
Something Is Very Wrong With My Computer...internet Will Not Work.


  • This topic is locked
17 replies to this topic

#1 all_4_dios
  • Members
  • 31 posts
  • Gender:Male

Posted 16 August 2008 - 01:30 AM

Hello,

Something is really wrong with my computer. I can't even find what might be making it act up. Mainly, Internet and Firefox won't work right. Sometimes pages load and sometimes they don't (usually don't). The links that Google provides when I type something in the search box take me to alternate sites that I don't want to visit, almost like sending me to a pop-up. I admit I did download a torrent, and I removed the software for doing that, but AntiVir won't detect anything wrong. ALSO, as is apparent, I am using another computer to post the logs, due to my computer's internet not working, so as a result, I can't fully use the Panda antivirus software or Spybot, and I can't update Ad-Aware 2008.

Here's my log, and thanks for your help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:31 PM, on 8/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Miles\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [f805302d] rundll32.exe "C:\WINDOWS\system32\vpuxoakn.dll",b
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: NCProTray.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FD12AEA-BB8E-4C17-9889-87ED8F05E8A5}: NameServer = 68.105.28.11,68.105.29.11
O20 - AppInit_DLLs: wbsys.dll qqdcuy.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 8412 bytes


-Miles
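A triage pass over the autostart lines that matter most in a HijackThis log, run on a handful of lines copied from the log above. This is an added example for readers of this thread; it is not part of the original post, of HijackThis, or of any tool the helper recommends. The allowlist of DLLs is an assumption built only from products that other lines of the same log attribute (NVIDIA's NvCpl.dll/NvMcTray.dll, Stardock WindowBlinds' wbsys.dll), and anything the script flags means "look at this first", not "this is malware".

```python
"""Triage the autostart entries in a HijackThis log.

Added example: parses O4 (Run keys), O20 (AppInit_DLLs) and O17 (NameServer)
lines and flags the ones an analyst would want to look at first. The
allowlist below is an assumption made for this example, not an authoritative
list of clean files.
"""
import ntpath
import re

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [f805302d] rundll32.exe "C:\WINDOWS\system32\vpuxoakn.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FD12AEA-BB8E-4C17-9889-87ED8F05E8A5}: NameServer = 68.105.28.11,68.105.29.11
O20 - AppInit_DLLs: wbsys.dll qqdcuy.dll
"""

# Assumed allowlist (example only): DLLs that other lines of the same log
# attribute to an installed product (NVIDIA control panel, Stardock WindowBlinds).
KNOWN_DLLS = {"nvcpl.dll", "nvmctray.dll", "wbsys.dll"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
DLL_RE = re.compile(r'([^\s",]+\.dll)', re.IGNORECASE)
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")  # Run value names like [f805302d]


def dll_from_command(cmd):
    """Return the lower-cased basename of the first .dll in a command line."""
    m = DLL_RE.search(cmd)
    return ntpath.basename(m.group(1)).lower() if m else None


def triage(log_text):
    """Return findings as dicts with 'kind', 'item' and 'reason'."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if HEX_NAME.match(name):
                findings.append({"kind": "run-name", "item": name,
                                 "reason": "Run value name is 8 hex digits, a pattern "
                                           "products rarely use for their own entries"})
            if cmd.lower().startswith("rundll32"):
                dll = dll_from_command(cmd)
                if dll and dll not in KNOWN_DLLS:
                    findings.append({"kind": "dll", "item": dll,
                                     "reason": "rundll32 autostart loads a DLL no "
                                               "installed product is known to own"})
            continue
        m = O20_RE.match(line)
        if m:
            for dll in m.group("dlls").split():
                if dll.lower() not in KNOWN_DLLS:
                    findings.append({"kind": "dll", "item": dll.lower(),
                                     "reason": "AppInit_DLLs injects this DLL into every "
                                               "process that loads user32.dll"})
            continue
        m = O17_RE.match(line)
        if m:
            for server in m.group("servers").split(","):
                findings.append({"kind": "dns", "item": server.strip(),
                                 "reason": "confirm this resolver belongs to your ISP or router"})
    return findings


def suspicious_dlls(findings):
    """DLL basenames flagged by triage(), for quick review."""
    return {f["item"] for f in findings if f["kind"] == "dll"}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['item']}: {f['reason']}")
```

On the sample it surfaces three things: the Run value named `f805302d` (an auto-generated-looking name) that starts rundll32 on `vpuxoakn.dll` from system32, the second AppInit_DLLs entry `qqdcuy.dll`, and the two NameServer addresses, which it lists only so they can be checked against the ISP's or router's resolvers. The AppInit_DLLs check matters for the redirect symptom described in the post because a DLL listed there is loaded into every process that uses user32.dll, browsers included; whether a given DLL is actually malicious still has to be established by looking at the file.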


#2 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 23 August 2008 - 08:46 AM

Hello. I am PropagandaPanda (Panda or PP for short) and I will be helping you with your log.

I will need some time to look over your computer's log(s). I am still in training, so my responses to you must be checked by a coach.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and select Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of a few guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it may not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 all_4_dios
  • Topic Starter
  • Members
  • 31 posts
  • Gender:Male

Posted 23 August 2008 - 05:14 PM

Thanks for helping out! :thumbsup:

#4 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 24 August 2008 - 08:36 AM

Hello all 4 dios. Sorry for the delay. We have over 300 topics waiting to be answered :thumbsup: .

Let's get started.

Disable Realtime Protection
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background.
  • Right click it -> untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background.
You successfully disabled the AntiVir Guard.

Now for Ad-Aware.
  • Right click on the Ad-Watch icon in the system tray.
  • At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
    • Active: This will turn Ad-Watch On\Off without closing it.
    • Automatic: Suspicious activity will be blocked automatically.
  • Uncheck both of those boxes.
  • (When done, you can re-enable it using the same steps, but this time check both boxes.)
Install Recovery Console and Run ComboFix
Download Combofix from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System. You have Service Pack 2 installed.

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Download the file and save it as it's originally named onto your desktop.
  • Close any open windows, including this one.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click Yes to run the full ComboFix scan.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Download, Install, and Save Log with HijackThis
We need HijackThis in a permanent location so that backups will be saved. Please delete your current version.
  • Download the installer HERE onto your desktop and double click it.
  • You may be asked for confirmation for running an executable file. Select Run.
  • You will be asked to choose the install location. Please leave it at the default:
    C:\Program Files\Trend Micro\HijackThis.
  • Select Install.
  • The installation process should only take a few seconds. A shortcut named HijackThis will be created on your desktop so there will be no need to access the HijackThis program directly. The HijackThis window will pop up after the installation.
  • Close HijackThis for now.
We need to rename HijackThis because I suspect that an infection is hiding entries from us.
  • Double click the My Computer icon on your desktop, then C: Drive, then Program Files, then Trend Micro, then HijackThis.
  • Right click on HijackThis.exe (or just HijackThis if you don't have extensions enabled), and select Rename.
  • Input fluffybunny.exe and hit Enter.
  • Close out of the window.
The shortcut on your desktop will need to be changed to point to the newly named HijackThis.
  • Right click the HijackThis icon on your desktop and select Properties.
  • In the Target box, copy in, with the quotes:
    "C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe"
  • Hit OK.
---------------
Please post back with:
-the ComboFix log
-a new HijackThis log

Also comment on how your computer is running now.

With Regards,
The Panda

#5 all_4_dios
  • Topic Starter
  • Members
  • 31 posts
  • Gender:Male

Posted 24 August 2008 - 10:34 AM

Unfortunately, before I do all of this, there is another problem that just arose. When I boot up my PC, it just boots up to a black screen with the mouse. I went into the setup functions at boot up and disabled "quick bootup" so I could see what the error was. Well, when it booted up, it said that there was an "Error Loading OS." This happened once before in the past, but I was able to boot up in safe mode and restore my computer to an earlier time (after the HijackThis log, FYI). But now, I can't seem to figure out how to do that. What should I do?? Sorry about the trouble :thumbsup:

#6 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 24 August 2008 - 11:05 AM

Hello All 4 Dios.

Try to undo any changes in the BIOS.

If your computer can boot at all:
Please try to boot your computer into normal mode. There, hit Ctrl+Alt+Del to open the Task Manager. Click File > Run and type "explorer". This should restore your desktop. If all that works, follow the instructions in my above post.

If not then we can ask for some help from another forum to get this machine starting again.

With Regards,
The Panda

#7 all_4_dios
  • Topic Starter
  • Members
  • 31 posts
  • Gender:Male

Posted 25 August 2008 - 02:40 PM

So my computer will not boot up. It literally boots up to a black screen with a mouse. If there is an "error with the operating system," then obviously I can't hit "Ctrl + Alt + Del."
This happened before and I fixed it by booting up into safe mode and then restoring the comp to an earlier time, but I forgot how I got it to boot in safe mode. How do you do that, and if not, what should I do? I undid the BIOS things and I can't boot up normally. What should I do?

#8 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 25 August 2008 - 02:54 PM

Hello.

but I forgot how I got it to boot in safe mode

You can refer to this page on booting into Safe Mode.

With Regards,
The Panda

#9 all_4_dios
  • Topic Starter
  • Members
  • 31 posts
  • Gender:Male

Posted 26 August 2008 - 05:07 PM

Thank you for your help! I EVENTUALLY got my computer booted. It took me a while. Right now I'm running the ComboFix thing. I'll post back in a few minutes.

One question: Does my computer need to be connected to the Internet? I've been transferring all the downloads that you've told me to download from this computer to my desktop (the one with the problem) via a flash drive. Is that ok? Do I need to get connected to the internet?

#10 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 26 August 2008 - 05:42 PM

Hello.

You do not require an Internet connection, but please make sure ComboFix is on your desktop before running.

With Regards,
The Panda

#11 all_4_dios
  • Topic Starter
  • Members
  • 31 posts
  • Gender:Male

Posted 26 August 2008 - 05:51 PM

So I got connected to the Internet, so no worries.

Here is the ComboFix log:

ComboFix 08-08-26.02 - Miles 2008-08-26 15:38:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1575 [GMT -7:00]
Running from: C:\Documents and Settings\Miles\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Miles\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.

2008-08-26 15:29 . 2008-08-26 15:29 <DIR> d-------- C:\Documents and Settings\Miles\Application Data\CiscoCAA
2008-08-26 15:28 . 2008-08-26 15:28 <DIR> d-------- C:\Program Files\Cisco Systems
2008-08-15 22:53 . 2008-08-15 22:53 <DIR> d-------- C:\Program Files\Sygate
2008-08-15 22:53 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-08-15 22:53 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-08-15 22:53 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-08-15 22:53 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-08-15 22:53 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-08-15 22:53 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-08-15 22:53 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-08-15 22:05 . 2008-08-15 22:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-15 22:05 . 2008-08-15 22:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-15 22:04 . 2008-08-15 22:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-15 16:01 . 2008-08-15 16:01 <DIR> d-------- C:\Documents and Settings\Miles\Application Data\MOVAVI
2008-08-15 16:00 . 2008-08-15 16:07 <DIR> d-------- C:\Program Files\Movavi EnhanceMovie 3
2008-08-15 13:34 . 2008-08-15 13:34 <DIR> d-------- C:\Program Files\Smart Projects
2008-08-15 13:08 . 2008-08-15 13:08 <DIR> d-------- C:\Program Files\ImgBurn
2008-08-15 13:08 . 2008-08-15 13:13 <DIR> d-------- C:\Documents and Settings\Miles\Application Data\ImgBurn
2008-08-15 12:53 . 2008-08-15 12:53 <DIR> d-------- C:\Documents and Settings\Miles\Application Data\DAEMON Tools
2008-08-14 22:58 . 2008-08-14 22:58 36,363 --a------ C:\WINDOWS\CSTBox.INI
2008-08-14 10:04 . 2008-08-14 10:04 <DIR> d-------- C:\Program Files\iTunes
2008-08-14 10:04 . 2008-08-14 10:04 <DIR> d-------- C:\Program Files\iPod
2008-08-13 23:45 . 2008-08-13 23:45 <DIR> d-------- C:\Documents and Settings\Miles\Application Data\Pegasys Inc
2008-08-13 21:53 . 2008-08-15 12:54 <DIR> d-------- C:\Documents and Settings\Miles\Application Data\uTorrent
2008-08-13 21:47 . 2008-08-15 22:34 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-08-13 11:18 . 2008-08-13 11:18 <DIR> d-------- C:\Program Files\SEC
2008-08-13 11:18 . 2003-02-24 16:20 827,392 -ra------ C:\WINDOWS\system32\Flash.ocx
2008-07-27 00:47 . 2008-07-27 00:47 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2008-07-27 00:24 . 2008-07-27 00:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 22:02 --------- d-----w C:\Documents and Settings\Miles\Application Data\OpenOffice.org2
2008-08-26 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-15 23:20 --------- d-----w C:\Program Files\DivX
2008-08-15 05:04 --------- d-----w C:\Documents and Settings\Miles\Application Data\Canon
2008-08-13 18:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 07:53 --------- d-----w C:\Documents and Settings\Miles\Application Data\Apple Computer
2008-07-26 04:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-26 00:22 --------- d-----w C:\Documents and Settings\Miles\Application Data\Download Manager
2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-07-25 08:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\ALM
2008-07-25 06:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-25 05:48 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-07-25 04:42 --------- d-----w C:\Documents and Settings\Miles\Application Data\U3
2008-07-24 20:37 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-23 23:30 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-23 23:06 --------- d-----w C:\Program Files\Google
2008-07-23 23:05 --------- d-----w C:\Program Files\Picasa2
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-23 13:59 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-23 07:36 --------- d-----w C:\Program Files\Stardock
2008-07-23 06:34 --------- d-----w C:\Documents and Settings\Miles\Application Data\Libronix DLS
2008-07-23 06:32 --------- d-----w C:\Program Files\Libronix DLS
2008-07-23 06:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Libronix DLS
2008-07-22 19:37 --------- d-----w C:\Program Files\Avira
2008-07-22 19:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-07-22 01:46 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-21 22:09 --------- d-----w C:\Program Files\Hewlett-Packard
2008-07-21 22:05 --------- d-----w C:\Program Files\Canon
2008-07-21 09:39 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-07-21 09:38 --------- d-----w C:\Program Files\Nero
2008-07-21 09:38 --------- d-----w C:\Program Files\Common Files\Ahead
2008-07-21 09:17 --------- d-----w C:\Program Files\AC3Filter
2008-07-21 09:11 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-07-21 09:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-07-21 09:00 --------- d-----w C:\Program Files\InterActual
2008-07-21 08:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\LightScribe
2008-07-21 08:46 --------- d-----w C:\Program Files\Nero(2)
2008-07-21 08:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero(2)
2008-07-21 06:10 --------- d-----w C:\Program Files\T-Mobile Dash User Manual
2008-07-20 08:14 --------- d-----w C:\Program Files\Western Digital
2008-07-19 06:27 --------- d-----w C:\Program Files\QuickTime
2008-07-19 01:06 --------- d-----w C:\Documents and Settings\Miles\Application Data\Ahead
2008-07-19 01:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-07-16 07:34 --------- d-----w C:\Documents and Settings\Miles\Application Data\DivX
2008-07-14 18:43 --------- d-----w C:\Program Files\LucasArts
2008-07-14 18:43 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-14 09:28 --------- d-----w C:\Program Files\Ubi Soft
2008-07-14 06:52 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-07-14 06:52 --------- d-----w C:\Program Files\Java
2008-07-14 06:46 --------- d-----w C:\Program Files\Bonjour
2008-07-14 06:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-14 06:45 --------- d-----w C:\Program Files\Common Files\Apple
2008-07-14 06:45 --------- d-----w C:\Program Files\Apple Software Update
2008-07-14 06:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-07-14 06:26 --------- d-----w C:\Program Files\Common Files\Java
2008-07-14 04:45 --------- d-----w C:\Program Files\Audacity
2008-07-14 04:41 --------- d-----w C:\Program Files\Xtreme Sound PCI
2008-07-14 04:40 --------- d-----w C:\Program Files\Xtreme Sound Setup Files
2008-07-13 23:09 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-07-13 23:09 --------- d-----w C:\Program Files\Realtek
2008-07-13 23:02 --------- d-----w C:\Documents and Settings\Miles\Application Data\InstallShield
2008-07-13 22:57 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((( snapshot@2008-08-26_15.04.36.98 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-26 22:29:46 10,134 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\ARPPRODUCTICON.exe
+ 2008-08-26 22:29:46 49,152 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\CCAAgent.exe_F1E29B0E94A44304B9934829FC2ED56C.exe
+ 2008-08-26 22:29:46 49,152 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\CCAAgent.exe1_F1E29B0E94A44304B9934829FC2ED56C.exe
+ 2008-08-26 22:29:46 45,056 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\NewShortcut2_040103006D724D54868691D884A27B5C.exe
+ 2008-08-26 22:29:46 8,854 ----a-r C:\WINDOWS\Installer\{04010300-6D72-4D54-8686-91D884A27B5C}\Uninstall_CCAAgent_I_F1E29B0E94A44304B9934829FC2ED56C.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 05:00 15360]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 17:36 455968]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-01-08 10:53 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-01-08 10:53 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 13:21 61440]
"Adobe Acrobat Speed Launcher"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 02:25 37232]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 22:43 640376]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"nwiz"="nwiz.exe" [2008-01-08 10:53 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-26 23:20 16844800 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-08-02 22:22 1826816 C:\WINDOWS\SkyTel.exe]

C:\Documents and Settings\Miles\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 16:41:28 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-07 17:12:50 28672]
NCProTray.lnk - C:\Program Files\SEC\Natural Color Pro\NCProTray.exe [2008-08-13 11:18:16 49220]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-07-10 16:02 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ed3a8fd-5771-11dd-be55-000f66175a01}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{299f6c2b-69bc-11dd-be69-000f66175a01}]
\Shell\AutoRun\command - G:\wdsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-08-16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Miles\Application Data\Mozilla\Firefox\Profiles\e8gakprx.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1273.1045\npCIDetect12.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 15:39:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-26 15:40:02
ComboFix-quarantined-files.txt 2008-08-26 22:40:00
ComboFix2.txt 2008-08-26 22:05:01

Pre-Run: 422,796,144,640 bytes free
Post-Run: 422,786,461,696 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

209 --- E O F --- 2008-08-15 03:54:34

and the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:49:09 PM, on 8/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Miles\Desktop\fluffybunny.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: NCProTray.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FD12AEA-BB8E-4C17-9889-87ED8F05E8A5}: NameServer = 68.105.28.11,68.105.29.11
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8154 bytes
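An added example, not code from this thread or from ComboFix or HijackThis: a small Python triage script that pulls out the lines a responder looks at first in logs like the two above, namely the O17 NameServer entries (the resolvers to compare against the ISP's, since a redirecting infection may point them elsewhere), running processes with a doubled extension or launched from a user profile directory, and the files ComboFix removed from system32 grouped by name prefix so that a component set such as tdss* is visible as one item. The sample inputs are constructed from lines quoted in this post; the section boundaries it parses on and the four-character prefix heuristic are my assumptions about the log layout, not documented formats of either tool.

```python
import re
from collections import defaultdict

# Constructed excerpt: a few lines copied from the HijackThis log in this post.
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Miles\Desktop\fluffybunny.exe.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FD12AEA-BB8E-4C17-9889-87ED8F05E8A5}: NameServer = 68.105.28.11,68.105.29.11
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Constructed excerpt: the "Other Deletions" block from the first ComboFix run.
SAMPLE_COMBOFIX = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Miles\Application Data\macromedia\Flash Player\#SharedObjects\TK77GD7F\interclick.com\ud.sol
C:\WINDOWS\system32\aauivxea.dll
C:\WINDOWS\system32\byXPIxuS.dll
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssservers.dat

.
((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
"""

_PATH_RE = re.compile(r"^[A-Za-z]:\\")
_DOUBLE_EXT_RE = re.compile(r"\.(exe|com|scr|pif|bat|cmd)\.(exe|com|scr|pif|bat|cmd)$", re.I)
_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Documents and Settings\\[^\\]+\\", re.I)


def running_processes(hjt_text):
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs, in_block = [], False
    for line in hjt_text.splitlines():
        if line.strip().lower() == "running processes:":
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def hjt_entries(hjt_text, code):
    """Remainder of every HijackThis line that starts with the given code, e.g. 'O17'."""
    prefix = code + " - "
    return [l[len(prefix):].strip() for l in hjt_text.splitlines() if l.startswith(prefix)]


def nameservers(hjt_text):
    """DNS servers set per interface (O17 entries), in log order."""
    servers = []
    for entry in hjt_entries(hjt_text, "O17"):
        m = re.search(r"NameServer\s*=\s*([0-9.,\s]+)$", entry)
        if m:
            servers.extend(s.strip() for s in m.group(1).split(",") if s.strip())
    return servers


def suspicious_processes(hjt_text):
    """Processes with a doubled executable extension or running from a user profile."""
    return [p for p in running_processes(hjt_text)
            if _DOUBLE_EXT_RE.search(p) or _PROFILE_RE.match(p)]


def combofix_deletions(cf_text):
    """Paths in ComboFix's 'Other Deletions' section, stopped at the next banner."""
    paths, in_block = [], False
    for line in cf_text.splitlines():
        if "Other Deletions" in line:
            in_block = True
            continue
        if in_block and "((((" in line:  # next section banner
            break
        if in_block and _PATH_RE.match(line.strip()):
            paths.append(line.strip())
    return paths


def system32_families(paths, prefix_len=4):
    """Group deleted system32 files by a short name prefix (heuristic, assumed here).
    Several names sharing a prefix (tdss*) usually belong to one component set."""
    fams = defaultdict(list)
    for p in paths:
        m = re.match(r"^[A-Za-z]:\\WINDOWS\\system32\\([^\\]+)$", p, re.I)
        if m:
            fams[m.group(1)[:prefix_len].lower()].append(m.group(1))
    return dict(fams)


def triage(hjt_text, cf_text):
    """Summary a responder could paste into a reply."""
    fams = system32_families(combofix_deletions(cf_text))
    return {
        "nameservers": nameservers(hjt_text),
        "suspicious_processes": suspicious_processes(hjt_text),
        "deleted_system32_families": {k: v for k, v in fams.items() if len(v) >= 2},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HJT, SAMPLE_COMBOFIX).items():
        print(f"{key}: {value}")
```

Run it against a full pair of logs by replacing the two sample strings with the file contents; the O17 resolvers it prints are only meaningful once compared with the addresses the ISP actually hands out, which the script cannot know.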

#12 all_4_dios (Topic Starter, Members, 31 posts)

Posted 26 August 2008 - 06:41 PM

Oh, and also, it's running a lot better right now. The Internet is now free of pop-ups and it is actually working. Thanks! I'm not sure if there are any other infections on the computer or not, but I'm sure you will be able to tell. Again, thanks so much for your help!! Next step?

#13 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 27 August 2008 - 08:01 AM

Hello All 4 Dios.

It looks like you ran ComboFix twice. I want to see the first report located here:
C:\qoobox\ComboFix2.txt
Please copy that into your next reply.

If you don't mind my asking, do you live in Louisiana? I ask because your IP traces back to there.

From the looks of those logs, we are almost done. I want to do some updating and run a scan to check our work.

Update Java to Version 6 Update 7
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please then install the latest Java from this page. Follow the prompts and select the appropriate settings for your machine. Click on the "Required File" jdk-6u7-windows-i586-p.exe to download the installer. Double click the installer to run. Delete the installer after use.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

------------
Please post back with:
-the old ComboFix log
-the Kaspersky scan results
-a new HijackThis log

Are there other problems?

With Regards,
The Panda

#14 all_4_dios (Topic Starter, Members, 31 posts)

Posted 28 August 2008 - 02:49 AM

KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 28, 2008 06:55:50
Records in database: 1153664
Scan settings
  Scan using the following database: extended
  Scan archives: yes
  Scan mail databases: yes

Scan area: My Computer
  A:\
  C:\
  D:\
  E:\
  F:\

Scan statistics
  Files scanned: 106928
  Threat name: 0
  Infected objects: 0
  Suspicious objects: 0
  Duration of the scan: 00:37:56

No malware has been detected. The scan area is clean.
The selected area was scanned.



ComboFix 08-08-26.01 - Miles 2008-08-26 14:54:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1599 [GMT -7:00]
Running from: C:\Documents and Settings\Miles\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Miles\Application Data\macromedia\Flash Player\#SharedObjects\TK77GD7F\bin.clearspring.com
C:\Documents and Settings\Miles\Application Data\macromedia\Flash Player\#SharedObjects\TK77GD7F\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Miles\Application Data\macromedia\Flash Player\#SharedObjects\TK77GD7F\interclick.com
C:\Documents and Settings\Miles\Application Data\macromedia\Flash Player\#SharedObjects\TK77GD7F\interclick.com\ud.sol
C:\Documents and Settings\Miles\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Miles\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Miles\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Miles\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\aauivxea.dll
C:\WINDOWS\system32\byXPIxuS.dll
C:\WINDOWS\system32\efcAPHYS.dll
C:\WINDOWS\system32\jebowqyx.ini
C:\WINDOWS\system32\lgmnjojm.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlJDUMGW.dll
C:\WINDOWS\system32\nkaoxupv.ini
C:\WINDOWS\system32\qqdcuy.dll
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\vpuxoakn.dll
C:\WINDOWS\system32\WGMUDJlm.ini
C:\WINDOWS\system32\WGMUDJlm.ini2
C:\WINDOWS\system32\wwndkr.dll
C:\WINDOWS\system32\xyqwobej.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.

2008-08-15 22:53 . 2008-08-15 22:53 <DIR> d-------- C:\Program Files\Sygate
2008-08-15 22:53 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-08-15 22:53 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-08-15 22:53 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-08-15 22:53 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-08-15 22:53 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-08-15 22:53 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-08-15 22:53 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-08-15 22:05 . 2008-08-15 22:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-15 22:05 . 2008-08-15 22:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-15 22:04 . 2008-08-15 22:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-15 16:01 . 2008-08-15 16:01 <DIR> d-------- C:\Documents and Settings\Miles\Application Data\MOVAVI
2008-08-15 16:00 . 2008-08-15 16:07 <DIR> d-------- C:\Program Files\Movavi EnhanceMovie 3
2008-08-15 13:34 . 2008-08-15 13:34 <DIR> d-------- C:\Program Files\Smart Projects
2008-08-15 13:08 . 2008-08-15 13:08 <DIR> d-------- C:\Program Files\ImgBurn
2008-08-15 13:08 . 2008-08-15 13:13 <DIR> d-------- C:\Documents and Settings\Miles\Application Data\ImgBurn
2008-08-15 12:53 . 2008-08-15 12:53 <DIR> d-------- C:\Documents and Settings\Miles\Application Data\DAEMON Tools
2008-08-14 22:58 . 2008-08-14 22:58 36,363 --a------ C:\WINDOWS\CSTBox.INI
2008-08-14 10:04 . 2008-08-14 10:04 <DIR> d-------- C:\Program Files\iTunes
2008-08-14 10:04 . 2008-08-14 10:04 <DIR> d-------- C:\Program Files\iPod
2008-08-13 23:45 . 2008-08-13 23:45 <DIR> d-------- C:\Documents and Settings\Miles\Application Data\Pegasys Inc
2008-08-13 21:53 . 2008-08-15 12:54 <DIR> d-------- C:\Documents and Settings\Miles\Application Data\uTorrent
2008-08-13 21:47 . 2008-08-15 22:34 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-08-13 11:18 . 2008-08-13 11:18 <DIR> d-------- C:\Program Files\SEC
2008-08-13 11:18 . 2003-02-24 16:20 827,392 -ra------ C:\WINDOWS\system32\Flash.ocx
2008-07-27 00:47 . 2008-07-27 00:47 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2008-07-27 00:24 . 2008-07-27 00:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 21:53 --------- d-----w C:\Documents and Settings\Miles\Application Data\OpenOffice.org2
2008-08-26 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-15 23:20 --------- d-----w C:\Program Files\DivX
2008-08-15 05:04 --------- d-----w C:\Documents and Settings\Miles\Application Data\Canon
2008-08-13 18:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 07:53 --------- d-----w C:\Documents and Settings\Miles\Application Data\Apple Computer
2008-07-26 04:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-26 00:22 --------- d-----w C:\Documents and Settings\Miles\Application Data\Download Manager
2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-07-25 08:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\ALM
2008-07-25 06:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-25 05:48 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-07-25 04:42 --------- d-----w C:\Documents and Settings\Miles\Application Data\U3
2008-07-24 20:37 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-23 23:30 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-23 23:06 --------- d-----w C:\Program Files\Google
2008-07-23 23:05 --------- d-----w C:\Program Files\Picasa2
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-23 13:59 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-23 07:36 --------- d-----w C:\Program Files\Stardock
2008-07-23 06:34 --------- d-----w C:\Documents and Settings\Miles\Application Data\Libronix DLS
2008-07-23 06:32 --------- d-----w C:\Program Files\Libronix DLS
2008-07-23 06:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Libronix DLS
2008-07-22 19:37 --------- d-----w C:\Program Files\Avira
2008-07-22 19:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-07-22 01:46 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-21 22:09 --------- d-----w C:\Program Files\Hewlett-Packard
2008-07-21 22:05 --------- d-----w C:\Program Files\Canon
2008-07-21 09:39 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-07-21 09:38 --------- d-----w C:\Program Files\Nero
2008-07-21 09:38 --------- d-----w C:\Program Files\Common Files\Ahead
2008-07-21 09:17 --------- d-----w C:\Program Files\AC3Filter
2008-07-21 09:11 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-07-21 09:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-07-21 09:00 --------- d-----w C:\Program Files\InterActual
2008-07-21 08:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\LightScribe
2008-07-21 08:46 --------- d-----w C:\Program Files\Nero(2)
2008-07-21 08:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero(2)
2008-07-21 06:10 --------- d-----w C:\Program Files\T-Mobile Dash User Manual
2008-07-20 08:14 --------- d-----w C:\Program Files\Western Digital
2008-07-19 06:27 --------- d-----w C:\Program Files\QuickTime
2008-07-19 01:06 --------- d-----w C:\Documents and Settings\Miles\Application Data\Ahead
2008-07-19 01:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-07-16 07:34 --------- d-----w C:\Documents and Settings\Miles\Application Data\DivX
2008-07-14 18:43 --------- d-----w C:\Program Files\LucasArts
2008-07-14 18:43 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-14 09:28 --------- d-----w C:\Program Files\Ubi Soft
2008-07-14 06:52 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-07-14 06:52 --------- d-----w C:\Program Files\Java
2008-07-14 06:46 --------- d-----w C:\Program Files\Bonjour
2008-07-14 06:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-14 06:45 --------- d-----w C:\Program Files\Common Files\Apple
2008-07-14 06:45 --------- d-----w C:\Program Files\Apple Software Update
2008-07-14 06:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-07-14 06:26 --------- d-----w C:\Program Files\Common Files\Java
2008-07-14 04:45 --------- d-----w C:\Program Files\Audacity
2008-07-14 04:41 --------- d-----w C:\Program Files\Xtreme Sound PCI
2008-07-14 04:40 --------- d-----w C:\Program Files\Xtreme Sound Setup Files
2008-07-13 23:09 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-07-13 23:09 --------- d-----w C:\Program Files\Realtek
2008-07-13 23:02 --------- d-----w C:\Documents and Settings\Miles\Application Data\InstallShield
2008-07-13 22:57 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 05:00 15360]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 17:36 455968]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-01-08 10:53 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-01-08 10:53 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 13:21 61440]
"Adobe Acrobat Speed Launcher"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 02:25 37232]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 22:43 640376]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"nwiz"="nwiz.exe" [2008-01-08 10:53 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-26 23:20 16844800 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-08-02 22:22 1826816 C:\WINDOWS\SkyTel.exe]

C:\Documents and Settings\Miles\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 16:41:28 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
NCProTray.lnk - C:\Program Files\SEC\Natural Color Pro\NCProTray.exe [2008-08-13 11:18:16 49220]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-07-10 16:02 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ed3a8fd-5771-11dd-be55-000f66175a01}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{299f6c2b-69bc-11dd-be69-000f66175a01}]
\Shell\AutoRun\command - G:\wdsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-08-16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CmPCIaudio - CMICNFG3.CPL


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Miles\Application Data\Mozilla\Firefox\Profiles\e8gakprx.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1273.1045\npCIDetect12.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 15:00:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-26 15:05:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-26 22:04:55

Pre-Run: 422,848,061,440 bytes free
Post-Run: 422,923,829,248 bytes free

242 --- E O F --- 2008-08-15 03:54:34


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:05 AM, on 8/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Miles\Desktop\fluffybunny.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: NCProTray.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FD12AEA-BB8E-4C17-9889-87ED8F05E8A5}: NameServer = 68.105.28.11,68.105.29.11
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8640 bytes


Thanks so much! Hope this helps! My computer seems to be running fine now! Internet is working and all. Running fast again. Let me know if there is anything else on my system that is causing it to slow. Thanks!
-Miles
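The HijackThis log above is the kind of thing a helper reads by hand: the process list, the O4 autostart entries and the O17 per-interface NameServer line are where search-redirect and autostart problems usually show up. The script below is an added example written for this page, not code from HijackThis, ComboFix or the BleepingComputer helpers. It parses those three sections in the format shown above and flags DNS servers that are not on an allowlist the reviewer supplies, plus autostart entries and processes launched from user-writable paths or carrying a double extension. A flag is a prompt to look, not a verdict (the helper judged the real log clean). TRUSTED_DNS is a placeholder assumption, and the sample log is constructed to mirror the thread's format.

```python
"""Triage of HijackThis-style log lines (added example, not the tool's own code)."""
import re
from dataclasses import dataclass
from typing import List

# Assumption: the resolvers the ISP or administrator is known to hand out.
TRUSTED_DNS = {"68.105.28.11", "68.105.29.11"}

USER_WRITABLE = re.compile(
    r"\\(Documents and Settings|Users)\\[^\\]+\\"
    r"(Desktop|Local Settings\\Temp|Application Data)\\"
    r"|\\WINDOWS\\Temp\\",
    re.IGNORECASE,
)
DOUBLE_EXT = re.compile(r"\.(exe|scr|com|bat|pif)\.(exe|scr|com|bat|pif)$", re.IGNORECASE)
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
RUN_NAME_RE = re.compile(r"^\[[^\]]*\]\s*")  # the [EntryName] prefix of an O4 Run line
# First token ending in an executable extension; handles unquoted paths with spaces.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|com|bat|pif|cpl))(?:[\s,]|$)", re.IGNORECASE)


@dataclass
class Finding:
    category: str  # "process", "autostart" or "dns"
    detail: str


def extract_path(entry: str) -> str:
    """Pull the executable path out of an O4 entry: a quoted or unquoted
    command line, or the 'shortcut.lnk = target' form."""
    entry = RUN_NAME_RE.sub("", entry)
    if " = " in entry:
        entry = entry.split(" = ", 1)[1]
    entry = entry.strip()
    if entry.startswith('"'):
        return entry[1:].split('"', 1)[0]
    m = EXE_RE.match(entry)
    return m.group(1) if m else entry.split(" ", 1)[0]


def check_path(kind: str, path: str, findings: List[Finding]) -> None:
    if path == "?":  # HijackThis prints '?' when it cannot resolve a shortcut target
        return
    if USER_WRITABLE.search(path):
        findings.append(Finding(kind, f"runs from user-writable location: {path}"))
    if DOUBLE_EXT.search(path):
        findings.append(Finding(kind, f"double extension: {path}"))


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and collect the items a reviewer checks first."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:  # blank line ends the process list
                in_processes = False
            else:
                check_path("process", line, findings)
            continue
        m = O17_RE.match(line)
        if m:
            for server in m.group(1).split(","):
                server = server.strip()
                if server not in TRUSTED_DNS:
                    findings.append(Finding("dns", f"NameServer not on allowlist: {server}"))
        elif line.startswith("O4 - "):
            parts = line.split(": ", 1)
            if len(parts) == 2:
                check_path("autostart", extract_path(parts[1]), findings)
    return findings


# Constructed sample in the thread's format; the Temp entry and the second
# O17 line are invented to exercise the checks.
SAMPLE_LOG = "\n".join([
    r"Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe",
    r"C:\Documents and Settings\Miles\Desktop\fluffybunny.exe.exe",
    r"",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Miles\Local Settings\Temp\svchost.exe",
    r"O4 - Global Startup: NCProTray.lnk = ?",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{9FD12AEA-BB8E-4C17-9889-87ED8F05E8A5}: NameServer = 68.105.28.11,68.105.29.11",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-CONSTRUCTED-0000}: NameServer = 192.0.2.53",
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}")
```

Run against the sample it reports the Desktop process twice (user-writable path and double extension), the Temp autostart entry once and the constructed 192.0.2.53 resolver once; the Avira and ctfmon entries pass. Extend TRUSTED_DNS with whatever your ISP or network actually hands out before trusting the DNS check.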

#15 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:10 PM

Posted 28 August 2008 - 09:51 AM

Hello All 4 Dios. Your computer is clean. Thanks to the Coach Shaba for supervising our work.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hides file extensions and hidden/system files.
  • Clears System Restore cache and creates new restore point.
Preventing Malware Infection in the Future
Please also have a look at the following links, giving some advice and suggestions for preventing future infections: I recommend you regularly visit the Windows Update Site.
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, you will find a nice little article about turning on automatic updates here.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Another recommendation is to download HostsMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Start Menu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one.
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  • Click the X to exit the program.
    Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for choosing Bleeping Computer as your malware removal source. Be sure to tell your friends about us!
-------------------
If your issues have since been resolved, say so we can close this topic.

With Regards,
The Panda
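A blocking hosts file of the kind HostsMan maintains works by pointing unwanted hostnames at 0.0.0.0 or 127.0.0.1 so the browser never reaches them. The same file is also a favourite target of malware, which maps update and antivirus sites to loopback or to an attacker's address to cut off fixes (HijackThis lists such lines as O1 entries), so it pays to audit the file as well as install a blocklist. The script below is an added example written for this page, not HostsMan's code or anything the helper posted: audit_hosts() separates sinkhole entries from redirects of sensitive domains, and merge_hosts() carries a user's own custom entries over when a fresh blocklist is installed, the step the post says you would otherwise have to redo by hand. SENSITIVE_SUFFIXES and the sample file contents are assumptions constructed for the example.

```python
"""Hosts-file audit and merge (added example, not HostsMan's code)."""
import ipaddress
from typing import Dict, List, Tuple

BLOCK_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Assumption: domains that must never be blocked or redirected on this machine.
SENSITIVE_SUFFIXES = ("windowsupdate.com", "microsoft.com", "avira.com", "bleepingcomputer.com")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments, blanks and malformed lines are skipped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # left column is not an IP address; do not guess
        for host in parts[1:]:
            entries.append((addr, host.lower()))
    return entries


def is_sensitive(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in SENSITIVE_SUFFIXES)


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Classify entries: 'blocked' (sinkholed), 'hijacked' (a sensitive domain
    pointed anywhere at all) and 'redirected' (other names sent to a real address)."""
    report: Dict[str, List[str]] = {"blocked": [], "hijacked": [], "redirected": []}
    for addr, host in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        if is_sensitive(host):
            report["hijacked"].append(f"{host} -> {addr}")
        elif addr in BLOCK_TARGETS:
            report["blocked"].append(host)
        else:
            report["redirected"].append(f"{host} -> {addr}")
    return report


def merge_hosts(custom_text: str, blocklist_text: str) -> str:
    """Rebuild a hosts file: the user's own entries first, then blocklist
    entries for every hostname the user has not already defined."""
    custom = parse_hosts(custom_text)
    seen = {host for _, host in custom}
    lines = ["# custom entries (preserved)"]
    lines += [f"{addr}\t{host}" for addr, host in custom]
    lines.append("# blocklist entries")
    for addr, host in parse_hosts(blocklist_text):
        if host not in seen:
            lines.append(f"{addr}\t{host}")
            seen.add(host)
    return "\n".join(lines) + "\n"


# Constructed sample: blocklist lines, one silent redirect and two entries
# of the kind malware writes to cut off updates.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net
127.0.0.1       tracker.example.org     # blocklist entry
203.0.113.7     www.example.com         # silent redirect, not a block
127.0.0.1       download.avira.com      # AV update site pinned to loopback
203.0.113.7     update.microsoft.com    # update site sent elsewhere
"""

if __name__ == "__main__":
    for kind, items in audit_hosts(SAMPLE_HOSTS).items():
        print(kind, items)
```

On Windows XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts; run the audit on a copy before and after installing a blocklist. Any 'hijacked' line deserves a look even if it points at loopback, since a blocklist that silences your antivirus vendor is worse than no blocklist.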



