Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde Infection


  • This topic is locked This topic is locked
17 replies to this topic

#1 PikeyMikey

PikeyMikey

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 27 April 2008 - 09:17 AM

Hi,

Not quite sure how we picked this up but its really starting to frustrate me. Adaware picked it up and deleted it, and cant find anymore traces of it but we are still getting the pop ups. VundoFix didnt find anything first time around but later found and deleted the file C:\WINDOWS\system32\intdpurn.dll. I would appreciate your help getting rid of this.

Deckard's System Scanner v20071014.68
Run by Annette on 2008-04-27 23:55:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
92: 2008-04-27 13:55:39 UTC - RP540 - Deckard's System Scanner Restore Point
91: 2008-04-27 12:26:40 UTC - RP539 - Removed Windows Installer Clean Up
90: 2008-04-27 10:38:31 UTC - RP538 - Installed Windows Installer Clean Up
89: 2008-04-26 23:02:17 UTC - RP537 - Last known good configuration
88: 2008-04-26 23:02:10 UTC - RP536 - System Checkpoint


-- First Restore Point --
1: 2008-04-26 23:01:17 UTC - RP449 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Annette.exe) ---------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-27 23:56:28
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Annette\lsass.exe
C:\WINDOWS\system32\jlwnw64j.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Msn Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rcntmkdn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Msn Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Annette\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telstra.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Telstra BigPond
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telstra.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12F2E455-6346-4DD1-B0F5-B8F6DDCE2343} - C:\WINDOWS\system32\xxyxWOhe.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O2 - BHO: Search Assistant MySidesearch - {6156A32A-C512-4e23-AA9A-2315F4265681} - C:\WINDOWS\system32\myss_sb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Annette\lsass.exe
O4 - HKLM\..\Run: [{E5-5E-E7-7D-DW}] C:\windows\system32\jlwnw64j.exe DWram
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rcntmkdn.exe DWram
O4 - HKLM\..\Run: [844e5ed2] rundll32.exe "C:\WINDOWS\system32\qecjacuq.dll",b
O4 - HKLM\..\Run: [BM877d6d4e] Rundll32.exe "C:\WINDOWS\system32\intdpurn.dll",s
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\rcntmkdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jlwnw64j.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://files.authentium.com/bp/rsau/bin/wizard.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161610290703
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} () - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Msn Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Msn Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: vvfxqowo - C:\WINDOWS\system32\vvfxqowo.dll
O20 - Winlogon Notify: __c001780C - C:\WINDOWS\system32\__c001780C.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe


--
End of file - 9165 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20061016-025233-269 O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - C:\Program Files\HQVideoCodec\isaddon.dll
backup-20061016-025233-687 O3 - Toolbar: Protection Bar - {44d22a64-2399-4edf-8b32-f2c729c1e8a7} - C:\Program Files\HQVideoCodec\iesplugin.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface>
R3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 HSFHWBS2 - c:\windows\system32\drivers\hsfhwbs2.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>

S1 vcdrom (Virtual CD-ROM Device Driver) - c:\documents and settings\annette\my documents\michael\utorrent\vcdrom.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-21 17:18:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-27 and 2008-04-27 -----------------------------

2008-04-27 22:18:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-27 22:18:21 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-27 21:07:11 94784 --a------ C:\WINDOWS\system32\qecjacuq.dll
2008-04-27 21:04:33 32320 --a------ C:\WINDOWS\system32\__c001780C.dat
2008-04-27 21:04:30 32320 --a------ C:\WINDOWS\system32\vvfxqowo.dll
2008-04-27 20:37:04 0 d-------- C:\Program Files\MSECACHE
2008-04-27 19:51:12 0 d-------- C:\VundoFix Backups
2008-04-27 17:52:32 49184 --a------ C:\WINDOWS\system32\jlwnw64j.exe <Not Verified; ; Browser Driver>
2008-04-27 17:31:44 89070 --a------ C:\WINDOWS\system32\myss_sb_uninstall.exe
2008-04-27 14:56:32 88961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-04-27 14:56:27 298317 --a------ C:\WINDOWS\system32\gside.exe
2008-04-27 09:01:06 315071 --ahs---- C:\WINDOWS\system32\ehOWxyxx.ini2
2008-04-27 09:00:59 283136 --a------ C:\WINDOWS\system32\xxyxWOhe.dll
2008-04-27 08:56:34 37376 --a------ C:\WINDOWS\mrofinu1188.exe
2008-04-27 08:56:32 861 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-04-27 08:56:32 37376 --a------ C:\WINDOWS\mrofinu1000106.exe
2008-04-27 08:56:18 200778 --a------ C:\WINDOWS\system32\rcntmkdn.exe
2008-04-27 08:56:13 400586 --a------ C:\WINDOWS\system32\g0.exe
2008-04-27 08:56:08 49164 --a------ C:\WINDOWS\system32\rwwnw64d.exe <Not Verified; ; Browser Driver>
2008-04-27 08:56:05 0 d-------- C:\WINDOWS\system32\ve2
2008-04-27 08:56:05 0 d-------- C:\WINDOWS\system32\p7
2008-04-27 08:56:05 0 d-------- C:\WINDOWS\system32\n4
2008-04-27 08:56:02 0 d-------- C:\WINDOWS\system32\pnVes18
2008-04-27 08:56:02 0 d-------- C:\Temp
2008-04-27 08:55:55 40448 --a------ C:\WINDOWS\system32\ljJYQJyA.dll
2008-04-27 08:55:43 27136 --a------ C:\Documents and Settings\Annette\services.exe
2008-04-27 08:55:17 85504 ---hs---- C:\Documents and Settings\Annette\lsass.exe
2008-04-12 01:46:26 334848 --a------ C:\WINDOWS\system32\myss_sb.dll
2008-03-30 10:06:58 0 d-------- C:\Program Files\Common Files\TI Shared
2008-03-30 10:06:57 0 d-------- C:\Program Files\TI Education
2008-03-30 09:56:09 0 d-------- C:\Program Files\Pedagoguery Software
2008-03-30 09:52:44 0 d-------- C:\Program Files\Mathsoft
2008-03-30 09:50:25 0 d-------- C:\Program Files\Graphmatica
2008-03-30 09:48:26 0 d-------- C:\Program Files\Cabri II Plus
2008-03-30 09:16:27 86016 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-03-30 09:16:26 0 d-------- C:\Program Files\Maths Quest CD


