
Help, Explorer.exe Wont Run


  • This topic is locked
8 replies to this topic

#1 laynes69


  • Members
  • 4 posts

Posted 28 February 2008 - 06:31 PM

Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:54 PM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0TMBGXUN\HiJackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {132C5652-9957-4AAE-A38F-1391B0F65905} - (no file)
O2 - BHO: (no name) - {25887168-E3C1-4B83-BC26-89628FF5D579} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A7C2ED84-A849-4287-B27A-425058123784} - C:\WINDOWS\system32\ssqpp.dll
O2 - BHO: &ZuneIt - {A8533C62-9399-4640-B36B-D1DDE91EB8B1} - mscoree.dll (file missing)
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - C:\WINDOWS\system32\byxvtus.dll
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ZuneIt - {00951C02-5731-44e9-B2F5-544EC2279417} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamsterball/...tgameloader.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.reflexive.net/rlwweb/ReflexiveWebGameLoader.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O20 - Winlogon Notify: byxvtus - C:\WINDOWS\SYSTEM32\byxvtus.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

--
End of file - 5466 bytes



#2 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 29 February 2008 - 04:17 PM

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 laynes69

  • Topic Starter

  • Members
  • 4 posts

Posted 02 March 2008 - 12:58 PM

Scan type: Quick Scan
Objects scanned: 33323
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 15
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 6
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\byxvtus.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\ssqpp.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ed120d76-bf31-412c-a99b-783c6676e128} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed120d76-bf31-412c-a99b-783c6676e128} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxvtus (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ae4e19f6-8b15-486a-a168-fd96fdfa9019} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ae4e19f6-8b15-486a-a168-fd96fdfa9019} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{1d4db7d3-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{288c5f13-7e52-4ada-a32e-f5bf9d125f99} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{450b9e4d-4014-4de3-b34e-014a81468293} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ed120d76-bf31-412c-a99b-783c6676e128} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ssqpp.dll -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\b1 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iDlo01 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ax3 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cb2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hc4 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jk8 (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\byxvtus.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ssqpp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ppqss.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ppqss.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnmjhe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqronkk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\winvsnet.exe (Rogue.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iDlo01\iDlo011065.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hc4\pon89104.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jk8\propbar68.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Hijack this thread:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {132C5652-9957-4AAE-A38F-1391B0F65905} - (no file)
O2 - BHO: (no name) - {25887168-E3C1-4B83-BC26-89628FF5D579} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: &ZuneIt - {A8533C62-9399-4640-B36B-D1DDE91EB8B1} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ZuneIt - {00951C02-5731-44e9-B2F5-544EC2279417} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: *.moove.com
O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamsterball/...tgameloader.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.reflexive.net/rlwweb/ReflexiveWebGameLoader.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 5249 bytes

#4 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 02 March 2008 - 01:15 PM

Hi,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dogpile.com/ <== check this if you didn't set it to your startpage
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {132C5652-9957-4AAE-A38F-1391B0F65905} - (no file)
O2 - BHO: (no name) - {25887168-E3C1-4B83-BC26-89628FF5D579} - (no file)
O2 - BHO: &ZuneIt - {A8533C62-9399-4640-B36B-D1DDE91EB8B1} - mscoree.dll (file missing)
O9 - Extra button: ZuneIt - {00951C02-5731-44e9-B2F5-544EC2279417} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.moove.com <== check this if you didn't add this to your trusted zone
O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamsterball/...tgameloader.cab
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} -


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
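As an added example (not code from this thread, from HijackThis or from Malwarebytes), here is a small Python triage of HijackThis lines that turns the choices made in the reply above into explicit heuristics: orphaned O2/O9 entries whose file is gone, an O15 Trusted Zone addition, an O16 DPF entry with no download URL, and the two patterns behind the Vundo DLLs MBAM removed (an unnamed BHO and a Winlogon Notify entry loading from system32). The rules are assumptions for illustration, and the sample log is constructed from lines that appear in this thread's logs.

```python
"""Triage of HijackThis 'O' entries.

Added example, not part of this thread or of HijackThis itself. The rules
are heuristics: a hit means "review this line", not "this is malware".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "O2 - BHO: ..." -> section code and the rest of the line.
_ENTRY_RE = re.compile(r"^(?P<sect>[OR]\d+) - (?P<body>.*)$")
# Target DLL sitting directly under system32 (where both Vundo DLLs lived).
_SYSTEM32_DLL_RE = re.compile(r"\\system32\\[^\\]+\.dll$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _target(body: str) -> str:
    """Return the path/URL HijackThis prints after the last ' - ' separator.

    An empty string means the entry has no target at all; HijackThis then
    prints a dangling '-', as in the O16 line from this thread.
    """
    body = body.rstrip()
    if body.endswith(" -"):
        return ""
    return body.rsplit(" - ", 1)[-1].strip() if " - " in body else ""


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis line; None means nothing to review."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None
    sect, body = m.group("sect"), m.group("body")
    target = _target(body)

    if sect in ("O2", "O9"):
        # BHO / IE button still registered although its DLL is gone:
        # harmless leftovers, and the first things ticked for Fix Checked.
        if target == "(no file)" or "(file missing)" in target:
            return Finding(sect, "orphaned entry: registered object whose file is gone", line)
        # A BHO with no product name that loads from system32 is how both
        # Vundo DLLs (ssqpp.dll, byxvtus.dll) showed up in the first log.
        if body.startswith("BHO: (no name)") and _SYSTEM32_DLL_RE.search(target):
            return Finding(sect, "unnamed BHO loading a DLL from system32", line)
    if sect == "O15":
        # Sites in the Trusted Zone get relaxed IE security settings.
        return Finding(sect, "Trusted Zone addition; confirm the user added it", line)
    if sect == "O16" and not target.lower().startswith("http"):
        # Downloaded Program File (ActiveX control) with no recorded source.
        return Finding(sect, "DPF entry with no download URL", line)
    if sect == "O20":
        # Winlogon Notify DLLs are loaded into winlogon.exe at logon, so they
        # run as SYSTEM before any user process starts.
        return Finding(sect, "Winlogon Notify DLL loaded at logon", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep the hits, in log order."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


# Constructed sample: a subset of the lines from the HijackThis logs above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A7C2ED84-A849-4287-B27A-425058123784} - C:\WINDOWS\system32\ssqpp.dll
O2 - BHO: &ZuneIt - {A8533C62-9399-4640-B36B-D1DDE91EB8B1} - mscoree.dll (file missing)
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - C:\WINDOWS\system32\byxvtus.dll
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.moove.com
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.reflexive.net/rlwweb/ReflexiveWebGameLoader.cab
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} -
O20 - Winlogon Notify: byxvtus - C:\WINDOWS\SYSTEM32\byxvtus.dll
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Entries that carry a vendor name and a present file (Adobe, Messenger, the Reflexive .cab with its URL) pass through untouched, which is the point of encoding the rules rather than flagging every O-line.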

#5 laynes69

  • Topic Starter

  • Members
  • 4 posts

Posted 02 March 2008 - 02:14 PM

Combofix:

ComboFix 08-03-03.4 - Owner 2008-03-02 13:58:39.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0HKZSXW1\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr0.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\HJLWP4XB\www.broadcaster.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\HJLWP4XB\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\HJLWP4XB\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\windows
C:\Program Files\dns
C:\Program Files\dns\affid.dat
C:\Program Files\dns\regexp.dat
C:\Program Files\dns\regexpDate.dat
C:\Program Files\dns\uid.dat
C:\Program Files\dns\urls.dat
C:\Program Files\dns\version.txt
C:\Program Files\dns\x.bmp
C:\setup.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\xOe
C:\WINDOWS\bobsaver.exe
C:\WINDOWS\bobsaver.scr
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\vMW02a
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://resources.zune.net
hxxp://store.zune.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-02 12:44 . 2008-03-02 12:44 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-02 12:44 . 2008-03-02 12:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-02 12:44 . 2008-03-02 12:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
2008-02-29 17:44 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-29 17:44 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-29 17:43 . 2008-02-29 17:43 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-29 17:43 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-29 17:43 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-29 17:43 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-29 17:43 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-29 17:43 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-29 17:43 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-29 16:45 . 2008-02-29 17:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avg7
2008-02-29 16:22 . 2008-02-29 16:22 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-02-29 15:36 . 2008-02-29 15:36 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-02-26 17:44 . 2004-08-04 00:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-02-26 17:44 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-02-26 17:44 . 2004-08-04 14:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-02-26 17:44 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-02-26 17:44 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-02-26 17:44 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-02-26 17:44 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-02-26 17:42 . 2001-08-17 13:28 701,386 --a--c--- C:\WINDOWS\system32\dllcache\wdhaalba.sys
2008-02-26 17:41 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-02-26 17:40 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-02-26 17:39 . 2004-08-04 14:00 571,392 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-02-26 17:38 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-02-26 17:37 . 2004-08-04 14:00 456,704 --a--c--- C:\WINDOWS\system32\dllcache\smtpsvc.dll
2008-02-26 17:36 . 2004-08-03 22:41 404,990 --a--c--- C:\WINDOWS\system32\dllcache\slntamr.sys
2008-02-26 17:35 . 2001-08-17 22:36 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-02-26 17:34 . 2004-08-04 00:56 397,056 --a--c--- C:\WINDOWS\system32\dllcache\s3gnb.dll
2008-02-26 17:33 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-02-26 17:32 . 2004-08-04 14:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-02-26 17:31 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-02-26 17:30 . 2004-08-03 22:31 132,695 --a--c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-02-26 17:29 . 2004-08-04 14:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-02-26 17:28 . 2001-08-17 12:50 320,384 --a--c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2008-02-26 17:27 . 2004-08-04 14:00 1,158,818 --a--c--- C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-02-26 17:26 . 2004-08-04 14:00 811,064 --a--c--- C:\WINDOWS\system32\dllcache\imjp81k.dll
2008-02-26 17:25 . 2004-08-04 14:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-26 17:24 . 2001-08-17 13:28 542,879 --a--c--- C:\WINDOWS\system32\dllcache\hsf_msft.sys
2008-02-26 17:23 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-02-26 17:22 . 2001-08-17 13:28 595,647 --a--c--- C:\WINDOWS\system32\dllcache\es56cvmp.sys
2008-02-26 17:21 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-02-26 17:20 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-02-26 17:19 . 2004-08-04 14:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-02-26 17:18 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-02-26 17:17 . 2004-08-04 00:56 870,784 --a--c--- C:\WINDOWS\system32\dllcache\ati3d1ag.dll
2008-02-26 07:46 . 2008-02-26 07:47 <DIR> d-------- C:\Temp\sanR24
2008-02-24 20:34 . 2008-01-11 17:39 145,408 --a------ C:\WINDOWS\system32\ZuneMTPZ.dll
2008-02-24 20:34 . 2008-01-11 17:39 70,656 --a------ C:\WINDOWS\system32\ZuneIpTransport.dll
2008-02-24 20:34 . 2008-01-11 17:39 62,464 --a------ C:\WINDOWS\system32\ZuneUsbTransport.dll
2008-02-24 20:34 . 2008-01-11 17:39 35,840 --a------ C:\WINDOWS\system32\ZuneUsbCOnnection.dll
2008-02-22 12:50 . 2008-02-22 12:52 <DIR> d-------- C:\Program Files\Hunting Unlimited 2008
2008-02-21 08:15 . 2008-02-29 16:47 <DIR> d-------- C:\Program Files\PuppyLuv_at
2008-02-15 16:48 . 2008-02-15 16:49 <DIR> d-------- C:\Program Files\AdventureFishing2
2008-02-15 12:37 . 2008-02-15 12:37 <DIR> d-------- C:\Program Files\MonopolySpongeBob_at
2008-02-10 15:43 . 2008-02-10 15:43 <DIR> d-------- C:\Program Files\3DGroove
2008-02-06 19:25 . 2006-03-06 13:51 692,224 --a------ C:\WINDOWS\system32\lxcrdrs.dll
2008-02-06 19:25 . 2006-02-20 15:03 409,600 --a------ C:\WINDOWS\system32\lxcrinpa.dll
2008-02-06 19:25 . 2006-02-20 15:06 393,216 --a------ C:\WINDOWS\system32\lxcriesc.dll
2008-02-06 19:25 . 2006-03-21 11:42 303,104 --a------ C:\WINDOWS\system32\lxcrcoin.dll
2008-02-06 19:25 . 2006-03-06 13:48 65,536 --a------ C:\WINDOWS\system32\lxcrcaps.dll
2008-02-06 19:25 . 2005-12-20 12:54 61,440 --a------ C:\WINDOWS\system32\lxcrcnv4.dll
2008-02-06 19:25 . 2005-07-08 04:11 40,960 --a------ C:\WINDOWS\system32\lxcrvs.dll
2008-02-06 19:24 . 2008-02-06 19:25 <DIR> d-------- C:\Program Files\Lexmark 2400 Series
2008-02-04 07:40 . 2008-02-04 07:40 <DIR> d-------- C:\Program Files\Hasbro Interactive
2008-02-04 07:40 . 2008-02-04 07:41 298 --a------ C:\WINDOWS\Chutes.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-01 01:38 --------- d-----w C:\Program Files\Movavi VideoSuite 4.4
2008-02-29 21:47 --------- d-----w C:\Program Files\KittyLuv_at
2008-02-29 21:47 --------- d-----w C:\Program Files\DeerDrive_at
2008-02-29 21:46 --------- d-----w C:\Program Files\Ballistik_at
2008-02-27 01:35 --------- d-----w C:\Program Files\Lavasoft
2008-02-27 01:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 01:35 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2008-02-27 01:10 --------- d-----w C:\Program Files\AquaBall_at
2008-02-27 01:09 --------- d-----w C:\Program Files\Alawar
2008-02-26 13:23 --------- d-----w C:\Program Files\lx_cats
2008-02-25 01:35 --------- d-----w C:\Program Files\Zune
2008-02-23 21:16 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-02-22 20:28 --------- d-----w C:\Program Files\MonsterTruckStuntsDemo11
2008-02-21 18:11 --------- d-----w C:\Program Files\TrackMania Nations ESWC
2008-02-21 12:56 --------- d-----w C:\Program Files\MagicBall2_at
2008-02-20 21:06 --------- d-----w C:\Program Files\MagicBall3_at
2008-02-19 22:20 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-02-18 04:08 --------- d-----w C:\Program Files\LimeWire
2008-02-17 20:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\dvdcss
2008-02-15 23:25 --------- d-----w C:\Program Files\GTI Racing Demo
2008-02-13 11:20 --------- d-----w C:\Program Files\Yahoo!
2008-02-12 21:17 --------- d-----w C:\Program Files\Shockwave.com
2008-02-10 00:55 --------- d-----w C:\Program Files\Activision Value
2008-02-09 22:41 --------- d-----w C:\Program Files\Infogrames
2008-02-07 00:24 --------- d-----w C:\Program Files\Lexmark Toolbar
2008-02-03 14:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-03 14:00 --------- d-----w C:\Program Files\Ultimate Duck Hunting Demo
2008-02-03 14:00 --------- d-----w C:\Program Files\Maestro Learning(V)
2008-02-03 01:30 --------- d-----w C:\Program Files\Trend Micro
2008-02-03 00:15 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-03 00:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-03 00:07 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-01 21:04 --------- d-----w C:\Program Files\Mouse in a Stew
2008-01-31 10:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-01-30 13:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-01-30 11:32 --------- d-----w C:\Program Files\Gamenext
2008-01-30 11:17 --------- d-----w C:\Program Files\MadCars_at
2008-01-30 11:16 --------- d-----w C:\Program Files\FlySim
2008-01-30 11:16 --------- d-----w C:\Program Files\AHDEMO
2008-01-28 11:18 --------- d-----w C:\Program Files\Google
2008-01-27 21:09 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\NFS Underground Demo
2008-01-27 21:07 --------- d-----w C:\Program Files\EA GAMES
2008-01-22 22:34 --------- d-----w C:\Program Files\EA SPORTS
2008-01-21 21:34 --------- d-----w C:\Program Files\Trymedia
2008-01-20 20:57 --------- d-----w C:\Program Files\MyTube
2008-01-20 20:53 --------- d-----w C:\Program Files\zuneieplugin
2008-01-20 20:51 6,586,576 ----a-w C:\Program Files\zuneieplugin.zip
2008-01-20 14:31 --------- d-----w C:\Program Files\Cucusoft
2008-01-20 14:20 --------- d-----w C:\Program Files\Haali
2008-01-20 01:32 --------- d-----w C:\Program Files\QuickTime
2008-01-16 19:14 --------- d-----w C:\Program Files\sz8001
2008-01-15 02:02 --------- d-----w C:\Program Files\Saints & Sinners Bowling
2008-01-15 02:01 --------- d-----w C:\Program Files\MyPlayCity.com
2008-01-14 21:06 --------- d-----w C:\Program Files\Electronic Arts
2008-01-11 22:39 40,832 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2008-01-06 16:05 --------- d-----w C:\Program Files\Sewer Run
2008-01-04 20:30 --------- d-----w C:\Program Files\MOVAVI
2008-01-04 01:34 --------- d-----w C:\Program Files\ImTOO
2007-10-03 00:35 106 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-01-21 13:37 87,608 -c--a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2007-01-21 13:37 47,360 -c--a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2006-12-22 13:10 1,617,920 -c--a-w C:\Documents and Settings\Owner\LFS.exe
2006-12-21 15:24 45,056 -c--a-w C:\Documents and Settings\Owner\lfs_restart.exe
2006-11-29 23:59 9,282,056 -c--a-w C:\Program Files\TU2006TrialEN.exe
2006-03-08 22:40 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
1998-08-24 17:09 10,000 -c--a-w C:\WINDOWS\inf\unregpn.exe
2007-02-18 01:27 80 -csh--r C:\WINDOWS\system32\399BBB8B06.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 07:54 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 14:00 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AccuWeatherDesktopAlerts]
-----c--- 2004-11-19 21:40 249856 C:\Program Files\AccuWeatherDesktopAlerts\AccuWeatherDesktopAlerts.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a--c--- 2005-08-12 13:43 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2005-03-17 21:05 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_Run]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2007-12-16 09:54 290112 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2004-08-04 14:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a--c--- 2006-05-22 13:26 694272 C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2006-02-07 01:10 98304 C:\Program Files\Lexmark 2400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
--a--c--- 2006-02-02 03:11 290816 C:\Program Files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a--c--- 2001-11-29 01:00 28672 C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
--a------ 2006-03-06 13:48 286720 C:\Program Files\Lexmark 2400 Series\lxcrmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service]
--a------ 2007-04-08 11:44 303104 C:\Program Files\Essentials Codec Pack\update.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a--c--- 2000-08-15 20:25 311350 C:\Program Files\Microsoft Works\WksSb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a--c--- 2000-08-15 20:25 28739 C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp]
--a--c--- 2000-07-19 08:00 24625 C:\Program Files\Microsoft Money\System\Money Startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a--c--- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a--c--- 2007-09-20 09:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
--a------ 2007-01-04 15:51 1700864 C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]
--a------ 2007-01-04 15:51 889856 C:\Program Files\PCPitstop\Optimize\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-09-01 15:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a--c--- 2004-12-01 18:54 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a--c--- 2004-11-15 17:04 135168 C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-12-10 18:02 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
-----c--- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
--a--c--- 2007-03-11 16:37 936960 C:\Program Files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\version]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Update]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a--c--- 2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
--a--c--- 2000-08-15 20:25 24576 C:\Program Files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-01-11 17:54 166304 C:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneNetworkSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"UserAccess7"=2 (0x2)
"PrismXL"=2 (0x2)
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"lxcr_device"=3 (0x3)
"GEARSecurity"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"C:\\Program Files\\Auxiliary Power\\Demo\\DerbyDemo.exe"=
"C:\\WINDOWS\\system32\\lxcrcoms.exe"=
"C:\\Program Files\\Atari\\Deer Hunter 2005 Demo\\DH2005Demo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-12-28 17:25]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 17:39]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2008-01-11 17:54]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-01-11 17:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6adc7af9-cd74-11d9-b105-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eeaae8fc-a6d0-11da-84c8-806d6172696f}]
\Shell\AutoRun\command - K:\launcher.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 14:05:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-03-03 14:11:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-03 19:11:05
.
2008-02-13 11:09:31 --- E O F ---

HijackThis Thread:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:04 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamsterball/...tgameloader.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.reflexive.net/rlwweb/ReflexiveWebGameLoader.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--

#6 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:50 PM

Posted 02 March 2008 - 02:24 PM

Hi,

Navigate to and delete the following folder:

C:\Temp\sanR24

Open Notepad and copy and paste the text present in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\version]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Update]

Save this as fix.reg. Choose to save as "All Files" and place it on your desktop.
It should look like this: [image]
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

I assume you recognise the following folders? Are they games you installed?

C:\Program Files\PuppyLuv_at
C:\Program Files\MonopolySpongeBob_at
C:\Program Files\KittyLuv_at
C:\Program Files\DeerDrive_at
C:\Program Files\Ballistik_at
C:\Program Files\AquaBall_at
C:\Program Files\MadCars_at

* Go to Start > Run and copy and paste the following command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
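The two keys the fix.reg above removes are the only startupreg entries in the posted ComboFix log that have no file line recorded beneath them. Here is an added Python example (not from this thread, and not part of ComboFix, HijackThis or the helper's instructions) that makes that check mechanical: it parses the `msconfig\startupreg` block of a ComboFix log, lists the entries with no file record, and builds a REGEDIT4 deletion file of the same shape as the fix.reg posted above. The input is a constructed excerpt modelled on the log in this thread; the `deletion_reg` helper and its output format are assumptions of this example.

```python
"""Triage helper for the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; it is not part of ComboFix, HijackThis or
the helper's instructions. It parses the msconfig\\startupreg keys and
lists the ones with no file record underneath them, which are the
candidates an analyst then reviews (and, if stale, removes with a
REGEDIT4 file of the same shape as the fix.reg above).
"""
import re

# Constructed excerpt, modelled on the log posted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2007-12-16 09:54 290112 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\version]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Update]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-01-11 17:54 166304 C:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneNetworkSvc"=3 (0x3)
"""

STARTUPREG = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"
# A section header line looks like "[<STARTUPREG>\<entry name>]".
KEY_RE = re.compile(r"^\[" + re.escape(STARTUPREG) + r"\\(.+)\]$", re.IGNORECASE)


def parse_startupreg(log_text):
    """Map each startupreg entry name to the detail lines recorded under it."""
    entries = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            match = KEY_RE.match(line)
            # Any other key (services, run-, firewall ...) ends the current entry.
            current = match.group(1) if match else None
            if current is not None:
                entries.setdefault(current, [])
            continue
        if current is not None and line:
            entries[current].append(line)
    return entries


def orphaned_entries(entries):
    """Entry names for which ComboFix recorded no file line at all."""
    return sorted(name for name, details in entries.items() if not details)


def deletion_reg(names):
    """REGEDIT4 text that deletes the given keys (a leading '-' removes the key)."""
    lines = ["REGEDIT4", ""]
    for name in names:
        lines.append("[-%s\\%s]" % (STARTUPREG, name))
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = parse_startupreg(SAMPLE_LOG)
    flagged = orphaned_entries(found)
    print("startupreg entries with no file record:", flagged)
    print(deletion_reg(flagged))
```

The script only narrows the list: an entry with no file line may be a leftover from an uninstalled product as well as something worth removing, so the analyst still decides which of the flagged names go into the deletion file, exactly as the helper did above.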

#7 laynes69

  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:50 PM

Posted 02 March 2008 - 02:32 PM

Runs like greased lightning now. How can I prevent this in the future? First thing, I have a 3- and a 6-year-old that love to download and play games w/o my permission. Next, I do run Ad-Aware, and AVG, or Avast. Any other thing I should run? Thanks a million!

#8 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:50 PM

Posted 02 March 2008 - 02:38 PM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

First thing I have a 3 and a 6 year old that love to download and play games w/o my permission

I would start with creating an extra user account for them with restricted privileges and password-protect your user account.
Read here how to do this: http://www.microsoft.com/windowsxp/using/s...p/accounts.mspx
That should already help a lot.

Also, your kids are still very young, so in case you also have Firefox installed, take a look at the following extension:
http://www.glubble.com/

Happy Surfing again!

#9 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:50 PM

Posted 04 March 2008 - 01:43 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



