Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Lost Administrative Rights - Windows Xp


  • This topic is locked This topic is locked
15 replies to this topic

#1 bakerman

bakerman

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 30 May 2008 - 01:04 PM

OK. New to this but browsing thru the many discussions looks like I have a similar problem in that I had an invasion and several things corrupted. (one common quirk I saw on some sites was the text "Virus Alert" appearing to the right of the clock in the task bar. That was easy to correct but other common problems explained below exists.) On the most part I've got my PC back but still have some lingering problems that seem to be related to Administrative Rights. Some symptoms are: Can't see All Programs in Start Menu, Can't use Alt-Ctrl-Del, Can't access Display Properties. Running XP Home on Dell with AVG Free 8._ Initially had a bunch of windows popping up stating something about downloading Spyware & Adware software to clean my dirty system. AVG did find a number of infected Trojan files and cleaned/deleted those and seems to be running better. But noticed the problems stated above and can't seem to do anything about them. Not sure even if I have the ability to run System Restore (not at my infected PC now). Couple of posts mention running MsnCleaner in Safe Mode and folks seem to be happy with results. Wondering if I should try that and see what happens???

BC AdBot (Login to Remove)

 


m

#2 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 30 May 2008 - 03:05 PM

Hello bakerman,

Download and Run HijackThis
Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#3 bakerman

bakerman
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 30 May 2008 - 04:19 PM

Below is the HijackThis Logfile as requested. Thanks for your quick response.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:21 PM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dad\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27796771-8D05-4EE6-B478-43CE759F2106} - C:\WINDOWS\system32\ddcYqnNE.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {699A5F4F-B191-4FC9-AC5B-85D8065CA7B8} - C:\WINDOWS\system32\byXOgdCU.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: QXK Olive - {82852436-F845-4519-A0CC-B2A8D54C3704} - C:\WINDOWS\boqnrwdmslm.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [c0555ad2] rundll32.exe "C:\WINDOWS\system32\mhaplnep.dll",b
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gis.pinellascounty.org/ActiveX/ver6.5/mgaxctrl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://63.166.97.45:1080/activex/AxisCamControl.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - https://www.peryourhealth.com/crystalreport...tiveXViewer.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/ACNePlayer.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://rsvpn.raytheon.com/,DanaInfo=MK2-MS...=java+dwa7W.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://rsvpn.raytheon.com/dana-cached/setu...perSetupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: ddcYqnNE - ddcYqnNE.dll (file missing)
O21 - SSODL: AvpMon - {5022351a-52ca-4d2f-a3ce-a66616d3834a} - C:\WINDOWS\Resources\AvpMon.dll (file missing)
O21 - SSODL: vregfwlx - {5904A235-4BA0-47BE-89ED-37624F4F4814} - C:\WINDOWS\vregfwlx.dll (file missing)
O21 - SSODL: vltdfabw - {B4215616-EC0E-4DF2-8B1A-7E66E4F6103E} - C:\WINDOWS\vltdfabw.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 11093 bytes

#4 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 30 May 2008 - 05:32 PM

Hello bakerman,

FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [c0555ad2] rundll32.exe "C:\WINDOWS\system32\mhaplnep.dll",b
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gis.pinellascounty.org/ActiveX/ver6.5/mgaxctrl.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - https://www.peryourhealth.com/crystalreport...tiveXViewer.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/ACNePlayer.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://rsvpn.raytheon.com/,DanaInfo=MK2-MS...=java+dwa7W.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://rsvpn.raytheon.com/dana-cached/setu...perSetupSP1.cab
O20 - Winlogon Notify: ddcYqnNE - ddcYqnNE.dll (file missing)
O21 - SSODL: AvpMon - {5022351a-52ca-4d2f-a3ce-a66616d3834a} - C:\WINDOWS\Resources\AvpMon.dll (file missing)
O21 - SSODL: vregfwlx - {5904A235-4BA0-47BE-89ED-37624F4F4814} - C:\WINDOWS\vregfwlx.dll (file missing)
O21 - SSODL: vltdfabw - {B4215616-EC0E-4DF2-8B1A-7E66E4F6103E} - C:\WINDOWS\vltdfabw.dll (file missing)


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
Please visit this webpage for instructions for downloading ComboFix at your DESKTOP :
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
----------------------------------------------
Post back:
Combofix report.
A new Hijackthis log.