-- Find3M Report ---------------------------------------------------------------

2008-04-27 20:45:29 0 d-------- C:\Program Files\Common Files
2008-04-19 22:30:19 0 d-------- C:\Documents and Settings\Annette\Application Data\uTorrent
2008-04-08 17:10:01 26016 --a------ C:\Documents and Settings\Annette\Application Data\GDIPFONTCACHEV1.DAT
2008-03-30 09:56:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-29 13:50:22 0 d-------- C:\Program Files\Picasa2


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12F2E455-6346-4DD1-B0F5-B8F6DDCE2343}]
27/04/2008 09:01 AM 283136 --a------ C:\WINDOWS\system32\xxyxWOhe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6156A32A-C512-4e23-AA9A-2315F4265681}]
12/04/2008 01:46 AM 334848 --a------ C:\WINDOWS\system32\myss_sb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [01/06/2006 05:22 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [29/06/2007 06:24 AM]
"LSA Shellu"="C:\Documents and Settings\Annette\lsass.exe" [26/04/2008 03:03 PM]
"{E5-5E-E7-7D-DW}"="C:\windows\system32\jlwnw64j.exe" [27/04/2008 05:52 PM]
"ExploreUpdSched"="C:\WINDOWS\system32\rcntmkdn.exe" [27/04/2008 08:56 AM]
"844e5ed2"="C:\WINDOWS\system32\qecjacuq.dll" [27/04/2008 09:07 PM]
"BM877d6d4e"="C:\WINDOWS\system32\intdpurn.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [02/06/2005 03:03 PM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54 PM]
"PowerBar"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 10:00 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\Annette\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [16/03/2005 6:16:50 PM]
Deewoo.lnk - C:\WINDOWS\system32\rcntmkdn.exe [27/04/2008 8:56:18 AM]
DW_Start.lnk - C:\WINDOWS\system32\jlwnw64j.exe [27/04/2008 5:52:32 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 12:01:04 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vvfxqowo]
vvfxqowo.dll 27/04/2008 09:04 PM 32320 C:\WINDOWS\system32\vvfxqowo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c001780C]
__c001780C.dat 27/04/2008 09:04 PM 32320 C:\WINDOWS\system32\__c001780C.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\xxyxWOhe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1929c02-8de5-11dc-8484-00148537cd76}]
Auto\command- G:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe




-- End of Deckard's System Scanner: finished at 2008-04-27 23:57:15 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 511.48 MiB / 145.23 MiB
Pagefile Memory (total/avail): 1247.18 MiB / 916.63 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1929.96 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 149.04 GiB total, 120.24 GiB free.
D: is CDROM (No Media)
E: is CDROM (CDFS)
F: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3160021A - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149.04 GiB - C:

\\.\PHYSICALDRIVE1 - Canon MP Memory Card USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Msn Messenger\\msnmsgr.exe"="C:\\Program Files\\Msn Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\Msn Messenger\\livecall.exe"="C:\\Program Files\\Msn Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe:*:Enabled:Age of Empires 3"
"C:\\Program Files\\MSN Gaming Zone\\zclient.exe"="C:\\Program Files\\MSN Gaming Zone\\zclient.exe:*:Disabled:Zone Datafile"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\LimeWire\\LimeWire.exe"="C:\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe:*:Enabled:The Conquerors"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\\Program Files\\CA\\eTrust Internet Security Suite\\caiss.exe"="C:\\Program Files\\CA\\eTrust Internet Security Suite\\caiss.exe:*:Enabled:eTrust Internet Security Suite"
"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\autodown.exe"="C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\autodown.exe:*:Enabled:Update eTrust EZ Antivirus"
"C:\\Program Files\\CA\\eTrust Internet Security Suite\\licreg.exe"="C:\\Program Files\\CA\\eTrust Internet Security Suite\\licreg.exe:*:Enabled:Licensing and Registration"
"C:\\Program Files\\America's Army\\System\\ArmyOps.exe"="C:\\Program Files\\America's Army\\System\\ArmyOps.exe:*:Enabled:ArmyOps"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Disabled:RTC App Sharing"
"C:\\Program Files\\Msn Messenger\\msnmsgr.exe"="C:\\Program Files\\Msn Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\Msn Messenger\\livecall.exe"="C:\\Program Files\\Msn Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Sports Interactive\\Football Manager 2007\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2007\\fm.exe:*:Disabled:Football Manager 2007"
"C:\\Documents and Settings\\Annette\\My Documents\\Downloads\\TVUPlayer\\TVUPlayer.exe"="C:\\Documents and Settings\\Annette\\My Documents\\Downloads\\TVUPlayer\\TVUPlayer.exe:*:Disabled:TVUPlayer Component"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVUPlayer Component"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Annette\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ANNETTE001
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Annette
LOGONSERVER=\\ANNETTE001
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Annette\LOCALS~1\Temp
TMP=C:\DOCUME~1\Annette\LOCALS~1\Temp
USERDOMAIN=ANNETTE001
USERNAME=Annette
USERPROFILE=C:\Documents and Settings\Annette
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Annette (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}
Age of Empires II - The Conquerors - 1.0e Patch FINAL --> "C:\Program Files\Microsoft Games\Age of Empires II\unins000.exe"
Age of Empires III --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}
Alfred Platinum Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BB78E652-163A-411C-90E0-F1388165A0A8}
America's Army --> MsiExec.exe /I{EF434C52-D882-43DB-8777-EC7B10D8943C}
Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Authentium Web Install Helper --> RunDll32 setupapi.dll,InstallHinfSection RemoveFiles 9 AuthUninstall.inf
BigPond Broadband ADSL FAQ --> MsiExec.exe /I{86EAA5D0-3445-4945-993A-98F128C9299E}
Cabri Geometry II Plus --> MsiExec.exe /I{E45873F4-AB2D-473F-9CBB-78125F4BF624}
Canon MP Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58F8C6D9-5B55-486A-A322-4E8D87670031}\Setup.exe" -l0x9 -Uninstall
Canon MP Toolbox 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4669544E-20E4-4E56-8B44-2E6E1200051F}\Setup.exe" -l0x9 -Uninstall
Digimax Master --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AEC0CEBC-0FC7-4716-8222-1C4A742719B1}\Setup.exe" -l0x9 -removeonly
DVD Solution --> "C:\Program Files\Uninstall_CDS.exe"
e-tax 2007 --> C:\etax2007\e-tax 2007_uninstall.exe
Football Manager 2007 --> C:\Program Files\Sports Interactive\Football Manager 2007\uninstall\Uninstall FM 2007.exe
GamePark --> "C:\Program Files\GamePark\unins000.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Graphmatica --> C:\Program Files\Graphmatica\uninstall.exe
Hazard Perception Test Demo --> C:\WINDOWS\st6unst.exe -n "C:\Clt\ST6UNST.LOG"
Hazard Perception Test Demo (C:\Clt\) --> C:\WINDOWS\st6unst.exe -n "C:\Clt\ST6UNST.000"
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
IGZones Update --> "C:\Documents and Settings\Annette\My Documents\Michael\IGZones\unins000.exe"
iPod for Windows 2005-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{44A537A5-859C-43A6-8285-C0668142A090} /l1033
iTunes --> MsiExec.exe /I{7FF9CD9C-6E0C-4462-9670-F424DCB32DAF}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LimeWire 4.14.12 --> "C:\LimeWire\uninstall.exe"
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Mathcad Client 2001 --> MsiExec.exe /X{B43945D3-AE12-421B-A88B-B5BE72F054CC}
Maths Quest CD-ROM --> C:\WINDOWS\unvise32.exe C:\Program Files\Maths Quest CD\uninstal.log
Microsoft Age of Empires II --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Age of Empires II: The Conquerors Expansion --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTALX.EXE" /runtemp /addremove
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MotionDV STUDIO 5.3E LE for DV --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{43F8F1E5-C740-4293-A309-EA9DD6474DB1}\setup.exe" UNINSTALL
Multimedia Launcher --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
MYOB Accounting v11 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14046109-42DB-11D5-ACCE-0050BA8A3BB1}\setup.exe"
MySidesearch Search Assistant Adzgalore --> C:\WINDOWS\system32\myss_sb_uninstall.exe
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Poly --> C:\Program Files\Pedagoguery Software\Poly\uninstall.exe
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 REMOVE -removeonly
Samsung USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{86D6A20D-3910-4441-A3E5-EB6977251C86}\Setup.exe" anything
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SoftV92 Spkerphone SoftRing Modem with SmartSP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F00&SUBSYS_200614F1\HXFSETUP.EXE -U -IVEN_14F1&DEV_2F30&SUBSYS_205D14F1
Telstra Big Pond --> C:\program files\Telstra\Signup\tbpt.exe /u
Tess --> C:\Program Files\Pedagoguery Software\Tess\uninstall.exe
TI Connect 1.6 --> MsiExec.exe /I{A8B94669-8654-4126-BD28-D0D2412CDED6}
Total Annihilation --> C:\CAVEDOG\TOTALA\setup.exe -u
Video Stream Driver for Panasonic DVC --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{9A97D672-6C93-4DFA-B527-DE005A761495} /l1033
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type22412 / Success
Event Submitted/Written: 04/27/2008 11:40:09 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type22395 / Success
Event Submitted/Written: 04/27/2008 09:36:45 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type22370 / Warning
Event Submitted/Written: 04/27/2008 05:49:48 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type22351 / Success
Event Submitted/Written: 04/27/2008 03:27:10 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type22350 / Error
Event Submitted/Written: 04/27/2008 07:05:43 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application syssvcnt.exe, version 3.0.1.5, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x00009783.
Processing media-specific event for [syssvcnt.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type54089 / Warning
Event Submitted/Written: 04/27/2008 11:40:26 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type54006 / Warning
Event Submitted/Written: 04/27/2008 09:37:25 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type53968 / Error
Event Submitted/Written: 04/27/2008 08:22:32 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The dvpapi service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type53937 / Warning
Event Submitted/Written: 04/27/2008 11:00:19 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type53934 / Error
Event Submitted/Written: 04/27/2008 07:05:53 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The BigPond Security System Service service terminated unexpectedly. It has done this 1 time(s).



