
Please Help!


  • This topic is locked
16 replies to this topic

#1 mandan252


Posted 21 June 2008 - 03:55 PM

OK, if anyone could help it would be greatly appreciated. We have tried everything else we could think of. We had the Virtumonde virus... have run VirtumondeBeGone, VundoFix, and FixVundo. I think that one is gone (hopefully). Tried to get rid of the Vista Antivirus thing (vav.exe) and think that MOST of that is gone but still getting redirected to random internet pages when accessing the web. AVG finds nothing. After 3 failed downloads of Spybot we finally got one to install and it would not run at all, wouldn't even come up on the screen. Now that we disabled MyWebSearch in Administrative Tools/Services, it actually ran but found nothing. Ad-Aware finds things and deletes them but they are mostly the ever-multiplying cookies that we cannot stop from building up (even when no one is surfing the web). Downloaded the Deckard's Scan that we needed a log of for this forum and it locked up halfway through at "examining drivers". That also worked finally after we disabled MyWebSearch (but we haven't been able to actually find it and delete it). Here is the log from the Deckard's Scan:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 3800+
CPU 1: AMD Athlon™ 64 X2 Dual Core Processor 3800+
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 958.48 MiB / 568.34 MiB
Pagefile Memory (total/avail): 2313.75 MiB / 2012 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.67 MiB

C: is Fixed (NTFS) - 232.88 GiB total, 218.1 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)

\\.\PHYSICALDRIVE0 - MAXTOR STM3250310AS - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Installation\\Setupx.exe"="D:\\Installation\\Setupx.exe:*:Enabled:Nero ProductSetup"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OWNER-C8DA8CF27
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\OWNER-C8DA8CF27
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Ahead\Lib\;C:\Program Files\Common Files\Ahead\Lib\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 67 Stepping 3, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4303
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=OWNER-C8DA8CF27
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
kay weezy (admin)
Courtney


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\NuNInst.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Agere Systems PCI-SV92PP Soft Modem --> agrsmdel
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
getPlus®_ocx --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Jasc Paint Shop Pro 9 --> MsiExec.exe /I{F843C6A3-224D-4615-94F8-3C461BD9AEA0}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
K-Lite Mega Codec Pack 3.5.7 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kidzui --> "C:\Program Files\Kidzui\uninstall.exe"
LimeWire 4.18.1 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 7 Essentials --> MsiExec.exe /X{8E72B982-D54F-486F-B35A-C24B6F171033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
OpenOffice.org 2.1 --> MsiExec.exe /I{43983EB4-43DC-4C3D-9712-1EF592A31CA8}
Realtek AC'97 Audio --> Alcrmv.exe -r -m
Slide --> C:\WINDOWS\unvise32.exe C:\Program Files\Slide\uninstall.log
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
VIA Platform Device Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
VIA/S3G Display Driver --> VTsetvga.exe -s -u 'VIA/S3G Display Driver' -rRundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 2 *.inf
VIA/S3G Display Driver 6.14.10.0297 --> C:\PROGRA~1\S3\UChromeP\s3minset.exe /u UChromeP.uns
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_C074F64CC74B03BC354BB5DC973CCF768D5A7194\amdk8.inf
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type1125 / Warning
Event Submitted/Written: 06/21/2008 07:22:46 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type1073 / Error
Event Submitted/Written: 06/19/2008 05:15:44 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x087c58d2.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type1072 / Error
Event Submitted/Written: 06/19/2008 04:57:14 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1066 / Error
Event Submitted/Written: 06/19/2008 04:22:18 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 809901298.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type1065 / Error
Event Submitted/Written: 06/19/2008 04:22:11 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x0cbf58d2.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5158 / Error
Event Submitted/Written: 06/21/2008 07:38:03 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type5154 / Error
Event Submitted/Written: 06/21/2008 07:26:44 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AmdK8
AvgLdx86
AvgMfx86
Fips

Event Record #/Type5153 / Error
Event Submitted/Written: 06/21/2008 07:25:25 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type5141 / Error
Event Submitted/Written: 06/21/2008 06:29:29 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type5139 / Warning
Event Submitted/Written: 06/21/2008 03:34:26 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-06-21 20:19:01 ------------




We have also run Malwarebytes and this is the log prior to getting the other scans to work. It says that nothing is wrong?


Malwarebytes' Anti-Malware 1.17
Database version: 846

5:47:37 PM 6/21/2008
mbam-log-6-21-2008 (17-47-37).txt

Scan type: Quick Scan
Objects scanned: 13651
Time elapsed: 2 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Can anyone help?!?

Thanks so much.

Edited by mandan252, 21 June 2008 - 07:27 PM.
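The Security Center block of the Deckard's log above lists every program with an inbound exception in the XP SP2 firewall. Each value is path:scope:state:name, and a scope of * means any remote address may connect. Two entries deserve a second look during cleanup: D:\Installation\Setupx.exe (the same log shows D: as a CD-ROM drive with no media, so the exception is stale) and LimeWire, a peer-to-peer client listening for inbound connections. As an added example, not code from Deckard's, Microsoft or anyone in this thread, here is a Python parser for that export plus a review pass; the sample block is copied from the log above, while the review rules, the P2P_CLIENTS watch list and the %windir% expansion are this example's own assumptions:

```python
"""Parse the XP SP2 firewall AuthorizedApplications export printed by
Deckard's System Scanner and flag inbound exceptions worth reviewing.

Added example for this thread; not Deckard's, Microsoft's or the poster's
code. SAMPLE is copied from the log above. ENV, P2P_CLIENTS and the
review rules are assumptions made for the example.
"""
import re

SAMPLE = r'''
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Installation\\Setupx.exe"="D:\\Installation\\Setupx.exe:*:Enabled:Nero ProductSetup"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
'''

SECTION_RE = re.compile(r"^\[HKLM\\.*\\(?P<profile>\w+Profile)\\AuthorizedApplications\\List\]$")
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]*)"$')
ENV = {"%windir%": r"C:\WINDOWS"}   # assumed expansion for this machine
P2P_CLIENTS = {"limewire.exe"}      # assumed watch list; extend as needed
SYSTEM_DRIVE = "C"


def parse_firewall_list(text):
    """Return one dict per exception: profile, path, scope, enabled, name."""
    entries, profile = [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            profile = m["profile"]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # A .reg-style export doubles every backslash; undo that first.
        value = m["value"].replace("\\\\", "\\")
        # The value is path:scope:state:name. The path carries a drive-letter
        # colon of its own, so split from the right, never from the left.
        path, scope, state, name = value.rsplit(":", 3)
        for var, expansion in ENV.items():
            path = path.replace(var, expansion)
        entries.append({"profile": profile, "path": path, "scope": scope,
                        "enabled": state.lower() == "enabled", "name": name})
    return entries


def review(entries):
    """Flag enabled exceptions that a cleanup should reconsider."""
    issues = []
    for e in entries:
        if not e["enabled"]:
            continue
        base = e["path"].rsplit("\\", 1)[-1].lower()
        drive = e["path"][0].upper() if re.match(r"^[A-Za-z]:", e["path"]) else None
        reason = None
        if base in P2P_CLIENTS:
            reason = "peer-to-peer client accepting inbound connections"
        elif drive and drive != SYSTEM_DRIVE:
            reason = f"program on drive {drive}:, not the system drive (stale exception)"
        if reason and e["scope"] == "*":
            reason += "; scope '*' admits any remote address"
        if reason:
            issues.append({"path": e["path"], "profile": e["profile"], "reason": reason})
    return issues


if __name__ == "__main__":
    for issue in review(parse_firewall_list(SAMPLE)):
        print(f"[{issue['profile']}] {issue['path']}: {issue['reason']}")
```

Splitting from the right is the detail that matters: a left split on ":" would break every path at the drive letter. The same parser works on the DomainProfile list, which in this log contains only the Remote Assistance session manager entry.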



#2 The Gorilla


Posted 22 June 2008 - 07:41 AM

Hello mandan252, welcome to Bleeping Computer.
My name is The Gorilla (Gorilla is fine) and I will be helping you with your log.

I will be handling your log and helping you to get cleaned up.

Please take note of the following:
  • Please do not make any system changes yet, as any changes you make may well alter your log.
  • The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Most Important - Only do what I ask you to do.
  • Please reply to this thread. Do not start a new topic.
As you appear to be experiencing problems with DSS, I am going to ask you to download HijackThis. If you already have HijackThis downloaded, please delete it and continue as below.

Please follow the below instructions;

Click here to download HijackThis.
Save HJTInstall.exe to your Desktop.
Double click on the HJTInstall.exe icon to start the program.
By default it will install to C:\Program Files\Trend Micro\HijackThis
After the final dialogue box it will launch HijackThis.

Click on the scan button. It will scan and then ask you to save the log.
Save the log, and post it in your next reply.  

I have subscribed to this topic so I will pick up your replies.

#3 mandan252


Posted 22 June 2008 - 03:26 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:03 PM, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: {ffa4fa7f-d682-ffc9-4c74-5384fac7fe92} - {29ef7caf-4835-47c4-9cff-286df7af4aff} - C:\WINDOWS\system32\ccxqleni.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Owner\lsass.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4444 bytes
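The HijackThis log above carries the three entries a helper reads first: an O4 Run key named "LSA Shellu" that launches lsass.exe from C:\Documents and Settings\Owner (the genuine one appears under Running processes at C:\WINDOWS\system32\lsass.exe and needs no Run key), an O2 BHO whose display name is a bare GUID and whose DLL is an eight-letter lowercase name in system32, and an O8 context-menu item whose target is a bare query string rather than a res:// resource or file. As an added example, not HijackThis code nor anything posted by the participants, here is a Python triage pass that flags exactly those patterns; the sample lines are copied from the log above, while SYSTEM_BINARIES and the heuristics are this example's own assumptions:

```python
"""Triage HijackThis O2/O4/O8 lines for masquerading autoruns and random-name BHOs.

Added example for this thread; not HijackThis, BleepingComputer or the
poster's code. SAMPLE_LOG is copied from the log above. SYSTEM_BINARIES,
SYSTEM_DIRS and the heuristics below are assumptions made for the example.
"""
import re
from pathlib import PureWindowsPath

SAMPLE_LOG = r"""
O2 - BHO: {ffa4fa7f-d682-ffc9-4c74-5384fac7fe92} - {29ef7caf-4835-47c4-9cff-286df7af4aff} - C:\WINDOWS\system32\ccxqleni.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Owner\lsass.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
"""

# Core Windows binaries that only ever run from the system directory (assumed list).
SYSTEM_BINARIES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
USER_PROFILE_ROOT = "c:\\documents and settings\\"   # XP profile root

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
MENU_RE = re.compile(r"^O8 - Extra context menu item: (?P<name>.*?) - (?P<target>.+)$")
IMAGE_RE = re.compile(r'^"?(?P<img>.+?\.exe)"?(?:\s|$)', re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")
LEGIT_TARGET_RE = re.compile(r"^(?:res://|file://|https?://|[a-z]:\\)", re.I)


def image_path(cmd):
    """Pull the executable out of a Run command, quoted or not."""
    m = IMAGE_RE.match(cmd.strip())
    return m["img"] if m else cmd.strip()


def check_run(name, cmd):
    p = PureWindowsPath(image_path(cmd))
    base, parent = p.name.lower(), str(p.parent).lower()
    if base in SYSTEM_BINARIES and parent not in SYSTEM_DIRS:
        return f"{base} masquerade: launched from {p.parent}, not the system directory"
    if parent.startswith(USER_PROFILE_ROOT):
        return "autorun image lives inside a user profile"
    return None


def check_bho(name, path):
    p = PureWindowsPath(path)
    reasons = []
    if GUID_RE.match(name):
        reasons.append("BHO display name is a bare GUID")
    if RANDOM_DLL_RE.match(p.name) and str(p.parent).lower() == r"c:\windows\system32":
        reasons.append("eight-letter lowercase DLL name in system32")
    return "; ".join(reasons) or None


def check_menu(name, target):
    if not LEGIT_TARGET_RE.match(target):
        return f"context-menu target {target!r} is neither a res:// resource, URL nor file path"
    return None


def triage(log_text):
    """Return a list of findings, one per suspicious O2/O4/O8 line, in log order."""
    findings = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        if (m := BHO_RE.match(line)):
            section, reason = "O2", check_bho(m["name"], m["path"])
        elif (m := RUN_RE.match(line)):
            section, reason = "O4", check_run(m["name"], m["cmd"])
        elif (m := MENU_RE.match(line)):
            section, reason = "O8", check_menu(m["name"], m["target"])
        else:
            continue
        if reason:
            findings.append({"section": section, "line": line, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

The legitimate Spybot, Java and AVG entries pass through untouched: SDHelper.dll is eight letters long but lives under Program Files and is not all lowercase, which is why the BHO rule checks both the name shape and the directory rather than the name alone.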

#4 The Gorilla


Posted 23 June 2008 - 10:30 AM

Hey mandan252, 
Thank you for following my instructions so far, let's proceed and start to clean up your computer.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you wish to continue please continue with the below.

Step #1
Please disable Spybot S&D’s TeaTimer protection, because it is known to interfere with our fixes.
You can enable it again after you're clean.
Open Spybot and click on 'Mode' then click 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.


Step #2
Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Double click SDFix.exe and it will extract the files to %systemdrive%
  • (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe



Step #3
Please visit this webpage for download links, and instructions for running the tool: 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first. 

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.  

Please include the following reports for further review, and so we may continue cleansing the system:


Please provide the following in your next reply:
SDFix Report.txt
C:\ComboFix.txt
New HijackThis log.


Finally - how's your system running?

#5 mandan252


Posted 23 June 2008 - 01:11 PM

OK, I have run all of these and I'm still getting random popups as I am trying to write this, so I'm not sure now what to do. Here are my reports:

ComboFix 08-06-20.4 - Owner 2008-06-23 13:56:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.628 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\internet explorer\msimg32.dll
C:\WINDOWS\BM3f7846fa.xml
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bjyefdvs.ini
C:\WINDOWS\system32\busknvkq.ini
C:\WINDOWS\system32\ccmkefcg.ini
C:\WINDOWS\system32\dhmkpajr.ini
C:\WINDOWS\system32\djmkphqi.dll
C:\WINDOWS\system32\fqtrfvxh.dll
C:\WINDOWS\system32\fybhaegf.dll
C:\WINDOWS\system32\geitthkv.dll
C:\WINDOWS\system32\hrjqxems.dll
C:\WINDOWS\system32\IlVCffii.ini
C:\WINDOWS\system32\IlVCffii.ini2
C:\WINDOWS\system32\irhfqnlm.ini
C:\WINDOWS\system32\jfxvyqjr.dll
C:\WINDOWS\system32\jvuqimba.dll
C:\WINDOWS\system32\LlmlkUtv.ini
C:\WINDOWS\system32\LlmlkUtv.ini2
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ocqrlmrv.dll
C:\WINDOWS\system32\pcpeerrl.dll
C:\WINDOWS\system32\pctoulpb.ini
C:\WINDOWS\system32\QBJRBcdd.ini
C:\WINDOWS\system32\QBJRBcdd.ini2
C:\WINDOWS\system32\rhxwlvmp.dll
C:\WINDOWS\system32\sssBLkkj.ini
C:\WINDOWS\system32\sssBLkkj.ini2
C:\WINDOWS\system32\svxayGgh.ini
C:\WINDOWS\system32\svxayGgh.ini2
C:\WINDOWS\system32\TEMTEMoq.ini
C:\WINDOWS\system32\TEMTEMoq.ini2
C:\WINDOWS\system32\tkgssxic.dll
C:\WINDOWS\system32\vEdMWyxx.ini
C:\WINDOWS\system32\vEdMWyxx.ini2
C:\WINDOWS\system32\whkvjjkd.dll
C:\WINDOWS\system32\wovohcib.ini
C:\WINDOWS\system32\wxspqcgj.dll
C:\WINDOWS\system32\xadmvtfy.dll
C:\WINDOWS\system32\xISrAcdd.ini
C:\WINDOWS\system32\xISrAcdd.ini2
C:\WINDOWS\system32\ypcufiki.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-23 to 2008-06-23 )))))))))))))))))))))))))))))))
.

2008-06-23 13:33 . 2008-06-23 13:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-23 13:26 . 2008-06-23 03:15 <DIR> d-------- C:\SDFix
2008-06-22 15:14 . 2008-06-22 15:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Viewpoint
2008-06-21 18:35 . 2008-06-21 18:35 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-21 18:34 . 2008-06-21 18:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 18:26 . 2008-06-21 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-21 16:38 . 2008-06-21 16:38 <DIR> d-------- C:\Deckard
2008-06-21 16:05 . 2008-06-21 16:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-21 15:52 . 2008-06-21 16:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-21 13:27 . 2008-06-21 13:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-21 13:27 . 2008-06-21 13:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-21 13:27 . 2008-06-21 13:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-21 13:27 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-21 13:27 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-21 13:26 . 2008-06-21 13:26 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-21 12:01 . 2008-06-21 12:01 <DIR> d-------- C:\VundoFix Backups
2008-06-21 12:01 . 2008-06-21 12:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-06-20 21:08 . 2008-06-20 21:09 132,608 --a------ C:\WINDOWS\system32\ccxqleni.dll
2008-06-19 23:23 . 2008-06-19 23:23 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-19 21:04 . 2008-06-19 21:04 104,960 --a------ C:\WINDOWS\system32\njoxwgum.dll
2008-06-19 19:39 . 2008-06-19 19:39 104,960 --a------ C:\WINDOWS\system32\ffcydnrv.dll
2008-06-19 18:59 . 2008-06-19 20:23 500 --a------ C:\WINDOWS\wininit.ini
2008-06-19 18:34 . 2008-06-21 19:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 17:57 . 2008-06-19 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-19 15:20 . 2008-06-19 15:20 104,960 --a------ C:\WINDOWS\system32\kfgnjcrb.dll
2008-06-19 14:13 . 2008-06-19 14:13 109,056 --a------ C:\WINDOWS\system32\tkpqmafr.dll
2008-06-19 14:12 . 2008-06-19 14:12 109,056 --a------ C:\WINDOWS\system32\vncrjglr.dll
2008-06-19 14:11 . 2008-06-19 14:11 104,960 --a------ C:\WINDOWS\system32\xnytgeje.dll
2008-06-19 14:07 . 2008-06-19 14:07 104,960 --a------ C:\WINDOWS\system32\dfusxasp.dll
2008-06-18 15:25 . 2008-06-18 15:25 1,652,564 --ahs---- C:\WINDOWS\system32\irhfqnlm.tmp
2008-06-16 11:31 . 2008-06-16 11:31 89,600 --a------ C:\WINDOWS\system32\urqPhFxx.dll.vir
2008-06-16 09:27 . 2008-06-16 09:27 <DIR> d-------- C:\Documents and Settings\Courtney\Application Data\Jasc Software Inc
2008-06-16 02:57 . 2008-06-16 02:57 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2008-06-16 02:57 . 2008-06-16 02:57 <DIR> d-------- C:\Documents and Settings\kay weezy\Application Data\Jasc Software Inc
2008-06-16 02:57 . 2008-06-16 02:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-16 02:56 . 2008-06-16 02:57 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-06-15 23:44 . 2008-06-15 23:44 <DIR> d-------- C:\Temp\itmp4
2008-06-15 23:44 . 2008-06-15 23:44 <DIR> d-------- C:\Temp
2008-06-15 23:44 . 2008-06-15 23:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-06-11 10:35 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 10:35 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-06 09:20 . 2008-06-06 09:20 <DIR> d-------- C:\Program Files\Slide
2008-06-06 09:20 . 2008-06-06 10:30 <DIR> d-------- C:\Documents and Settings\kay weezy\Application Data\Slide
2008-06-06 09:20 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-06-04 19:11 . 2008-06-04 19:11 <DIR> d-------- C:\Program Files\Viewpoint
2008-06-04 19:11 . 2008-06-19 20:29 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-06-04 19:11 . 2008-06-04 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-04 19:11 . 2008-06-04 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-06-04 19:11 . 2008-06-04 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-06-04 19:09 . 2008-06-04 19:12 371 --ah----- C:\IPH.PH
2008-06-04 16:09 . 2008-06-21 20:15 <DIR> d---s---- C:\Documents and Settings\Courtney\UserData
2008-06-04 15:49 . 2008-06-04 15:49 <DIR> d-------- C:\Program Files\Kidzui
2008-06-01 20:50 . 2008-06-01 20:50 <DIR> d-------- C:\Documents and Settings\Courtney\Application Data\MySpace
2008-06-01 16:44 . 2008-06-01 16:44 <DIR> d-------- C:\Documents and Settings\kay weezy\Application Data\MySpace
2008-06-01 15:32 . 2008-06-09 15:40 <DIR> d-------- C:\Program Files\MySpace
2008-06-01 15:32 . 2008-06-01 15:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2008-06-01 12:06 . 2008-06-23 12:31 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-28 17:47 . 2008-06-19 16:45 <DIR> d-------- C:\Documents and Settings\kay weezy\Application Data\LimeWire
2008-05-28 16:24 . 2008-06-23 02:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-05-28 16:22 . 2008-06-02 15:56 <DIR> d-------- C:\Program Files\LimeWire
2008-05-28 16:16 . 2008-05-28 16:16 <DIR> d-------- C:\WINDOWS\Sun
2008-05-28 16:15 . 2008-05-28 16:15 <DIR> d-------- C:\Program Files\Java
2008-05-28 16:15 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-28 16:13 . 2008-06-16 00:00 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-28 16:12 . 2008-05-28 16:12 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-25 20:38 . 2008-05-25 20:38 <DIR> d-------- C:\Documents and Settings\Courtney\Application Data\Ahead
2008-05-25 17:35 . 2008-06-21 20:13 <DIR> d---s---- C:\Documents and Settings\kay weezy\UserData
2008-05-25 13:23 . 2008-05-25 13:23 <DIR> d-------- C:\Documents and Settings\kay weezy\Application Data\Ahead
2008-05-24 23:35 . 2008-06-19 20:30 <DIR> d-------- C:\Program Files\Google
2008-05-24 10:55 . 2008-06-19 16:17 <DIR> d-------- C:\Documents and Settings\kay weezy
2008-05-24 10:54 . 2008-06-17 22:29 <DIR> d-------- C:\Documents and Settings\Courtney
2008-05-23 22:23 . 2008-05-23 22:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2008-05-23 17:43 . 2005-04-05 23:30 26,752 -ra------ C:\WINDOWS\system32\drivers\ipfnd51.sys
2008-05-23 15:02 . 2008-06-23 09:20 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-23 15:02 . 2008-05-23 15:02 <DIR> d-------- C:\Program Files\AVG
2008-05-23 15:02 . 2008-05-23 15:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-23 15:02 . 2008-05-23 15:02 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-23 15:02 . 2008-05-23 15:02 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-23 15:02 . 2008-05-23 15:02 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 06:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-16 04:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-30 21:36 --------- d-----w C:\Program Files\Microsoft Works
2008-04-30 21:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-30 21:35 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-30 21:11 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-04-30 21:03 --------- d-----w C:\Program Files\OpenOffice.org 2.1
2008-04-30 20:05 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-30 20:03 --------- d-----w C:\Program Files\MSBuild
2008-04-30 20:00 --------- d-----w C:\Program Files\Reference Assemblies
2008-04-30 19:59 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-30 19:58 --------- d-----w C:\Program Files\MSXML 6.0
2008-04-30 19:41 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-04-30 19:09 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-30 19:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-30 19:07 --------- d-----w C:\Program Files\Nero
2008-04-30 19:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-30 18:32 --------- d-----w C:\Program Files\S3
2008-04-30 18:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-30 18:04 --------- d-----w C:\Program Files\DIFX
2008-04-30 16:47 --------- d-----w C:\Program Files\VIA
2008-04-30 15:48 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29ef7caf-4835-47c4-9cff-286df7af4aff}]
2008-06-20 21:09 132608 --a------ C:\WINDOWS\system32\ccxqleni.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-23 15:02 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\kay weezy\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-05-27 19:23:48 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus]
C:\Program Files\VAV\vav.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-06-25 08:47 1057064 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Plugin]
C:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-06-25 08:47 1629480 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2006-11-16 17:42 577536 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2006-09-14 18:54 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
--a------ 2007-04-25 15:41 176128 C:\WINDOWS\system32\VTTrayp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 08:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 05:39]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-23 15:02]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-23 15:02]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-23 15:02]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-23 15:02]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 ip100xp;ENCORE 10/100Mbps Fast Ethernet PCI Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\ipfnd51.sys [2005-04-05 23:30]
S4 MyWebSearchService;My Web Search Service;C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 14:00:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-06-23 14:01:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-23 18:01:34

Pre-Run: 233,819,271,168 bytes free
Post-Run: 234,849,112,064 bytes free

249 --- E O F --- 2008-06-21 23:44:33



SDFix: Version 1.196
Run by Owner on Mon 06/23/2008 at 01:35 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Owner\Desktop\runthis.bat\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\LOG13.TMP - Deleted



Folder C:\WINDOWS\system32\netrax05 - Removed
Folder C:\WINDOWS\system32\netrax18 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 13:40:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Installation\\Setupx.exe"="D:\\Installation\\Setupx.exe:*:Enabled:Nero ProductSetup"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\DOCUME~1\Owner\Desktop\runthis.bat\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 18 Jun 2008 1,652,564 A.SH. --- "C:\WINDOWS\system32\irhfqnlm.tmp"
Thu 12 Jun 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 30 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 30 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f79e01ce8ee10a7556514a051f797f4\BIT1.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Owner\Application Data\U3\temp\Launchpad Removal.exe"

Finished!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:12 PM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: {ffa4fa7f-d682-ffc9-4c74-5384fac7fe92} - {29ef7caf-4835-47c4-9cff-286df7af4aff} - C:\WINDOWS\system32\ccxqleni.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4684 bytes

I read the information on installing the recovery console but my computer did not come with a Windows XP disk so I could not install it.?.?
If you can tell me what else I need to do I'll be glad to try it. Also my computer is ok as far as security because unless anyone wants to steal my music or my child's MySpace info they will be disappointed. We have no banking or important things on it! LOL!

Edited by mandan252, 23 June 2008 - 01:18 PM.


#6 The Gorilla

  • Members
  • 766 posts
  • Gender: Male
  • Location: Part of a breeding programme in a conservation zoo
  • Local time: 07:16 PM

Posted 25 June 2008 - 11:37 AM

Hey mandan252 :thumbsup:
Well that certainly cleared out some junk, we still have a little way to go so please hang on in there.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Step #1

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\ccxqleni.dll
C:\WINDOWS\system32\njoxwgum.dll
C:\WINDOWS\system32\ffcydnrv.dll
C:\WINDOWS\system32\kfgnjcrb.dll
C:\WINDOWS\system32\tkpqmafr.dll
C:\WINDOWS\system32\vncrjglr.dll
C:\WINDOWS\system32\xnytgeje.dll
C:\WINDOWS\system32\dfusxasp.dll
C:\WINDOWS\system32\irhfqnlm.tmp
C:\WINDOWS\system32\urqPhFxx.dll.vir

Folder::
C:\Temp\itmp4
C:\Program Files\VAV

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29ef7caf-4835-47c4-9cff-286df7af4aff}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.



Step #2
I see that Viewpoint is installed. Viewpoint, Viewpoint Manager and Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager, the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


Viewpoint Manager is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything "bad". This has changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I would suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player

Step #3
Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case ????). These programmes allow users to share files between each other, as the name(s) suggest. In today's world cyber crime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus suggested to be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


Step #4
Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Step #5
I see from your logs that you already have Malwarebytes' Anti-Malware installed - please ensure you update it and run it as below:
  • Launch the programme
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button. 
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.




Step #6
Please post back the following logs:
  • C:\ComboFix.txt
  • MalwareBytes log - this will open in notepad
Finally - Please tell me how your computer is running.
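
A small triage script, added here as an example (not code from this thread, from ComboFix, or from The Gorilla): it applies the Step #1 selection to the ComboFix rows quoted above, flagging the eight-letter random-named files dropped into system32 and the BHO key under "Reg Loading Points" that loads one of them, and drafts the matching File::/Registry:: sections. The 14-day infection window, the one-hour created/modified tolerance and the scan time are assumptions chosen for this log.

```python
"""Triage a ComboFix "Files Created" listing the way the helper did by hand.
Added example, not code from this thread, from ComboFix or from its author:
flags Vundo-style drop-ins in system32 and the BHO key that loads one."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample: rows copied from the ComboFix log quoted in this thread
# (part of "Files Created" plus the BHO block from "Reg Loading Points").
SAMPLE_LOG = r"""
2008-06-21 13:27 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-20 21:08 . 2008-06-20 21:09 132,608 --a------ C:\WINDOWS\system32\ccxqleni.dll
2008-06-19 23:23 . 2008-06-19 23:23 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-19 21:04 . 2008-06-19 21:04 104,960 --a------ C:\WINDOWS\system32\njoxwgum.dll
2008-06-19 19:39 . 2008-06-19 19:39 104,960 --a------ C:\WINDOWS\system32\ffcydnrv.dll
2008-06-18 15:25 . 2008-06-18 15:25 1,652,564 --ahs---- C:\WINDOWS\system32\irhfqnlm.tmp
2008-06-16 11:31 . 2008-06-16 11:31 89,600 --a------ C:\WINDOWS\system32\urqPhFxx.dll.vir
2008-05-28 16:15 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-23 15:02 . 2008-05-23 15:02 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29ef7caf-4835-47c4-9cff-286df7af4aff}]
2008-06-20 21:09 132608 --a------ C:\WINDOWS\system32\ccxqleni.dll
"""
SCAN_TIME = datetime(2008, 6, 23, 14, 0)   # assumed: the log's "Rootkit scan" stamp

TS = "%Y-%m-%d %H:%M"
# A row is "created [. modified] size attrs path"; rows printed under a
# registry key carry no modified stamp and no thousands separators.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r"\s+(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-drahsc]{9})\s+(?P<path>\S.*)$"
)
KEY_LINE = re.compile(r"^\[(.+)\]$")
RANDOM_STEM = re.compile(r"^[A-Za-z]{8}$")   # ccxqleni, njoxwgum, urqPhFxx ...
SYSTEM32 = r"c:\windows\system32"

@dataclass
class FileEntry:
    created: datetime
    modified: Optional[datetime]   # absent on rows printed under a registry key
    size: Optional[int]            # None for <DIR>
    path: str

def parse_log(text):
    """Return (file rows, {BHO key: the DLL row printed under it})."""
    files, bho_targets, current_key = [], {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            current_key = None           # a blank line ends a registry block
            continue
        if key := KEY_LINE.match(line):
            current_key = key.group(1)
            continue
        if not (m := FILE_LINE.match(line)):
            continue
        entry = FileEntry(
            created=datetime.strptime(m["created"], TS),
            modified=datetime.strptime(m["modified"], TS) if m["modified"] else None,
            size=None if m["size"] == "<DIR>" else int(m["size"].replace(",", "")),
            path=m["path"],
        )
        if current_key is None:
            files.append(entry)
        elif "browser helper objects" in current_key.lower():
            bho_targets[current_key] = entry
    return files, bho_targets

def is_suspect(e, scan_time, window_days):
    """Assumed thresholds mirroring the manual triage: directly in system32,
    stem of eight letters and no digits, created inside the window before the
    scan, and modified within an hour of creation (written in place, not
    copied out of an older installer payload)."""
    parent, _, name = e.path.rpartition("\\")
    return (
        e.size is not None and parent.lower() == SYSTEM32
        and RANDOM_STEM.match(name.split(".", 1)[0]) is not None
        and scan_time - timedelta(days=window_days) <= e.created <= scan_time
        and e.modified is not None
        and timedelta(0) <= e.modified - e.created <= timedelta(hours=1)
    )

def triage(text, scan_time=SCAN_TIME, window_days=14):
    """Suspect files, plus every BHO key whose target is one of them."""
    files, bhos = parse_log(text)
    suspects = [f for f in files if is_suspect(f, scan_time, window_days)]
    names = {s.path.rpartition("\\")[2].lower() for s in suspects}
    bad_keys = [k for k, e in bhos.items() if e.path.rpartition("\\")[2].lower() in names]
    return suspects, bad_keys

def build_cfscript(suspects, bad_keys):
    """Draft File:: and Registry:: sections in the layout used in Step #1."""
    lines = ["File::"] + [s.path for s in suspects]
    if bad_keys:
        lines += ["", "Registry::"] + [f"[-{k}]" for k in bad_keys]
    return "\n".join(lines) + "\n"
```

Widening the window past a month also pulls in AVG's own avgrsstx.dll (eight letters, written in place), so the draft is a review list for the helper, not something to hand to ComboFix unread.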

#7 mandan252
  • Topic Starter
  • Members
  • 8 posts
  • Local time: 03:16 PM

Posted 25 June 2008 - 09:12 PM

HERE IS MY MBAM LOG:

Malwarebytes' Anti-Malware 1.18
Database version: 893

9:44:26 PM 6/25/2008
mbam-log-6-25-2008 (21-44-26).txt

Scan type: Quick Scan
Objects scanned: 41208
Time elapsed: 3 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HERE IS MY COMBO FIX LOG:

ComboFix 08-06-20.4 - Owner 2008-06-25 21:12:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.555 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ccxqleni.dll
C:\WINDOWS\system32\dfusxasp.dll
C:\WINDOWS\system32\ffcydnrv.dll
C:\WINDOWS\system32\irhfqnlm.tmp
C:\WINDOWS\system32\kfgnjcrb.dll
C:\WINDOWS\system32\njoxwgum.dll
C:\WINDOWS\system32\tkpqmafr.dll
C:\WINDOWS\system32\urqPhFxx.dll.vir
C:\WINDOWS\system32\vncrjglr.dll
C:\WINDOWS\system32\xnytgeje.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Temp\itmp4
C:\WINDOWS\system32\ccxqleni.dll
C:\WINDOWS\system32\dfusxasp.dll
C:\WINDOWS\system32\ffcydnrv.dll
C:\WINDOWS\system32\irhfqnlm.tmp
C:\WINDOWS\system32\kfgnjcrb.dll
C:\WINDOWS\system32\njoxwgum.dll
C:\WINDOWS\system32\tkpqmafr.dll
C:\WINDOWS\system32\urqPhFxx.dll.vir
C:\WINDOWS\system32\vncrjglr.dll
C:\WINDOWS\system32\xnytgeje.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 )))))))))))))))))))))))))))))))
.

2008-06-23 13:33 . 2008-06-23 13:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-23 13:26 . 2008-06-23 03:15 <DIR> d-------- C:\SDFix
2008-06-22 15:14 . 2008-06-22 15:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Viewpoint
2008-06-21 18:35 . 2008-06-21 18:35 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-21 18:34 . 2008-06-21 18:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 18:26 . 2008-06-21 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-21 16:38 . 2008-06-21 16:38 <DIR> d-------- C:\Deckard
2008-06-21 16:05 . 2008-06-21 16:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-21 15:52 . 2008-06-21 16:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-21 13:27 . 2008-06-21 13:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-21 13:27 . 2008-06-21 13:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-21 13:27 . 2008-06-21 13:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-21 13:27 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-21 13:27 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-21 13:26 . 2008-06-21 13:26 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-21 12:01 . 2008-06-21 12:01 <DIR> d-------- C:\VundoFix Backups
2008-06-21 12:01 . 2008-06-21 12:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-06-19 23:23 . 2008-06-19 23:23 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-19 18:59 . 2008-06-19 20:23 500 --a------ C:\WINDOWS\wininit.ini
2008-06-19 18:34 . 2008-06-21 19:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 17:57 . 2008-06-19 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-16 09:27 . 2008-06-16 09:27 <DIR> d-------- C:\Documents and Settings\Courtney\Application Data\Jasc Software Inc
2008-06-16 02:57 . 2008-06-16 02:57 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2008-06-16 02:57 . 2008-06-16 02:57 <DIR> d-------- C:\Documents and Settings\kay weezy\Application Data\Jasc Software Inc
2008-06-16 02:57 . 2008-06-16 02:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-16 02:56 . 2008-06-16 02:57 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-06-15 23:44 . 2008-06-25 21:12 <DIR> d-------- C:\Temp
2008-06-15 23:44 . 2008-06-15 23:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-06-11 10:35 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 10:35 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-06 09:20 . 2008-06-06 09:20 <DIR> d-------- C:\Program Files\Slide
2008-06-06 09:20 . 2008-06-06 10:30 <DIR> d-------- C:\Documents and Settings\kay weezy\Application Data\Slide
2008-06-06 09:20 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-06-04 19:11 . 2008-06-04 19:11 <DIR> d-------- C:\Program Files\Viewpoint
2008-06-04 19:11 . 2008-06-19 20:29 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-06-04 19:11 . 2008-06-04 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-04 19:11 . 2008-06-04 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-06-04 19:11 . 2008-06-04 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-06-04 19:09 . 2008-06-04 19:12 371 --ah----- C:\IPH.PH
2008-06-04 16:09 . 2008-06-21 20:15 <DIR> d---s---- C:\Documents and Settings\Courtney\UserData
2008-06-04 15:49 . 2008-06-04 15:49 <DIR> d-------- C:\Program Files\Kidzui
2008-06-01 20:50 . 2008-06-01 20:50 <DIR> d-------- C:\Documents and Settings\Courtney\Application Data\MySpace
2008-06-01 16:44 . 2008-06-01 16:44 <DIR> d-------- C:\Documents and Settings\kay weezy\Application Data\MySpace
2008-06-01 15:32 . 2008-06-09 15:40 <DIR> d-------- C:\Program Files\MySpace
2008-06-01 15:32 . 2008-06-01 15:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2008-06-01 12:06 . 2008-06-23 12:31 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-28 17:47 . 2008-06-19 16:45 <DIR> d-------- C:\Documents and Settings\kay weezy\Application Data\LimeWire
2008-05-28 16:24 . 2008-06-25 18:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-05-28 16:22 . 2008-06-02 15:56 <DIR> d-------- C:\Program Files\LimeWire
2008-05-28 16:16 . 2008-05-28 16:16 <DIR> d-------- C:\WINDOWS\Sun
2008-05-28 16:15 . 2008-05-28 16:15 <DIR> d-------- C:\Program Files\Java
2008-05-28 16:15 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-28 16:13 . 2008-06-24 18:24 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-28 16:12 . 2008-05-28 16:12 <DIR> d-------- C:\Program Files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-23 19:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2008-06-20 00:30 --------- d-----w C:\Program Files\Google
2008-06-16 06:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-26 00:38 --------- d-----w C:\Documents and Settings\Courtney\Application Data\Ahead
2008-05-25 17:23 --------- d-----w C:\Documents and Settings\kay weezy\Application Data\Ahead
2008-05-24 02:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\LightScribe
2008-05-23 19:02 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-23 19:02 75,272 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-23 19:02 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-05-23 19:02 --------- d-----w C:\Program Files\AVG
2008-05-23 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-30 21:36 --------- d-----w C:\Program Files\Microsoft Works
2008-04-30 21:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-30 21:35 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-30 21:11 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-04-30 21:03 --------- d-----w C:\Program Files\OpenOffice.org 2.1
2008-04-30 20:05 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-30 20:03 --------- d-----w C:\Program Files\MSBuild
2008-04-30 20:00 --------- d-----w C:\Program Files\Reference Assemblies
2008-04-30 19:59 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-30 19:58 --------- d-----w C:\Program Files\MSXML 6.0
2008-04-30 19:41 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-04-30 19:09 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-30 19:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-30 19:07 --------- d-----w C:\Program Files\Nero
2008-04-30 19:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-30 18:32 --------- d-----w C:\Program Files\S3
2008-04-30 18:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-30 18:04 --------- d-----w C:\Program Files\DIFX
2008-04-30 16:47 --------- d-----w C:\Program Files\VIA
2008-04-30 15:48 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-23 15:02 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\kay weezy\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-05-27 19:23:48 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus]
C:\Program Files\VAV\vav.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-06-25 08:47 1057064 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Plugin]
C:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-06-25 08:47 1629480 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2006-11-16 17:42 577536 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2006-09-14 18:54 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
--a------ 2007-04-25 15:41 176128 C:\WINDOWS\system32\VTTrayp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 08:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 05:39]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-23 15:02]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-23 15:02]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-23 15:02]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-23 15:02]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 ip100xp;ENCORE 10/100Mbps Fast Ethernet PCI Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\ipfnd51.sys [2005-04-05 23:30]
S4 MyWebSearchService;My Web Search Service;C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 21:13:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-25 21:14:01
ComboFix-quarantined-files.txt 2008-06-26 01:13:57
ComboFix2.txt 2008-06-23 18:01:38

Pre-Run: 234,556,547,072 bytes free
Post-Run: 234,614,272,000 bytes free

209 --- E O F --- 2008-06-21 23:44:33


I'M SO EXCITED! NO POP-UP PAGES ANYMORE! :thumbsup: I HOPE THIS IS THE END! YOU ARE A GOD! YOU'RE WORTH YOUR WEIGHT IN GOLD! THANKS! LET ME KNOW IF I NEED TO DO ANYTHING ELSE.

#8 The Gorilla

The Gorilla

  • Members
  • 766 posts
  • OFFLINE
  • Gender:Male
  • Location:Part of a breeding programme in a conservation zoo
  • Local time:07:16 PM

Posted 27 June 2008 - 10:56 AM

Hey mandan252 :thumbsup:

I'M SO EXCITED! NO POP-UP PAGES ANYMORE! :thumbsup: I HOPE THIS IS THE END! YOU ARE A GOD! YOU'RE WORTH YOUR WEIGHT IN GOLD! THANKS! LET ME KNOW IF I NEED TO DO ANYTHING ELSE.


That's good news on the pop-up front :) In relation to my being a god, I can't fault your argument ;)

On a serious note, we are nearly there and I just need to check my handiwork to ensure everything is gone.

Step #1
Did you uninstall Viewpoint and LimeWire? If you forgot, then please follow the directions in the previous post. It is certainly possible that you obtained this infection via download.

Please let me know what you did.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Step #2

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
C:\Program Files\VAV
C:\PROGRA~1\MYWEBS~1

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Step #3
You already have DSS downloaded so let's see if we can run it. Please follow these directions as I require both logs:
  • Click Start and then Run to bring up the Run box.
  • Copy and paste the contents of this quote box into the run box:

    "%userprofile%\desktop\dss.exe" /config

  • Close all other open windows.
  • Click OK.
  • A window will now open. Click Check All and then click Scan!.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.

Finally, please tell me how your computer is running and post the following newly created files:
CFScript.txt
main.txt
extra.txt
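As an added illustration, not part of this thread and not code from HijackThis, DSS or ComboFix, here is a small Python script that does mechanically what the helper does by eye when "checking his handiwork": it reads HijackThis-style log lines like the ones posted in this thread and flags the entries that matter after a fix, namely loading points marked (file missing) or (no file), unnamed BHOs, services with an unknown owner, and anything that still points into the folders listed under Folder:: in the CFScript above. The sample lines are constructed for the example (modelled on the logs in this thread; the [Antivirus] Run line pointing at vav.exe is made up), and the parsing rules are assumptions about the log format rather than HijackThis's own logic.

```python
import re

# Constructed sample in HijackThis log format, modelled on entries quoted in
# this thread. The "[Antivirus] ... vav.exe" Run line is made up for the example.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll",
    r"O2 - BHO: (no name) - {3B0242DB-07A5-426E-8783-A9248111B21B} - C:\WINDOWS\system32\iiffCVlI.dll (file missing)",
    r"O2 - BHO: (no name) - {23491DA2-29C7-4314-BF76-8F52CF44CDBD} - (no file)",
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r"O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe",
    r"O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe (file missing)",
    r"O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe",
]

# Folders the CFScript in this thread tells ComboFix to delete. Any log entry
# that still points into them means a loading point survived the clean-up.
REMOVED_FOLDERS = [r"C:\Program Files\VAV", r"C:\PROGRA~1\MYWEBS~1"]

# Assumption about the format: every entry starts with a section code (O2, O4,
# O23, ...) followed by " - " and the details.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
MISSING_MARKERS = ("(file missing)", "(no file)")


def parse_entry(line):
    """Split a log line into (section, details); None for non-entry lines."""
    match = ENTRY_RE.match(line.strip())
    if match is None:
        return None
    return match.group(1), match.group(2)


def check_entry(line, removed_folders=REMOVED_FOLDERS):
    """Return the reasons an entry deserves a second look (empty list if clean)."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    section, details = parsed
    reasons = []
    # A loading point whose target is gone: the file was removed but the
    # registry reference was not. That is exactly what the helper checks for.
    if details.endswith(MISSING_MARKERS):
        reasons.append("orphaned entry: target file is missing")
    # Legitimate BHOs carry a product name; an unnamed one is worth a look.
    if section == "O2" and details.startswith("BHO: (no name)"):
        reasons.append("unnamed browser helper object")
    # A service whose binary carries no publisher information.
    if section == "O23" and " - Unknown owner - " in details:
        reasons.append("service with unknown owner")
    # Paths in these logs mix long and 8.3 short names, so compare case-insensitively.
    lowered = details.lower()
    for folder in removed_folders:
        if folder.lower() in lowered:
            reasons.append("still references removed folder " + folder)
    return reasons


def triage(lines, removed_folders=REMOVED_FOLDERS):
    """Return [(line, reasons)] for every entry that has at least one reason."""
    flagged = []
    for line in lines:
        reasons = check_entry(line, removed_folders)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_HJT_LINES):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample, the script leaves the Spybot, AVG and ctfmon-style entries alone and flags the two unnamed BHOs, the made-up VAV Run entry and the MyWebSearch service (three reasons for that one: missing file, unknown owner, and a path inside a folder the CFScript removes). Feeding it a real main.txt is a matter of reading the file into a list of lines; the "(file missing)" entries it reports are the ones that show a removal left its registry reference behind.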


#9 mandan252

mandan252
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:16 PM

Posted 29 June 2008 - 08:35 PM

My computer is running well. My daughter said she received a threat warning and then a few popups?! It hasn't done it since I have been up here though, but I'm going to save all of my LimeWire files on disk, then I'm going to uninstall it. Here are the logs that you asked for.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-29 21:30:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
54: 2008-06-30 01:31:02 UTC - RP54 - Deckard's System Scanner Restore Point
53: 2008-06-30 01:16:52 UTC - RP53 - ComboFix created restore point
52: 2008-06-29 02:30:37 UTC - RP52 - System Checkpoint
51: 2008-06-28 02:03:36 UTC - RP51 - System Checkpoint
50: 2008-06-27 01:31:37 UTC - RP50 - System Checkpoint


-- First Restore Point --
1: 2008-06-16 15:36:58 UTC - RP1 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:05 PM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 4309 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080621-172313-150 O2 - BHO: (no name) - {3B0242DB-07A5-426E-8783-A9248111B21B} - C:\WINDOWS\system32\iiffCVlI.dll (file missing)
backup-20080621-172313-253 O2 - BHO: (no name) - {AD49054B-A97F-4EFE-813A-87FE407F7360} - C:\WINDOWS\system32\ddcArSIx.dll (file missing)
backup-20080621-172313-755 O2 - BHO: (no name) - {23491DA2-29C7-4314-BF76-8F52CF44CDBD} - (no file)
backup-20080621-172313-787 O2 - BHO: (no name) - {A18CCFF2-7A83-4A05-8C0C-F10278A20037} - C:\WINDOWS\system32\jkkLBsss.dll (file missing)
backup-20080621-172313-915 O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe (file missing)
backup-20080621-172313-922 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080621-172313-965 O2 - BHO: (no name) - {8BF1A2F7-954C-4A9C-ADB6-C7EA60162C51} - C:\WINDOWS\system32\ddcBRJBQ.dll (file missing)
backup-20080621-172313-975 O2 - BHO: (no name) - {1309BF26-7CC2-4A91-A553-B2FF4B19B237} - C:\WINDOWS\system32\xxyWMdEv.dll (file missing)
backup-20080621-172350-988 O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe (file missing)
backup-20080621-172914-492 O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe (file missing)
backup-20080621-193354-525 O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe (file missing)
backup-20080621-193642-380 O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe (file missing)
backup-20080621-195128-910 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 ip100xp (ENCORE 10/100Mbps Fast Ethernet PCI Adapter NT Driver) - c:\windows\system32\drivers\ipfnd51.sys <Not Verified; ENCORE ELECTRONICS, INC.; ENCORE 10/100Mbps Fast Ethernet PCI Adapter>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S4 MyWebSearchService (My Web Search Service) - c:\progra~1\mywebs~1\bar\2.bin\mwssvc.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: ENCORE 10/100Mbps Fast Ethernet PCI Adapter
Device ID: PCI\VEN_13F0&DEV_0200&SUBSYS_020113F0&REV_31\3&13C0B0C5&0&40
Manufacturer: ENCORE ELECTRONICS, INC.
Name: ENCORE 10/100Mbps Fast Ethernet PCI Adapter
PNP Device ID: PCI\VEN_13F0&DEV_0200&SUBSYS_020113F0&REV_31\3&13C0B0C5&0&40
Service: ip100xp


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 236)
2006-11-14 12:03:30 335872 --a------ C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll <Not Verified; Sun Microsystems, Inc.; >
2006-11-22 13:31:08 98304 --a------ C:\Program Files\OpenOffice.org 2.1\program\uwinapi.dll <Not Verified; Sun Microsystems, Inc.; >
2006-10-27 09:42:12 577536 --a------ C:\Program Files\OpenOffice.org 2.1\program\stlport_vc7145.dll <Not Verified; STLport Consulting, Inc.; STLport Standard ANSI C++ Libarary>


-- Files created between 2008-05-29 and 2008-06-29 -----------------------------

2008-06-23 13:56:03 68096 --a------ C:\WINDOWS\zip.exe
2008-06-23 13:56:03 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-23 13:56:03 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-23 13:56:03 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-23 13:56:03 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-23 13:56:03 98816 --a------ C:\WINDOWS\sed.exe
2008-06-23 13:56:03 80412 --a------ C:\WINDOWS\grep.exe
2008-06-23 13:56:03 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-23 13:33:34 0 d-------- C:\WINDOWS\ERUNT
2008-06-21 18:35:06 0 d-------- C:\Program Files\Lavasoft
2008-06-21 18:34:32 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 18:26:45 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-21 16:05:25 0 d-------- C:\Program Files\Trend Micro
2008-06-21 14:13:55 0 d-------- C:\WINDOWS\pss
2008-06-21 13:27:05 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-21 13:27:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-21 13:27:03 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-21 13:26:05 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-21 12:01:56 0 d-------- C:\VundoFix Backups
2008-06-21 12:01:30 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-06-19 23:23:24 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-19 18:34:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 17:57:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-16 09:27:51 0 d-------- C:\Documents and Settings\Courtney\Application Data\Jasc Software Inc
2008-06-16 02:57:52 0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-16 02:57:37 0 d-------- C:\Program Files\Common Files\Jasc Software Inc
2008-06-16 02:57:24 0 d-------- C:\Documents and Settings\kay weezy\Application Data\Jasc Software Inc
2008-06-16 02:56:50 0 d-------- C:\Program Files\Jasc Software Inc
2008-06-15 23:44:51 0 d-------- C:\Temp
2008-06-15 23:44:35 0 d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-06-11 16:41:24 0 d-------- C:\Documents and Settings\Courtney\Application Data\Real
2008-06-06 09:20:38 0 d-------- C:\Documents and Settings\kay weezy\Application Data\Slide
2008-06-06 09:20:37 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-06-06 09:20:36 0 d-------- C:\Program Files\Slide
2008-06-04 19:11:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-04 19:11:46 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-06-04 19:11:46 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-06-04 19:11:29 0 d-------- C:\Program Files\Common Files\AOL
2008-06-04 16:09:09 0 d---s---- C:\Documents and Settings\Courtney\UserData
2008-06-04 15:49:08 0 d-------- C:\Program Files\Kidzui
2008-06-01 20:50:47 0 d-------- C:\Documents and Settings\Courtney\Application Data\MySpace
2008-06-01 16:44:57 0 d-------- C:\Documents and Settings\kay weezy\Application Data\MySpace
2008-06-01 15:32:12 0 d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2008-06-01 15:32:09 0 d-------- C:\Program Files\MySpace
2008-06-01 12:06:51 0 d--h----- C:\$AVG8.VAULT$


-- Find3M Report ---------------------------------------------------------------

2008-06-27 19:14:40 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-06-23 15:51:29 0 d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2008-06-21 18:34:32 0 d-------- C:\Program Files\Common Files
2008-06-19 20:30:47 0 d-------- C:\Program Files\Google
2008-06-16 02:57:37 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-02 15:56:39 0 d-------- C:\Program Files\LimeWire
2008-05-28 16:16:26 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2008-05-28 16:15:43 0 d-------- C:\Program Files\Java
2008-05-28 16:12:10 0 d-------- C:\Program Files\Common Files\Java
2008-05-25 00:07:15 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
2008-05-24 23:33:57 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2008-05-24 23:33:57 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-05-23 15:02:25 0 d-------- C:\Program Files\AVG
2008-04-30 17:36:00 0 d-------- C:\Program Files\Microsoft Works
2008-04-30 17:35:39 0 d-------- C:\Program Files\Microsoft.NET
2008-04-30 17:11:37 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-04-30 17:11:35 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2008-04-30 17:03:31 0 d-------- C:\Program Files\OpenOffice.org 2.1
2008-04-30 16:05:54 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-30 16:03:02 0 d-------- C:\Program Files\MSBuild
2008-04-30 16:00:18 0 d-------- C:\Program Files\Reference Assemblies
2008-04-30 15:59:20 0 d-------- C:\Program Files\MSXML 4.0
2008-04-30 15:58:36 0 d-------- C:\Program Files\MSXML 6.0
2008-04-30 15:41:27 0 d-------- C:\Program Files\Common Files\LightScribe
2008-04-30 15:09:33 0 d-------- C:\Program Files\Common Files\Ahead
2008-04-30 15:07:38 0 d-------- C:\Program Files\Nero
2008-04-30 14:36:19 0 d-------- C:\Program Files\Messenger
2008-04-30 14:32:11 0 d-------- C:\Program Files\S3
2008-04-30 14:31:49 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-30 14:04:33 0 d-------- C:\Program Files\DIFX
2008-04-30 12:47:22 0 d-------- C:\Program Files\VIA
2008-04-30 12:19:03 0 d-------- C:\Documents and Settings\Owner\Application Data\Identities
2008-04-30 11:48:23 0 d-------- C:\Program Files\microsoft frontpage
2008-04-30 11:48:16 0 -rahs---- C:\MSDOS.SYS
2008-04-30 11:48:16 0 -rahs---- C:\IO.SYS
2008-04-30 11:48:16 0 --a------ C:\CONFIG.SYS
2008-04-30 11:48:16 0 --a------ C:\AUTOEXEC.BAT
2008-04-30 11:47:03 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-30 11:46:23 0 d-------- C:\Program Files\Common Files\MSSoap
2008-04-30 11:46:16 0 d-------- C:\Program Files\Movie Maker
2008-04-30 11:45:55 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-30 11:45:18 0 d-------- C:\Program Files\Online Services
2008-04-30 11:45:12 0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-30 11:45:05 0 d-------- C:\Program Files\Windows NT
2008-04-30 05:47:21 0 d-------- C:\Program Files\Common Files\ODBC
2008-04-30 05:47:19 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-30 05:46:59 62 --ahs---- C:\Documents and Settings\Owner\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/23/2008 03:02 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
VTtrayp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command- I:\LaunchU3.exe -a

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"



-- End of Deckard's System Scanner: finished at 2008-06-29 21:31:55 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 3800+
CPU 1: AMD Athlon™ 64 X2 Dual Core Processor 3800+
Percentage of Memory in Use: 41%
Physical Memory (total/avail): 958.48 MiB / 563.98 MiB
Pagefile Memory (total/avail): 2313.75 MiB / 2047.77 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1909.67 MiB

C: is Fixed (NTFS) - 232.88 GiB total, 218.32 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)

\\.\PHYSICALDRIVE0 - MAXTOR STM3250310AS - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OWNER-C8DA8CF27
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\OWNER-C8DA8CF27
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Ahead\Lib\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 67 Stepping 3, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4303
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=OWNER-C8DA8CF27
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
kay weezy (admin)
Courtney


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\NuNInst.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Agere Systems PCI-SV92PP Soft Modem --> agrsmdel
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
getPlus®_ocx --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Jasc Paint Shop Pro 9 --> MsiExec.exe /I{F843C6A3-224D-4615-94F8-3C461BD9AEA0}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
K-Lite Mega Codec Pack 3.5.7 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kidzui --> "C:\Program Files\Kidzui\uninstall.exe"
LimeWire 4.18.1 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 7 Essentials --> MsiExec.exe /X{8E72B982-D54F-486F-B35A-C24B6F171033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
OpenOffice.org 2.1 --> MsiExec.exe /I{43983EB4-43DC-4C3D-9712-1EF592A31CA8}
Realtek AC'97 Audio --> Alcrmv.exe -r -m
Slide --> C:\WINDOWS\unvise32.exe C:\Program Files\Slide\uninstall.log
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
VIA Platform Device Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
VIA/S3G Display Driver --> VTsetvga.exe -s -u 'VIA/S3G Display Driver' -rRundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 2 *.inf
VIA/S3G Display Driver 6.14.10.0297 --> C:\PROGRA~1\S3\UChromeP\s3minset.exe /u UChromeP.uns
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_C074F64CC74B03BC354BB5DC973CCF768D5A7194\amdk8.inf
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type1176 / Error
Event Submitted/Written: 06/25/2008 10:47:41 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application ShowTime.exe, version 3.10.1.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1170 / Error
Event Submitted/Written: 06/25/2008 02:12:01 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1168 / Error
Event Submitted/Written: 06/24/2008 03:14:32 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1167 / Error
Event Submitted/Written: 06/24/2008 03:13:53 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Event Record #/Type1166 / Error
Event Submitted/Written: 06/23/2008 08:18:20 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.3354, fault address 0x0023a95b.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5496 / Warning
Event Submitted/Written: 06/29/2008 04:06:19 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type5495 / Warning
Event Submitted/Written: 06/28/2008 02:28:39 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type5461 / Warning
Event Submitted/Written: 06/27/2008 05:07:30 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type5452 / Warning
Event Submitted/Written: 06/27/2008 00:38:01 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type5448 / Warning
Event Submitted/Written: 06/27/2008 04:38:13 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.



-- End of Deckard's System Scanner: finished at 2008-06-29 21:31:55 ------------

ComboFix 08-06-20.4 - Owner 2008-06-29 21:16:59.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.594 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-23 13:33 . 2008-06-23 13:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-23 13:26 . 2008-06-23 03:15 <DIR> d-------- C:\SDFix
2008-06-21 18:35 . 2008-06-21 18:35 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-21 18:34 . 2008-06-21 18:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 18:26 . 2008-06-21 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-21 16:38 . 2008-06-21 16:38 <DIR> d-------- C:\Deckard
2008-06-21 16:05 . 2008-06-21 16:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-21 15:52 . 2008-06-21 16:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-21 13:27 . 2008-06-25 21:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-21 13:27 . 2008-06-21 13:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-21 13:27 . 2008-06-21 13:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-21 13:27 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-21 13:27 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-21 13:26 . 2008-06-21 13:26 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-21 12:01 . 2008-06-21 12:01 <DIR> d-------- C:\VundoFix Backups
2008-06-21 12:01 . 2008-06-21 12:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-06-19 23:23 . 2008-06-19 23:23 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-19 18:59 . 2008-06-19 20:23 500 --a------ C:\WINDOWS\wininit.ini
2008-06-19 18:34 . 2008-06-21 19:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 17:57 . 2008-06-19 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-16 09:27 . 2008-06-16 09:27 <DIR> d-------- C:\Documents and Settings\Courtney\Application Data\Jasc Software Inc
2008-06-16 02:57 . 2008-06-16 02:57 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2008-06-16 02:57 . 2008-06-16 02:57 <DIR> d-------- C:\Documents and Settings\kay weezy\Application Data\Jasc Software Inc
2008-06-16 02:57 . 2008-06-16 02:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-16 02:56 . 2008-06-16 02:57 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-06-15 23:44 . 2008-06-25 21:12 <DIR> d-------- C:\Temp
2008-06-15 23:44 . 2008-06-15 23:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-06-11 10:35 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 10:35 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-06 09:20 . 2008-06-06 09:20 <DIR> d-------- C:\Program Files\Slide
2008-06-06 09:20 . 2008-06-06 10:30 <DIR> d-------- C:\Documents and Settings\kay weezy\Application Data\Slide
2008-06-06 09:20 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-06-04 19:11 . 2008-06-19 20:29 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-06-04 19:11 . 2008-06-25 21:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-04 19:11 . 2008-06-04 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-06-04 19:11 . 2008-06-04 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-06-04 19:09 . 2008-06-04 19:12 371 --ah----- C:\IPH.PH
2008-06-04 16:09 . 2008-06-21 20:15 <DIR> d---s---- C:\Documents and Settings\Courtney\UserData
2008-06-04 15:49 . 2008-06-04 15:49 <DIR> d-------- C:\Program Files\Kidzui
2008-06-01 20:50 . 2008-06-01 20:50 <DIR> d-------- C:\Documents and Settings\Courtney\Application Data\MySpace
2008-06-01 16:44 . 2008-06-01 16:44 <DIR> d-------- C:\Documents and Settings\kay weezy\Application Data\MySpace
2008-06-01 15:32 . 2008-06-09 15:40 <DIR> d-------- C:\Program Files\MySpace
2008-06-01 15:32 . 2008-06-01 15:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2008-06-01 12:06 . 2008-06-27 12:18 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-28 17:47 . 2008-06-27 14:46 <DIR> d-------- C:\Documents and Settings\kay weezy\Application Data\LimeWire
2008-05-28 16:24 . 2008-06-27 19:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-05-28 16:22 . 2008-06-02 15:56 <DIR> d-------- C:\Program Files\LimeWire
2008-05-28 16:16 . 2008-05-28 16:16 <DIR> d-------- C:\WINDOWS\Sun
2008-05-28 16:15 . 2008-05-28 16:15 <DIR> d-------- C:\Program Files\Java
2008-05-28 16:15 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-28 16:13 . 2008-06-25 22:46 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-28 16:12 . 2008-05-28 16:12 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-25 20:38 . 2008-05-25 20:38 <DIR> d-------- C:\Documents and Settings\Courtney\Application Data\Ahead
2008-05-25 17:35 . 2008-06-21 20:13 <DIR> d---s---- C:\Documents and Settings\kay weezy\UserData
2008-05-25 13:23 . 2008-05-25 13:23 <DIR> d-------- C:\Documents and Settings\kay weezy\Application Data\Ahead
2008-05-24 23:35 . 2008-06-19 20:30 <DIR> d-------- C:\Program Files\Google
2008-05-24 10:55 . 2008-06-19 16:17 <DIR> d-------- C:\Documents and Settings\kay weezy
2008-05-24 10:54 . 2008-06-17 22:29 <DIR> d-------- C:\Documents and Settings\Courtney
2008-05-23 22:23 . 2008-05-23 22:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2008-05-23 17:43 . 2005-04-05 23:30 26,752 -ra------ C:\WINDOWS\system32\drivers\ipfnd51.sys
2008-05-23 15:02 . 2008-06-29 20:01 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-23 15:02 . 2008-05-23 15:02 <DIR> d-------- C:\Program Files\AVG
2008-05-23 15:02 . 2008-05-23 15:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-23 15:02 . 2008-05-23 15:02 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-23 15:02 . 2008-05-23 15:02 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-23 15:02 . 2008-05-23 15:02 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-23 19:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2008-06-16 06:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-30 21:36 --------- d-----w C:\Program Files\Microsoft Works
2008-04-30 21:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-30 21:35 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-30 21:11 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-04-30 21:03 --------- d-----w C:\Program Files\OpenOffice.org 2.1
2008-04-30 20:05 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-30 20:03 --------- d-----w C:\Program Files\MSBuild
2008-04-30 20:00 --------- d-----w C:\Program Files\Reference Assemblies
2008-04-30 19:59 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-30 19:58 --------- d-----w C:\Program Files\MSXML 6.0
2008-04-30 19:41 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-04-30 19:09 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-30 19:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-30 19:07 --------- d-----w C:\Program Files\Nero
2008-04-30 19:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-30 18:32 --------- d-----w C:\Program Files\S3
2008-04-30 18:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-30 18:04 --------- d-----w C:\Program Files\DIFX
2008-04-30 16:47 --------- d-----w C:\Program Files\VIA
2008-04-30 15:48 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-23_14.01.24.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-23 17:59:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-28 18:26:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-23 15:02 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\kay weezy\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-05-27 19:23:48 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-06-25 08:47 1057064 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-06-25 08:47 1629480 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2006-11-16 17:42 577536 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2006-09-14 18:54 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
--a------ 2007-04-25 15:41 176128 C:\WINDOWS\system32\VTTrayp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 08:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 05:39]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-23 15:02]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-23 15:02]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-23 15:02]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-23 15:02]
S3 ip100xp;ENCORE 10/100Mbps Fast Ethernet PCI Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\ipfnd51.sys [2005-04-05 23:30]
S4 MyWebSearchService;My Web Search Service;C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 21:18:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-29 21:18:51
ComboFix-quarantined-files.txt 2008-06-30 01:18:47
ComboFix2.txt 2008-06-26 01:14:02
ComboFix3.txt 2008-06-23 18:01:38

Pre-Run: 234,238,599,168 bytes free
Post-Run: 234,428,108,800 bytes free

189 --- E O F --- 2008-06-21 23:44:33

Edited by mandan252, 29 June 2008 - 11:23 PM.


#10 The Gorilla

  • Members
  • 766 posts
  • Gender:Male
  • Location:Part of a breeding programme in a conservation zoo
  • Local time:07:16 PM

Posted 01 July 2008 - 04:13 PM

Hey mandan252,
We are making progress but we still have a few loose ends to tidy up.

I note your comments in relation to LimeWire and saving all your files onto disk.

All I would say is that this is probably how you became infected in the first place, and if you store the files on disk you could infect another computer in the future.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Step #1
Please disable Spybot S&D’s TeaTimer protection, because it is known to interfere with our fixes.
You can enable it again after you're clean.
Open Spybot and click on 'Mode' then click 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.


Step #2
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\PROGRA~1\MYWEBS~1\

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]

Driver::
MyWebSearchService


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Step #4
Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Finally, please post back the following logs along with your decision about LimeWire and how your system is running.
  • CFScript.txt
  • Kaspersky log


#11 mandan252

  • Topic Starter
  • Members
  • 8 posts
  • Local time:03:16 PM

Posted 02 July 2008 - 04:14 PM

I HAVE UNINSTALLED LIMEWIRE. THESE ARE MY LOGS.

ComboFix 08-06-30.2 - Owner 2008-07-02 16:19:19.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.512 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFSCRIPT.TXT
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-06-30 22:04 . 2008-06-30 22:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Jasc Software Inc
2008-06-23 13:33 . 2008-06-23 13:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-23 13:26 . 2008-06-23 03:15 <DIR> d-------- C:\SDFix
2008-06-21 18:35 . 2008-06-21 18:35 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-21 18:34 . 2008-06-21 18:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 18:26 . 2008-06-21 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-21 16:38 . 2008-06-21 16:38 <DIR> d-------- C:\Deckard
2008-06-21 16:05 . 2008-06-21 16:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-21 15:52 . 2008-06-21 16:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-21 13:27 . 2008-06-25 21:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-21 13:27 . 2008-06-21 13:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-21 13:27 . 2008-06-21 13:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-21 13:27 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-21 13:27 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-21 13:26 . 2008-06-21 13:26 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-21 12:01 . 2008-06-21 12:01 <DIR> d-------- C:\VundoFix Backups
2008-06-21 12:01 . 2008-06-21 12:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-06-19 23:23 . 2008-06-19 23:23 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-19 18:59 . 2008-06-19 20:23 500 --a------ C:\WINDOWS\wininit.ini
2008-06-19 18:34 . 2008-06-21 19:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 17:57 . 2008-06-19 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-16 09:27 . 2008-06-16 09:27 <DIR> d-------- C:\Documents and Settings\Courtney\Application Data\Jasc Software Inc
2008-06-16 02:57 . 2008-06-16 02:57 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2008-06-16 02:57 . 2008-06-16 02:57 <DIR> d-------- C:\Documents and Settings\kay weezy\Application Data\Jasc Software Inc
2008-06-16 02:57 . 2008-06-16 02:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-16 02:56 . 2008-06-16 02:57 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-06-15 23:44 . 2008-06-25 21:12 <DIR> d-------- C:\Temp
2008-06-15 23:44 . 2008-06-15 23:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-06-11 10:35 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 10:35 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-06 09:20 . 2008-06-06 09:20 <DIR> d-------- C:\Program Files\Slide
2008-06-06 09:20 . 2008-06-06 10:30 <DIR> d-------- C:\Documents and Settings\kay weezy\Application Data\Slide
2008-06-06 09:20 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-06-04 19:11 . 2008-06-19 20:29 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-06-04 19:11 . 2008-06-04 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-06-04 19:11 . 2008-06-04 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-06-04 19:09 . 2008-06-04 19:12 371 --ah----- C:\IPH.PH
2008-06-04 16:09 . 2008-06-21 20:15 <DIR> d---s---- C:\Documents and Settings\Courtney\UserData
2008-06-04 15:49 . 2008-06-04 15:49 <DIR> d-------- C:\Program Files\Kidzui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 20:16 --------- d-----w C:\Program Files\LimeWire
2008-07-02 20:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-06-27 18:46 --------- d-----w C:\Documents and Settings\kay weezy\Application Data\LimeWire
2008-06-23 19:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2008-06-20 00:30 --------- d-----w C:\Program Files\Google
2008-06-16 06:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-09 19:40 --------- d-----w C:\Program Files\MySpace
2008-06-02 00:50 --------- d-----w C:\Documents and Settings\Courtney\Application Data\MySpace
2008-06-01 20:44 --------- d-----w C:\Documents and Settings\kay weezy\Application Data\MySpace
2008-06-01 19:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\MySpace
2008-05-28 20:15 --------- d-----w C:\Program Files\Java
2008-05-28 20:12 --------- d-----w C:\Program Files\Common Files\Java
2008-05-26 00:38 --------- d-----w C:\Documents and Settings\Courtney\Application Data\Ahead
2008-05-25 17:23 --------- d-----w C:\Documents and Settings\kay weezy\Application Data\Ahead
2008-05-24 02:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\LightScribe
2008-05-23 19:02 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-23 19:02 75,272 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-23 19:02 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-05-23 19:02 --------- d-----w C:\Program Files\AVG
2008-05-23 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-23_14.01.24.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-23 17:59:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-02 17:25:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-16 13:27:51 25,214 ----a-r C:\WINDOWS\Installer\{F843C6A3-224D-4615-94F8-3C461BD9AEA0}\ARPPRODUCTICON.exe
+ 2008-07-01 02:04:30 25,214 ----a-r C:\WINDOWS\Installer\{F843C6A3-224D-4615-94F8-3C461BD9AEA0}\ARPPRODUCTICON.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-23 15:02 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\kay weezy\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-05-27 19:23:48 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-06-25 08:47 1057064 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-06-25 08:47 1629480 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2006-11-16 17:42 577536 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2006-09-14 18:54 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
--a------ 2007-04-25 15:41 176128 C:\WINDOWS\system32\VTTrayp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 08:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 05:39]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-23 15:02]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-23 15:02]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-23 15:02]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-23 15:02]
S3 ip100xp;ENCORE 10/100Mbps Fast Ethernet PCI Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\ipfnd51.sys [2005-04-05 23:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0500eb70-2a8b-11dd-a131-0019dbe92578}]
\Shell\Auto\command - I:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 16:20:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-02 16:21:07
ComboFix-quarantined-files.txt 2008-07-02 20:21:01
ComboFix2.txt 2008-07-02 01:10:55
ComboFix3.txt 2008-06-30 01:18:52
ComboFix4.txt 2008-06-26 01:14:02
ComboFix5.txt 2008-06-23 18:01:38

Pre-Run: 234,179,162,112 bytes free

KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, July 2, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, July 02, 2008 19:49:12
Records in database: 907658


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Files scanned 32985
Threat name 6
Infected objects 18
Suspicious objects 0
Duration of the scan 00:31:13

File name Threat name Threats count
C:\Documents and Settings\kay weezy\My Documents\LimeWire\Incomplete\T-3545425-jigga juice music video 2008.mpg Infected: Trojan-Downloader.WMA.Wimad.n 1

C:\QooBox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cv 1

C:\QooBox\Quarantine\C\WINDOWS\system32\ccxqleni.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\djmkphqi.dll.vir Infected: Trojan.Win32.Monder.ys 1

C:\QooBox\Quarantine\C\WINDOWS\system32\fqtrfvxh.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\fybhaegf.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\geitthkv.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\hrjqxems.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\jfxvyqjr.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\jvuqimba.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\ocqrlmrv.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\pcpeerrl.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\rhxwlvmp.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\tkgssxic.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\urqPhFxx.dll.vir.vir Infected: Trojan.Win32.Monder.yq 1

C:\QooBox\Quarantine\C\WINDOWS\system32\whkvjjkd.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\wxspqcgj.dll.vir Infected: Trojan.Win32.Monder.yo 1

C:\QooBox\Quarantine\C\WINDOWS\system32\xadmvtfy.dll.vir Infected: Trojan.Win32.Mondera.gen 1

The selected area was scanned.


AFTER READING THIS I ALSO DELETED THE LIMEWIRE FILES THAT WERE LEFT AFTER I UNINSTALLED IT. IT SEEMS THAT MY CHILD HAS DOWNLOADED THE VIRUS. AFTER I DELETED ALL THE LIMEWIRE FILES I RAN THE KASPERSKY SCAN AGAIN AND HERE IS THE LOG FOR IT:

KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, July 3, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, July 03, 2008 17:13:27
Records in database: 910775


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics
Files scanned 34301
Threat name 5
Infected objects 17
Suspicious objects 0
Duration of the scan 00:32:32

File name Threat name Threats count
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cv 1

C:\QooBox\Quarantine\C\WINDOWS\system32\ccxqleni.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\djmkphqi.dll.vir Infected: Trojan.Win32.Monder.ys 1

C:\QooBox\Quarantine\C\WINDOWS\system32\fqtrfvxh.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\fybhaegf.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\geitthkv.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\hrjqxems.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\jfxvyqjr.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\jvuqimba.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\ocqrlmrv.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\pcpeerrl.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\rhxwlvmp.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\tkgssxic.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\urqPhFxx.dll.vir.vir Infected: Trojan.Win32.Monder.yq 1

C:\QooBox\Quarantine\C\WINDOWS\system32\whkvjjkd.dll.vir Infected: Trojan.Win32.Mondera.gen 1

C:\QooBox\Quarantine\C\WINDOWS\system32\wxspqcgj.dll.vir Infected: Trojan.Win32.Monder.yo 1

C:\QooBox\Quarantine\C\WINDOWS\system32\xadmvtfy.dll.vir Infected: Trojan.Win32.Mondera.gen 1

The selected area was scanned.

Post-Run: 234,208,419,840 bytes free

159 --- E O F --- 2008-06-21 23:44:33

Edited by mandan252, 03 July 2008 - 02:43 PM.


#12 The Gorilla

The Gorilla

  • Members
  • 766 posts
  • OFFLINE
  • Gender:Male
  • Location:Part of a breeding programme in a conservation zoo
  • Local time:07:16 PM

Posted 04 July 2008 - 11:23 AM

Hey mandan252,
That's good news on the Limewire. We just need to tidy up a few loose ends. :thumbsup:

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Step #1
1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\kay weezy\Start Menu\Programs\Startup\LimeWire On Startup.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

Folder::
C:\Program Files\LimeWire
C:\Documents and Settings\Owner\Application Data\LimeWire
C:\Documents and Settings\kay weezy\Application Data\LimeWire
C:\Documents and Settings\kay weezy\My Documents\LimeWire

Registry::
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Step #2

Please go to Eset Onlinescan (NOD32)
(You need to use Internet Explorer or enable IEView in Firefox)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start (the Onlinescanner will now prepare itself for running on your PC)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
    The Onlinescan will now start and scan your PC (please let it run to completion)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
    The Scan results will now open in Notepad
  • Click into the text area, right-click and choose "select all"
  • Right-click again and choose "copy"
  • Close Notepad
Include this log in your reply by right-clicking and "paste" in the text area of the reply post you just created.

Finally please post back ComboFix.txt and Eset log in your next post along with how your system is running. 
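As an added example (not the helper's or ComboFix's own code), the following Python script derives the File:: and Registry:: entries of a CFScript like the one in Step #1 from the Startup-folder shortcut lines and the [HKLM\~\startupfolder\...] blocks of a ComboFix "Reg Loading Points" section. The sample excerpt is copied from the log posted above; the line layout the parser expects is an assumption fitted to that log, not a documented format, and the Folder:: entries are supplied by hand because the log does not say which directories belong to a program.

```python
import re

# Constructed excerpt in the layout of the "Reg Loading Points" section of
# the ComboFix log posted above (a few lines only, copied from that log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-23 15:02 1177368]

C:\Documents and Settings\kay weezy\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-05-27 19:23:48 147456]

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
"""

# A Startup-folder shortcut line: "<name>.lnk - <target> [<date> <size>]"
STARTUP_LNK_RE = re.compile(r"^(?P<name>.+?\.lnk) - (?P<target>.+?) \[", re.IGNORECASE)
# A msconfig startupfolder key, in the HKLM\~\ shorthand the ComboFix log uses
# (assumed layout: the key line, then path= and backup= lines, then a blank line)
STARTUPFOLDER_KEY_RE = re.compile(r"^\[(?P<key>HKLM\\~\\startupfolder\\.+)\]$", re.IGNORECASE)


def parse_reg_loading_points(log_text):
    """Return (startup_links, startupfolder_entries) found in a log excerpt.

    startup_links: shortcuts listed under a Startup folder line
    startupfolder_entries: msconfig startupfolder keys with path= / backup= values
    """
    links, entries = [], []
    folder, current = None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the current block
            folder = None
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.lower().endswith("\\startup\\"):
            folder = line                 # shortcut lines that follow belong here
            continue
        m = STARTUP_LNK_RE.match(line)
        if m and folder is not None:
            links.append({"folder": folder, "name": m["name"],
                          "target": m["target"], "path": folder + m["name"]})
            continue
        m = STARTUPFOLDER_KEY_RE.match(line)
        if m:
            current = {"key": m["key"], "path": None, "backup": None}
            continue
        if current is not None and "=" in line:
            field, value = line.split("=", 1)
            if field in ("path", "backup"):
                current[field] = value
    if current is not None:
        entries.append(current)
    return links, entries


def build_cfscript(program, links, entries, folders=()):
    """Assemble the File::/Folder::/Registry:: sections of a CFScript naming
    every startup shortcut, its msconfig backup copy and the msconfig key
    that refer to `program` (case-insensitive substring match)."""
    needle = program.lower()
    files, keys = [], []
    for link in links:
        if needle in link["target"].lower() or needle in link["name"].lower():
            files.append(link["path"])
    for entry in entries:
        if needle in entry["key"].lower():
            keys.append(entry["key"])
            for p in (entry["path"], entry["backup"]):
                if p and p not in files:
                    files.append(p)
    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    if folders:
        sections.append("Folder::\n" + "\n".join(folders))
    if keys:
        sections.append("Registry::\n" + "\n".join(keys))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    links, entries = parse_reg_loading_points(SAMPLE_LOG)
    print(build_cfscript("LimeWire", links, entries,
                         folders=[r"C:\Program Files\LimeWire"]))
```

Run it and compare the output with the script in Step #1: the three File:: lines and the Registry:: key come straight out of the log, which is the check to make before dragging any CFScript onto ComboFix.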

#13 mandan252

mandan252
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:16 PM

Posted 07 July 2008 - 08:27 PM

So far, so good! Here are my logs:


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3248 (20080707)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=1696caaf80c42842957e4ee5f091274a
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-07-08 01:21:26
# local_time=2008-07-07 09:21:26 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=150051
# found=8
# scan_time=1011
C:\QooBox\Quarantine\C\WINDOWS\system32\ccxqleni.dll.vir Win32/BHO.NFD trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\fybhaegf.dll.vir Win32/BHO.NFD trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\jfxvyqjr.dll.vir Win32/BHO.NFD trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\jvuqimba.dll.vir Win32/BHO.NFD trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\ocqrlmrv.dll.vir Win32/BHO.NFD trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\rhxwlvmp.dll.vir Win32/BHO.NFD trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\tkgssxic.dll.vir Win32/BHO.NFD trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\xadmvtfy.dll.vir Win32/BHO.NFD trojan (unable to clean - deleted) 00000000000000000000000000000000


and my ComboFix log:


ComboFix 08-06-30.2 - Owner 2008-07-07 20:47:48.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.574 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\kay weezy\Start Menu\Programs\Startup\LimeWire On Startup.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
.

((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 )))))))))))))))))))))))))))))))
.

2008-06-30 22:04 . 2008-06-30 22:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Jasc Software Inc
2008-06-23 13:33 . 2008-06-23 13:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-23 13:26 . 2008-06-23 03:15 <DIR> d-------- C:\SDFix
2008-06-21 18:35 . 2008-06-21 18:35 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-21 18:34 . 2008-06-21 18:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 18:26 . 2008-06-21 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-21 16:38 . 2008-06-21 16:38 <DIR> d-------- C:\Deckard
2008-06-21 16:05 . 2008-06-21 16:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-21 15:52 . 2008-06-21 16:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-21 13:27 . 2008-06-25 21:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-21 13:27 . 2008-06-21 13:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-21 13:27 . 2008-06-21 13:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-21 13:27 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-21 13:27 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-21 13:26 . 2008-06-21 13:26 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-21 12:01 . 2008-06-21 12:01 <DIR> d-------- C:\VundoFix Backups
2008-06-21 12:01 . 2008-06-21 12:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-06-19 23:23 . 2008-06-19 23:23 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-19 18:59 . 2008-06-19 20:23 500 --a------ C:\WINDOWS\wininit.ini
2008-06-19 18:34 . 2008-06-21 19:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 17:57 . 2008-06-19 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-16 09:27 . 2008-06-16 09:27 <DIR> d-------- C:\Documents and Settings\Courtney\Application Data\Jasc Software Inc
2008-06-16 02:57 . 2008-06-16 02:57 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2008-06-16 02:57 . 2008-06-16 02:57 <DIR> d-------- C:\Documents and Settings\kay weezy\Application Data\Jasc Software Inc
2008-06-16 02:57 . 2008-06-16 02:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-16 02:56 . 2008-06-16 02:57 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-06-15 23:44 . 2008-06-25 21:12 <DIR> d-------- C:\Temp
2008-06-15 23:44 . 2008-06-15 23:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-06-11 10:35 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 10:35 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 18:48 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-03 18:48 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-03 18:48 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-06-23 19:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2008-06-20 00:30 --------- d-----w C:\Program Files\Google
2008-06-20 00:29 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-16 06:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-09 19:40 --------- d-----w C:\Program Files\MySpace
2008-06-06 14:30 --------- d-----w C:\Documents and Settings\kay weezy\Application Data\Slide
2008-06-06 13:20 --------- d-----w C:\Program Files\Slide
2008-06-04 23:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-06-04 23:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-04 19:49 --------- d-----w C:\Program Files\Kidzui
2008-06-02 00:50 --------- d-----w C:\Documents and Settings\Courtney\Application Data\MySpace
2008-06-01 20:44 --------- d-----w C:\Documents and Settings\kay weezy\Application Data\MySpace
2008-06-01 19:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\MySpace
2008-05-28 20:15 --------- d-----w C:\Program Files\Java
2008-05-28 20:12 --------- d-----w C:\Program Files\Common Files\Java
2008-05-26 00:38 --------- d-----w C:\Documents and Settings\Courtney\Application Data\Ahead
2008-05-25 17:23 --------- d-----w C:\Documents and Settings\kay weezy\Application Data\Ahead
2008-05-24 02:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\LightScribe
2008-05-23 19:02 --------- d-----w C:\Program Files\AVG
2008-05-23 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-23_14.01.24.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-23 17:59:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-07 14:21:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-16 13:27:51 25,214 ----a-r C:\WINDOWS\Installer\{F843C6A3-224D-4615-94F8-3C461BD9AEA0}\ARPPRODUCTICON.exe
+ 2008-07-01 02:04:30 25,214 ----a-r C:\WINDOWS\Installer\{F843C6A3-224D-4615-94F8-3C461BD9AEA0}\ARPPRODUCTICON.exe
- 2008-05-23 19:02:31 26,184 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-07-03 18:48:12 26,824 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-03 14:48 1232152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-06-25 08:47 1057064 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-06-25 08:47 1629480 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2006-11-16 17:42 577536 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2006-09-14 18:54 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
--a------ 2007-04-25 15:41 176128 C:\WINDOWS\system32\VTTrayp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 08:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 05:39]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-03 14:48]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-03 14:48]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-23 15:02]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-03 14:48]
S3 ip100xp;ENCORE 10/100Mbps Fast Ethernet PCI Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\ipfnd51.sys [2005-04-05 23:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0500eb70-2a8b-11dd-a131-0019dbe92578}]
\Shell\Auto\command - I:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 20:48:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-07 20:49:27
ComboFix-quarantined-files.txt 2008-07-08 00:49:22
ComboFix2.txt 2008-07-02 20:21:08
ComboFix3.txt 2008-07-02 01:10:55
ComboFix4.txt 2008-06-30 01:18:52
ComboFix5.txt 2008-06-26 01:14:02

Pre-Run: 240,231,030,784 bytes free
Post-Run: 240,305,709,056 bytes free

155 --- E O F --- 2008-06-21 23:44:33
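Every detection left in the Kaspersky and ESET reports above sits under C:\QooBox\Quarantine, i.e. ComboFix's quarantine, not a live location. As an added example (not code from the thread or from either scanner), this Python helper parses detection lines in the two report layouts shown above and separates files still in place from files already quarantined; the regexes are assumptions fitted to the lines posted here, the quarantine prefixes are the tool folders that appear on this machine, and the samples are copied from the posted reports.

```python
import re
from collections import Counter

# Constructed samples: a handful of lines copied from the Kaspersky Online
# Scanner 7 report and the ESET Online Scanner log posted above.
KASPERSKY_SAMPLE = r"""
C:\Documents and Settings\kay weezy\My Documents\LimeWire\Incomplete\T-3545425-jigga juice music video 2008.mpg Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cv 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ccxqleni.dll.vir Infected: Trojan.Win32.Mondera.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\djmkphqi.dll.vir Infected: Trojan.Win32.Monder.ys 1
"""
ESET_SAMPLE = r"""
# scanned=150051
# found=8
C:\QooBox\Quarantine\C\WINDOWS\system32\ccxqleni.dll.vir Win32/BHO.NFD trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\fybhaegf.dll.vir Win32/BHO.NFD trojan (unable to clean - deleted) 00000000000000000000000000000000
"""

# Kaspersky: "<path> Infected: <threat> <count>"  (assumed from the report above)
KASPERSKY_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# ESET: "<path> <family> <type> (<action taken>) <32 hex digits>"  (assumed likewise)
ESET_RE = re.compile(
    r"^(?P<path>.+?) (?P<threat>\S+ \w+) \((?P<action>[^)]*)\) (?P<digest>[0-9A-Fa-f]{32})$")
# ESET header lines: "# key=value"
ESET_HEADER_RE = re.compile(r"^# (?P<key>\w+)=(?P<value>.*)$")

# Quarantine/backup folders the cleanup tools in this thread create; a file
# found here has already been moved out of its live location.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\vundofix backups\\")


def is_quarantined(path):
    return path.lower().startswith(QUARANTINE_PREFIXES)


def parse_report(report_text):
    """Parse either report layout. Returns (detections, header); header holds
    the '# key=value' lines of an ESET log and is empty for Kaspersky."""
    detections, header = [], {}
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = ESET_HEADER_RE.match(line)
        if h:
            header[h["key"]] = h["value"]
            continue
        m = KASPERSKY_RE.match(line)
        scanner = "kaspersky"
        if m is None:
            m = ESET_RE.match(line)
            scanner = "eset"
        if m is None:
            continue                      # heading or summary line, not a detection
        detections.append({"scanner": scanner, "path": m["path"],
                           "threat": m["threat"],
                           "quarantined": is_quarantined(m["path"])})
    return detections, header


def triage(report_text):
    """Split detections into files still live on disk (these need action) and
    files already inside a quarantine folder (these go away when that tool is
    uninstalled, as ComboFix /u does with the QooBox folder)."""
    detections, header = parse_report(report_text)
    return {
        "header": header,
        "live": [d for d in detections if not d["quarantined"]],
        "quarantined": [d for d in detections if d["quarantined"]],
        "by_threat": Counter(d["threat"] for d in detections),
    }


if __name__ == "__main__":
    for name, text in (("Kaspersky", KASPERSKY_SAMPLE), ("ESET", ESET_SAMPLE)):
        result = triage(text)
        print(f"{name}: {len(result['live'])} live, "
              f"{len(result['quarantined'])} already quarantined")
        for d in result["live"]:
            print("  needs attention:", d["path"], "->", d["threat"])
```

On the first Kaspersky report the only live hit is the LimeWire download in the Incomplete folder, which matches what the poster then removed by hand; on the second report and the ESET log nothing live remains.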

#14 The Gorilla

The Gorilla

  • Members
  • 766 posts
  • OFFLINE
  • Gender:Male
  • Location:Part of a breeding programme in a conservation zoo
  • Local time:07:16 PM

Posted 10 July 2008 - 11:53 AM

Hey mandan252 :) Sorry for the delay.
I am glad your system is working well and the pop-ups have stopped.

We just need to undertake a little bit of housekeeping:

Step #1
Remove ComboFix:
Go to Start > Run > copy and paste the next command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u
Then hit Enter.
This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Step #2
Start TeaTimer in Spybot:
Open Spybot and, under the Mode tab, click Advanced. A window will open up asking you if you want to make this switch; answer Yes. On the left side click on Tools > Resident, then CHECK "Resident TeaTimer" and close Spybot.
Please Reboot your computer.

Congratulations, your system is clean :thumbsup:

You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  • Now Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:
    Go to Start > Programs > Accessories > System Tools and click "System Restore"
    Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    Then go to Start > Run and type: Cleanmgr
    Click "OK".
    Click the "More Options" Tab.
    Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector; I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer. 
    If you don't know what ActiveX controls are, see here
    You can download SpywareBlaster from here
  • Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly
  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Windows includes a HOSTS file. A HOSTS file is a bit like a phone book: it maps the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
    • Run Spybot Search & Destroy
    • Click on Mode, and then place a tick next to Advanced mode
    • Click Yes
    • In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
    • Click on Add Spybot-S&D hosts list
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
    • Click Start > Run 
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it. 
    • On the dropdown box, change the setting from automatic to manual. 
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  • Install a-squared Free & update and scan with it regularly
    a-squared Free is a product from Emsi Software, provided free for private use, that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
  • Finally, I am trying to make one point very clear: it is absolutely essential to keep all of your security programs up to date

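As an added illustration of the HOSTS-file point above (example code written for this page, not code from the thread or from Spybot S&D), here is a small Python model of how Windows consults the HOSTS file before DNS and why an entry that pins a site name to 127.0.0.1 or 0.0.0.0 keeps the browser from ever reaching it. The hosts entries and DNS answers are constructed placeholders.

```python
"""Added example for this page (not code from the thread or from Spybot S&D):
how Windows consults the HOSTS file before DNS, and why a blocklist entry works."""
import ipaddress

# Constructed sample in the format of %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Comment lines and blank lines are ignored by the resolver.
127.0.0.1       localhost
# Blocklist-style entries (Spybot adds thousands of lines like these):
127.0.0.1\tads.bad-example.test   www.ads.bad-example.test  # tab, two names
0.0.0.0 tracker.bad-example.test
10.0.0.1 tracker.bad-example.test   # later duplicate: first mapping wins
not-an-ip some.host.test            # malformed line: skipped
"""

def parse_hosts(text):
    """Return {hostname: ip}. Names are case-insensitive; first mapping wins."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                              # not an address: ignore line
        for name in fields[1:]:
            mapping.setdefault(name.lower(), ip)
    return mapping

def resolve(name, hosts, dns):
    """Look up `name` as Windows does: HOSTS first, then DNS (`dns` is a dict standing in for a real query)."""
    key = name.rstrip(".").lower()
    if key in hosts:
        return hosts[key], "hosts"
    if key in dns:
        return dns[key], "dns"
    return None, "nxdomain"

def points_to_local(name, hosts):
    """True when HOSTS pins `name` to loopback or 0.0.0.0, so the real site is never contacted."""
    ip = hosts.get(name.rstrip(".").lower())
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified
```

The same first-match rule is why a stale or duplicate entry earlier in a large HOSTS file silently wins over a later correction.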

#15 mandan252

mandan252
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:16 PM

Posted 11 July 2008 - 12:27 AM

I have a problem!! I set my restore point for July 9 because since last night, the 10th, I have been having problems with my computer locking up every time I try to go to MySpace. It will start loading from Google and then just freeze, or if I do a straight link it will freeze. I tried deleting my cookies thinking this would help, but it hasn't. Also my child has been loading pictures from a camera and I think the SD memory card may be infected; how, IDK! Most of the other websites load fine. I don't know what to do???
I haven't done anything with ComboFix yet because I didn't know if you would need it again. I'm sorry to be such a bother, but now I feel things might have gotten reinfected. Could you please tell me what to do???? Should I just do what the last post said and go from there, or what???

Edited by mandan252, 11 July 2008 - 12:28 AM.