Some symptoms are: Can't see All Programs in Start Menu, Can't use Alt-Ctrl-Del, Can't access Display Properties.

Are these working now?
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#5 bakerman

bakerman
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 31 May 2008 - 11:00 AM

Wow - like magic!

Ran HijackThis system scan only, checked boxes as suggested and clicked Fix Checked. Bunch of windows came up stating "Registry editing has been disabled by your administrator". Ran scan only again and saw that all but these two were gone

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

So checked them again, clicked Fix Checked and seem to make those go away.

Ran ComboFix as suggested (although acted somewhat different than described in their instructions - assume program updated). After system reboot at least the 3 items noted that didn't work because of administrative rights are now back so looks like I'm back in business. As reuested I'm including the last logs for HijackThis and ComoFix below.

++++++++++++++++++++++++++++++
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:52 AM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dad\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27796771-8D05-4EE6-B478-43CE759F2106} - C:\WINDOWS\system32\ddcYqnNE.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {699A5F4F-B191-4FC9-AC5B-85D8065CA7B8} - C:\WINDOWS\system32\byXOgdCU.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: QXK Olive - {82852436-F845-4519-A0CC-B2A8D54C3704} - C:\WINDOWS\boqnrwdmslm.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://63.166.97.45:1080/activex/AxisCamControl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8967 bytes

++++++++++++++++++++++++++++
ComboFix 08-05-29.1 - Dad 2008-05-31 11:07:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.223 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MyWay
C:\Program Files\MyWay\myBar\History\search
C:\Program Files\MyWay\myBar\Settings\prevcfg.htm
C:\Program Files\MyWay\myBar\Settings\settings.dat
C:\Program Files\MyWay\myBar\Settings\settings.htm
C:\WINDOWS\cookies.ini
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mhaplnep.dll
C:\WINDOWS\SYSTEM32\penlpahm.ini
C:\WINDOWS\system32\qiucwaif.ini
C:\WINDOWS\SYSTEM32\UCdgOXyb.ini
C:\WINDOWS\SYSTEM32\UCdgOXyb.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-29 22:50 . 2008-05-29 22:57 <DIR> d-------- C:\HJT
2008-05-28 22:50 . 2008-05-28 22:50 <DIR> d-------- C:\Program Files\Maxtor
2008-05-28 22:50 . 2008-05-28 22:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Maxtor
2008-05-28 22:48 . 2008-05-28 22:48 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-05-28 22:48 . 2008-05-28 22:48 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-28 22:48 . 2008-05-28 22:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-28 22:48 . 2008-05-28 22:48 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-28 22:22 . 2008-05-28 22:26 <DIR> d-------- C:\Maxtor
2008-05-28 02:45 . 2008-05-28 02:45 <DIR> d--hs---- C:\found.001
2008-05-23 17:05 . 2008-05-28 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-17 12:25 . 2008-05-29 22:25 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-16 22:34 . 2008-05-31 09:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-05-16 22:34 . 2008-05-16 22:34 <DIR> d-------- C:\Program Files\AVG
2008-05-16 22:34 . 2008-05-16 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-16 22:34 . 2008-05-16 22:34 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-05-16 22:34 . 2008-05-16 22:34 75,272 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdix.sys
2008-05-16 22:34 . 2008-05-16 22:34 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-05-09 17:25 . 2008-05-09 17:25 <DIR> d-------- C:\Program Files\Autodesk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-31 14:35 --------- d-----w C:\Program Files\Lx_cats
2008-05-30 02:38 --------- d-----w C:\Program Files\MUSICMATCH
2008-05-29 23:01 --------- d-----w C:\Program Files\ItsDeductible2005
2008-05-29 23:00 --------- d-----w C:\Program Files\ItsDeductible2004
2008-05-23 21:07 --------- d-----w C:\Program Files\Google
2008-05-11 12:56 --------- d-----w C:\Documents and Settings\Dad\Application Data\AdobeUM
2008-05-02 14:31 --------- d-----w C:\Program Files\FinePixViewer
2008-04-23 20:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-04-04 21:45 61,440 ----a-w C:\WINDOWS\wnUninstall.exe
2008-04-04 21:45 --------- d-----w C:\Program Files\Common Files\10 News Now
2008-03-30 16:06 --------- d-----w C:\Program Files\Java
2007-04-25 23:59 92,064 ----a-w C:\Documents and Settings\Dad\mqdmmdm.sys
2007-04-25 23:59 9,232 ----a-w C:\Documents and Settings\Dad\mqdmmdfl.sys
2007-04-25 23:59 79,328 ----a-w C:\Documents and Settings\Dad\mqdmserd.sys
2007-04-25 23:59 66,656 ----a-w C:\Documents and Settings\Dad\mqdmbus.sys
2007-04-25 23:59 6,208 ----a-w C:\Documents and Settings\Dad\mqdmcmnt.sys
2007-04-25 23:59 5,936 ----a-w C:\Documents and Settings\Dad\mqdmwhnt.sys
2007-04-25 23:59 4,048 ----a-w C:\Documents and Settings\Dad\mqdmcr.sys
2007-04-25 23:59 25,600 ----a-w C:\Documents and Settings\Dad\usbsermptxp.sys
2007-04-25 23:59 22,768 ----a-w C:\Documents and Settings\Dad\usbsermpt.sys
2001-06-03 01:10 572 ----a-w C:\Documents and Settings\Bryan\AUTOEXEC.BAT
2001-06-03 00:14 139 ----a-w C:\Documents and Settings\Bryan\config.sys
2001-01-01 05:08 4,767 ----a-w C:\Documents and Settings\Bryan\mouse.exe
1988-02-07 10:00 427 ----a-w C:\Documents and Settings\Bryan\REBOOT.COM
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27796771-8D05-4EE6-B478-43CE759F2106}]
C:\WINDOWS\system32\ddcYqnNE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{699A5F4F-B191-4FC9-AC5B-85D8065CA7B8}]
C:\WINDOWS\system32\byXOgdCU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82852436-F845-4519-A0CC-B2A8D54C3704}]
C:\WINDOWS\boqnrwdmslm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-03 14:46 4800512]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12 221184]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04 114741]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 11:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47 204800]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-16 07:51 77824]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-04-16 07:51 151597]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Lexmark 5200 series"="C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe" [2004-03-25 09:30 57344]
"LXBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 12:30 65536]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-16 22:34 1177368]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 14:53 169264]