-- End of Deckard's System Scanner: finished at 2008-04-27 23:57:15 ------------

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:12 PM

Posted 27 April 2008 - 07:27 PM

Hello PikeyMikey,

Welcome to Bleeping Computer :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 PikeyMikey

PikeyMikey
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 27 April 2008 - 11:19 PM

Hi. Here are the los as requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:59 PM, on 28/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rcntmkdn.exe
c:\windows\system32\rwwnw64d.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Annette\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telstra.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6156A32A-C512-4e23-AA9A-2315F4265681} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: gooochi browser optimizer - {c83a2ff0-f318-79a9-e667-e548b83e2d03} - C:\WINDOWS\system32\{5156c6dc-1b08-44cb-4c9a-dfc1973f1557}.dll
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{E5-5E-E7-7D-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [BM877d6d4e] Rundll32.exe "C:\WINDOWS\system32\intdpurn.dll",s
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{5156c6dc-1b08-44cb-4c9a-dfc1973f1557}.dll" DllInit
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\rcntmkdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.telstra.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://files.authentium.com/bp/rsau/bin/wizard.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161610290703
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: vvfxqowo - vvfxqowo.dll (file missing)
O20 - Winlogon Notify: __c001780C - C:\WINDOWS\SYSTEM32\__c001780C.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7364 bytes





ComboFix 08-04-26.5 - Annette 2008-04-28 13:47:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.266 [GMT 10:00]
Running from: C:\Documents and Settings\Annette\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dllcache\spoolsv.exe
C:\WINDOWS\system32\ehOWxyxx.ini
C:\WINDOWS\system32\ehOWxyxx.ini2
C:\WINDOWS\system32\ljJYQJyA.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\n4
C:\WINDOWS\system32\p7
C:\WINDOWS\system32\p7\idevdpll.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qecjacuq.dll
C:\WINDOWS\system32\qucajceq.ini
C:\WINDOWS\system32\vvfxqowo.dll
C:\WINDOWS\system32\xxyxWOhe.dll
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-27 23:55 . 2008-04-27 23:55 <DIR> d-------- C:\Deckard
2008-04-27 22:18 . 2008-04-27 22:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-27 22:18 . 2008-04-27 22:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-27 21:04 . 2008-04-27 22:18 109,775 --a------ C:\WINDOWS\BM877d6d4e.xml
2008-04-27 21:04 . 2008-04-27 21:04 32,320 --a------ C:\WINDOWS\system32\__c001780C.dat
2008-04-27 20:37 . 2008-04-27 22:26 <DIR> d-------- C:\Program Files\MSECACHE
2008-04-27 19:51 . 2008-04-27 22:40 <DIR> d-------- C:\VundoFix Backups
2008-04-27 17:52 . 2008-04-27 17:52 49,184 --a------ C:\WINDOWS\system32\jlwnw64j.exe
2008-04-27 17:31 . 2008-04-27 17:31 89,070 --a------ C:\WINDOWS\system32\myss_sb_uninstall.exe
2008-04-27 14:56 . 2008-04-27 14:56 298,317 --a------ C:\WINDOWS\system32\gside.exe
2008-04-27 14:56 . 2008-04-27 14:56 88,961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-04-27 08:56 . 2008-04-27 08:56 <DIR> d-------- C:\WINDOWS\system32\ve2
2008-04-27 08:56 . 2008-04-27 08:56 <DIR> d-------- C:\WINDOWS\system32\pnVes18
2008-04-27 08:56 . 2008-04-27 08:56 <DIR> d-------- C:\Temp\zvebs14
2008-04-27 08:56 . 2008-04-27 08:56 <DIR> d-------- C:\Temp\kvebs14
2008-04-27 08:56 . 2008-04-28 13:48 <DIR> d-------- C:\Temp
2008-04-27 08:56 . 2008-04-27 08:56 400,586 --a------ C:\WINDOWS\system32\g0.exe
2008-04-27 08:56 . 2008-04-27 08:56 200,778 --a------ C:\WINDOWS\system32\rcntmkdn.exe
2008-04-27 08:56 . 2008-04-27 08:56 49,164 --a------ C:\WINDOWS\system32\rwwnw64d.exe
2008-04-27 08:56 . 2008-04-27 08:56 37,376 --a------ C:\WINDOWS\mrofinu1188.exe
2008-04-27 08:56 . 2008-04-27 08:56 37,376 --a------ C:\WINDOWS\mrofinu1000106.exe
2008-04-27 08:56 . 2008-04-28 06:07 861 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-04-27 08:55 . 2008-04-26 15:03 85,504 ---hs---- C:\Documents and Settings\Annette\lsass.exe
2008-04-27 08:55 . 2008-04-27 08:55 27,136 --a------ C:\Documents and Settings\Annette\services.exe
2008-04-24 06:30 . 2008-04-27 13:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-24 06:30 . 2008-04-24 06:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-12 01:46 . 2008-04-12 01:46 334,848 --a------ C:\WINDOWS\system32\myss_sb.dll
2008-04-10 19:38 . 2008-04-10 19:38 244 --ah----- C:\sqmnoopt11.sqm
2008-04-10 19:38 . 2008-04-10 19:38 232 --ah----- C:\sqmdata11.sqm
2008-03-30 10:07 . 2004-01-28 14:03 21,456 --a------ C:\WINDOWS\system32\drivers\SilvrLnk.sys
2008-03-30 10:06 . 2008-03-30 10:07 <DIR> d-------- C:\Program Files\TI Education
2008-03-30 10:06 . 2008-03-30 10:07 <DIR> d-------- C:\Program Files\Common Files\TI Shared
2008-03-30 10:04 . 2008-03-30 10:04 430 --a------ C:\WINDOWS\Poly Preferences.rps
2008-03-30 09:56 . 2008-03-30 09:56 <DIR> d-------- C:\Program Files\Pedagoguery Software
2008-03-30 09:56 . 2008-03-30 09:56 838 --a------ C:\WINDOWS\Tess Preferences.trs
2008-03-30 09:52 . 2008-03-30 09:52 <DIR> d-------- C:\Program Files\Mathsoft
2008-03-30 09:50 . 2008-03-30 10:04 <DIR> d-------- C:\Program Files\Graphmatica
2008-03-30 09:48 . 2008-03-30 09:48 <DIR> d-------- C:\Program Files\Cabri II Plus
2008-03-30 09:16 . 2008-03-30 09:16 <DIR> d-------- C:\Program Files\Maths Quest CD
2008-03-30 09:16 . 1999-06-23 16:13 86,016 --a------ C:\WINDOWS\unvise32.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 12:30 --------- d-----w C:\Documents and Settings\Annette\Application Data\uTorrent
2008-04-08 07:10 26,016 ----a-w C:\Documents and Settings\Annette\Application Data\GDIPFONTCACHEV1.DAT
2008-03-29 23:56 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-29 03:50 --------- d-----w C:\Program Files\Picasa2
2006-07-28 10:28 744,839 ------w C:\Documents and Settings\Annette\Newsletter22-06.zip
2004-10-01 04:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6156A32A-C512-4e23-AA9A-2315F4265681}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 15:03 1957888]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"PowerBar"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 17:22 7618560]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"{E5-5E-E7-7D-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-04-27 08:56 49164]
"BM877d6d4e"="C:\WINDOWS\system32\intdpurn.dll" [ ]
"ExploreUpdSched"="C:\WINDOWS\system32\rcntmkdn.exe" [2008-04-27 08:56 200778]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-24 07:18 443968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 22:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Annette\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50 113664]
Deewoo.lnk - C:\WINDOWS\system32\rcntmkdn.exe [2008-04-27 08:56:18 200778]
DW_Start.lnk - C:\WINDOWS\system32\rwwnw64d.exe [2008-04-27 08:56:08 49164]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vvfxqowo]
vvfxqowo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c001780C]
__c001780C.dat 2008-04-27 21:04 32320 C:\WINDOWS\system32\__c001780C.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= pdvcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"C:\\StubInstaller.exe"=
"C:\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\America's Army\\System\\ArmyOps.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\Msn Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Msn Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2007\\fm.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=

