
Comp's Running Real Slowly, Think It's Still Infected


16 replies to this topic

#1 mdk5000000

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 17 September 2008 - 04:19 PM

Hey, I have no idea what to do about my comp. So, before I did everything in the prep guide on the forums, my comp had been running slowly (system resources spiking to 100), explorer.exe doesn't run on startup, and I would keep getting a blue screen every so often that prompted me to reset my comp (pressing any key would bring me back to desktop).

So I ran through the prep guide, did a scan with Kaspersky and got the log, and the blue screens have stopped, but the resources are still spiking and explorer.exe still doesn't run on startup. No idea what else to do, I'm hoping this problem is workable. Here are my HijackThis and Kaspersky scanner logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:56 PM, on 9/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1098640
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)
O2 - BHO: {c1d8388c-d8f0-1f99-d5b4-645f36600176} - {67100663-f546-4b5d-99f1-0f8dc8838d1c} - C:\WINDOWS\system32\ksvvdd.dll
O2 - BHO: (no name) - {7464E5F6-2545-4F9D-89BC-8C920203F31C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8517A4F2-18AD-4728-9627-341224EFD36C} - (no file)
O2 - BHO: (no name) - {8AF7B16F-3BA3-49E8-A079-B86E5E5A7364} - (no file)
O2 - BHO: BndBlock4 BHO Class - {8F9E2BE3-766D-4831-BB0E-766D5B819995} - C:\Program Files\QdrDrive\QdrDrive9.dll (file missing)
O2 - BHO: (no name) - {91930200-8B19-4C61-87CA-8C97BF98E471} - (no file)
O2 - BHO: (no name) - {9653C155-8967-4F34-A074-98E0EA792A9D} - (no file)
O2 - BHO: (no name) - {B6485038-4169-4F7C-9C87-FE740FC87F31} - C:\WINDOWS\system32\byXPFXnM.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - (no file)
O2 - BHO: (no name) - {D60E0AA3-0AE2-4029-8C8F-BEC7E0419F4d} - C:\WINDOWS\system32\hfjyliru.dll (file missing)
O3 - Toolbar: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
O3 - Toolbar: fdkowvbp - {EF4940D2-F131-4412-BB03-4E40FCE06EC7} - C:\WINDOWS\fdkowvbp.dll (file missing)
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [50a2187a] rundll32.exe "C:\WINDOWS\system32\kdhctyrt.dll",b
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137900862734
O20 - AppInit_DLLs: ksvvdd.dll
O20 - Winlogon Notify: fccdcax - fccdcax.dll (file missing)
O21 - SSODL: eqvwamkl - {8CF1733A-69A7-44E1-82B6-762FE98826FF} - C:\WINDOWS\eqvwamkl.dll (file missing)
O21 - SSODL: wnslvxtf - {F02D7F97-4F20-4FA0-AE0D-42717F4A9CFB} - C:\WINDOWS\wnslvxtf.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe
O23 - Service: WLANKEEPER - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9389 bytes


KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, September 17, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, September 16, 2008 19:17:59
Records in database: 1242200
Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area: My Computer
C:\
D:\
F:\
Scan statistics
Files scanned: 64676
Threat name: 22
Infected objects: 104
Suspicious objects: 0
Duration of the scan: 14:31:08

File name Threat name Threats count
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\1.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\10.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\11.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\12.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\13.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\14.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\15.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\16.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\17.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\18.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\19.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\1A.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\1B.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\1D.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\1E.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\1F.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\2.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\20.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\21.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\22.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\23.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\24.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\25.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\26.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\27.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\28.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\29.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\2A.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\2B.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\2C.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\2D.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\2E.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\2F.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\3.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\30.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\31.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\32.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\33.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\34.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\35.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\36.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\37.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\38.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\39.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\4.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\6.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\7.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\8.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\A.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\aifasoii.exe.bac_a03552 Infected: Trojan-Downloader.Win32.Agent.gwe 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\aqsmfrqn.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.Virtumonde.aema 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\B.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\biflkkut.dll.bac_a03552 Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\C.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\cmlgpdue.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.SuperJuan.cat 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\cscqdlmu.dll.bac_a00648 Infected: Trojan.Win32.Monder.bmc 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\D.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\dmpjsrqx.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.BHO.cbd 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\E.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\eckliqdk.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.BHO.cbd 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\encllxkf.dll.bac_a03552 Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\epgckz.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.SuperJuan.cdg 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\ewjcsklq.dll.bac_a00648 Infected: Trojan.Win32.Monder.bcb 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\F.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\fanysheu.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.Virtumonde.aeud 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\fjqccots.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.BHO.cbd 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\fucfyj.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.Virtumonde.aeue 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\fxaxwljs.exe.bac_a03552 Infected: Trojan-Downloader.Win32.Agent.gwe 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\gnocfnem.exe.bac_a03552 Infected: Trojan-Downloader.Win32.Agent.gwe 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\hfjyliru.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.BHO.cgs 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\igenacta.dll.bac_a00648 Infected: Trojan.Win32.Monder.awj 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\iyatercs.dll.bac_a00648 Infected: Trojan.Win32.Monder.bde 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\jgplphoo.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.SuperJuan.cdg 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\jrbcwwgs.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.BHO.cbd 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\kdhctyrt.dll.bac_a00648 Infected: Trojan.Win32.Monder.cep 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\kqscxatf.dll.bac_a03552 Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\lphc9dcj0e5a9.exe.bac_a00648 Infected: Trojan-Downloader.Win32.Small.yqe 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\ndyhjtuh.exe.bac_a03552 Infected: Trojan-Downloader.Win32.Agent.gwe 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\nyhjmqaa.dll.bac_a00648 Infected: Trojan.Win32.Monder.bbw 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\oduxtchg.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.SuperJuan.cdg 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\oespnqox.exe.bac_a03552 Infected: Trojan-Downloader.Win32.Agent.gwe 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\ogxistiw.dll.bac_a00648 Infected: Trojan.Win32.Monder.bmc 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\pphc9dcj0e5a9.exe.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\pvdikskq.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.BHO.cbd 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\pzhbxq.dll.bac_a00648 Infected: Trojan.Win32.Monder.awg 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\QdrDrive9.dll.bac_a03552 Infected: not-a-virus:AdWare.Win32.AdBand.h 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\rljumacl.dll.bac_a00648 Infected: Trojan.Win32.Monder.awm 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\rvjryasy.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.SuperJuan.cqy 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\sjohnccs.exe.bac_a03552 Infected: Trojan-Downloader.Win32.Agent.gwe 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\styxnm.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.Virtumonde.aeud 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\swrpmi.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.Virtumonde.aeuc 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\syybuaxm.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.Virtumonde.aeue 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\tnreqthr.dll.bac_a00648 Infected: Trojan.Win32.Monder.awg 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\uiehsdso.dll.bac_a03552 Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\upbrrcrn.dll.bac_a03552 Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\vkdnss.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.SuperJuan.cdg 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\vslhxx.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.Virtumonde.aema 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\warfuegg.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.BHO.cbd 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\wlibdxiv.exe.bac_a03552 Infected: Trojan-Downloader.Win32.Agent.gwe 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\xnomlrfo.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.Virtumonde.aeuc 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\yumqctsd.dll.bac_a03552 Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\yyoyfceu.dll.bac_a03552 Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\zfjeao.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.SuperJuan.cqy 1
C:\WINDOWS\system32\ksvvdd.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cat 1
The selected area was scanned.


Everything else hadn't picked up what popped up on Kaspersky, so I guess those are missed infections? Anyways, I hope this is workable, and I await a reply. Thank you for your time, and I hope to hear a reply soon.
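As an added example (not a BleepingComputer or HijackThis tool, and not code from anyone in this thread), here is a small Python triage pass over HijackThis log lines that flags the entry types a helper scrutinises in a log like the one above: dead references ("(no file)" / "(file missing)"), O20/O21 system-wide load points, and rundll32 or unnamed BHO entries that load a random-named DLL. The sample lines are constructed in the HijackThis format, and the random-name rule is a heuristic of my own, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Heuristic triage of HijackThis log entries. The rules mirror what a helper
# looks at first: dead references, system-wide load points (AppInit_DLLs,
# Winlogon Notify, SSODL) and Run entries that load a random-named DLL.

ENTRY_RE = re.compile(r'^(?P<sec>O\d+|R\d|F\d) - (?P<body>.*)$')
DEAD_RE = re.compile(r'\s*\((?:no file|file missing)\)\s*$', re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.I)
# Sections that register system-wide load points.
HOOK_SECTIONS = {'O20', 'O21'}


@dataclass
class Finding:
    section: str
    severity: str  # 'high' = load point or random-named module, 'medium' = dead reference
    reason: str
    line: str


def looks_random(path: str) -> bool:
    """Heuristic (assumption, not a rule of the tool): a 6-8 letter file stem
    containing a run of four or more non-vowels (ksvvdd, kdhctyrt, byXPFXnM)
    is treated as machine-generated."""
    stem = re.sub(r'\.dll$', '', path.rsplit('\\', 1)[-1], flags=re.I)
    if not (6 <= len(stem) <= 8 and stem.isalpha()):
        return False
    return re.search(r'[^aeiouAEIOU]{4}', stem) is not None


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group('sec'), m.group('body')
    dead = DEAD_RE.search(body) is not None
    body = DEAD_RE.sub('', body)          # strip the marker before path checks
    suffix = ' (file missing)' if dead else ''

    if sec in HOOK_SECTIONS:
        return Finding(sec, 'high', 'system-wide load point' + suffix, line)
    rd = RUNDLL_RE.search(body)
    if rd and looks_random(rd.group('dll')):
        return Finding(sec, 'high', 'rundll32 loads random-named DLL' + suffix, line)
    if sec in ('O2', 'O3') and '(no name)' in body:
        target = body.rsplit(' - ', 1)[-1]   # last field is the module path
        if looks_random(target):
            return Finding(sec, 'high', 'unnamed BHO/toolbar with random-named DLL' + suffix, line)
    if dead:
        return Finding(sec, 'medium', 'dead reference to a missing file', line)
    return None


def triage(log: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log.splitlines()) if f is not None]


# Constructed sample in HijackThis format: legitimate entries (Java, Intel
# graphics, Lexmark, avast) mixed with the kinds of entries seen in the thread.
SAMPLE_LOG = r'''
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {B6485038-4169-4F7C-9C87-FE740FC87F31} - C:\WINDOWS\system32\byXPFXnM.dll
O2 - BHO: (no name) - {D60E0AA3-0AE2-4029-8C8F-BEC7E0419F4d} - C:\WINDOWS\system32\hfjyliru.dll (file missing)
O3 - Toolbar: fdkowvbp - {EF4940D2-F131-4412-BB03-4E40FCE06EC7} - C:\WINDOWS\fdkowvbp.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [50a2187a] rundll32.exe "C:\WINDOWS\system32\kdhctyrt.dll",b
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O20 - AppInit_DLLs: ksvvdd.dll
O20 - Winlogon Notify: fccdcax - fccdcax.dll (file missing)
O21 - SSODL: eqvwamkl - {8CF1733A-69A7-44E1-82B6-762FE98826FF} - C:\WINDOWS\eqvwamkl.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
'''

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity:6}] {f.section:4} {f.reason}: {f.line}')
```

On the sample the pass reports seven entries, six of them high, and leaves the Java, Intel, Lexmark and avast lines alone; a real log still needs a human to confirm each hit.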


#2 SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:42 AM

Posted 21 September 2008 - 09:40 PM

Hello mdk5000000,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5", click on Ignore for mbamext.dll.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 mdk5000000

  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 22 September 2008 - 01:37 PM

Thank you for the reply, SifuMike. Ok, so I ran that program you asked me to, and here's the Malwarebytes log:

Malwarebytes' Anti-Malware 1.28
Database version: 1193
Windows 5.1.2600 Service Pack 2

9/22/2008 11:07:55 AM
mbam-log-2008-09-22 (11-07-55).txt

Scan type: Quick Scan
Objects scanned: 51558
Time elapsed: 1 hour(s), 12 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 31
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 15
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\byXPFXnM.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ksvvdd.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67100663-f546-4b5d-99f1-0f8dc8838d1c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{67100663-f546-4b5d-99f1-0f8dc8838d1c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ecc0476c-8957-4617-a2fe-4a0503d8bbac} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ecc0476c-8957-4617-a2fe-4a0503d8bbac} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\bndblock4.band (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.bho (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.bho.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1fe2ebe5-42ff-4586-a144-ca420c84ff6a} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8f9e2be3-766d-4831-bb0e-766d5b819995} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca4f0d8d-5f2b-4f16-838a-8d52249eab21} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d4a714f6-af40-4425-b708-ff03cbbc0a84} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8f9e2be3-766d-4831-bb0e-766d5b819995} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca4f0d8d-5f2b-4f16-838a-8d52249eab21} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{1fe2ebe5-42ff-4586-a144-ca420c84ff6a} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ism (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BndBlock4.DLL (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fdkowvbp.bdnp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fdkowvbp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\50a2187a (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\eqvwamkl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wnslvxtf (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\byxpfxnm -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\byxpfxnm -> Delete on reboot.

Folders Infected:
C:\Program Files\QdrDrive (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Program Files\ISM (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\rhccdcj0e5a9 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\rhccdcj0e5a9\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\rhccdcj0e5a9\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\rhccdcj0e5a9\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\rhccdcj0e5a9\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\rhccdcj0e5a9\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\rhccdcj0e5a9\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\rhccdcj0e5a9\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\rhccdcj0e5a9\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\rhccdcj0e5a9\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\rhccdcj0e5a9\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ksvvdd.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\byXPFXnM.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\MnXFPXyb.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\MnXFPXyb.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\ISM\Uninstall.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\kwd.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\BM53912be6.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM53912be6.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


And here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:26 AM, on 9/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1098640
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)
O2 - BHO: (no name) - {7464E5F6-2545-4F9D-89BC-8C920203F31C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8517A4F2-18AD-4728-9627-341224EFD36C} - (no file)
O2 - BHO: (no name) - {8AF7B16F-3BA3-49E8-A079-B86E5E5A7364} - (no file)
O2 - BHO: (no name) - {91930200-8B19-4C61-87CA-8C97BF98E471} - (no file)
O2 - BHO: (no name) - {9653C155-8967-4F34-A074-98E0EA792A9D} - (no file)
O2 - BHO: (no name) - {D60E0AA3-0AE2-4029-8C8F-BEC7E0419F4d} - C:\WINDOWS\system32\hfjyliru.dll (file missing)
O3 - Toolbar: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
O3 - Toolbar: fdkowvbp - {EF4940D2-F131-4412-BB03-4E40FCE06EC7} - C:\WINDOWS\fdkowvbp.dll (file missing)
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137900862734
O20 - AppInit_DLLs: ksvvdd.dll
O20 - Winlogon Notify: fccdcax - fccdcax.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe
O23 - Service: WLANKEEPER - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8788 bytes


Also, I'm not receiving any more error messages popping up on startup, and explorer.exe now runs on startup. But system resources are still spiking in general. Hopefully the reason pops up in these logs? Thanks for your help, though, and I hope to hear back soon.
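The HijackThis log above is the kind of thing a helper reads by eye, looking for the same handful of persistence points that MalwareBytes flagged: an AppInit_DLLs entry (every process that links user32 loads that DLL), a Winlogon Notify package (runs inside winlogon.exe at logon), and Run keys or BHOs with random-looking names or files that no longer exist. The following is an added example, written for this page and not code from the thread, from HijackThis or from BleepingComputer, that applies those same checks to HJT-format lines. The sample lines are partly copied from the posted log and partly constructed (the `O4 ... [50a2187a]` line is made up to match the Run value MalwareBytes reported); the severity rules are this example's own heuristics, not anything HijackThis itself computes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in HijackThis v2 log format. Most lines are copied from the
# log posted in this thread; the [50a2187a] Run line is constructed to match the
# Run value MalwareBytes reported, not copied from the log.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8517A4F2-18AD-4728-9627-341224EFD36C} - (no file)
O2 - BHO: (no name) - {D60E0AA3-0AE2-4029-8C8F-BEC7E0419F4d} - C:\WINDOWS\system32\hfjyliru.dll (file missing)
O3 - Toolbar: fdkowvbp - {EF4940D2-F131-4412-BB03-4E40FCE06EC7} - C:\WINDOWS\fdkowvbp.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [50a2187a] rundll32.exe "C:\WINDOWS\system32\tvnumduv.dll",b
O20 - AppInit_DLLs: ksvvdd.dll
O20 - Winlogon Notify: fccdcax - fccdcax.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "O4 - HKLM\..\Run: [name] command"  ->  section "O4", body "HKLM\..\Run: [name] command"
HJT_LINE = re.compile(r"^([ROF]\d+)\s+-\s+(.*)$")
# Heuristic: an 8-character hex Run-value name containing at least one digit,
# such as "50a2187a"; legitimate names like "igfxtray" do not match.
RANDOM_HEX_NAME = re.compile(r"^(?=.*\d)[0-9a-f]{8}$")
# Heuristic: rundll32 loading a 6-9 letter DLL straight out of system32.
RUNDLL_SYS32_DLL = re.compile(r"rundll32.*\\system32\\[a-z]{6,9}\.dll", re.I)
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    severity: str  # "HIGH", "MEDIUM" or "INFO"
    section: str   # HJT section code, e.g. "O20"
    reason: str
    line: str


def classify(line: str) -> Finding:
    """Assign one severity to a single HijackThis log line."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return Finding("INFO", "?", "not an HJT entry line", line)
    section, body = m.group(1), m.group(2)
    orphan = any(mk in body for mk in ORPHAN_MARKERS)

    if section == "O20":
        if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            return Finding("HIGH", section,
                           "AppInit_DLLs injects a DLL into every user32-linked process", line)
        if body.startswith("Winlogon Notify:"):
            note = " (file missing: registration survived file removal)" if orphan else ""
            return Finding("HIGH", section,
                           "Winlogon notification package runs inside winlogon.exe" + note, line)

    if section == "O4":
        nm = re.search(r"\[([^\]]+)\]\s*(.*)$", body)
        if nm:
            name, cmd = nm.group(1), nm.group(2)
            if RANDOM_HEX_NAME.match(name) or RUNDLL_SYS32_DLL.search(cmd):
                return Finding("HIGH", section,
                               "Run value with random-looking name or rundll32 DLL in system32 (heuristic)", line)

    if orphan:
        return Finding("MEDIUM", section,
                       "registration points at a file that no longer exists (often left by removed malware)", line)
    if section in ("O2", "O3") and "(no name)" in body:
        return Finding("MEDIUM", section, "unnamed BHO/toolbar", line)
    return Finding("INFO", section, "no rule matched", line)


def triage(log_text: str) -> List[Finding]:
    """Classify every non-empty line of an HJT log, preserving order."""
    return [classify(ln) for ln in log_text.splitlines() if ln.strip()]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    return {sev: sum(1 for f in findings if f.severity == sev)
            for sev in ("HIGH", "MEDIUM", "INFO")}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        if f.severity != "INFO":
            print(f"{f.severity:6} {f.section:4} {f.reason}\n       {f.line.strip()}")
    print(summarize(results))
```

On the sample, the three HIGH findings are exactly the Vundo-style entries that MalwareBytes and, later, ComboFix removed (the Run value, AppInit_DLLs and the Winlogon Notify package); the MEDIUM ones are the orphaned BHO/toolbar registrations that ComboFix lists under ORPHANS REMOVED. The heuristics are deliberately narrow so that legitimate entries such as the Intel graphics tray or the avast! service stay at INFO.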

#4 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 September 2008 - 02:21 PM

Hi mdk5000000,

Please reboot your computer and run MalwareBytes again. Then post the MalwareBytes report.

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVAST Antivirus before running ComboFix, as it will prevent it from running.

AVAST will cause a BSOD unless you disable it like this:
[image not reproduced]


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time. It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.
If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - so if you need help, post your problem in the forum.

#5 mdk5000000

  • Topic Starter
  • Members
  • 11 posts

Posted 22 September 2008 - 05:08 PM

OK, so I re-ran MalwareBytes, and here's the log:

Malwarebytes' Anti-Malware 1.28
Database version: 1193
Windows 5.1.2600 Service Pack 2

9/22/2008 2:33:07 PM
mbam-log-2008-09-22 (14-33-07).txt

Scan type: Quick Scan
Objects scanned: 51357
Time elapsed: 20 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Then I followed the instructions for using and running ComboFix. Here's the log for that as well:

ComboFix 08-09-20.05 - Kevin 2008-09-22 14:37:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.616 [GMT -7:00]
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kevin\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\security toolbar
C:\Program Files\security toolbar\Uninstall.bat
C:\WINDOWS\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\daoaxcmq.ini
C:\WINDOWS\system32\ecbifjnl.ini
C:\WINDOWS\system32\fdkjlmyh.ini
C:\WINDOWS\system32\ihhkj.ini
C:\WINDOWS\system32\joxvjmlm.ini
C:\WINDOWS\system32\liqeebqc.ini
C:\WINDOWS\system32\mrhexusn.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\trytchdk.ini
C:\WINDOWS\system32\yjnhcvjv.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.

2008-09-22 09:46 . 2008-09-22 09:46 <DIR> d----c--- C:\Documents and Settings\Kevin\Application Data\Malwarebytes
2008-09-22 09:44 . 2008-09-22 09:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-22 09:44 . 2008-09-22 09:44 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-22 09:44 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-22 09:44 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-13 19:17 . 2008-09-13 19:17 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-13 19:17 . 2008-09-13 19:24 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-13 18:59 . 2008-09-13 18:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-16 17:07 --------- d-----w C:\Program Files\Lx_cats
2008-09-15 04:00 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-15 04:00 --------- d-----w C:\Program Files\RegCleaner
2008-09-15 02:25 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-15 01:53 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-14 22:59 --------- d-----w C:\Program Files\Wesnoth
2008-09-14 22:58 --------- d-----w C:\Program Files\WC3Banlist
2008-09-14 22:56 --------- d-----w C:\Program Files\Telltale Games
2008-07-30 04:12 --------- d-----w C:\Program Files\ZyX
2008-07-30 04:10 --------- d-----w C:\Program Files\free-downloads.net
2008-07-28 02:05 --------- dc----w C:\Documents and Settings\Kevin\Application Data\Azureus
2008-07-27 23:07 --------- d-----w C:\Program Files\Total Video Converter
2008-07-23 05:07 --------- d-----w C:\Program Files\SpywareBlaster
2008-07-23 05:04 --------- dc----w C:\Documents and Settings\Kevin\Application Data\Orbit
2008-07-22 06:33 --------- d-----w C:\Program Files\AviSynth 2.5
2008-07-22 06:20 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-07-22 06:20 --------- d-----w C:\Program Files\AVS4YOU
2008-07-22 05:55 --------- dc----w C:\Documents and Settings\Kevin\Application Data\AVS4YOU
2008-07-22 05:55 --------- dc----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-07-22 05:13 --------- dc----w C:\Documents and Settings\Kevin\Application Data\GrabPro
2008-06-25 03:45 39,352 -c--a-w C:\Documents and Settings\Kevin\Application Data\GDIPFONTCACHEV1.DAT
2006-06-28 05:44 13,142 -c--a-w C:\Documents and Settings\Kevin\ZGUICFGW.DAT
2008-01-22 04:57 430,209 -csha-w C:\WINDOWS\system32\ihhkj.ini2
.
<pre>
-c--a-w			67,112 2007-12-31 07:42:37  C:\Program Files\AIM\aim .exe
-c--a-w		   219,520 2007-12-31 07:42:22  C:\Program Files\Alcohol Soft\Alcohol 120\axcmd .exe
----a-w			79,224 2008-01-22 02:48:17  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
-c--a-w			81,920 2008-01-22 02:47:56  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
-c--a-w		 1,115,728 2008-01-20 12:17:56  C:\Program Files\Comodo\Firewall\CPF .exe
-c--a-w		   106,496 2008-01-22 02:48:01  C:\Program Files\Corel\Corel Photo Album 6\MediaDetect .exe
-c--a-w		   332,800 2008-01-21 21:46:33  C:\Program Files\Dell Support\DSAgnt .exe
-c--a-w		   460,784 2008-01-22 02:48:36  C:\Program Files\DellSupport\DSAgnt .exe
-c--a-w		   385,024 2008-01-22 02:47:49  C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
-c--a-w		   132,496 2008-01-22 02:48:00  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
-c--a-w			61,440 2007-12-31 07:41:15  C:\Program Files\Lexmark 4300 Series\ezprint .exe
-c--a-w		   192,512 2007-12-31 07:41:13  C:\Program Files\Lexmark 4300 Series\lxcemon .exe
-c--a-w		   299,008 2007-12-31 07:41:23  C:\Program Files\Lexmark Fax Solutions\fm3032 .exe
-c--a-w		   110,592 2007-12-31 06:50:55  C:\Program Files\McAfee\SpamKiller\MskAgent .exe
-c--a-w		   110,592 2007-12-31 04:34:04  C:\Program Files\McAfee\SpamKiller\MSKAGE~1 .EXE
-c--a-w		 1,121,280 2007-12-31 07:42:00  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
-c--a-w		 1,694,208 2008-01-22 02:48:32  C:\Program Files\Messenger\msmsgs .exe
-c--a-w		 1,460,560 2008-01-04 21:45:52  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
-c--a-w		   729,178 2008-01-22 02:47:56  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
-c--a-w			67,584 2008-01-06 07:05:35  C:\WINDOWS\ehome\ehtray .exe
-c--a-w		   158,208 2008-01-20 09:07:41  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w			15,360 2008-01-21 21:37:22  C:\WINDOWS\system32\ctfmon .exe
-c--a-w			77,824 2008-01-18 17:24:01  C:\WINDOWS\system32\hkcmd .exe
-c--a-w		   114,688 2008-01-20 08:59:21  C:\WINDOWS\system32\igfxpers .exe
-c--a-w			94,208 2008-01-20 08:59:16  C:\WINDOWS\system32\igfxtray .exe
-c--a-w		   122,941 2008-01-20 08:58:59  C:\WINDOWS\system32\dla\tfswctrl .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-10 218032]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" [N/A]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-10 86960]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 385024]
"lxcjmon.exe"="C:\Program Files\Lexmark 8300 Series\lxcjmon.exe" [2005-09-30 200704]
"EzPrint"="C:\Program Files\Lexmark 8300 Series\ezprint.exe" [2006-04-19 94208]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 114688]
"LXCECATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-03-22 69632]
"LXCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-02-24 73728]

C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2006-05-23 1806336]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-05 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"AllowMultipleTSSessions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 15:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ksvvdd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.yv12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
backup=C:\WINDOWS\pss\Orbit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\seekmo

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\50a2187a]
C:\WINDOWS\system32\tvnumduv.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-03-20 09:46 217544 C:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM53912be6]
C:\WINDOWS\system32\lgquagss.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 04:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2008-04-24 03:05 122941 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 15:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-07-19 09:10 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-07-19 09:09 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc9dcj0e5a9]
C:\WINDOWS\system32\lphc9dcj0e5a9.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhccdcj0e5a9]
C:\Program Files\rhccdcj0e5a9\rhccdcj0e5a9.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcemon.exe]
[N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2005-06-21 08:33 393216 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"iPodService"=3 (0x3)
"aawservice"=2 (0x2)
"SSIRuntimeService"=2 (0x2)
"IDriverT"=3 (0x3)
"DSBrokerService"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3128:TCP"= 3128:TCP:library access : port 3128
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 75856]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-08-20 33952]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 20560]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [2008-04-22 98488]
R2 WebUpdate4;Web Update Wizard Service V4;C:\WINDOWS\system32\WebUpdateSvc4.exe [2007-05-18 229856]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 32512]
S4 SSIRuntimeService;SSIRuntimeService;C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe [2007-09-17 45056]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0bd797e6-df30-11dc-b7e0-0014228f7367}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21a9e1d8-10af-11dc-b5e7-00038a000015}]
\Shell\AutoRun\command - LinksysConnectPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4667552d-2e60-11dc-b633-00038a000015}]
\Shell\AutoRun\command - G:\LinksysConnectPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46d18b98-cffd-11db-b54a-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
BHO-{7464E5F6-2545-4F9D-89BC-8C920203F31C} - (no file)
BHO-{8517A4F2-18AD-4728-9627-341224EFD36C} - (no file)
BHO-{8AF7B16F-3BA3-49E8-A079-B86E5E5A7364} - (no file)
BHO-{91930200-8B19-4C61-87CA-8C97BF98E471} - (no file)
BHO-{9653C155-8967-4F34-A074-98E0EA792A9D} - (no file)
BHO-{D60E0AA3-0AE2-4029-8C8F-BEC7E0419F4d} - C:\WINDOWS\system32\hfjyliru.dll
Toolbar-{ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
WebBrowser-{ECDEE021-0D17-467F-A1FF-C7A115230949} - (no file)
Notify-fccdcax - fccdcax.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\1a06mj2b.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\GameTap\bin\Release\npgametaptool.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPMFireLauncher.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 14:48:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\wuaueng.dll.wusetup.632343.bak 1712984 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\WINDOWS\system32\lxcecoms.exe
.
**************************************************************************
.
Completion time: 2008-09-22 14:57:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-22 21:57:47

Pre-Run: 45,901,553,664 bytes free
Post-Run: 45,826,527,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

311 --- E O F --- 2008-07-22 08:00:38



Laptop is still spiking on resources, but not as badly as before. Well, that's everything, and I hope to hear from you again soon. Thank you.

#6 SifuMike


    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 September 2008 - 06:02 PM

Hi mdk5000000,


The following refers to RegCleaner.

Please be aware that BleepingComputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done assuming that the main audience here at this board might be inexperienced users, and is thus a suggested safeguard from our side.

If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix", and it is up to the user, so just take this as a recommendation from my side.



Close/disable your AVAST anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run, type Notepad and click OK.
Open Notepad - don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the code box below into Notepad:

File:: 
C:\WINDOWS\system32\ihhkj.ini2
C:\WINDOWS\system32\tvnumduv.dll 
C:\WINDOWS\system32\lgquagss.dll 
C:\WINDOWS\system32\lphc9dcj0e5a9.exe 
C:\Program Files\rhccdcj0e5a9\rhccdcj0e5a9.exe

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\50a2187a]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM53912be6]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc9dcj0e5a9]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhccdcj0e5a9]

RenV:: 
-c--a-w 67,112 2007-12-31 07:42:37 C:\Program Files\AIM\aim .exe
-c--a-w 219,520 2007-12-31 07:42:22 C:\Program Files\Alcohol Soft\Alcohol 120\axcmd .exe
----a-w 79,224 2008-01-22 02:48:17 C:\Program Files\Alwil Software\Avast4\ashDisp .exe
-c--a-w 81,920 2008-01-22 02:47:56 C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
-c--a-w 1,115,728 2008-01-20 12:17:56 C:\Program Files\Comodo\Firewall\CPF .exe
-c--a-w 106,496 2008-01-22 02:48:01 C:\Program Files\Corel\Corel Photo Album 6\MediaDetect .exe
-c--a-w 332,800 2008-01-21 21:46:33 C:\Program Files\Dell Support\DSAgnt .exe
-c--a-w 460,784 2008-01-22 02:48:36 C:\Program Files\DellSupport\DSAgnt .exe
-c--a-w 385,024 2008-01-22 02:47:49 C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
-c--a-w 132,496 2008-01-22 02:48:00 C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
-c--a-w 61,440 2007-12-31 07:41:15 C:\Program Files\Lexmark 4300 Series\ezprint .exe
-c--a-w 192,512 2007-12-31 07:41:13 C:\Program Files\Lexmark 4300 Series\lxcemon .exe
-c--a-w 299,008 2007-12-31 07:41:23 C:\Program Files\Lexmark Fax Solutions\fm3032 .exe
-c--a-w 110,592 2007-12-31 06:50:55 C:\Program Files\McAfee\SpamKiller\MskAgent .exe
-c--a-w 110,592 2007-12-31 04:34:04 C:\Program Files\McAfee\SpamKiller\MSKAGE~1 .EXE
-c--a-w 1,121,280 2007-12-31 07:42:00 C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
-c--a-w 1,694,208 2008-01-22 02:48:32 C:\Program Files\Messenger\msmsgs .exe
-c--a-w 1,460,560 2008-01-04 21:45:52 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
-c--a-w 729,178 2008-01-22 02:47:56 C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
-c--a-w 67,584 2008-01-06 07:05:35 C:\WINDOWS\ehome\ehtray .exe
-c--a-w 158,208 2008-01-20 09:07:41 C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w 15,360 2008-01-21 21:37:22 C:\WINDOWS\system32\ctfmon .exe
-c--a-w 77,824 2008-01-18 17:24:01 C:\WINDOWS\system32\hkcmd .exe
-c--a-w 114,688 2008-01-20 08:59:21 C:\WINDOWS\system32\igfxpers .exe
-c--a-w 94,208 2008-01-20 08:59:16 C:\WINDOWS\system32\igfxtray .exe
-c--a-w 122,941 2008-01-20 08:58:59 C:\WINDOWS\system32\dla\tfswctrl .exe


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
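The CFScript above has three directive blocks (File::, Registry::, RenV::) and the post does not say what each one does. The following is an added example, not ComboFix's or BleepingComputer's code, that parses such a script and lists the concrete actions it would take. It assumes the conventions the script relies on: the Registry:: block uses .reg file syntax, where a bracketed key starting with a hyphen ([-key]) deletes that key and "name"=- deletes that value; and each RenV:: line names a file with a space before its extension (the "aim .exe" pattern), which ComboFix renames back to the spaceless name, as the later log on this page shows for ehtray.exe and MSConfig.exe. The sample script inside the block is a cut-down copy of the one posted above, with the RenV:: columns separated by single spaces.

```python
"""Parse a ComboFix CFScript and spell out what each directive would do.

Added example for the post above; not ComboFix's own code.  Assumptions:
Registry:: uses .reg syntax ([-key] deletes a key, "name"=- deletes a value),
and RenV:: restores the spaceless file name ("aim .exe" -> "aim.exe").
"""
import re

# Constructed sample: a cut-down copy of the CFScript posted above.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\system32\ihhkj.ini2
C:\WINDOWS\system32\lphc9dcj0e5a9.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc9dcj0e5a9]

RenV::
-c--a-w 67,112 2007-12-31 07:42:37 C:\Program Files\AIM\aim .exe
----a-w 15,360 2008-01-21 21:37:22 C:\WINDOWS\system32\ctfmon .exe
"""

# One RenV:: line: attribute flags, size, date, time, then the full path.
# The path may itself contain spaces, so it is matched last.
RENV_LINE = re.compile(
    r"^(?P<attrs>[-\w]{7})\s+(?P<size>\d[\d,]*)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# Whitespace immediately before the final ".ext" of a path.
SPACE_BEFORE_EXT = re.compile(r"\s+(\.[^.\\\s]+)$")


def parse_cfscript(text):
    """Split the script into {section_name: [lines]} by its 'Name::' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line outside any section: {line!r}")
        else:
            sections[current].append(line)
    return sections


def registry_actions(lines):
    """Translate Registry:: lines into (action, key, value_name) tuples."""
    actions, key = [], None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1], None))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            m = REG_VALUE.match(line)
            if not m or key is None:
                raise ValueError(f"unexpected Registry:: line: {line!r}")
            if m["data"] == "-":
                actions.append(("delete_value", key, m["name"]))
            else:
                actions.append(("set_value", key, f'{m["name"]}={m["data"]}'))
    return actions


def renv_rename(line):
    """Parse one RenV:: line and compute the spaceless name it restores."""
    m = RENV_LINE.match(line)
    if not m:
        raise ValueError(f"not a RenV:: line: {line!r}")
    path = m["path"]
    target = SPACE_BEFORE_EXT.sub(r"\1", path)
    return {
        "attrs": m["attrs"],
        "size": int(m["size"].replace(",", "")),
        "timestamp": f'{m["date"]} {m["time"]}',
        "path": path,
        "target": target,
        "renamed": target != path,  # False: the line would be a no-op
    }


def plan(text):
    """Return every concrete action the script would take, in order."""
    s = parse_cfscript(text)
    steps = [("delete_file", p) for p in s.get("File", [])]
    steps += registry_actions(s.get("Registry", []))
    steps += [("rename", r["path"], r["target"])
              for r in map(renv_rename, s.get("RenV", []))]
    return steps


if __name__ == "__main__":
    for step in plan(SAMPLE_CFSCRIPT):
        print(*step, sep="  ->  ")
```

Running the block prints the six actions of the sample: two file deletions, the AppInit_DLLs value deletion, one startupreg key deletion, and the two renames. The "renamed" flag is the check worth keeping: a RenV:: line whose path has no space before the extension does nothing, which is a sign the line was pasted from the wrong log.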

#7 mdk5000000

  • Topic Starter

  • Members
  • 11 posts

Posted 22 September 2008 - 06:48 PM

Alrighty then, I followed the latest instructions, so here's the combofix log first:

ComboFix 08-09-20.05 - Kevin 2008-09-22 16:30:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.554 [GMT -7:00]
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kevin\Desktop\CFScript.txt

FILE ::
C:\Program Files\rhccdcj0e5a9\rhccdcj0e5a9.exe
C:\WINDOWS\system32\ihhkj.ini2
C:\WINDOWS\system32\lgquagss.dll
C:\WINDOWS\system32\lphc9dcj0e5a9.exe
C:\WINDOWS\system32\tvnumduv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ihhkj.ini2

.
((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.

2008-09-22 15:17 . 2008-09-22 15:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-22 15:17 . 2008-09-22 15:17 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-22 14:53 . 2008-09-22 14:59 <DIR> d-------- C:\WINDOWS\LastGood
2008-09-22 09:46 . 2008-09-22 09:46 <DIR> d----c--- C:\Documents and Settings\Kevin\Application Data\Malwarebytes
2008-09-22 09:44 . 2008-09-22 09:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-22 09:44 . 2008-09-22 09:44 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-22 09:44 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-22 09:44 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-13 19:17 . 2008-09-13 19:17 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-13 19:17 . 2008-09-13 19:24 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-13 18:59 . 2008-09-13 18:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 23:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-22 23:31 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2008-09-22 23:31 --------- d-----w C:\Program Files\Lexmark 4300 Series
2008-09-22 23:31 --------- d-----w C:\Program Files\DellSupport
2008-09-22 23:31 --------- d-----w C:\Program Files\Dell Support
2008-09-22 23:30 --------- d-----w C:\Program Files\AIM
2008-09-16 17:07 --------- d-----w C:\Program Files\Lx_cats
2008-09-15 04:00 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-15 04:00 --------- d-----w C:\Program Files\RegCleaner
2008-09-15 01:53 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-14 22:59 --------- d-----w C:\Program Files\Wesnoth
2008-09-14 22:58 --------- d-----w C:\Program Files\WC3Banlist
2008-09-14 22:56 --------- d-----w C:\Program Files\Telltale Games
2008-09-01 06:09 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-07-30 04:12 --------- d-----w C:\Program Files\ZyX
2008-07-30 04:10 --------- d-----w C:\Program Files\free-downloads.net
2008-07-28 02:05 --------- dc----w C:\Documents and Settings\Kevin\Application Data\Azureus
2008-07-27 23:07 --------- d-----w C:\Program Files\Total Video Converter
2008-07-23 05:07 --------- d-----w C:\Program Files\SpywareBlaster
2008-07-23 05:04 --------- dc----w C:\Documents and Settings\Kevin\Application Data\Orbit
2008-07-22 06:33 --------- d-----w C:\Program Files\AviSynth 2.5
2008-07-22 06:20 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-07-22 06:20 --------- d-----w C:\Program Files\AVS4YOU
2008-07-22 05:55 --------- dc----w C:\Documents and Settings\Kevin\Application Data\AVS4YOU
2008-07-22 05:55 --------- dc----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-07-22 05:13 --------- dc----w C:\Documents and Settings\Kevin\Application Data\GrabPro
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-13 16:56 50,546 -c--a-w C:\WINDOWS\system32\wuwuninst.exe
2008-06-25 03:45 39,352 -c--a-w C:\Documents and Settings\Kevin\Application Data\GDIPFONTCACHEV1.DAT
2006-06-28 05:44 13,142 -c--a-w C:\Documents and Settings\Kevin\ZGUICFGW.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-09-22_14.56.54.81 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-06 07:05:35 67,584 -c--a-w C:\WINDOWS\ehome\ehtray.exe
+ 2007-07-31 02:19:20 92,504 ----a-w C:\WINDOWS\LastGood\system32\cdm.dll
+ 2007-07-31 02:19:36 549,720 ----a-w C:\WINDOWS\LastGood\system32\wuapi.dll
+ 2007-07-31 02:19:16 53,080 ----a-w C:\WINDOWS\LastGood\system32\wuauclt.exe
+ 2007-07-31 02:19:42 1,712,984 ----a-w C:\WINDOWS\LastGood\system32\wuaueng.dll
+ 2007-07-31 02:19:32 325,976 ----a-w C:\WINDOWS\LastGood\system32\wucltui.dll
+ 2007-07-31 02:18:40 33,624 ----a-w C:\WINDOWS\LastGood\system32\wups.dll
+ 2007-07-31 02:19:12 43,352 ----a-w C:\WINDOWS\LastGood\system32\wups2.dll
+ 2007-07-31 02:19:28 203,096 ----a-w C:\WINDOWS\LastGood\system32\wuweb.dll
- 2004-08-10 11:00:00 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
+ 2008-01-20 09:07:41 158,208 -c--a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
- 2004-08-10 11:00:00 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
+ 2008-01-21 21:37:22 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
- 2008-04-24 10:05:12 122,941 -c--a-w C:\WINDOWS\system32\dla\tfswctrl.exe
+ 2008-01-20 08:58:59 122,941 -c--a-w C:\WINDOWS\system32\dla\tfswctrl.exe
- 2004-08-10 11:00:00 15,360 -c--a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2008-01-21 21:37:22 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
- 2004-08-10 11:00:00 158,208 -c--a-w C:\WINDOWS\system32\dllcache\msconfig.exe
+ 2008-01-20 09:07:41 158,208 ----a-w C:\WINDOWS\system32\dllcache\msconfig.exe
- 2005-07-19 16:06:12 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
+ 2008-01-18 17:24:01 77,824 -c--a-w C:\WINDOWS\system32\hkcmd.exe
- 2005-07-19 16:10:06 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
+ 2008-01-20 08:59:21 114,688 -c--a-w C:\WINDOWS\system32\igfxpers.exe
- 2005-07-19 16:09:26 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
+ 2008-01-20 08:59:16 94,208 -c--a-w C:\WINDOWS\system32\igfxtray.exe
+ 2008-07-19 05:10:20 36,552 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.784\wups.dll
+ 2008-07-19 05:10:40 45,768 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.784\wups2.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-21 15360]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-10 218032]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-31 219520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-01-21 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 385024]
"lxcjmon.exe"="C:\Program Files\Lexmark 8300 Series\lxcjmon.exe" [2005-09-30 200704]
"EzPrint"="C:\Program Files\Lexmark 8300 Series\ezprint.exe" [2006-04-19 94208]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-18 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2008-01-20 114688]
"LXCECATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-03-22 69632]
"LXCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-02-24 73728]

C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2006-05-23 1806336]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-05 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"AllowMultipleTSSessions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 15:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.yv12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
backup=C:\WINDOWS\pss\Orbit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\seekmo

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a--c--- 2007-12-31 00:42 219520 C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-01-21 14:37 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2008-01-20 01:58 122941 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 15:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2008-01-06 00:05 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2008-01-20 01:59 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a--c--- 2008-01-20 01:59 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2005-06-21 08:33 393216 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"iPodService"=3 (0x3)
"aawservice"=2 (0x2)
"SSIRuntimeService"=2 (0x2)
"IDriverT"=3 (0x3)
"DSBrokerService"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3128:TCP"= 3128:TCP:library access : port 3128
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 75856]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-08-20 33952]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 20560]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [2008-04-22 98488]
R2 WebUpdate4;Web Update Wizard Service V4;C:\WINDOWS\system32\WebUpdateSvc4.exe [2007-05-18 229856]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 32512]
S4 SSIRuntimeService;SSIRuntimeService;C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe [2007-09-17 45056]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0bd797e6-df30-11dc-b7e0-0014228f7367}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21a9e1d8-10af-11dc-b5e7-00038a000015}]
\Shell\AutoRun\command - LinksysConnectPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4667552d-2e60-11dc-b633-00038a000015}]
\Shell\AutoRun\command - G:\LinksysConnectPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46d18b98-cffd-11db-b54a-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISUSPM Startup - C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
MSConfigStartUp-lxcemon - (no file)



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 16:34:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-22 16:36:48
ComboFix-quarantined-files.txt 2008-09-22 23:36:24
ComboFix2.txt 2008-09-22 21:57:59

Pre-Run: 45,700,112,384 bytes free
Post-Run: 45,712,723,968 bytes free

259 --- E O F --- 2008-07-22 08:00:38

and here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:38 PM, on 9/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1098640
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137900862734
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe
O23 - Service: WLANKEEPER - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7224 bytes


Resource spiking still persists, with periodic "freezes" with those spikes. Again, thanks for taking the time to help me with my laptop, and I hope to hear soon on anything else I can do to fix this comp.

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 September 2008 - 10:39 PM

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u7-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Resource spiking still persists, with periodic "freezes" with those spikes.


Right-click an empty space on the system bar (bottom of the screen) and select Task Manager.
When in Task Manager, click on the Processes tab and then click on the Show Processes from all users button.

This should show all processes running on your system.
Click on the CPU label in the CPU utilization column till all the processes are sorted by the amount of CPU that is being used.
Which processes are using the CPU?
Note that it is normal for System Idle Process to be very high as that is your free RAM (memory).

Edited by SifuMike, 22 September 2008 - 10:45 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 mdk5000000

mdk5000000
  • Topic Starter

  • Members
  • 11 posts

Posted 22 September 2008 - 10:58 PM

Lol, I was considering mentioning this previously too. D'oh. Anyways, currently it's System and Explorer.exe that are fluctuating from 0 to 3% of resource use every second (update speed set to high). Is that normal? I can't tell if any other process is running that's doing the same. So my logs are clean? Might this be a hardware problem? Would Mem delta be a helpful bit of information to divulge as well?

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 September 2008 - 11:34 PM

Lol, I was considering mentioning this previously too. d'oh. Anyways, currently it's System and Explorer.exe that are fluctuating from 0 to 3 % of resource use every second (update speed set to high). Is that normal? I can't tell if any other process is running that's doing the same. So my logs are clean? might this be a hardware problem? Would Mem delta be a helpful bit of information to divulge as well?



0 and 3% for System and Explorer is normal. Did you click on the CPU column twice to sort it so that the highest CPU is at the top?

Resource spiking still persists, with periodic "freezes" with those spikes. Again, thanks for taking the time to help me with my laptop, and I hope to hear soon on anything else I can do to fix this comp.


What resource spikes? Where are you seeing that? :thumbsup: Your Task Manager sounds normal.

Where is the Kaspersky Online Scan?

Edited by SifuMike, 22 September 2008 - 11:38 PM.


#11 mdk5000000

mdk5000000
  • Topic Starter

  • Members
  • 11 posts

Posted 23 September 2008 - 08:34 AM

Yep, clicked twice. Here's the Kaspersky scan log:

KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, September 23, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, September 23, 2008 06:21:39
Records in database: 1250361
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
F:\
Scan statistics
Files scanned 63478
Threat name 22
Infected objects 103
Suspicious objects 0
Duration of the scan 04:27:17

File name Threat name Threats count
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\1.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\10.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\11.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\12.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\13.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\14.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\15.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\16.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\17.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\18.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\19.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\1A.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\1B.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\1D.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\1E.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\1F.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\2.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\20.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\21.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\22.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\23.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\24.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\25.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\26.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\27.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\28.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\29.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\2A.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\2B.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\2C.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\2D.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\2E.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\2F.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\3.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\30.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\31.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\32.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\33.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\34.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\35.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\36.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\37.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\38.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\39.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\4.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\6.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\7.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\8.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\A.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\aifasoii.exe.bac_a03552 Infected: Trojan-Downloader.Win32.Agent.gwe 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\aqsmfrqn.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.Virtumonde.aema 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\B.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\biflkkut.dll.bac_a03552 Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\C.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\cmlgpdue.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.SuperJuan.cat 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\cscqdlmu.dll.bac_a00648 Infected: Trojan.Win32.Monder.bmc 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\D.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\dmpjsrqx.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.BHO.cbd 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\E.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\eckliqdk.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.BHO.cbd 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\encllxkf.dll.bac_a03552 Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\epgckz.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.SuperJuan.cdg 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\ewjcsklq.dll.bac_a00648 Infected: Trojan.Win32.Monder.bcb 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\F.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\fanysheu.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.Virtumonde.aeud 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\fjqccots.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.BHO.cbd 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\fucfyj.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.Virtumonde.aeue 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\fxaxwljs.exe.bac_a03552 Infected: Trojan-Downloader.Win32.Agent.gwe 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\gnocfnem.exe.bac_a03552 Infected: Trojan-Downloader.Win32.Agent.gwe 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\hfjyliru.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.BHO.cgs 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\igenacta.dll.bac_a00648 Infected: Trojan.Win32.Monder.awj 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\iyatercs.dll.bac_a00648 Infected: Trojan.Win32.Monder.bde 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\jgplphoo.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.SuperJuan.cdg 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\jrbcwwgs.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.BHO.cbd 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\kdhctyrt.dll.bac_a00648 Infected: Trojan.Win32.Monder.cep 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\kqscxatf.dll.bac_a03552 Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\lphc9dcj0e5a9.exe.bac_a00648 Infected: Trojan-Downloader.Win32.Small.yqe 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\ndyhjtuh.exe.bac_a03552 Infected: Trojan-Downloader.Win32.Agent.gwe 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\nyhjmqaa.dll.bac_a00648 Infected: Trojan.Win32.Monder.bbw 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\oduxtchg.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.SuperJuan.cdg 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\oespnqox.exe.bac_a03552 Infected: Trojan-Downloader.Win32.Agent.gwe 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\ogxistiw.dll.bac_a00648 Infected: Trojan.Win32.Monder.bmc 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\pphc9dcj0e5a9.exe.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\pvdikskq.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.BHO.cbd 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\pzhbxq.dll.bac_a00648 Infected: Trojan.Win32.Monder.awg 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\QdrDrive9.dll.bac_a03552 Infected: not-a-virus:AdWare.Win32.AdBand.h 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\rljumacl.dll.bac_a00648 Infected: Trojan.Win32.Monder.awm 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\rvjryasy.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.SuperJuan.cqy 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\sjohnccs.exe.bac_a03552 Infected: Trojan-Downloader.Win32.Agent.gwe 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\styxnm.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.Virtumonde.aeud 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\swrpmi.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.Virtumonde.aeuc 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\syybuaxm.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.Virtumonde.aeue 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\tnreqthr.dll.bac_a00648 Infected: Trojan.Win32.Monder.awg 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\uiehsdso.dll.bac_a03552 Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\upbrrcrn.dll.bac_a03552 Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\vkdnss.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.SuperJuan.cdg 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\vslhxx.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.Virtumonde.aema 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\warfuegg.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.BHO.cbd 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\wlibdxiv.exe.bac_a03552 Infected: Trojan-Downloader.Win32.Agent.gwe 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\xnomlrfo.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.Virtumonde.aeuc 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\yumqctsd.dll.bac_a03552 Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\yyoyfceu.dll.bac_a03552 Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\zfjeao.dll.bac_a00648 Infected: not-a-virus:AdWare.Win32.SuperJuan.cqy 1
The selected area was scanned.
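Reading a report like this by hand means checking two things: which threat families were found, and whether any detection sits outside another scanner's quarantine folder (here, the HouseCall Quarantine directory). The Python below is an added example, not code from the thread or from Kaspersky's tooling, that does that triage on the report format shown above; its sample report reuses four detection lines from the report plus one constructed line at a made-up path under C:\WINDOWS\system32 so that the "active detection" branch is exercised.

```python
"""Triage a Kaspersky Online Scanner 7 report of the kind posted above.
Added example (not from the thread or from Kaspersky): groups detections by
threat family and flags any whose path is NOT inside another scanner's
quarantine folder, which is the check made before calling a report clean."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# One detection line in the report: "<path> Infected: <threat name> <count>"
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)

# Folder names used by common scanners to hold already-neutralised files.
# A hit under one of these is a leftover copy, not a running infection.
QUARANTINE_DIRS = {"quarantine", "quarantined", "backups", "vault"}

# Constructed sample: four lines copied from the report above plus one
# made-up path under system32 (constructed, not from the page).
SAMPLE_REPORT = r"""KASPERSKY ONLINE SCANNER 7 REPORT
Infected objects 5
File name Threat name Threats count
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\1.tmp.bac_a00648 Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\aifasoii.exe.bac_a03552 Infected: Trojan-Downloader.Win32.Agent.gwe 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\biflkkut.dll.bac_a03552 Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\Kevin\.housecall6.6\Quarantine\cscqdlmu.dll.bac_a00648 Infected: Trojan.Win32.Monder.bmc 1
C:\WINDOWS\system32\constructed_example.dll Infected: Trojan.Win32.Monder.gen 1
The selected area was scanned.
"""

def parse_report(text):
    """Return (path, threat, count) for every detection line; skip the rest."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return hits

def in_quarantine(path):
    """True if any directory component of the Windows path is a quarantine folder."""
    return any(part.lower() in QUARANTINE_DIRS
               for part in PureWindowsPath(path).parts[:-1])

def family(threat):
    """Collapse variant suffixes: Trojan.Win32.Monder.gen -> Trojan.Win32.Monder."""
    return ".".join(threat.split(".")[:3])

def triage(text):
    """Summarise a report: total hits, hits per family, and non-quarantined hits."""
    hits = parse_report(text)
    families = Counter()
    active = []
    for path, threat, count in hits:
        families[family(threat)] += count
        if not in_quarantine(path):
            active.append((path, threat))
    return {"total": sum(c for _, _, c in hits),
            "families": dict(families),
            "active": active}

def verdict(summary):
    """Clean only if no detection lives outside a quarantine folder."""
    if summary["active"]:
        return "ACTIVE: %d detection(s) outside quarantine" % len(summary["active"])
    return "CLEAN: all %d detection(s) are quarantined leftovers" % summary["total"]

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for fam, n in sorted(result["families"].items()):
        print("%3d  %s" % (n, fam))
    for path, threat in result["active"]:
        print("outside quarantine:", path, threat)
    print(verdict(result))
```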

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 23 September 2008 - 10:05 AM

You did not answer:

What resource spikes? Where are you seeing that? Your Task Manager sounds normal.



Kaspersky online scan looks good. It found only items in quarantine.

I see no malware on this computer. :thumbsup:

#13 mdk5000000

mdk5000000
  • Topic Starter

  • Members
  • 11 posts

Posted 23 September 2008 - 07:50 PM

Ah, sounds good, thanks for all you've done with my computer cleanup.

And, to answer that question, to be honest I can't tell. But I'm seeing the resource usage hit 97% under Processes on the Task Manager, and under the Performance tab I can see a spike on the CPU usage history coinciding with it. But I can't tell what program is spiking, cause at that point the computer kind of freezes for a moment, then continues functioning. This doesn't occur so often now, probably spikes every 2 mins or so. Not sure how to approach this problem. Is there anything else I should look at?

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 23 September 2008 - 08:49 PM

It may be hardware, software, memory or a driver causing the problem.

HijackThis forum does not have the capability to analyze performance, hardware or application issues.

For the type of issue(s) you describe I would suggest posting to the Windows XP forum. The techs in that forum specialize in matters pertaining to Windows issues. Let them know that you have been to this forum and that no malware was found.

When posting to any other forum, do not post a HijackThis log or the post will simply be moved back to this forum for infection analysis. That is what HijackThis is used for and that is what we specialize in here in this forum.

Also, when posting in any other forum for assistance, give as much detail as possible regarding any issues that are occurring. The more information they have, the better the techs can analyze the issue and make any recommendations for resolving it.

#15 mdk5000000

mdk5000000
  • Topic Starter

  • Members
  • 11 posts

Posted 23 September 2008 - 09:11 PM

K, I'll go and do that. And again, thank you SifuMike for helping me with my laptop. Your help was very much appreciated, thanks again!