C:\Documents and Settings\Bryan\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-05-29 10:32:42 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-03-26 21:26:51 25214]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-09-01 21:30:33 1528880]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2005-12-05 21:39:06 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 11:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{27796771-8D05-4EE6-B478-43CE759F2106}"= C:\WINDOWS\system32\ddcYqnNE.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\10 News Now\\TrueWeather.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-16 22:34]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-16 22:34]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-16 22:34]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-16 22:34]
R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 12:24]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 11:20:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\Lexmark 5200 Series\lxbtbmon.exe
.
**************************************************************************
.
Completion time: 2008-05-31 11:31:21 - machine was rebooted [Dad]
ComboFix-quarantined-files.txt 2008-05-31 15:31:17

Pre-Run: 40,078,577,664 bytes free
Post-Run: 40,902,909,952 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

169 --- E O F --- 2008-05-29 22:33:18

+++++++++++++++++++++++++++
Thanks so much for the help. If there's anything else needed please advise.

#6 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 31 May 2008 - 01:27 PM

Hello bakerman,

Wow - like magic!

It is isn't it? :thumbsup:
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C:\WINDOWS\system32\ddcYqnNE.dll
    C:\WINDOWS\system32\byXOgdCU.dll
    C:\WINDOWS\boqnrwdmslm.dll
    
    Folder::
    C:\found.001
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27796771-8D05-4EE6-B478-43CE759F2106}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{699A5F4F-B191-4FC9-AC5B-85D8065CA7B8}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82852436-F845-4519-A0CC-B2A8D54C3704}]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{27796771-8D05-4EE6-B478-43CE759F2106}"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
----------------------------------------------
Post back:
Combofix report.
Malwarebytes' Anti-Malware report.
A new HijackThis log.
Is the pc running better?

Edited by chryssi2001, 31 May 2008 - 02:00 PM.

Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#7 bakerman

bakerman
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 31 May 2008 - 04:14 PM

chryssi2001 - OK. Did all as requested and here's the log files. PC seems to be running fine now. Question - Do you recommend running that same Malware program on my laptop even though its not experiencing problems? I'm currently running the new AVG 8.0 on it also.

+++++++++++++++++++++++++
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:29 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dad\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://63.166.97.45:1080/activex/AxisCamControl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8708 bytes

++++++++++++++++++++++++
ComboFix 08-05-29.1 - Dad 2008-05-31 15:23:58.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.234 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\boqnrwdmslm.dll
C:\WINDOWS\system32\byXOgdCU.dll
C:\WINDOWS\system32\ddcYqnNE.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\found.001
C:\found.001\dir0000.chk\79003_90_110[1].jpg
C:\found.001\dir0000.chk\81651_50_50[1].jpg

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-29 22:50 . 2008-05-29 22:57 <DIR> d-------- C:\HJT
2008-05-28 22:50 . 2008-05-28 22:50 <DIR> d-------- C:\Program Files\Maxtor
2008-05-28 22:50 . 2008-05-28 22:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Maxtor
2008-05-28 22:48 . 2008-05-28 22:48 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-05-28 22:48 . 2008-05-28 22:48 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-28 22:48 . 2008-05-28 22:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-28 22:48 . 2008-05-28 22:48 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-28 22:22 . 2008-05-28 22:26 <DIR> d-------- C:\Maxtor
2008-05-23 17:05 . 2008-05-28 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-17 12:25 . 2008-05-29 22:25 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-16 22:34 . 2008-05-31 09:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-05-16 22:34 . 2008-05-16 22:34 <DIR> d-------- C:\Program Files\AVG
2008-05-16 22:34 . 2008-05-16 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-16 22:34 . 2008-05-16 22:34 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-05-16 22:34 . 2008-05-16 22:34 75,272 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdix.sys
2008-05-16 22:34 . 2008-05-16 22:34 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-05-09 17:25 . 2008-05-09 17:25 <DIR> d-------- C:\Program Files\Autodesk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-31 14:35 --------- d-----w C:\Program Files\Lx_cats
2008-05-30 02:38 --------- d-----w C:\Program Files\MUSICMATCH
2008-05-29 23:01 --------- d-----w C:\Program Files\ItsDeductible2005
2008-05-29 23:00 --------- d-----w C:\Program Files\ItsDeductible2004
2008-05-23 21:07 --------- d-----w C:\Program Files\Google
2008-05-11 12:56 --------- d-----w C:\Documents and Settings\Dad\Application Data\AdobeUM
2008-05-02 14:31 --------- d-----w C:\Program Files\FinePixViewer
2008-04-23 20:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-04-04 21:45 61,440 ----a-w C:\WINDOWS\wnUninstall.exe
2008-04-04 21:45 --------- d-----w C:\Program Files\Common Files\10 News Now
2008-03-30 16:06 --------- d-----w C:\Program Files\Java
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-02-26 11:59 294,912 ----a-w C:\WINDOWS\SYSTEM32\msctf.dll
2008-02-26 11:59 294,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msctf.dll
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-04-25 23:59 92,064 ----a-w C:\Documents and Settings\Dad\mqdmmdm.sys
2007-04-25 23:59 9,232 ----a-w C:\Documents and Settings\Dad\mqdmmdfl.sys
2007-04-25 23:59 79,328 ----a-w C:\Documents and Settings\Dad\mqdmserd.sys
2007-04-25 23:59 66,656 ----a-w C:\Documents and Settings\Dad\mqdmbus.sys
2007-04-25 23:59 6,208 ----a-w C:\Documents and Settings\Dad\mqdmcmnt.sys
2007-04-25 23:59 5,936 ----a-w C:\Documents and Settings\Dad\mqdmwhnt.sys
2007-04-25 23:59 4,048 ----a-w C:\Documents and Settings\Dad\mqdmcr.sys
2007-04-25 23:59 25,600 ----a-w C:\Documents and Settings\Dad\usbsermptxp.sys
2007-04-25 23:59 22,768 ----a-w C:\Documents and Settings\Dad\usbsermpt.sys
2001-06-03 01:10 572 ----a-w C:\Documents and Settings\Bryan\AUTOEXEC.BAT
2001-06-03 00:14 139 ----a-w C:\Documents and Settings\Bryan\config.sys
2001-01-01 05:08 4,767 ----a-w C:\Documents and Settings\Bryan\mouse.exe
1988-02-07 10:00 427 ----a-w C:\Documents and Settings\Bryan\REBOOT.COM
.