R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 22:01]
S1 vcdrom;Virtual CD-ROM Device Driver;C:\Documents and Settings\Annette\My Documents\Michael\Utorrent\VCdRom.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1929c02-8de5-11dc-8484-00148537cd76}]
\Shell\Auto\command - G:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-21 07:18:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 13:55:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\zxdnt3d.cfg 21 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\__c001780C.dat
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-04-28 14:04:08 - machine was rebooted [Annette]
ComboFix-quarantined-files.txt 2008-04-28 04:04:04

Pre-Run: 128,993,882,112 bytes free
Post-Run: 129,540,542,464 bytes free

181 --- E O F --- 2008-04-09 05:37:37

#4 PikeyMikey

PikeyMikey
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 27 April 2008 - 11:27 PM

Also, I should add that now I'm receiving an error message everytime i start the computeri get an error message to the effect of "Error loading C:/window/system32/intdpurn.dll. The specified module could not be found

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:12 PM

Posted 28 April 2008 - 01:21 AM

Hello,

The error is actually a good thing. It means it's trying to be called up to run and cannot be found. :thumbsup: We'll fix it, but right now you have to know you have a lot more than just Vundo going on that needs to be fixed.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 PikeyMikey

PikeyMikey
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 28 April 2008 - 03:33 AM

OK here are some more logs for you to enjoy! :thumbsup:


SDFix: Version 1.176
Run by Annette on Mon 28/04/2008 at 06:07 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\mrofinu1000106.exe - Deleted
C:\WINDOWS\mrofinu1188.exe - Deleted
C:\Documents and Settings\Annette\lsass.exe - Deleted
C:\Documents and Settings\Annette\services.exe - Deleted
C:\Documents and Settings\Annette\Start Menu\Programs\Startup\Deewoo.lnk - Deleted
C:\Documents and Settings\Annette\Start Menu\Programs\Startup\DW_Start.lnk - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\rwwnw64d.exe - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 18:20:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000000
"TracesSuccessful"=dword:00000000
"LastTraceFailure"=dword:00000000

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe:*:Enabled:Age of Empires 3"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\LimeWire\\LimeWire.exe"="C:\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe:*:Enabled:The Conquerors"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\\Program Files\\America's Army\\System\\ArmyOps.exe"="C:\\Program Files\\America's Army\\System\\ArmyOps.exe:*:Enabled:ArmyOps"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Disabled:RTC App Sharing"
"C:\\Program Files\\Msn Messenger\\msnmsgr.exe"="C:\\Program Files\\Msn Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\Msn Messenger\\livecall.exe"="C:\\Program Files\\Msn Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\Sports Interactive\\Football Manager 2007\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2007\\fm.exe:*:Disabled:Football Manager 2007"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Msn Messenger\\msnmsgr.exe"="C:\\Program Files\\Msn Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\Msn Messenger\\livecall.exe"="C:\\Program Files\\Msn Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 14 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Fri 29 Feb 2008 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Wed 4 Aug 2004 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 4 Aug 2004 73,728 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Sun 19 Mar 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 11 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 29 Aug 2007 31,744 ...H. --- "C:\Documents and Settings\Annette\My Documents\Hurstbridge Horse & Pony Club\~WRL0003.tmp"
Sat 28 May 2005 28,160 A..H. --- "C:\Documents and Settings\All Users\Documents\Michael\Politics\~WRL0696.tmp"
Sun 29 May 2005 33,280 A..H. --- "C:\Documents and Settings\All Users\Documents\Michael\Politics\~WRL2965.tmp"
Thu 21 Apr 2005 369,152 A..H. --- "C:\Documents and Settings\All Users\Documents\Michael\SOC21MSR\~WRL2239.tmp"
Wed 2 Nov 2005 30,208 A..H. --- "C:\Documents and Settings\All Users\Documents\Michael\SWS\~WRL2829.tmp"
Sat 28 May 2005 28,160 A..H. --- "C:\Documents and Settings\Annette\My Documents\Michael\Politics\~WRL0696.tmp"
Sun 29 May 2005 33,280 A..H. --- "C:\Documents and Settings\Annette\My Documents\Michael\Politics\~WRL2965.tmp"
Wed 2 Nov 2005 30,208 A..H. --- "C:\Documents and Settings\Annette\My Documents\Michael\SWS\~WRL2829.tmp"
Sun 19 Mar 2006 4,348 ...H. --- "C:\Documents and Settings\Annette\My Documents\My Music\License Backup\drmv1key.bak"
Thu 23 Mar 2006 20 A..H. --- "C:\Documents and Settings\Annette\My Documents\My Music\License Backup\drmv1lic.bak"
Thu 23 Mar 2006 312 ...H. --- "C:\Documents and Settings\Annette\My Documents\My Music\License Backup\drmv2key.bak"
Thu 23 Mar 2006 1,536 A..H. --- "C:\Documents and Settings\Annette\My Documents\My Music\License Backup\drmv2lic.bak"
Tue 8 May 2007 80,896 A..H. --- "C:\Documents and Settings\Annette\My Documents\Michael\Honours\Politics\~WRL3369.tmp"
Thu 21 Apr 2005 369,152 A..H. --- "C:\Documents and Settings\Annette\My Documents\Michael\sociology\SOC21MSR\~WRL2239.tmp"

