2007-12-13 03:12 --------- d-----w C:\Program Files\Ulead Systems
2007-12-13 03:09 --------- d-----w C:\Program Files\MySpace
2007-12-04 01:14 --------- d-----w C:\Program Files\PokerStars.NET
2007-12-02 11:04 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-02 01:48 --------- d-----w C:\Program Files\Common Files\RuleSpace
2007-12-02 01:47 --------- d-----w C:\Program Files\Common Files\Aluria
2007-12-02 01:27 --------- d-----w C:\Program Files\Common Files\Authentium Shared
2007-12-02 00:38 --------- d-----w C:\Program Files\Electronic Arts
2007-12-01 00:12 --------- d-----w C:\Program Files\Common Files\Authentium
2007-12-01 00:05 --------- d-----w C:\Program Files\Cox
2007-11-24 21:00 4,608 ----a-w C:\WINDOWS\system32\w95inf32.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\razuxupa ----



((((((((((((((((((((((((((((( snapshot@2008-01-24_10.19.45.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-24 17:24:26 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-25 19:51:12 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-24 17:24:26 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-25 19:51:12 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-24 17:24:26 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-25 19:51:13 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-24 17:24:26 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-25 19:51:13 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-24 17:24:26 3,059,712 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-25 19:51:13 3,059,712 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-24 17:24:26 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-25 19:51:13 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-02 10:37 155648]
"ESP"="c:\Program Files\Cox\Applications\app\start.exe" [2007-05-09 13:40 62952]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2007-12-18 13:56 1481472]
"IPPDetect"="C:\PROGRA~1\NewSoft\PRESTO~1.PHO\MrPhoto3\MrPhoto3\IPP4Detect.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-01-19 08:06 110592 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

R0 GRFILTER;Authentium NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2007-05-09 13:41]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-18 13:56]
S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-18 13:56]
S2 Ca536av;4.0M MPEG4 DV Video Capture;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-07-09 08:49]
S2 GRTdiMon;Authentium TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2007-05-09 13:41]
S2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2004-08-03 23:56]
S3 USBCamera;4.0M MPEG4 DV Digital Camera;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 14:28]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 12:13:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.


Here is the Kaspersky scan log:

--------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-01-25 13:36
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/01/2008
Kaspersky Anti-Virus database records: 532688
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 60649
Number of viruses found: 37
Number of infected objects: 147
Number of suspicious objects: 0
Duration of the scan process: 00:42:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\22\53368ad6-35216458/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\22\53368ad6-35216458 ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{0E2EB54F-C075-42BD-91CF-80CB98FA919E} Infected: Trojan.Win32.Qhost.nl skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{4B9847ED-A641-431A-BF68-64E72E3D7393} Infected: Trojan.Win32.Qhost.nl skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C7242498-3A15-4FB8-A57F-AE310260170D} Infected: Trojan.Win32.Qhost.nl skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D6ED4DE8-F3AF-4A92-8912-F5C8740709EA} Infected: Trojan.Win32.Qhost.nl skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\kspdxyxf.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Documents and Settings\Owner\Local Settings\Temp\stany.exe Infected: Trojan-Dropper.Win32.Agent.chq skipped
C:\Documents and Settings\Owner\Local Settings\Temp\T0CHD001_c.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
C:\Documents and Settings\Owner\Local Settings\Temp\tcnvnbwu.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Documents and Settings\Owner\Local Settings\Temp\VVSNInst.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\Owner\Local Settings\Temp\YazzleBundle-1549.exe/data0003 Infected: Trojan-Downloader.Win32.PurityScan.fg skipped
C:\Documents and Settings\Owner\Local Settings\Temp\YazzleBundle-1549.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~tmp143 Infected: Trojan-Clicker.Win32.Agent.mv skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~uga6psetup.exe/file14 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~uga6psetup.exe/file20 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~uga6psetup.exe/file23 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~uga6psetup.exe/file24 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~uga6psetup.exe/file26 Infected: not-a-virus:FraudTool.Win32.BestSeller.c skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~uga6psetup.exe/file34 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~uga6psetup.exe/file36 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~uga6psetup.exe Inno: infected - 7 skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\aphhtjld.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bjsqhcpr.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bsjxmuia.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cakjtsxa.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ec skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\csevgkkq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\daSgo02\daSgo021099.exe.vir Infected: Trojan-Downloader.Win32.VB.cho skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcabbb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dindpgnt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dptcbpsl.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ebfxalea.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\edhnllmj.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\faicllle.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\foindosy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gicewrfy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hggghff.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.atj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hwmdwknb.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\iexnpuql.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.af skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ipicndhn.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ak skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kdtwuebw.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ae skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mjlbrqqo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mkdjfshl.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nuiebrbl.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nwdarfft.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\oehuddoo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pudnyjvy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pvbchclq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pwbnojyc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qkkynppe.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\redgdbxu.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sbdphpiy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sjtxpgvq.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sonegkhb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tqtscxjh.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ujsfkxkw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\uogqamxf.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vanftblr.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vmqfotps.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wfjdbgai.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wvfmfhtk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dim skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ykqreiwk.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ynaobgua.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ysivekpd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ytlovapg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\catchme2008-01-24_101648.42.zip/ddccd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bkx skipped
C:\QooBox\Quarantine\catchme2008-01-24_101648.42.zip/vtuuvsq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\QooBox\Quarantine\catchme2008-01-24_101648.42.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027339.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027340.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027341.dll Infected: Trojan.Win32.Pakes.bwd skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027343.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027344.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.is skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027345.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027346.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027347.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027348.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027349.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027350.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027351.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027352.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027353.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027354.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027355.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027356.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027357.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027358.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027359.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027360.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027362.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027363.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027364.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027365.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027366.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP35\A0029471.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP35\A0029628.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.d skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP35\A0029629.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.aa skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP35\A0029632.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.e skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP35\A0029635.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP35\A0029638.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP35\A0029638.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP35\A0029640.exe Infected: Trojan-Downloader.Win32.PurityScan.fg skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057488.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057491.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057493.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057496.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057497.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ec skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057500.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057501.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057504.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057507.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057508.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057509.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057510.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057511.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnl skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057512.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057515.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.atj skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057517.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057519.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.af skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057520.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ak skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057524.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ae skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057530.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057531.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057534.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057535.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057538.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057542.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057543.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnr skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057544.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057545.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057549.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057550.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057552.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057553.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057554.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057556.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057557.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057559.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057561.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057562.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057565.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dim skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057566.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057567.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057569.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\A0057599.exe Infected: Trojan-Downloader.Win32.VB.cho skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP56\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ft21\basendll2.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\WINDOWS\system32\mm6\ncstdb33.exe Infected: Trojan.Win32.Pakes.bvs skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

Scan process completed.

And finally, the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:37, on 2008-01-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...p://www.cox.net
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ESP] c:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [IPPDetect] C:\PROGRA~1\NewSoft\PRESTO~1.PHO\MrPhoto3\MrPhoto3\IPP4Detect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/P...rs.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/S...ia.1.0.0.46.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 4913 bytes


Thank you so much!!!
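An added note on reading the Kaspersky report above (editorial example code, not something posted in the thread and not part of the scanner): the on-line scanner only reports, it never removes anything, so every hit ends in "skipped". What matters is where each hit lives. Entries under C:\QooBox\Quarantine are copies ComboFix has already moved out of the way, entries under System Volume Information are System Restore snapshots that disappear when restore points are purged, Temp entries are installer leftovers, and "Object is locked" lines are not detections at all. The only hits still sitting in a live location are the two under C:\WINDOWS\system32\ft21 and \mm6, which is exactly what the next reply targets. The script below does that sorting over a handful of lines copied from the report; the bucket names and the regular expressions are my own.

```python
"""Triage a Kaspersky on-line scanner report by file location.

Added example (not from the thread). The scanner cannot clean, so the
useful question is not "how many hits" but "how many hits in places that
still execute". Buckets: quarantined (ComboFix's QooBox), restore-point
(System Volume Information), temp (installer droppings) and live.
"""
import re
from collections import Counter

# Constructed sample: lines copied verbatim from the report posted above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Owner\Local Settings\Temp\VVSNInst.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~uga6psetup.exe Inno: infected - 7 skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\aphhtjld.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\catchme2008-01-24_101648.42.zip ZIP: infected - 2 skipped
C:\System Volume Information\_restore{B037E84E-B17C-48BF-8568-9D3ED36F9B76}\RP32\A0027343.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\ft21\basendll2.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\WINDOWS\system32\mm6\ncstdb33.exe Infected: Trojan.Win32.Pakes.bvs skipped
"""

# Three line shapes appear in the report: a named detection, an archive
# container summary ("Inno: infected - 7"), and a locked-file notice.
DETECTION = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) skipped$")
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

QUARANTINE = "c:\\qoobox\\quarantine"
RESTORE = "\\system volume information\\_restore"
TEMP_DIRS = ("\\local settings\\temp\\", "\\temporary internet files\\")


def classify_path(path):
    """Bucket a hit by what its location says about whether it still runs."""
    p = path.lower()
    if p.startswith(QUARANTINE):
        return "quarantined"      # already moved by ComboFix; inert
    if RESTORE in p:
        return "restore-point"    # shadow copy; cleared by purging SR
    if any(d in p for d in TEMP_DIRS):
        return "temp"             # dropper/installer leftovers
    return "live"                 # anything else is an active location


def parse_report(text):
    """Return (detections, archives, locked) parsed from the report text."""
    detections, archives, locked = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETECTION.match(line)
        if m:
            detections.append((m["path"], m["name"], classify_path(m["path"])))
            continue
        m = ARCHIVE.match(line)
        if m:
            archives.append((m["path"], m["kind"], int(m["count"])))
            continue
        m = LOCKED.match(line)
        if m:
            locked.append(m["path"])
    return detections, archives, locked


def live_hits(text):
    """Paths still present outside quarantine, restore points and temp."""
    detections, _, _ = parse_report(text)
    return [path for path, _, bucket in detections if bucket == "live"]


def summarize(text):
    """Counts per bucket plus the two categories that are not live hits."""
    detections, archives, locked = parse_report(text)
    counts = Counter(bucket for _, _, bucket in detections)
    return {
        "by_location": dict(counts),
        "archive_containers": len(archives),
        "locked_not_detections": len(locked),
    }


if __name__ == "__main__":
    for path in live_hits(SAMPLE_REPORT):
        print("LIVE:", path)
    print(summarize(SAMPLE_REPORT))
```

Run against the full report the same way: paste it into SAMPLE_REPORT or read it from a file. Archive containers are counted separately because the scanner reports the members of an installer (file14, file20, ...) and then the installer itself, so counting both double-counts one dropper.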

#10 jpshortstuff
    WhatTheTech Teacher
  • Members
  • 660 posts
  • Gender:Male
  • Location:UK

Posted 27 January 2008 - 02:07 PM

Hi

Sorry about the delays, I am usually less active during the weekends.

You need to disable TeaTimer, so that it doesn't interfere with our fix.

This is a two-step process.
First step:
  • Right-click the Spybot icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have version 1.4, click on Exit Spybot S&D Resident
Second step, for both versions:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go to the bottom of the vertical panel on the left, click Tools
  • Then, also in the left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

  • Please download and install CCleaner Slim.
  • Once installed, double-click on the desktop shortcut created.
  • On the Windows tab, leave the default options alone.
  • On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
  • Click on the Run Cleaner button at the bottom right-hand corner.
  • Close CCleaner.

Open HijackThis. Hit Do A System Scan Only. Place a check next to the following items (if present):
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)


Close all browsers and windows except for HijackThis and click Fix Checked.


Please right-click your Start button and click Explore.
Next, locate and delete the following files and folders (if present):

Folders:
C:\WINDOWS\system32\ft21\ <<FOLDER
C:\WINDOWS\system32\mm6\ <<FOLDER

If any of them aren't there then don't worry, but if you have a problem deleting one of them then please let me know.

Please then reboot your computer and post a new HijackThis log. Please try to do this in normal mode, we need to know if we are making progress in that direction. Describe how the rest of your computer is running at the moment.

Thanks.

Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#11 CalebsMommy16
  • Topic Starter
  • Members
  • 8 posts

Posted 28 January 2008 - 05:28 PM

Hello. Okay, after all of that, I was able to get on the computer outside of safe mode and there was an improvement because I could get online again (after a LONG wait at start up), but when I went to post you the new HijackThis log, it said I wasn't authorized to open HijackThis. So confusing. The computer also popped up about the paging size needing to be increased, but I didn't know how to do that. Here is the HijackThis log from safe mode:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:28, on 2008-01-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...p://www.cox.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ESP] c:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [IPPDetect] C:\PROGRA~1\NewSoft\PRESTO~1.PHO\MrPhoto3\MrPhoto3\IPP4Detect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/P...rs.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/S...ia.1.0.0.46.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 4778 bytes


I don't know if that even helps you, but thanks for trying!
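An added example, not from either poster: the two HijackThis lines the helper has the user fix both end in "(no file)", meaning the registry load point is still there but the DLL it points at is gone, which is what makes them safe to remove. The log posted after the fix is then the check that only those entries disappeared. The script below parses a subset of both logs above (copied into constants), lists the orphaned entries, lists the load points that inject into every process (O10 Winsock LSP, O20 AppInit_DLLs; the COMODO firewall in the same log installs guard32.dll, so that one is a review item rather than a finding) and diffs the two logs. The function names and the section labels are my own.

```python
"""Triage and compare HijackThis logs.

Added example (not from the thread). Two things the helper does by eye:
(1) flag "(no file)" entries, registry load points whose target no longer
exists and which HijackThis can therefore "Fix" without breaking anything;
(2) compare the log posted after the fix with the one before it to confirm
that exactly those entries vanished and nothing new appeared.
"""
import re

# Constructed sample: a subset of the "before" log (post #9) ...
BEFORE = r"""
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
"""

# ... and the same subset of the "after" log (post #11).
AFTER = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...).
ENTRY = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

# Sections where one DLL is loaded into every process or every socket
# call. Anything listed here deserves a look even when the file exists.
HIGH_VALUE = {"O10": "Winsock LSP", "O20": "AppInit_DLLs / Winlogon Notify"}


def parse_entries(text):
    """Return (section, body) for every entry line; ignore the header."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m["section"], m["body"]))
    return entries


def orphaned(text):
    """Entries whose target is missing: safe to let HijackThis 'Fix'."""
    return [f"{s} - {b}" for s, b in parse_entries(text) if b.endswith("(no file)")]


def high_value_loadpoints(text):
    """(label, entry body) for sections that inject into every process."""
    return [(HIGH_VALUE[s], b) for s, b in parse_entries(text) if s in HIGH_VALUE]


def diff_logs(before, after):
    """Order-insensitive diff: (removed, added) entry lines."""
    b = {f"{s} - {x}" for s, x in parse_entries(before)}
    a = {f"{s} - {x}" for s, x in parse_entries(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    print("orphaned before fix:", orphaned(BEFORE))
    removed, added = diff_logs(BEFORE, AFTER)
    print("removed:", removed)
    print("added:  ", added)
    for label, body in high_value_loadpoints(AFTER):
        print("review:", label, "->", body)
```

The diff is a set difference rather than a line-by-line diff on purpose: HijackThis lists entries in registry enumeration order, which can shift between runs, and what the helper wants to know is whether any entry came back or whether something new was added, not whether the order changed.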

#12 jpshortstuff
    WhatTheTech Teacher
  • Members
  • 660 posts
  • Gender:Male
  • Location:UK

Posted 30 January 2008 - 01:11 PM

Hi, sorry about the delays.

Not seeing a lot in the logs, let's look a bit deeper.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized)
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.
Thanks.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here


#13 CalebsMommy16

CalebsMommy16
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:23 PM

Posted 02 February 2008 - 11:18 AM

Hello! I'm so sorry it took so long to respond. I was a little busy this week! :blink: Anyways, here are the scans. Oh, and I am also not in safe mode right now and it's like I have a totally different computer. It is running awesome right now, but when I started it up in normal mode it said my Cox Security Suite had failed. So, I'm gonna try to run the other ones you had suggested. Should I just get rid of the Cox Security Suite once I download another anti-virus program? It doesn't seem to help much anyways! Thanks again!!! You have no idea how much I appreciate your help! :thumbsup:

Here are the scans:

Main

Deckard's System Scanner v20071014.68
Run by Owner on 2008-02-02 08:09:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
57: 2008-02-02 16:09:36 UTC - RP57 - Deckard's System Scanner Restore Point
56: 2008-01-24 17:29:16 UTC - RP56 - Restore Operation
55: 2008-01-24 17:29:16 UTC - RP55 - Software Distribution Service 3.0
54: 2008-01-24 17:29:16 UTC - RP54 - Restore Operation
53: 2008-01-24 17:29:16 UTC - RP53 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-01-24 17:28:59 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:11, on 2008-02-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...p://www.cox.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ESP] c:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [IPPDetect] C:\PROGRA~1\NewSoft\PRESTO~1.PHO\MrPhoto3\MrPhoto3\IPP4Detect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/P...rs.1.0.0.39.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/S...ia.1.0.0.46.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 4837 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080128-132905-433 O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
backup-20080128-132905-578 O2 - BHO: (no name) - AutorunsDisabled - (no file)

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 GRFILTER (Authentium NDIS Driver) - c:\windows\system32\drivers\grfilter.sys <Not Verified; Global RISC; NSX>
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S2 GRTdiMon (Authentium TDI Mon) - c:\windows\system32\drivers\grtdimon.sys <Not Verified; Authentium Inc; NSX>
S4 MPFIREWL - c:\windows\system32\drivers\mpfirewall.sys <Not Verified; McAfee; McAfee Personal Firewall>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 KodakCCS (Kodak Camera Connection Software) - c:\windows\system32\drivers\kodakccs.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&3B1CAF2B&0&48F0
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&3B1CAF2B&0&48F0
Service: bcm4sbxp


-- Files created between 2008-01-02 and 2008-02-02 -----------------------------

2008-01-28 13:22:53 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-01-28 13:18:18 0 d-------- C:\Program Files\CCleaner
2008-01-25 12:25:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-25 12:25:44 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-18 20:09:47 0 d-------- C:\Program Files\Java
2008-01-18 20:08:49 0 d-------- C:\Program Files\Common Files\Java
2008-01-10 13:56:19 0 d-------- C:\Program Files\Trend Micro
2008-01-10 13:33:01 0 d-------- C:\Documents and Settings\Owner\Application Data\HouseCall 6.6
2008-01-09 14:26:06 0 d-------- C:\WINDOWS\BDOSCAN8
2008-01-03 16:25:57 0 d-------- C:\Program Files\Microsoft Games


-- Find3M Report ---------------------------------------------------------------

2008-01-24 09:52:48 0 d-------- C:\Program Files\Common Files
2008-01-17 20:09:17 0 d-------- C:\Documents and Settings\Owner\Application Data\Move Networks
2008-01-08 13:48:53 0 d-------- C:\Program Files\MSN Gaming Zone
2008-01-03 16:48:24 0 d-------- C:\Program Files\FL Studio Creative Edition
2007-12-31 09:23:59 0 d-------- C:\Program Files\Common Files\NewSoft
2007-12-31 09:23:38 0 d-------- C:\Program Files\NewSoft
2007-12-31 09:22:46 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-28 11:18:24 0 d-------- C:\Program Files\Oberon Media
2007-12-18 13:56:42 0 d-------- C:\Documents and Settings\Owner\Application Data\Comodo
2007-12-18 13:56:34 0 d-------- C:\Program Files\COMODO
2007-12-15 11:22:22 47 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys
2007-12-15 11:04:20 0 d-------- C:\Program Files\QuickTime
2007-12-14 15:57:13 0 d-------- C:\Program Files\razuxupa
2007-12-12 19:12:30 0 d-------- C:\Program Files\Ulead Systems
2007-12-12 19:09:14 0 d-------- C:\Program Files\MySpace
2007-12-04 10:08:55 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2007-12-03 17:14:23 0 d-------- C:\Program Files\PokerStars.NET
2007-12-02 03:04:03 0 d-------- C:\Program Files\MSXML 4.0
2007-11-24 13:30:54 1262 --a------ C:\WINDOWS\EReg515.dat
2007-11-24 13:00:48 4608 --a------ C:\WINDOWS\system32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2007-11-24 13:00:48 2272 --a------ C:\WINDOWS\system32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-02 10:37]
"ESP"="c:\Program Files\Cox\Applications\app\start.exe" [2007-05-09 13:40]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2007-12-18 13:56]
"IPPDetect"="C:\PROGRA~1\NewSoft\PRESTO~1.PHO\MrPhoto3\MrPhoto3\IPP4Detect.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"




-- End of Deckard's System Scanner: finished at 2008-02-02 08:14:37 ------------


Extra

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 61%
Physical Memory (total/avail): 254 MiB / 97.16 MiB
Pagefile Memory (total/avail): 941.01 MiB / 789.6 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.06 MiB

C: is Fixed (NTFS) - 38.28 GiB total, 29.08 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 2F040L0 - 38.29 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 38.28 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FW: COMODO Firewall Pro v3.0 (COMODO)
AV: Cox Security Suite Anti-Virus v3.00.001.r0174 (Cox and Authentium, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=KRYSTLE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\KRYSTLE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SAFEBOOT_OPTION=NETWORK
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=KRYSTLE
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Owner (admin)
CaLeBs DaDdY


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\system32\UninstIPP.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
4.0M MPEG4 DV --> C:\Program Files\4.0M MPEG4 DV\uninst.exe
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.5 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
Anti-Spyware (Aluria) --> MsiExec.exe /I{5D52D604-F3C0-45B4-9128-630B4AF57B13}
Anti-Virus (Command Software) --> MsiExec.exe /I{C1A5671F-3BD1-4EAE-B613-946BB890662D}
Authentium AntiVirus SDK - 2 --> MsiExec.exe /I{1ACE3F9D-CDA4-4F39-9605-334CF37A1579}
Authentium Web Install Helper --> RunDll32 setupapi.dll,InstallHinfSection RemoveFiles 9 AuthUninstall.inf
CardRd81 --> MsiExec.exe /I{54C8FE84-89C4-40E8-976C-439EB0729BD6}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
COMODO Firewall Pro --> C:\Program Files\COMODO\Firewall\cfpconfg.exe -u
Cox (CVUS) --> MsiExec.exe /I{5BD7238A-6B67-41FE-AC97-E59A71838F4D}
Cox High Speed Internet Security Suite --> "C:\Program Files\Cox\Applications\app\repair.exe" -remove
CR2 --> MsiExec.exe /I{432C3720-37BF-4BD7-8E49-F38E090246D0}
Dell AIO Printer A940 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBAUN5C.EXE -dDell AIO Printer A940
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DFX for MUSICMATCH --> C:\PROGRA~1\DFX\MUSICM~1\UNWISE.EXE C:\PROGRA~1\DFX\MUSICM~1\INSTALL.LOG
ESP --> MsiExec.exe /I{F61BC717-3F50-457D-86AC-DA5D537D1850}
ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC --> MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
ESSTUTOR --> MsiExec.exe /I{CA60320D-6A16-49C8-A34F-84EEF4799567}
FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
Firewall (Core) --> MsiExec.exe /I{B01F6BFA-2761-4621-A47F-CD46532D40B4}
Firewall (User) --> MsiExec.exe /I{3BEFC9CE-F87D-4D98-8E82-36C5FA90D4D2}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HLPIndex --> MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
HLPPDOCK --> MsiExec.exe /I{154508C0-07C5-4659-A7A0-E49968750D21}
HLPRFO --> MsiExec.exe /I{AADAC983-FDE9-42FA-8FD9-7BB324155593}
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel® Integrated Performance Primitives RTI 4.0 --> MsiExec.exe /X{51C91B84-7B46-4FE7-8999-8228CFA75F89}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Owner\Application Data\Move Networks\ie_bin\Uninst.exe
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
Network Play System (Patching) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Electronic Arts\Network Play System\NPSPatch.isu"
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
Popup Blocker --> MsiExec.exe /I{5A79D76E-D50E-46A6-9D78-F689CF58AC9D}
Presto! Mr. Photo 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD8B3C0-0877-418D-ACC9-2AB0064B901A}\SETUP.EXE" -l0x9
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
Sound'Em 1.0 --> C:\Program Files\4.0M MPEG4 DV\UNWISE.EXE C:\Program Files\4.0M MPEG4 DV\install.log
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
Spruce --> "C:\Program Files\Spruce\un_SpruceSetup_17737.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Third Party Prerequisites --> MsiExec.exe /I{F6A31EEF-7DB9-4A46-B3BB-9DB5F117508D}
Ulead Photo Explorer 7.0 SE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E38E1721-7FE7-11D4-A898-0000E83DCDA6}\pex6.exe" -l0x9
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Web Filtering (Base 2) --> MsiExec.exe /I{D3AB0F01-C515-4470-B9CA-8CB78FD42AE8}
Web Filtering (Base) --> MsiExec.exe /I{6AC20055-5E5B-48FA-9F5F-E778D354CE50}
Web Filtering (Kids Page) --> MsiExec.exe /I{2D02E0B0-D759-4F33-88E5-B83DDCB58473}
Web Filtering (RuleSpace Anti-Phishing) --> MsiExec.exe /I{634B7897-EDEA-4893-9A8A-54DA037928A5}
Web Filtering (Rulespace) --> MsiExec.exe /I{9043ED00-BEA5-44EE-AA13-44C71149AFAD}
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}


-- Application Event Log -------------------------------------------------------

Event Record #/Type1331 / Error
Event Submitted/Written: 02/02/2008 08:11:47 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type1330 / Error
Event Submitted/Written: 02/02/2008 08:11:47 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type1329 / Error
Event Submitted/Written: 01/29/2008 11:00:37 AM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type1327 / Error
Event Submitted/Written: 01/29/2008 10:29:00 AM
Event ID/Source: 4689 / COM+
Event Description:
The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. Error in d:\qxp_slp\com\com1x\src\comsvcs\package\cpackage.cpp(1184), hr = 8007043c: InitEventCollector failed

Event Record #/Type1324 / Error
Event Submitted/Written: 01/28/2008 01:02:18 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1823 / Error
Event Submitted/Written: 02/02/2008 08:08:01 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type1822 / Error
Event Submitted/Written: 02/02/2008 08:08:00 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type1821 / Error
Event Submitted/Written: 02/02/2008 08:07:58 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type1818 / Error
Event Submitted/Written: 02/02/2008 08:05:14 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type1814 / Error
Event Submitted/Written: 02/02/2008 08:04:24 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-02-02 08:14:37 ------------

Have a great day!
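The HijackThis section of the log above is what the helper reads line by line. As an added example (not part of this thread, and not a feature of HijackThis or Deckard's System Scanner), the script below parses those "Onn - ..." entry lines and flags the classes a malware-removal helper looks at first: the O20 AppInit_DLLs entry (a DLL loaded into every process that loads user32.dll), the O10 Winsock LSP module HijackThis could not identify, O16 ActiveX downloads from hosts outside an allowlist, and O4 Run keys whose target is not on disk. The sample lines are copied from the log posted above; TRUSTED_DPF_HOSTS and PRESENT_FILES are constructed assumptions for the demonstration (a real run would check the disk with os.path.exists() and review the allowlist by hand).

```python
"""Triage of HijackThis entry lines (added example, not from the original posts).

Flags the entry classes a malware-removal helper reads first:
  O20  AppInit_DLLs  - loaded into every process that loads user32.dll
  O10  Winsock LSP   - a module HijackThis could not identify
  O16  DPF           - ActiveX control fetched from a host outside an
                       assumed allowlist
  O4   Run keys      - autostart entry whose target file is not present
"""
import re
from urllib.parse import urlparse

# "O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll" -> code="O20", body=rest
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
# "[IgfxTray] C:\WINDOWS\System32\igfxtray.exe" -> name, command line
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
# First executable on a command line, quoted or not, possibly followed by args
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)', re.IGNORECASE)

# Assumption: hosts this user knowingly installed ActiveX controls from.
TRUSTED_DPF_HOSTS = {"zone.msn.com", "cdn2.zone.msn.com", "go.microsoft.com",
                     "www.kaspersky.com", "fastconnect.cox.net"}

# Constructed sample: lines copied from the HijackThis log in this thread,
# plus two non-entry lines to show they are skipped.
SAMPLE_LOG = [
    "Running processes:",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [ESP] c:\Program Files\Cox\Applications\app\start.exe",
    r'O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s',
    r"O4 - HKLM\..\Run: [IPPDetect] C:\PROGRA~1\NewSoft\PRESTO~1.PHO\MrPhoto3\MrPhoto3\IPP4Detect.exe",
    r"O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll",
    "O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab",
    "O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab",
    "O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll",
    r"O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe",
]

# Assumption standing in for os.path.exists(): the DSS registry dump above shows
# no file timestamp ("[]") for IPPDetect, so its target is treated as missing.
PRESENT_FILES = {p.lower() for p in (
    r"C:\WINDOWS\System32\igfxtray.exe",
    r"c:\Program Files\Cox\Applications\app\start.exe",
    r"C:\Program Files\COMODO\Firewall\cfp.exe",
    r"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
)}


def parse_hjt(lines):
    """Return (code, body) for every HijackThis entry line; other lines are skipped."""
    out = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("code"), m.group("body")))
    return out


def triage(lines, present_files=PRESENT_FILES, trusted_hosts=TRUSTED_DPF_HOSTS):
    """Return (code, reason, detail) findings that deserve a human look."""
    findings = []
    for code, body in parse_hjt(lines):
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body.split(":", 1)[1].strip()
            findings.append((code, "AppInit_DLLs is injected into every GUI process; verify the publisher", dll))
        elif code == "O10" and body.lower().startswith("unknown file in winsock lsp"):
            lsp = body.split(":", 1)[1].strip()
            findings.append((code, "unidentified Winsock LSP sees all socket traffic", lsp))
        elif code == "O16":
            url = body.rsplit(" - ", 1)[-1].strip()
            host = urlparse(url).hostname or ""
            if host not in trusted_hosts:
                findings.append((code, "ActiveX control downloaded from host not in allowlist", url))
        elif code == "O4":
            m = RUN_RE.search(body)
            e = EXE_RE.match(m.group("cmd")) if m else None
            if e and e.group("exe").lower() not in present_files:
                findings.append((code, "autostart entry points at a file that is not on disk", e.group("exe")))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:4} {detail}\n     -> {reason}")
```

A flag here is a prompt to check, not a verdict: the O23 service lines in the same log already show Authentium and COMODO products installed on this machine, and that is exactly what a helper weighs against the O16 and O20 hits before deciding whether an entry is expected or needs removing. The O4 hit is the entry jpshortstuff asks to fix in the next reply.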

#14 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:09:23 PM

Posted 04 February 2008 - 12:20 PM

Hi

It may be a good idea to uninstall and reinstall the Cox Security Suite. Alternatively, you could uninstall it and install a different anti-virus program instead, like you mentioned. If you opt to do this, I recommend either:
Avast! or
AVG Free


Disable Windows Internal Firewall:

Using Windows Internal Firewall with a third-party firewall can cause conflicts and also slow down your computer's performance. You have Comodo installed, which is a comprehensive firewall that should be powerful enough to protect your computer. I would recommend you follow the steps below to disable Windows Firewall.
  • Make sure you are logged in as a system Administrator.
  • Click Start >> Control Panel
  • If you are in Category View, click "Switch to Classic View" on the left hand side.
  • Double click on "Windows Firewall" and navigate to the "General" tab.
  • Check the radio button that says "Off (Not Recommended)".
  • Click "OK" to confirm changes, and exit.

Viewpoint Media Player is often installed without the user's permission. If you didn't install it, or if you did but you no longer use it, I recommend you get rid of it.

Please click Start >> Control Panel >> Add or Remove Programs.
Find the item below on the list and click Remove.
Viewpoint Media Player
Let me know how it goes.


Open HijackThis. Hit Do A System Scan Only. Place a check next to the following items (if present):
O4 - HKLM\..\Run: [IPPDetect] C:\PROGRA~1\NewSoft\PRESTO~1.PHO\MrPhoto3\MrPhoto3\IPP4Detect.exe

Close all browsers and windows except for HijackThis and click Fix Checked.


Please run this online scan:

Panda ActiveScan
  • Once you are on the Panda site, click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log

Please describe how the computer is running now.

Thanks,

jpshortstuff

#15 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:09:23 PM

Posted 11 February 2008 - 03:27 AM

Hey, are you still after help here?