((((((((((((((((((((((((((((( snapshot@2008-05-31_11.31.06.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-31 15:16:17 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-31 18:27:02 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-03 14:46 4800512]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12 221184]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04 114741]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 11:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47 204800]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-16 07:51 77824]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-04-16 07:51 151597]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Lexmark 5200 series"="C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe" [2004-03-25 09:30 57344]
"LXBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 12:30 65536]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-16 22:34 1177368]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 14:53 169264]

C:\Documents and Settings\Bryan\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-05-29 10:32:42 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-03-26 21:26:51 25214]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-09-01 21:30:33 1528880]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2005-12-05 21:39:06 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 11:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\10 News Now\\TrueWeather.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-16 22:34]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-16 22:34]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-16 22:34]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-16 22:34]
R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 12:24]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 15:29:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-31 15:33:59
ComboFix-quarantined-files.txt 2008-05-31 19:33:26

Pre-Run: 40,880,414,720 bytes free
Post-Run: 40,875,859,968 bytes free

156 --- E O F --- 2008-05-29 22:33:18

++++++++++++++++++++++++++++++++++++
Malwarebytes' Anti-Malware 1.14
Database version: 810

5:00:22 PM 5/31/2008
mbam-log-5-31-2008 (17-00-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 155564
Time elapsed: 49 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55277-OEM-0011903-00102) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Dad\Local Settings\Tempboome20.exe (Trojan.Agent) -> Quarantined and deleted successfully.

#8 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 01 June 2008 - 02:33 AM

Hello bakerman :thumbsup: ,

Do you recommend running that same Malware program on my laptop even though its not experiencing problems? I'm currently running the new AVG 8.0 on it also.


If when saying same Malware program you mean Malwarebytes'Anti-Malware then it's a yes, you can use it and do that often.
Malwarebytes' Anti-Malware is a very good scanner and can be used frequently to clean a pc.

Combofix should not be used on any machine without supervision from an authorised person.

You can open another thread after we finish this one for your laptop, just to be checked if you like to.
----------------------------------------------
Please download ATF cleaner
Make sure that all browser windows are closed.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All and UNCHECK Cookies.
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All and UNCHECK Cookies.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All and UNCHECK Cookies.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
----------------------------------------------
Update Adobe Reader
Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version. Adobe Reader 8.
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Adobe 8 is a large program and if you prefer a smaller program you can get Foxit 2.0 instead from http://www.foxitsoftware.com/pdf/rd_intro.php
----------------------------------------------
Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 6.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 6 and click on Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u6-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer
----------------------------------------------
Run Kaspersky Online AV Scanner
Using Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html and click the Accept button at the end of the page.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log.
----------------------------------------------
Post back:
Kaspersky report.
A new HijackThis log.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#9 bakerman

bakerman
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 01 June 2008 - 06:48 PM

Performed the ATF Cleaner and updated Java. Regarding Adobe, note that I have Adobe Acrobat Pro 7.0.1 and I believe that is the latest for Acrobat.

Here's the next round of logs...