Finished!







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:26 PM, on 28/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\bigpond\security\App\syssvcnt.exe
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\Rundll32.exe
c:\windows\system32\rwwnw64d.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\bigpond\security\app\Console.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Annette\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telstra.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - c:\Program Files\bigpond\security\App\popupbho01.dll
O2 - BHO: (no name) - {6156A32A-C512-4e23-AA9A-2315F4265681} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: gooochi browser optimizer - {c83a2ff0-f318-79a9-e667-e548b83e2d03} - C:\WINDOWS\system32\{5156c6dc-1b08-44cb-4c9a-dfc1973f1557}.dll
O3 - Toolbar: BigPond Security Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\bigpond\security\App\popupbho01.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{E5-5E-E7-7D-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [BM877d6d4e] Rundll32.exe "C:\WINDOWS\system32\intdpurn.dll",s
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{5156c6dc-1b08-44cb-4c9a-dfc1973f1557}.dll" DllInit
O4 - HKLM\..\Run: [ESP] "c:\Program Files\bigpond\security\app\start.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.telstra.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://audownload.authentium.com/wbiw/bin/wizard.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161610290703
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: vvfxqowo - vvfxqowo.dll (file missing)
O20 - Winlogon Notify: __c001780C - C:\WINDOWS\SYSTEM32\__c001780C.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BigPond Security System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\bigpond\security\App\syssvcnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7884 bytes

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:12 PM

Posted 28 April 2008 - 01:26 PM

Hello there,

Thank you for that....seeing any improvement in performance? You have a ton going on, and it merits just one more tool to run, then we'll start yanking out what's left. :thumbsup:

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.


Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Incidentally, I really do enjoy the challenge the logs give me. :blink:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#8 PikeyMikey

PikeyMikey
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 28 April 2008 - 10:10 PM

Hi Tea

Ok, I ran the scan and here are the logs you requested. Performance is improving but new internet explorer windows seem to take forever to come up and to load. In the windows task manager it seems to be taking up an enormous amount of memory.

Malwarebytes' Anti-Malware 1.11
Database version: 694

Scan type: Quick Scan
Objects scanned: 37434
Time elapsed: 36 minute(s), 51 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 2
Registry Keys Infected: 13
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
C:\WINDOWS\system32\jlwnw64j.exe (Adware.ZeroSearch) -> Unloaded process successfully.
C:\WINDOWS\system32\rcntmkdn.exe (Adware.ZeroSearch) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\{5156c6dc-1b08-44cb-4c9a-dfc1973f1557}.dll (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\__c001780C.dat (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9f593aac-ca4c-4a41-a7ff-a00812192d61} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{749ec66f-a838-4b38-b8e5-e65d905fff74} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6156a32a-c512-4e23-aa9a-2315f4265681} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mysearchassistant (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gooochi (Adware.Rotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c83a2ff0-f318-79a9-e667-e548b83e2d03} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c83a2ff0-f318-79a9-e667-e548b83e2d03} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c001780c (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{E5-5E-E7-7D-DW} (Adware.ZeroSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExploreUpdSched (Adware.ZeroSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spa_start (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM877d6d4e (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jlwnw64j.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rcntmkdn.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\myss_sb.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\myss_sb_uninstall.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rwwnw64d.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{5156c6dc-1b08-44cb-4c9a-dfc1973f1557}.dll-uninst.exe (Adware.Rotator) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{5156c6dc-1b08-44cb-4c9a-dfc1973f1557}.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c001780C.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msnav32.ax (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Annette\Start Menu\Programs\Startup\Deewoo.lnk (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Annette\Start Menu\Programs\Startup\DW_Start.lnk (Trojan.Agent) -> Quarantined and deleted successfully.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:43 PM, on 29/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\bigpond\security\App\syssvcnt.exe
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\bigpond\security\app\Console.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Annette\Desktop\HiJackThis.exe
C:\WINDOWS\system32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telstra.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - c:\Program Files\bigpond\security\App\popupbho01.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: BigPond Security Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\bigpond\security\App\popupbho01.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ESP] "c:\Program Files\bigpond\security\app\start.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.telstra.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://audownload.authentium.com/wbiw/bin/wizard.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161610290703
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: vvfxqowo - vvfxqowo.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BigPond Security System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\bigpond\security\App\syssvcnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7244 bytes

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:12 PM

Posted 28 April 2008 - 11:04 PM

Hello,

Believe it or not, it's looking better. :thumbsup: This much stuff takes a little while to get rid of. You're doing great, and it IS going away. :blink:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vvfxqowo]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c001780C]

File::
C:\WINDOWS\system32\__c001780C.dat
C:\WINDOWS\BM877d6d4e.xml
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\mrofinu1000106.exe

Folder::
C:\Temp
C:\VundoFix Backups
C:\WINDOWS\system32\ve2
C:\WINDOWS\system32\pnVes18


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 PikeyMikey

PikeyMikey
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 28 April 2008 - 11:48 PM

Ok here are the Comfix log and a new Hijackthis log.

