
Virtumonde, 2009 Antivirus, Ms Antivirus


  • This topic is locked
7 replies to this topic

#1 debbie2160

Posted 18 September 2008 - 07:29 AM

Grrrr I don't know which one I have but I know they are a major pain.

I posted a hijack this log on the spybot help forum last night and went to bed but still no answer this morning. Do I need to do another one? Weirdo things happened on startup this morning. Any and all help is appreciated. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:58 PM, on 9/17/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\mobsync.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [8ce79cdd] rundll32.exe "C:\Users\DEBBIE~1\AppData\Local\Temp\vdsiinxp.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\DEBBIE~1\AppData\Local\Temp\mlJArpOe.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programs\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programs\PartyGaming.Net\PartyPokerNet\RunPF.exe
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.download.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9098 bytes
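Added example (not part of debbie2160's post, and not code from HijackThis, Malwarebytes or any other tool named in this thread): a small Python triage of the O4 autostart lines from the log above. It flags the two rundll32 entries that load randomly named DLLs from the user's Temp folder, the same two Run values that the Malwarebytes log further down reports as Trojan.Vundo. The heuristics are my own assumptions about what looks odd in a Run key, not anything HijackThis itself scores.

```python
import re

# Constructed sample: O4 (Run-key autostart) lines copied from the HijackThis
# log in this thread, including the two that MBAM later quarantined as Trojan.Vundo.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r"O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r'O4 - HKCU\..\Run: [8ce79cdd] rundll32.exe "C:\Users\DEBBIE~1\AppData\Local\Temp\vdsiinxp.dll",b',
    r"O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
    r"O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\DEBBIE~1\AppData\Local\Temp\mlJArpOe.dll,c",
    r"O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')",
]

# "O4 - <hive>\..\Run: [<value name>] <command>"  (optionally "(User '...')" at the end)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")
# rundll32 [path\]module.dll,EntryPoint  -> capture the module and the entry point
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+)"?(?:,(?P<entry>\S*))?', re.I)
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.I)   # assumption: Temp is not a normal autostart home
HEX_NAME_RE = re.compile(r"[0-9a-f]{6,}", re.I)  # assumption: hex-only value names are generated


def parse_o4(line):
    """Split one HijackThis O4 line into hive, value name and command, or None if not O4."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = USER_SUFFIX_RE.sub("", m.group("cmd")).strip()
    entry = {"hive": m.group("hive"), "name": m.group("name"), "cmd": cmd,
             "module": None, "entry_point": None}
    r = RUNDLL_RE.match(cmd)
    if r:  # rundll32 launcher: record which DLL and which export it calls
        entry["module"] = r.group("module")
        entry["entry_point"] = r.group("entry")
    return entry


def suspicious_reasons(entry):
    """Return the list of heuristics an autostart entry trips (empty list = nothing odd)."""
    reasons = []
    if TEMP_DIR_RE.search(entry["cmd"]):
        reasons.append("autostart target lives under a Temp directory")
    if HEX_NAME_RE.fullmatch(entry["name"]):
        reasons.append("Run value name looks randomly generated (hex only)")
    if entry["module"] is not None:
        ep = entry["entry_point"] or ""
        if len(ep) <= 2:
            reasons.append("rundll32 entry point is missing or only one or two characters long")
    return reasons


def triage(lines):
    """Parse O4 lines and return the entries that trip at least one heuristic."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append({"name": entry["name"], "hive": entry["hive"],
                            "cmd": entry["cmd"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_O4_LINES):
        print(f"[{hit['hive']}] {hit['name']}: {hit['cmd']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

The legitimate rundll32 entries (NvSvc, WindowsWelcomeCenter) pass because they point at named exports in system DLLs; only the two Temp-folder loaders are reported.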



#2 steamwiz

Posted 18 September 2008 - 04:16 PM

Hi debbie

Thanks for telling us you have posted on another forum; I have locked your thread at spybot's forum.

It wastes helpers' time if you are being helped on one forum & then a helper answers your thread on another forum... it can also cause bigger problems for you if you follow advice from 2 forums at the same time :thumbsup:

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#3 debbie2160

Posted 18 September 2008 - 07:33 PM

Thanks steamwiz, for your response. I'm a bit impatient, which is why I posted on two different forums, but I'm smart enough to know NOT to do anything on my own or mix two sets of advice. Wherever I got a solution first I would have taken the advice and posted on the other that I had. Your closing that thread saved me that trouble. I appreciate it. I followed your advice except I must confess that when I tried to download the malwarebytes program I downloaded a different one, rminstall.exe by PC Tools, and ran it. I hope I didn't mess anything up. I ran malwarebytes after that and then the combofix (I hope I had all my virus scanners closed). I also would like to report that I got an error message on the restart:

EDIT AT 7AM NEXT DAY: (Friday morning) My AVG kicked in automatically this morning but then stopped and said my log file was corrupt. The details say "scan log was repaired". I think it fixed itself. Is this something I need to worry about? I manually started another scan and it seems so far to be running okay.....

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 19
BCP1: 00000020
BCP2: 8678B358
BCP3: 8678B7D8
BCP4: 18900014
OS Version: 6_0_6001
Service Pack: 1_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini091808-01.dmp
C:\Users\Debbie and Eric\AppData\Local\Temp\WER-52260-0.sysdata.xml
C:\Users\Debbie and Eric\AppData\Local\Temp\WERC4F.tmp.version.txt

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=501...mp;clcid=0x0409

Anywho, I've been on here like 10 minutes and I haven't had a popup thingy yet, so things are looking up. Requested logs are as follows. I look forward to hearing your good report that I did everything okay. :thumbsup: Also, please let me know if I should uninstall all those programs I downloaded (hijack, malwarebytes, etc) or if I should keep them on my computer.

Malwarebytes' Anti-Malware 1.28
Database version: 1171
Windows 6.0.6001 Service Pack 1

9/18/2008 6:29:05 PM
mbam-log-2008-09-18 (18-29-05).txt

Scan type: Quick Scan
Objects scanned: 38763
Time elapsed: 1 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8ce79cdd (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Debbie and Eric\AppData\Local\Temp\vdsiinxp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Debbie and Eric\AppData\Local\Temp\fwtqdiar.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Debbie and Eric\Local Settings\Temporary Internet Files\pse_300_enu.exe (Trojan.Agent) -> Quarantined and deleted successfully.


ComboFix 08-09-16.05 - Debbie and Eric 2008-09-18 18:57:04.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2506 [GMT -5:00]
Running from: C:\Users\Debbie and Eric\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\jusched.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-18 to 2008-09-18 )))))))))))))))))))))))))))))))
.

2008-09-18 18:26 . 2008-09-18 18:26 <DIR> d-------- C:\Users\Debbie and Eric\AppData\Roaming\Malwarebytes
2008-09-18 18:26 . 2008-09-18 18:26 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-09-18 18:26 . 2008-09-18 18:26 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-09-18 18:26 . 2008-09-18 18:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-18 18:26 . 2008-09-10 00:08 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-09-18 18:26 . 2008-09-10 00:08 17,200 --a------ C:\Windows\System32\drivers\mbam.sys
2008-09-18 18:20 . 2008-09-18 18:39 <DIR> d-a------ C:\Users\All Users\TEMP
2008-09-18 18:20 . 2008-09-18 18:39 <DIR> d-a------ C:\ProgramData\TEMP
2008-09-18 18:19 . 2004-03-09 00:00 1,081,616 --a------ C:\Windows\System32\MSCOMCTL.OCX
2008-09-18 18:19 . 2004-08-04 07:00 506,368 --a------ C:\Windows\System32\msxml.dll
2008-09-17 18:45 . 2008-09-17 18:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-17 17:23 . 2008-09-17 17:33 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-09-17 17:23 . 2008-09-17 17:33 <DIR> d-------- C:\ProgramData\Lavasoft
2008-09-17 17:23 . 2008-09-17 17:23 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-17 17:14 . 2008-09-17 17:33 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-09-17 17:14 . 2008-09-17 17:33 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-09-17 17:14 . 2008-09-17 17:14 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-16 21:28 . 2008-09-16 21:28 <DIR> d-------- C:\Users\All Users\Gogii
2008-09-16 21:28 . 2008-09-16 21:28 <DIR> d-------- C:\ProgramData\Gogii
2008-09-16 20:25 . 2008-09-16 20:25 <DIR> d-------- C:\Users\All Users\SpinTop Games
2008-09-16 20:25 . 2008-09-16 20:25 <DIR> d-------- C:\ProgramData\SpinTop Games
2008-09-15 22:31 . 2008-09-15 22:31 <DIR> d-------- C:\Users\Debbie and Eric\AppData\Roaming\ViquaSoft
2008-09-14 19:47 . 2008-09-14 19:47 <DIR> d-------- C:\Users\Debbie and Eric\AppData\Roaming\Righteous Kill
2008-09-10 22:39 . 2008-09-10 22:39 <DIR> d-------- C:\Users\All Users\Playrix Entertainment
2008-09-10 22:39 . 2008-09-10 22:39 <DIR> d-------- C:\ProgramData\Playrix Entertainment
2008-09-09 19:27 . 2008-07-30 20:13 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-09-09 19:27 . 2008-07-30 22:32 28,160 --a------ C:\Windows\System32\Apphlpdm.dll
2008-09-09 19:23 . 2008-08-01 20:01 625,152 --a------ C:\Windows\System32\drivers\dxgkrnl.sys
2008-09-09 19:23 . 2008-06-25 22:29 565,248 --a------ C:\Windows\System32\emdmgmt.dll
2008-09-09 19:23 . 2008-06-25 22:29 303,616 --a------ C:\Windows\System32\wmpeffects.dll
2008-09-09 19:23 . 2008-05-08 14:21 211,968 --a------ C:\Windows\System32\drivers\mrxsmb10.sys
2008-09-09 19:23 . 2008-05-19 21:07 148,480 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-09-09 19:23 . 2008-06-25 22:29 45,056 --a------ C:\Windows\System32\dataclen.dll
2008-09-09 19:23 . 2008-08-01 22:26 36,864 --a------ C:\Windows\System32\cdd.dll
2008-09-04 23:17 . 2008-09-04 23:17 <DIR> d-------- C:\Users\All Users\MythPeople
2008-09-04 23:17 . 2008-09-04 23:17 <DIR> d-------- C:\ProgramData\MythPeople
2008-08-30 07:38 . 2008-08-30 07:38 <DIR> d-------- C:\Users\Debbie and Eric\AppData\Roaming\ITTNord
2008-08-29 07:18 . 2008-08-29 07:44 <DIR> d-------- C:\Users\All Users\FarmFrenzy2
2008-08-29 07:18 . 2008-08-29 07:44 <DIR> d-------- C:\ProgramData\FarmFrenzy2
2008-08-28 22:16 . 2008-09-18 07:00 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-26 12:31 . 2008-07-19 00:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-08-26 12:31 . 2008-07-18 22:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-08-26 12:31 . 2008-07-19 00:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-08-26 12:31 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-08-26 12:31 . 2008-07-18 22:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-08-26 12:31 . 2008-07-19 00:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-08-26 12:31 . 2008-07-19 00:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-08-26 12:31 . 2008-07-19 00:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-08-26 12:31 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-23 11:02 . 2008-08-23 11:02 <DIR> d-------- C:\Users\Debbie and Eric\AppData\Roaming\RealArcade
2008-08-21 21:35 . 2008-09-18 15:11 <DIR> d-------- C:\Windows\System32\drivers\Avg
2008-08-21 21:35 . 2008-08-21 21:35 <DIR> d-------- C:\Users\All Users\avg8
2008-08-21 21:35 . 2008-08-21 21:35 <DIR> d-------- C:\ProgramData\avg8
2008-08-21 21:35 . 2008-08-21 21:35 <DIR> d-------- C:\Program Files\AVG
2008-08-21 21:35 . 2008-08-28 22:16 97,928 --a------ C:\Windows\System32\drivers\avgldx86.sys
2008-08-21 21:35 . 2008-08-21 21:35 69,128 --a------ C:\Windows\System32\drivers\avgwfpx.sys
2008-08-21 21:35 . 2008-08-21 21:35 10,520 --a------ C:\Windows\System32\avgrsstx.dll
2008-08-20 19:04 . 2008-08-17 14:25 3,883,008 --a------ C:\Windows\System32\Tropix2.scr
2008-08-20 19:04 . 2008-07-17 00:05 258,352 --a------ C:\Windows\System32\unicows.dll
2008-08-18 19:49 . 2008-08-18 19:49 <DIR> d-------- C:\Users\Debbie and Eric\AppData\Roaming\Gamelab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-17 23:36 --------- d-----w C:\ProgramData\Google Updater
2008-09-17 22:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-17 02:26 --------- d-----w C:\Program Files\RealArcade
2008-08-22 02:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-22 02:28 --------- d-----w C:\ProgramData\Symantec
2008-08-18 03:14 --------- d-----w C:\ProgramData\Yahoo! Companion
2008-08-17 02:04 --------- d-----w C:\ProgramData\Logishrd
2008-08-17 02:00 --------- d-----w C:\ProgramData\Logitech
2008-08-17 02:00 --------- d-----w C:\Program Files\Logitech
2008-08-17 02:00 --------- d-----w C:\Program Files\Common Files\logishrd
2008-08-17 00:41 --------- d-----w C:\Program Files\Google
2008-08-16 23:42 --------- d-----w C:\Users\Debbie and Eric\AppData\Roaming\Southwest Airlines
2008-08-16 23:42 --------- d-----w C:\Program Files\Southwest Airlines
2008-08-16 12:57 --------- d-----w C:\Users\Debbie and Eric\AppData\Roaming\Ancient Quest of Saqqarah__real
2008-08-13 10:20 --------- d-----w C:\Program Files\Windows Mail
2008-07-31 03:32 460,288 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-07-31 03:32 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-07-31 03:32 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-07-31 03:08 --------- d-----w C:\Users\Debbie and Eric\AppData\Roaming\iWin
2008-07-26 02:47 --------- d-----w C:\ProgramData\FreshGames
2008-07-24 03:36 --------- d-----w C:\Program Files\MSN Messenger
2008-07-16 01:32 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-06-27 04:15 827,392 ----a-w C:\Windows\System32\wininet.dll
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-19 03:31 361,984 ----a-w C:\Windows\System32\IPSECSVC.DLL
2008-01-21 02:43 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-20 21:23 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-20 21:25 125952]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-20 21:25 202240]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RMTray.exe" [2008-07-03 10:37 812952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 10:16 65536]
"OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 06:59 118784]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-12 03:20 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-12 03:20 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-12 03:20 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-04-07 05:56 132760]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-28 22:16 1235736]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 06:26 4874240 C:\Windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=C:\Windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Debbie and Eric^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^DING!.lnk]
path=C:\Users\Debbie and Eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DING!.lnk
backup=C:\Windows\pss\DING!.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 19:24 54840 c:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
--a------ 2008-01-18 21:21 942080 C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 2007-04-18 10:01 65536 c:\hp\support\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2007-07-25 16:02 563984 C:\Program Files\Common Files\logishrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-07-25 16:06 2027792 C:\Program Files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-06-05 19:46 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EFA1520E-E2F4-443E-8209-F1681FA2EAEA}"= c:\Program Files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{354037D2-7FD1-4C73-9235-6A62312CD156}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{975D5866-2837-489F-B2ED-2A733386FD14}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{79A163F1-91D6-40FD-A971-95D9766990CB}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{5800F1CB-69D1-4DA3-BD04-D568ED0DBFC6}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4BFA0F81-5C25-45D3-80FF-3E2377E537B1}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{DD9BCBCE-9702-47AE-A93B-289F0D996BC2}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{2AF200BD-794C-46FA-B498-055132095A9F}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{2EB63E24-C75B-4F10-865E-F1B9387235A6}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{F3831E87-EAF4-4D70-9572-200878057C98}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{27F191A9-FC30-4F5C-B907-F7A82B1A5ADF}"= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe
"{EC525052-6C54-4C0B-8DA5-6A62AC466D8F}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{746F0EDE-2F88-47DF-AE94-4BE00FD2C5AF}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{AEBC589F-45C4-45D0-AD51-0458D73A046B}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-08-28 22:16 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 22:16 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 22:16 231704]
R3 AvgWfpX;AVG Free8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-08-21 21:35 69128]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;C:\Windows\system32\DRIVERS\netr73.sys [2007-09-24 06:09 464384]
S3 GameConsoleService;GameConsoleService;C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe [2007-07-23 18:33 181800]
S4 ErrDev;Microsoft Hardware Error Device Driver;C:\Windows\system32\drivers\errdev.sys [2008-01-20 21:23 6656]
S4 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-01-20 21:23 386616]
S4 nvrd32;NVIDIA nForce RAID Driver;C:\Windows\system32\drivers\nvrd32.sys [2007-12-07 10:28 131616]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Gamevance - C:\Program Files\Gamevance\gamevance32.exe
MSConfigStartUp-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.comcast.net/a/
R0 -: HKLM-Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
O9 -: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 -: {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programs\PartyGaming.Net\PartyPokerNet\RunPF.exe
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-18 19:09:53
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

Edited by debbie2160, 19 September 2008 - 07:42 AM.


#4 steamwiz

Posted 19 September 2008 - 04:33 PM

Hi debbie

I don't trust any registry cleaners, therefore I would never ask you to download that program, let's hope it didn't delete something it shouldn't have done ... no-one has ever accidentally clicked on that link before, but I can see where it is misleading, I shall not send anyone to that page again ... I shall use a different download location ...

I would go to ADD/remove programs in the Control Panel & uninstall Registry Mechanic, if you haven't already.

Back in the days of win98 the windows registry would become bloated and slow down the computer, but since XP the registry works differently, it doesn't matter how many hundreds/thousands of orphan registry keys you have now, it will have NO effect on the computer's performance ... it's better to have lots of orphan entries in the registry, than let a registry cleaner loose to delete whatever it wants to ...

It may well have been Registry Mechanic that caused the blue screen ... let me know if you get any more ...

Your logs are clean now :thumbsup: so if your computer is running OK, then you can delete hijackthis & malwarebytes ...

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK

This will uninstall Combofix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

If you are still having problems then hold off uninstalling the programs for now & let me know :)

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#5 debbie2160

debbie2160
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:52 AM

Posted 19 September 2008 - 05:28 PM

Leave it to me to do something accidentally that nobody has done before LOL. I hope also everything is okay. The AVG scan was still running when I left for work this morning but when I got home tonight it scanned okay and no infections :thumbsup: My husband said he had no problems this afternoon, no popups or anything.

I'm going to uninstall the malwarebytes and hijack this, I deleted the registry program last night. I also deleted spybot since it was asking me questions that I didn't know the answer to. Hopefully AVG free and my Windows Defender program will be sufficient for protection. My clock is still showing military time even after I uninstalled combofix but maybe it will be okay when I restart the computer. I'll let you know.

EDIT: Nope, didn't reset from military time. I uninstalled those programs and restarted... System Restore seems okay. LOL My husband just came in and asked if I could get that "military time" off the computer and back to normal.

Please accept the small token that I can give to your paypal account. I really appreciate your timely and accurate help.

Debbie

Edited by debbie2160, 19 September 2008 - 05:41 PM.


#6 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:11:52 AM

Posted 19 September 2008 - 06:43 PM

Hi Debbie

Glad everything is OK now .... sorry about the time format, Combofix should have fixed that for you ...

You can change it back like this :-

Start > Control Panel > Date, Time, Language & Regional options > Change the format of numbers, dates, times >

Click the "customise" button > click the drop down arrow next to "time format"

You now have four different time display options to choose from, two are 12 hour time formats and two are 24 hour (military) type formats.

Choose h:mm:ss tt to change to the default Windows format. Then click on Apply or OK to finalise your selection.

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
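The Control Panel steps steamwiz describes edit a per-user registry value. The PowerShell below is an added illustration, not part of the thread's instructions: it reads the time format in effect for the logged-on user and restores the 12-hour default named in the post. It assumes the long time pattern lives in HKCU\Control Panel\International\sTimeFormat (true on Vista and later) and that it is run from the affected user's own session.

```powershell
# Added example (not from the thread): inspect and restore the per-user
# long time format that the Control Panel dialogue above edits.
$intlKey = 'HKCU:\Control Panel\International'
$default = 'h:mm:ss tt'   # the 12-hour pattern the post tells Debbie to pick

# Read the pattern currently in use for this user.
$current = (Get-ItemProperty -Path $intlKey -Name sTimeFormat).sTimeFormat
Write-Host "Current time format: $current"

# An upper-case 'H' in the pattern means a 24-hour ("military") clock;
# -cmatch keeps the comparison case-sensitive so 'h' does not match.
if ($current -cmatch 'H') {
    Write-Host 'Detected a 24-hour pattern; restoring the 12-hour default.'
    Set-ItemProperty -Path $intlKey -Name sTimeFormat -Value $default
    # The taskbar clock re-reads this value at logon, so log off and back on
    # (or restart) to see the change rather than editing anything else.
} else {
    Write-Host 'Already a 12-hour pattern; nothing changed.'
}
```

Running it before any cleanup tool that "resets clock settings" gives you a record of the original value to compare against afterwards.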

#7 debbie2160

debbie2160
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:52 AM

Posted 19 September 2008 - 07:09 PM

Appreciate the directions greatly :thumbsup:

Hopefully I'll never need you guys again, but I really appreciate knowing that you're here when I screw up (or somebody else does). I'll bookmark this site just in case.

Thanks again

Deb

#8 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:11:52 AM

Posted 20 September 2008 - 02:26 PM

Hi

You're very welcome :thumbsup:

As this thread is resolved, :) it is now locked.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

Before you leave the site ...

Please have a look here at ways to keep your computer safe :-

Simple steps to keep your computer secure! By Grinler > http://www.bleepingcomputer.com/forums/t/1628/simple-steps-to-keep-your-computer-secure/

& here :-

So how did I get infected in the first place? By TonyKlein > http://forums.spybot.info/showthread.php?t=279

Happy surfing :)

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