KASPERSKY ONLINE SCANNER REPORT
Sunday, June 01, 2008 7:38:29 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/06/2008
Kaspersky Anti-Virus database records: 820756
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 107512
Number of viruses found: 11
Number of infected objects: 23
Number of suspicious objects: 0
Duration of the scan process: 01:35:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\427166d473e2469cc191c2dc14c1172d_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e634d72008ccbd8e4928749b01859e81_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Brandon\Local Settings\Temporary Internet Files\AntiPhishing\6729BBF9-D54C-48CB-A4D7-AD400339D808.dat Object is locked skipped
C:\Documents and Settings\Brandon\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Brett\My Documents\burn4free_setup.exe/data0008/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Documents and Settings\Brett\My Documents\burn4free_setup.exe/data0008/v2.0.4b.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.g skipped
C:\Documents and Settings\Brett\My Documents\burn4free_setup.exe/data0008/v2.0.4b.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Documents and Settings\Brett\My Documents\burn4free_setup.exe/data0008/v2.0.4b.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Brett\My Documents\burn4free_setup.exe/data0008/v2.0.4b.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Brett\My Documents\burn4free_setup.exe/data0008 Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Brett\My Documents\burn4free_setup.exe Inno: infected - 6 skipped
C:\Documents and Settings\Bryan\Local Settings\Temporary Internet Files\AntiPhishing\6729BBF9-D54C-48CB-A4D7-AD400339D808.dat Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Dad\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\~DF5AF5.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\~DF5B09.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\My Documents\My Files\Screen Savers\Haunted\hhousefree2.exe/WISE0034.BIN/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.c skipped
C:\Documents and Settings\Dad\My Documents\My Files\Screen Savers\Haunted\hhousefree2.exe/WISE0034.BIN/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\Documents and Settings\Dad\My Documents\My Files\Screen Savers\Haunted\hhousefree2.exe/WISE0034.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\Documents and Settings\Dad\My Documents\My Files\Screen Savers\Haunted\hhousefree2.exe/WISE0034.BIN/data0002.cab/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Dad\My Documents\My Files\Screen Savers\Haunted\hhousefree2.exe/WISE0034.BIN/data0002.cab/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Dad\My Documents\My Files\Screen Savers\Haunted\hhousefree2.exe/WISE0034.BIN/data0002.cab Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Dad\My Documents\My Files\Screen Savers\Haunted\hhousefree2.exe/WISE0034.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Dad\My Documents\My Files\Screen Savers\Haunted\hhousefree2.exe/WISE0035.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Dad\My Documents\My Files\Screen Savers\Haunted\hhousefree2.exe WiseSFX: infected - 8 skipped
C:\Documents and Settings\Dad\My Documents\My Files\Stuff\Gators\Floridav2.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.Gator.3013 skipped
C:\Documents and Settings\Dad\My Documents\My Files\Stuff\Gators\Floridav2.exe WiseSFX: infected - 1 skipped
C:\Documents and Settings\Dad\My Documents\My Files\Stuff\Gators\gatordesktoptheme.exe/WISE0014.BIN Infected: not-a-virus:AdWare.Win32.EZula.d skipped
C:\Documents and Settings\Dad\My Documents\My Files\Stuff\Gators\gatordesktoptheme.exe WiseSFX: infected - 1 skipped
C:\Documents and Settings\Dad\ntuser.dat Object is locked skipped
C:\Documents and Settings\Dad\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mhaplnep.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.vlu skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1280\A0321820.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vlu skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1289\A0324557.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vlu skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1300\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6EC37550-6D1E-4094-94D3-E5B2B7C84094}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

++++++++++++++++++++++++++++++++++++
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:13 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dad\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_1_0 -reboot 1
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://63.166.97.45:1080/activex/AxisCamControl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8818 bytes

#10 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 02 June 2008 - 12:23 AM

Hello bakerman :thumbsup: ,

Regarding Adobe, note that I have Adobe Acrobat Pro 7.0.1 and I believe that is the latest for Acrobat.

Noted. Just for your information Adobe Acrobat Pro 9.00 is out ;).
http://www.adobe.com/products/acrobatpro/
----------------------------------------------
Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to and find the following Folders:

C:\Documents and Settings\Brett\My Documents\burn4free_setup.exe
C:\Documents and Settings\Dad\My Documents\My Files\Screen Savers\Haunted
C:\Documents and Settings\Dad\My Documents\My Files\Stuff\Gators


Right-Click and delete them.
I am sorry about your ScreenSaver, but it's infected.
----------------------------------------------
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • Posted Image
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
----------------------------------------------
Congratulations you are clean! :)
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Here are some free programs I recommend that could help you improve your computer's security.
(Vista users must ensure that any programs are Vista compatible BEFORE installing)

Spybot Search and Destroy 1.5.2
Download it from here. Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here

Install SpyWare Blaster 4.0
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.

Happy safe surfing!
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#11 bakerman

bakerman
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 02 June 2008 - 07:39 AM

Good Morning chryssi2001!