ComboFix 08-04-26.5 - Annette 2008-04-29 14:32:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.234 [GMT 10:00]
Running from: C:\Documents and Settings\Annette\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Annette\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM877d6d4e.xml
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\__c001780C.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\Program Files\bigpond\security\app\start.exe
C:\Temp
C:\Temp\kvebs14\zvKarru.log
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\intdpurn.dll.bad
C:\WINDOWS\BM877d6d4e.xml
C:\WINDOWS\system32\pnVes18
C:\WINDOWS\system32\pnVes18\pnVes182328.exe
C:\WINDOWS\system32\ve2
C:\WINDOWS\system32\ve2\demw136.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

2008-04-29 12:06 . 2008-04-29 12:06 <DIR> d-------- C:\Documents and Settings\Annette\Application Data\Malwarebytes
2008-04-29 12:05 . 2008-04-29 12:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-29 12:05 . 2008-04-29 12:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 18:00 . 2008-04-28 18:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-28 17:56 . 2008-04-28 18:27 <DIR> d-------- C:\SDFix
2008-04-28 14:37 . 2008-04-28 14:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Authentium
2008-04-28 14:36 . 2008-04-28 14:36 <DIR> d-------- C:\Program Files\Common Files\RuleSpace
2008-04-28 14:36 . 2008-04-28 14:36 <DIR> d-------- C:\Program Files\Common Files\Authentium
2008-04-28 14:36 . 2008-04-28 14:36 <DIR> d-------- C:\Program Files\Common Files\Aluria
2008-04-28 14:36 . 2008-04-28 14:36 <DIR> d-------- C:\Program Files\bigpond
2008-04-28 14:29 . 2008-04-28 14:35 <DIR> d-------- C:\Program Files\Common Files\Authentium Shared
2008-04-27 23:55 . 2008-04-27 23:55 <DIR> d-------- C:\Deckard
2008-04-27 22:18 . 2008-04-27 22:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-27 22:18 . 2008-04-27 22:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-27 20:37 . 2008-04-27 22:26 <DIR> d-------- C:\Program Files\MSECACHE
2008-04-27 14:56 . 2008-04-27 14:56 298,317 --a------ C:\WINDOWS\system32\gside.exe
2008-04-27 08:56 . 2008-04-27 08:56 400,586 --a------ C:\WINDOWS\system32\g0.exe
2008-04-27 08:56 . 2008-04-28 20:40 860 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-04-24 06:30 . 2008-04-27 13:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-24 06:30 . 2008-04-24 06:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-11 10:45 . 2008-04-11 10:45 443,656 --a------ C:\WINDOWS\system32\grfilter.dll
2008-04-11 10:45 . 2008-04-11 10:45 39,688 --a------ C:\WINDOWS\system32\drivers\GRTdiMon.sys
2008-04-11 10:45 . 2008-04-11 10:45 21,000 --a------ C:\WINDOWS\system32\drivers\GRFilter.sys
2008-04-11 10:25 . 2008-04-11 10:25 103,656 --a------ C:\WINDOWS\system32\authcrypt.dll
2008-04-11 10:25 . 2008-04-11 10:25 79,336 --a------ C:\WINDOWS\system32\AuthWSC.dll
2008-04-10 19:38 . 2008-04-10 19:38 244 --ah----- C:\sqmnoopt11.sqm
2008-04-10 19:38 . 2008-04-10 19:38 232 --ah----- C:\sqmdata11.sqm
2008-03-30 10:07 . 2004-01-28 14:03 21,456 --a------ C:\WINDOWS\system32\drivers\SilvrLnk.sys
2008-03-30 10:06 . 2008-03-30 10:07 <DIR> d-------- C:\Program Files\TI Education
2008-03-30 10:06 . 2008-03-30 10:07 <DIR> d-------- C:\Program Files\Common Files\TI Shared
2008-03-30 10:04 . 2008-03-30 10:04 430 --a------ C:\WINDOWS\Poly Preferences.rps
2008-03-30 09:56 . 2008-03-30 09:56 <DIR> d-------- C:\Program Files\Pedagoguery Software
2008-03-30 09:56 . 2008-03-30 09:56 838 --a------ C:\WINDOWS\Tess Preferences.trs
2008-03-30 09:52 . 2008-03-30 09:52 <DIR> d-------- C:\Program Files\Mathsoft
2008-03-30 09:50 . 2008-03-30 10:04 <DIR> d-------- C:\Program Files\Graphmatica
2008-03-30 09:48 . 2008-03-30 09:48 <DIR> d-------- C:\Program Files\Cabri II Plus
2008-03-30 09:16 . 2008-03-30 09:16 <DIR> d-------- C:\Program Files\Maths Quest CD
2008-03-30 09:16 . 1999-06-23 16:13 86,016 --a------ C:\WINDOWS\unvise32.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 12:30 --------- d-----w C:\Documents and Settings\Annette\Application Data\uTorrent
2008-04-11 00:30 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-04-11 00:30 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-04-11 00:30 106,496 ----a-w C:\WINDOWS\system32\atl71.dll
2008-04-08 07:10 26,016 ----a-w C:\Documents and Settings\Annette\Application Data\GDIPFONTCACHEV1.DAT
2008-03-29 23:56 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-29 03:50 --------- d-----w C:\Program Files\Picasa2
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-30 02:24 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2006-07-28 10:28 744,839 ------w C:\Documents and Settings\Annette\Newsletter22-06.zip
2004-10-01 04:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-28_14.03.42.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-28 03:54:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-29 02:52:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-27 10:47:55 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-28 08:01:42 5,378,048 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-28 08:01:43 155,648 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-27 10:47:55 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-28 08:01:20 5,378,048 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-04-28 08:01:20 155,648 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2006-07-30 02:04:40 221,184 ----a-w C:\WINDOWS\system32\DartSock.dll
+ 2007-11-26 06:33:52 835,792 ----a-w C:\WINDOWS\system32\drivers\Css-Dvp.sys
+ 2006-07-30 02:04:40 40,960 ----a-w C:\WINDOWS\system32\dwBkThrd.dll
+ 2006-07-30 02:04:40 200,704 ----a-w C:\WINDOWS\system32\dwSock6.dll
+ 2006-07-30 02:04:40 137,216 ----a-w C:\WINDOWS\system32\dwspy32.dll
+ 2006-07-30 02:04:40 77,312 ----a-w C:\WINDOWS\system32\DWSPY36.dll
+ 2006-07-30 02:04:40 122,880 ----a-w C:\WINDOWS\system32\dwspyvb6.dll
+ 2006-07-30 02:04:40 405,504 ----a-w C:\WINDOWS\system32\ExComboBox.dll
+ 2006-07-30 02:04:40 63,488 ----a-w C:\WINDOWS\system32\FlexBag.dll
+ 2006-07-30 02:04:40 331,776 ----a-w C:\WINDOWS\system32\IMDBvb.dll
+ 2006-07-30 02:04:40 103,424 ----a-w C:\WINDOWS\system32\sgRegExp.dll
+ 2006-07-30 02:04:40 22,528 ----a-w C:\WINDOWS\system32\SockIntf.dll
+ 2006-07-30 02:04:42 63,008 ----a-w C:\WINDOWS\system32\wscapi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 15:03 1957888]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"PowerBar"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 17:22 7618560]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"ESP"="c:\Program Files\bigpond\security\app\start.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-24 07:18 443968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 22:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= pdvcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"C:\\StubInstaller.exe"=
"C:\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\America's Army\\System\\ArmyOps.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\Msn Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Msn Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2007\\fm.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=