First of all THANKS for all your help - this was a very interesting and rewarding experience! I'm at work now so Home PC not available and I'll finish up with your recommendations later this evening. I do have couple of questions just for my understanding..

Two of the folders (Hanunted and Gators) you suggested to delete (screensaver I don't use anyway) I also have on my work PC. We have a very tight IT group and run Symantec (currently 10.1.6.6010) anti-vitus program. I believe its like a corporate license and updates everyday - its all controlled via IT - I don't do anything with it. I selected both of those folders and scanned them using this program and it didn't come up with anything. I guess I'm just surprised that no infection was found. Am I missing something or are the "free" programs you had me use "better" than, I'm sure, a very expensive Symantec corporate program?

For the Acrobat program, I guess the free update provisions from Adobe just apply to a particular purchased level (7..., 8...). To go from my version 7.0.1 to 9... would involve an upgrade cost - For my use and purpose don't think I need to go to the expense as 7.0.1 works just fine for me but thanks for the heads up.

And lastly I may next run my laptop thru your site (new thread) even though it seems to be operating fine. I have noticed it slowing down but that may be result of all the stuff I have loaded on it. I did run the anti-Malware program and removed a couple of items it found.

So again thanks for all the excellent support. Have a great day!

bakerman

#12 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 02 June 2008 - 08:37 AM

Good Morning chryssi2001!

First of all THANKS for all your help - this was a very interesting and rewarding experience! I'm at work now so Home PC not available and I'll finish up with your recommendations later this evening. I do have couple of questions just for my understanding..

You are welcome :thumbsup:

Two of the folders (Hanunted and Gators) you suggested to delete (screensaver I don't use anyway) I also have on my work PC. We have a very tight IT group and run Symantec (currently 10.1.6.6010) anti-vitus program. I believe its like a corporate license and updates everyday - its all controlled via IT - I don't do anything with it. I selected both of those folders and scanned them using this program and it didn't come up with anything. I guess I'm just surprised that no infection was found. Am I missing something or are the "free" programs you had me use "better" than, I'm sure, a very expensive Symantec corporate program?

The ones you have on your pc are infected as you can see:

C:\Documents and Settings\Dad\My Documents\My Files\Screen Savers\Haunted\hhousefree2.exe/WISE0034.BIN/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped

C:\Documents and Settings\Dad\My Documents\My Files\Stuff\Gators\Floridav2.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.Gator.3013 skipped

Anti-Virus programs do not cover all infections. We do use Kaspersky online scan because it's one of the best out there.

For the Acrobat program, I guess the free update provisions from Adobe just apply to a particular purchased level (7..., 8...). To go from my version 7.0.1 to 9... would involve an upgrade cost - For my use and purpose don't think I need to go to the expense as 7.0.1 works just fine for me but thanks for the heads up.

I know it costs, that's why i just mention that version 9 is out. You don't have to upgrade if you are fine with the version you had.

And lastly I may next run my laptop thru your site (new thread) even though it seems to be operating fine. I have noticed it slowing down but that may be result of all the stuff I have loaded on it. I did run the anti-Malware program and removed a couple of items it found.

You can open a new thread, but be patient, because the forum is very very busy.

So again thanks for all the excellent support. Have a great day!

Thanks, have a nice day too.

Let me know you've read my answer and you've finished all my instructions so i can close this thread. :)
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#13 bakerman

bakerman
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 02 June 2008 - 09:47 AM

This is all very interesting. Another question regarding the files that I need to remove.

C:\Documents and Settings\Dad\My Documents\My Files\Screen savers\Haunted\hhousefree2.exe/WISE0034.BIN/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped

Is there a de-coding for what the above report says? It says "Infected:" then goes on to say "not-a-virus:AdWare...."

Or is this just to complicated for the typical "point and click" user like me?

#14 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 02 June 2008 - 09:57 AM

Actually is very simple.

It's not a virus. If it's a virus it will say, as it will say if it's a trojan blah blah name :thumbsup:

It's adware :)
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#15 bakerman

bakerman
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 02 June 2008 - 05:32 PM

OK. I've removed the infected files and removed ComboFix. I'll begin running all the other programs you've suggested when I get some more time. So again thanks so much for your tremendous help. Have a great one!
bakerman




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users