R0 GRFILTER;Authentium NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2008-04-11 10:45]
R2 GRTdiMon;Authentium TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2008-04-11 10:45]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 22:01]
S1 vcdrom;Virtual CD-ROM Device Driver;C:\Documents and Settings\Annette\My Documents\Michael\Utorrent\VCdRom.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1929c02-8de5-11dc-8484-00148537cd76}]
\Shell\Auto\command - G:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 07:19:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 14:37:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-04-29 14:41:30
ComboFix-quarantined-files.txt 2008-04-29 04:40:45
ComboFix2.txt 2008-04-28 04:04:09

Pre-Run: 128,502,984,704 bytes free
Post-Run: 128,566,878,208 bytes free

182 --- E O F --- 2008-04-09 05:37:37



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:01 PM, on 29/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\bigpond\security\App\syssvcnt.exe
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\bigpond\security\app\Console.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Annette\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telstra.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - c:\Program Files\bigpond\security\App\popupbho01.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: BigPond Security Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\bigpond\security\App\popupbho01.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ESP] "c:\Program Files\bigpond\security\app\start.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.telstra.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://audownload.authentium.com/wbiw/bin/wizard.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161610290703
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BigPond Security System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\bigpond\security\App\syssvcnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7099 bytes

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:12 PM

Posted 28 April 2008 - 11:57 PM

Hello,

Performance is improving but new internet explorer windows seem to take forever to come up and to load. In the windows task manager it seems to be taking up an enormous amount of memory.

Is this better now? :thumbsup:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#12 PikeyMikey

PikeyMikey
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 29 April 2008 - 12:27 AM

yeah, the performance has improved heaps. Thanks for your help. I take it since you didnt ask for another log file that we are done? Thanks for all your help. Should i start getting rid of the little programs I've downloaded? Also, any ideas on how we got these infections and what we could do to prevent it in the future. We have an anti-virus but i feel that it is next to useless.

Any feedback would be appreciated.


Thanks again for your help

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:12 PM

Posted 29 April 2008 - 12:49 AM

Hello,

You're welcome. :blink:

Yes, everything looks good now, and since the performance is back up looks like the worries are over. :thumbsup:

Please delete ComboFix and its accompanying folder C:\Qoobox, as well as SDFix. Empty your Recycle bin and reboot your computer. MBAM is up to you. Keep it if you like it. :wacko:

I can't really say exactly how you got this. It could have been from a site you visited, a link you clicked on, a program you downloaded, many things.

This is what I tell everyone:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#14 PikeyMikey

PikeyMikey
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 29 April 2008 - 01:22 AM

Eh, I may have spoken too soon on the performance front. There are still minor delays when openning programs but it is more obvious when I'm openning webpages. But I've started implimenting some of your suggestions like installing firefox. thanks for your help

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:12 PM

Posted 29 April 2008 - 02:01 AM

Hello,

How about a little tidy up to go along with that and see if it helps..........

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files.This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Give the computer a defrag, then reboot a couple of times and see if it's any better. :blink:

Do let me know. :thumbsup:

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users