Infected with Vundo, possibly others


9 replies to this topic

#1 Aendie

Aendie

  • Members
  • 6 posts
  • Gender:Female
  • Location:Norton, Va
  • Local time:04:22 AM

Posted 13 January 2009 - 12:43 PM

I discovered one day while browsing that suddenly I'm getting tons of pop-up windows out of the blue, so I check my pop-up blocker. It's intact and seems to be functioning, so after checking all my firewalls and anti-virus I discover (to my absolute horror, mind you) that my husband has for some strange and unknown reason disconnected my computer from our network and decided to connect it directly to the cable and go on a browsing spree...unprotected.../bangsheadondesk...repeatedly.

Since then I've run McAfee, Windows OneCare & Defender, discovering in the process that whatever virus it is continuously disables those defenses as well as automatic updates. Did some more digging and uninstalled all of those in favor of Kaspersky Internet Security 8.0, which has been very helpful in identifying that I seem to have more than one virus; i.e. Vundo, Virtumonde, MS Juan, Win32.generic, and a host of others. (Yay me! /sigh) As per a post I read here while searching for help, I've installed and run HJT and Malwarebytes, and ComboFix is installed for when it's needed. Per the prep guide before posting I've also run the DDS tool and have the logs to post below this.

I mostly use this computer for my writing, research, web browsing and the MMORPGs I play (WoW, FFXI), but this is driving me insane; any and all help with cleaning this mess up would be greatly appreciated. Games I can always reinstall and update, but research and my novels are a different matter; I can't afford to lose those. Any recommendations for firewalls and anti-virus programs would be appreciated as well. Thank you so much, in advance.


DDS (Ver_09-01-07.01) - NTFSx86
Run by Andi at 12:07:25.89 on Tue 01/13/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1527 [GMT -5:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Andi.ANDREALW\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
ustart page = hxxp://my.yahoo.com/
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {660bc48c-ff1e-465a-beaf-5a0540e4a80c} - c:\windows\system32\ddcYrpqp.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {91712fac-36ca-47da-88e9-b92299293a8d} - c:\windows\system32\khfDwvUN.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - No File
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [nForce Tray Options] sstray.exe /r
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
TCP: {0262F50F-8E61-4309-9030-2061988D7D3D} = 68.87.68.162,68.87.74.162
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: ljJCuRJC - ljJCuRJC.dll
Notify: WBSrv - c:\program files\stardock\object desktop\windowblinds\wbsrv.dll
AppInit_DLLs: wbsys.dll c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\khfDwvUN

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andi~1.and\applic~1\mozilla\firefox\profiles\46tntapw.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/a/
FF - prefs.js: keyword.URL - hxxp://errorpage.comcast.net/?cat=Web&con=dc&safe=on&q=
FF - component: c:\documents and settings\andi.andrealw\application data\mozilla\firefox\profiles\46tntapw.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-1-11 227344]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2008-7-3 113896]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R4 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 206088]

=============== Created Last 30 ================

2009-01-13 09:09 <DIR> -cd----- c:\docume~1\andi~1.and\applic~1\Malwarebytes
2009-01-13 09:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-13 09:09 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-13 09:09 <DIR> -cd----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-01-13 09:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-13 09:04 <DIR> --d----- c:\program files\Trend Micro
2009-01-13 06:40 2,625 ---sh--- c:\windows\system32\pihenedo.dll
2009-01-13 06:40 2,625 ---sh--- c:\windows\system32\nuhufise.dll
2009-01-13 06:40 2,626 ---sh--- c:\windows\system32\yizodonu.dll
2009-01-12 16:46 2,626 ---sh--- c:\windows\system32\nusayuta.dll
2009-01-12 16:46 2,626 ---sh--- c:\windows\system32\dewezuwa.dll
2009-01-12 16:46 2,624 ---sh--- c:\windows\system32\miharewo.dll
2009-01-11 16:56 2,625 ---sh--- c:\windows\system32\pahiboji.dll
2009-01-11 16:56 2,625 ---sh--- c:\windows\system32\narudoku.dll
2009-01-11 15:22 <DIR> -cd----- c:\docume~1\andi~1.and\applic~1\Windows Search
2009-01-11 13:48 <DIR> --d----- c:\program files\Windows Desktop Search
2009-01-11 13:48 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-01-11 13:46 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2009-01-11 13:46 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
2009-01-11 13:46 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
2009-01-11 07:37 509 a------- c:\windows\system32\%LocalXml%
2009-01-11 07:16 96,976 a------- c:\windows\system32\drivers\klin.dat
2009-01-11 07:16 87,855 a------- c:\windows\system32\drivers\klick.dat
2009-01-11 07:15 4,293,664 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-11 07:15 811,040 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-01-11 07:15 34,624 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-01-11 07:15 3,852 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-01-11 07:15 <DIR> -cd----- c:\docume~1\alluse~1.win\applic~1\Kaspersky Lab
2009-01-11 07:15 <DIR> --d----- c:\program files\Kaspersky Lab
2009-01-11 06:34 <DIR> -cd----- c:\docume~1\alluse~1.win\applic~1\Kaspersky Lab Setup Files
2009-01-09 09:38 <DIR> --d----- c:\program files\PowerISO
2009-01-04 22:03 <DIR> -cd----- c:\docume~1\andi~1.and\applic~1\BitTorrent
2009-01-04 22:03 <DIR> --d----- c:\program files\DNA
2009-01-04 22:03 <DIR> -cd----- c:\docume~1\andi~1.and\applic~1\DNA
2009-01-04 22:03 <DIR> --d----- c:\program files\BitTorrent
2009-01-02 04:58 129,784 -------- c:\windows\system32\pxafs.dll
2008-12-24 00:40 1,661,209 a--sh--- c:\windows\system32\ogajcpbl.ini
2008-12-23 18:42 <DIR> --d----- C:\d8d31f839fd144018a
2008-12-23 17:51 <DIR> -cdsh--- c:\documents and settings\andi.andrealw\PrivacIE
2008-12-23 17:51 1,661,209 a--sh--- c:\windows\system32\onumunmf.ini
2008-12-23 17:46 <DIR> --d----- c:\windows\ie8updates
2008-12-23 17:44 902,467 a--sh--- c:\windows\system32\NUvwDfhk.ini2
2008-12-23 17:44 902,467 a--sh--- c:\windows\system32\NUvwDfhk.ini
2008-12-23 16:54 81,920 a------- c:\windows\system32\ieencode.dll
2008-12-23 08:42 <DIR> --d----- c:\windows\McAfee.com
2008-12-23 06:51 1,661,209 a--sh--- c:\windows\system32\eidhclgg.ini
2008-12-23 02:05 895,305 a--sh--- c:\windows\system32\pqprYcdd.ini2
2008-12-23 02:05 895,305 a--sh--- c:\windows\system32\pqprYcdd.ini
2008-12-21 19:26 32,592 a------- c:\windows\system32\msonpmon.dll
2008-12-21 19:15 <DIR> --d----- c:\program files\Microsoft Visual Studio 8

==================== Find3M ====================

2008-11-11 20:00 218,376 a------- c:\windows\system32\klogon.dll
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2006-05-22 10:23 13,824 ac------ c:\documents and settings\andi.andrealw\atwbxdet.dll

============= FINISH: 12:08:52.79 ===============


Quick Scan: completed 1/11/2009 7:29:28 AM (events: 18, objects: , time: 00:00:00)
1/11/2009 7:25:47 AM Task started
1/11/2009 7:29:28 AM Task completed
Quick Scan: completed 1/11/2009 7:29:28 AM (events: 18, objects: , time: 00:00:00)
1/11/2009 7:41:12 AM Task started
1/11/2009 8:09:19 AM Detected Virus HEUR:Trojan.Win32.Generic High Partial File C:\System Volume Information\_restore{D158B778-BCB8-4E79-81D5-084F51E021CC}\RP716\ A0199010.dll
1/11/2009 8:09:19 AM Detected Virus HEUR:Trojan.Win32.Generic High Partial File C:\System Volume Information\_restore{D158B778-BCB8-4E79-81D5-084F51E021CC}\RP716\ A0199009.dll
1/11/2009 8:09:24 AM Untreated Virus HEUR:Trojan.Win32.Generic High Partial File C:\System Volume Information\_restore{D158B778-BCB8-4E79-81D5-084F51E021CC}\RP716\ A0199010.dll Postponed
1/11/2009 8:09:28 AM Untreated Virus HEUR:Trojan.Win32.Generic High Partial File C:\System Volume Information\_restore{D158B778-BCB8-4E79-81D5-084F51E021CC}\RP716\ A0199009.dll Postponed
1/11/2009 11:07:24 AM Detected Virus HEUR:Trojan.Win32.Generic High Partial File C:\WINDOWS\system32\ kukolare.dll
1/11/2009 11:07:27 AM Untreated Virus HEUR:Trojan.Win32.Generic High Partial File C:\WINDOWS\system32\ kukolare.dll Postponed
1/11/2009 11:08:05 AM Detected Virus HEUR:Trojan.Win32.Generic High Partial File C:\WINDOWS\system32\ pumotozi.dll
1/11/2009 11:08:10 AM Untreated Virus HEUR:Trojan.Win32.Generic High Partial File C:\WINDOWS\system32\ pumotozi.dll Postponed
1/11/2009 11:15:50 AM Detected Virus HEUR:Trojan.Win32.Generic High Partial File C:\System Volume Information\_restore{D158B778-BCB8-4E79-81D5-084F51E021CC}\RP716\ A0199009.dll
1/11/2009 11:16:22 AM Detected Virus HEUR:Trojan.Win32.Generic High Partial File C:\System Volume Information\_restore{D158B778-BCB8-4E79-81D5-084F51E021CC}\RP716\ A0199010.dll
1/11/2009 11:16:46 AM Detected Virus HEUR:Trojan.Win32.Generic High Probably File C:\WINDOWS\system32\ kukolare.dll
1/11/2009 11:17:13 AM Detected Virus HEUR:Trojan.Win32.Generic High Partial File C:\WINDOWS\system32\ pumotozi.dll
1/11/2009 11:17:13 AM Task completed
Quick Scan: completed 1/11/2009 7:29:28 AM (events: 18, objects: , time: 00:00:00)
1/13/2009 12:37:50 PM Task completed
1/13/2009 12:36:50 PM Task started

Freedom really isn't free, it comes with a price. That price is the blood, sweat and tears of our men and women who risk their lives every day. If you want to do something special for them, say Thank You!

Sunbeam Freezing Storm ATX Mid-Tower Case, Asus M2N32-SLI Deluxe Wireless AM2 Motherboard, AMD Athlon 64x2 4400+ processor, Thermaltake CL-PO371 92mm HSF, Rosewill 550W ATX PSU, OCZ 4GB PC2 6400 Memory, Biostar GeForce 8500GT 512mb (x2 SLI) Video card, WD Caviar SE 120GB 7200rpm SATA 3.0 HDD

#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:05:22 PM

Posted 14 January 2009 - 04:03 AM

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall**

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Aendie

Aendie
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Female
  • Location:Norton, Va
  • Local time:04:22 AM

Posted 16 January 2009 - 01:12 PM

As requested, posting the Combo-Fix report I just finished. Below that is the newest HJT scan.

ComboFix 09-01-15.01 - Andi 2009-01-16 12:51:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1604 [GMT -5:00]
Running from: c:\documents and settings\Andi.ANDREALW\Desktop\Combo-Fix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\eidhclgg.ini
c:\windows\system32\kukolare.dll
c:\windows\system32\NUvwDfhk.ini
c:\windows\system32\NUvwDfhk.ini2
c:\windows\system32\ogajcpbl.ini
c:\windows\system32\onumunmf.ini
c:\windows\system32\pqprYcdd.ini
c:\windows\system32\pqprYcdd.ini2
c:\windows\system32\pumotozi.dll
c:\windows\system32\yuniyuzi.dll
c:\windows\Temp\tmp3.tmp

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.

2009-01-13 09:09 . 2009-01-13 11:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-13 09:09 . 2009-01-13 09:09 <DIR> d----c--- c:\documents and settings\Andi.ANDREALW\Application Data\Malwarebytes
2009-01-13 09:09 . 2009-01-13 09:09 <DIR> d----c--- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-01-13 09:09 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-13 09:09 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-13 09:04 . 2009-01-13 09:04 <DIR> d-------- c:\program files\Trend Micro
2009-01-13 06:40 . 2009-01-13 06:40 2,626 ---hs---- c:\windows\system32\yizodonu.dll
2009-01-13 06:40 . 2009-01-13 06:40 2,625 ---hs---- c:\windows\system32\pihenedo.dll
2009-01-13 06:40 . 2009-01-13 06:40 2,625 ---hs---- c:\windows\system32\nuhufise.dll
2009-01-12 16:46 . 2009-01-12 16:46 2,626 ---hs---- c:\windows\system32\nusayuta.dll
2009-01-12 16:46 . 2009-01-12 16:46 2,626 ---hs---- c:\windows\system32\dewezuwa.dll
2009-01-12 16:46 . 2009-01-12 16:46 2,624 ---hs---- c:\windows\system32\miharewo.dll
2009-01-11 16:56 . 2009-01-11 16:56 2,625 ---hs---- c:\windows\system32\pahiboji.dll
2009-01-11 16:56 . 2009-01-11 16:56 2,625 ---hs---- c:\windows\system32\narudoku.dll
2009-01-11 15:22 . 2009-01-11 15:22 <DIR> d----c--- c:\documents and settings\Andi.ANDREALW\Application Data\Windows Search
2009-01-11 13:48 . 2009-01-11 13:48 <DIR> d-------- c:\windows\system32\GroupPolicy
2009-01-11 13:48 . 2009-01-11 15:29 <DIR> d-------- c:\program files\Windows Desktop Search
2009-01-11 13:46 . 2008-03-07 12:02 192,000 -----c--- c:\windows\system32\dllcache\offfilt.dll
2009-01-11 13:46 . 2008-03-07 12:02 98,304 -----c--- c:\windows\system32\dllcache\nlhtml.dll
2009-01-11 13:46 . 2008-03-07 12:02 29,696 -----c--- c:\windows\system32\dllcache\mimefilt.dll
2009-01-11 07:37 . 2009-01-11 07:37 509 --a------ c:\windows\system32\%LocalXml%
2009-01-11 07:16 . 2009-01-11 07:16 96,976 --a------ c:\windows\system32\drivers\klin.dat
2009-01-11 07:16 . 2009-01-11 07:16 87,855 --a------ c:\windows\system32\drivers\klick.dat
2009-01-11 07:15 . 2009-01-11 07:15 <DIR> d-------- c:\program files\Kaspersky Lab
2009-01-11 07:15 . 2009-01-16 12:57 <DIR> d----c--- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2009-01-11 07:15 . 2009-01-16 12:55 4,293,664 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-01-11 07:15 . 2009-01-16 12:59 819,232 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2009-01-11 07:15 . 2009-01-16 12:55 34,624 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-01-11 07:15 . 2009-01-16 12:59 3,880 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2009-01-11 06:34 . 2009-01-11 06:34 <DIR> d----c--- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
2009-01-09 17:04 . 2009-01-09 23:24 <DIR> d----c--- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2009-01-09 09:38 . 2009-01-09 09:38 <DIR> d-------- c:\program files\PowerISO
2009-01-04 22:03 . 2009-01-16 12:57 <DIR> d-------- c:\program files\DNA
2009-01-04 22:03 . 2009-01-04 22:03 <DIR> d-------- c:\program files\BitTorrent
2009-01-04 22:03 . 2009-01-16 12:57 <DIR> d----c--- c:\documents and settings\Andi.ANDREALW\Application Data\DNA
2009-01-04 22:03 . 2009-01-08 05:34 <DIR> d----c--- c:\documents and settings\Andi.ANDREALW\Application Data\BitTorrent
2009-01-02 04:58 . 2009-01-02 04:59 <DIR> d-------- c:\program files\Winamp
2009-01-02 04:58 . 2009-01-02 04:59 <DIR> d----c--- c:\documents and settings\Andi.ANDREALW\Application Data\Winamp
2009-01-02 04:58 . 2007-03-07 18:51 129,784 --------- c:\windows\system32\pxafs.dll
2008-12-23 18:42 . 2008-12-23 18:42 <DIR> d-------- C:\d8d31f839fd144018a
2008-12-23 18:17 . 2008-12-23 18:17 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-23 17:51 . 2008-12-23 17:51 <DIR> d--hsc--- c:\documents and settings\Andi.ANDREALW\PrivacIE
2008-12-23 17:46 . 2008-12-26 19:12 <DIR> d-------- c:\windows\ie8updates
2008-12-23 16:54 . 2008-04-13 19:11 81,920 --a------ c:\windows\system32\ieencode.dll
2008-12-23 08:42 . 2008-12-23 08:42 <DIR> d-------- c:\windows\McAfee.com
2008-12-21 19:26 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-12-21 19:15 . 2008-12-21 19:15 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-12-21 19:11 . 2008-12-21 19:11 <DIR> dr-h----- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 11:53 --------- dc----w c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2009-01-11 11:25 --------- d-----w c:\program files\Windows Live
2009-01-10 04:24 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-10 04:07 --------- d-----w c:\program files\Lx_cats
2009-01-05 22:43 --------- d-----w c:\program files\Yahoo!
2008-12-23 11:40 --------- d-----w c:\program files\Common Files\Adobe
2008-12-22 07:19 --------- dc----w c:\documents and settings\Andi.ANDREALW\Application Data\LimeWire
2008-12-22 01:32 --------- dc----w c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-12-22 00:21 --------- d-----w c:\program files\MSBuild
2008-12-22 00:21 --------- d-----w c:\program files\Microsoft Works
2008-12-22 00:18 --------- d-----w c:\program files\Microsoft.NET
2008-12-22 00:06 --------- d-----w c:\program files\Microsoft SQL Server
2008-12-21 23:39 --------- d-----w c:\program files\Java
2008-12-20 05:38 --------- d-----w c:\program files\World of Warcraft
2008-12-16 22:06 --------- dc----w c:\documents and settings\All Users.WINDOWS\Application Data\yahoo!
2008-12-12 22:35 --------- d-----w c:\program files\Lexmark 2300 Series
2008-12-11 14:55 --------- dc----w c:\documents and settings\Andi\Application Data\FaxCtr
2008-12-11 14:53 --------- dc----w c:\documents and settings\All Users.WINDOWS\Application Data\FaxCtr
2008-11-28 17:35 --------- d-----w c:\program files\LimeWire
2008-11-28 17:24 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-17 21:10 --------- dc----w c:\documents and settings\Andi.ANDREALW\Application Data\Ventrilo
2008-11-17 20:25 --------- d-----w c:\program files\Common Files\Stardock
2008-11-17 20:18 --------- d-----w c:\program files\Ventrilo
2006-05-22 15:23 13,824 -c--a-w c:\documents and settings\Andi.ANDREALW\atwbxdet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-04 342848]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-11-11 206088]
"nForce Tray Options"="sstray.exe" [2003-10-24 c:\windows\system32\sstray.exe]
"nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-04-29 20:58 210168 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\FINAL FANTASY XI\\ToolsUS\\polboot.exe"=
"c:\\WINDOWS\\system32\\lxcgcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcgpswx.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
"135:TCP"= 135:TCP:TCP Port 135

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2008-07-03 113896]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
.
- - - - ORPHANS REMOVED - - - -

BHO-{660BC48C-FF1E-465A-BEAF-5A0540E4A80C} - c:\windows\system32\ddcYrpqp.dll
BHO-{91712FAC-36CA-47DA-88E9-B92299293A8D} - c:\windows\system32\khfDwvUN.dll
Notify-ljJCuRJC - ljJCuRJC.dll


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
ustart page = hxxp://my.yahoo.com/
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
TCP: {0262F50F-8E61-4309-9030-2061988D7D3D} = 68.87.68.162,68.87.74.162

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
c:\windows\Downloaded Program Files\MSIWDev.inf
FF - ProfilePath - c:\documents and settings\Andi.ANDREALW\Application Data\Mozilla\Firefox\Profiles\46tntapw.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/a/
FF - prefs.js: keyword.URL - hxxp://errorpage.comcast.net/?cat=Web&con=dc&safe=on&q=
FF - component: c:\documents and settings\Andi.ANDREALW\Application Data\Mozilla\Firefox\Profiles\46tntapw.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 12:57:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1993962763-1645522239-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1308)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\nvidia\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\nvidia\NetworkAccessManager\bin\nSvcIp.exe
c:\nvidia\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\nvidia\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\lxcgcoms.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-16 13:07:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-16 18:06:57

Pre-Run: 23,279,271,936 bytes free
Post-Run: 23,304,118,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=c:\$win_nt$.~bt\BOOTSECT.DAT
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
c:\$win_nt$.~bt\BOOTSECT.DAT="Microsoft Windows XP Setup"

236 --- E O F --- 2008-12-27 22:47:40


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:15 PM, on 1/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...472/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0262F50F-8E61-4309-9030-2061988D7D3D}: NameServer = 68.87.68.162,68.87.74.162
O17 - HKLM\System\CS1\Services\Tcpip\..\{0262F50F-8E61-4309-9030-2061988D7D3D}: NameServer = 68.87.68.162,68.87.74.162
O17 - HKLM\System\CS2\Services\Tcpip\..\{0262F50F-8E61-4309-9030-2061988D7D3D}: NameServer = 68.87.68.162,68.87.74.162
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

--
End of file - 7638 bytes
Freedom really isn't free, it comes with a price. That price is the blood, sweat and tears of our men and women who risk their lives every day. If you want to do something special for them, say Thank You!

Sunbeam Freezing Storm ATX Mid-Tower Case, Asus M2N32-SLI Deluxe Wireless AM2 Motherboard, AMD Athlon 64x2 4400+ processor, Thermaltake CL-PO371 92mm HSF, Rosewill 550W ATX PSU, OCZ 4GB PC2 6400 Memory, Biostar GeForce 8500GT 512mb (x2 SLI) Video card, WD Caviar SE 120GB 7200rpm SATA 3.0 HDD

#4 fenzodahl512


  • Members
  • 6,738 posts
  • Local time:05:22 PM

Posted 16 January 2009 - 01:24 PM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\yizodonu.dll
c:\windows\system32\pihenedo.dll
c:\windows\system32\nuhufise.dll
c:\windows\system32\nusayuta.dll
c:\windows\system32\dewezuwa.dll
c:\windows\system32\miharewo.dll
c:\windows\system32\pahiboji.dll
c:\windows\system32\narudoku.dll

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
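Triage logic for logs of the kind posted in this thread, added here as an example and not taken from the reply above or from the ComboFix/HijackThis authors. It runs over a constructed excerpt assembled from lines in the logs above and flags three things a helper looks for: system32 DLLs whose names fit the consonant-vowel pattern of the eight files in the CFScript (a heuristic from those names only, not a general Vundo signature), the Security Center / Windows Firewall registry values the log shows forced on or off, and HijackThis O2/O3 entries pointing at "(no file)"; `build_cfscript` only renders the KillAll::/File:: layout shown in the reply.

```python
"""Triage helper for ComboFix / HijackThis log excerpts (added example)."""
import re
from typing import Dict, List

# Constructed excerpt: lines copied in shape from the ComboFix and HijackThis
# logs in this thread, not a complete log.
SAMPLE_LOG = r"""
FILE ::
c:\windows\system32\dewezuwa.dll
c:\windows\system32\yizodonu.dll
2008-12-23 16:54 . 2008-04-13 19:11 81,920 --a------ c:\windows\system32\ieencode.dll
2009-01-11 07:16 . 2009-01-11 07:16 96,976 --a------ c:\windows\system32\drivers\klin.dat
BHO-{660BC48C-FF1E-465A-BEAF-5A0540E4A80C} - c:\windows\system32\ddcYrpqp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
"""

# Any 8-letter DLL directly in system32; the naming test below decides.
DLL_RE = re.compile(r"(c:\\windows\\system32\\([A-Za-z]{8})\.dll)", re.IGNORECASE)
# Consonant-vowel alternation, four pairs: the shape of the names in the File:: list
# (dewezuwa, yizodonu, ...). Legitimate names such as ieencode.dll do not fit it.
CV_NAME_RE = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
# HijackThis O2 (BHO) / O3 (toolbar) lines whose CLSID no longer resolves to a file.
HJT_NOFILE_RE = re.compile(
    r"^O[23] - .*?(\{[0-9A-Fa-f-]{36}\}) - \(no file\)", re.MULTILINE
)
# Security Center values that, when set, silence the "no antivirus / no updates" warnings.
SECURITY_CENTER_FLAGS = ("AntiVirusOverride", "UpdatesDisableNotify", "DisableMonitoring")


def find_random_name_dlls(log: str) -> List[str]:
    """Return system32 DLL paths whose stem fits the consonant-vowel heuristic, in log order."""
    hits: List[str] = []
    for path, stem in DLL_RE.findall(log):
        if CV_NAME_RE.match(stem.lower()) and path not in hits:
            hits.append(path)
    return hits


def find_security_center_overrides(log: str) -> Dict[str, str]:
    """Return registry values in the log that disable Security Center monitoring or the firewall."""
    found: Dict[str, str] = {}
    for name in SECURITY_CENTER_FLAGS:
        m = re.search(r'"' + name + r'"=dword:([0-9a-fA-F]{8})', log)
        if m and int(m.group(1), 16) != 0:
            found[name] = m.group(1)
    m = re.search(r'"EnableFirewall"=\s*(\d+)', log)
    if m and int(m.group(1)) == 0:
        found["EnableFirewall"] = m.group(1)
    return found


def find_orphan_hjt_entries(log: str) -> List[str]:
    """Return the distinct CLSIDs of O2/O3 entries that HijackThis reports as (no file)."""
    return sorted(set(HJT_NOFILE_RE.findall(log)))


def build_cfscript(paths: List[str]) -> str:
    """Render the KillAll:: / File:: layout used in the reply above for the given paths."""
    return "KillAll::\n\nFile::\n" + "\n".join(paths) + "\n"


def triage(log: str) -> dict:
    """Run all three checks over one log excerpt and draft a CFScript for the flagged DLLs."""
    dlls = find_random_name_dlls(log)
    return {
        "random_dlls": dlls,
        "overrides": find_security_center_overrides(log),
        "orphans": find_orphan_hjt_entries(log),
        "cfscript": build_cfscript(dlls),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key in ("random_dlls", "overrides", "orphans"):
        print(f"{key}: {result[key]}")
    print(result["cfscript"])
```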


#5 Aendie

  • Topic Starter

  • Members
  • 6 posts
  • Gender:Female
  • Location:Norton, Va
  • Local time:04:22 AM

Posted 16 January 2009 - 02:33 PM

OK, next round of post results.

ComboFix 09-01-15.01 - Andi 2009-01-16 14:12:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1537 [GMT -5:00]
Running from: c:\documents and settings\Andi.ANDREALW\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Andi.ANDREALW\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\dewezuwa.dll
c:\windows\system32\miharewo.dll
c:\windows\system32\narudoku.dll
c:\windows\system32\nuhufise.dll
c:\windows\system32\nusayuta.dll
c:\windows\system32\pahiboji.dll
c:\windows\system32\pihenedo.dll
c:\windows\system32\yizodonu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dewezuwa.dll
c:\windows\system32\miharewo.dll
c:\windows\system32\narudoku.dll
c:\windows\system32\nuhufise.dll
c:\windows\system32\nusayuta.dll
c:\windows\system32\pahiboji.dll
c:\windows\system32\pihenedo.dll
c:\windows\system32\yizodonu.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.

2009-01-13 09:09 . 2009-01-13 11:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-13 09:09 . 2009-01-13 09:09 <DIR> d----c--- c:\documents and settings\Andi.ANDREALW\Application Data\Malwarebytes
2009-01-13 09:09 . 2009-01-13 09:09 <DIR> d----c--- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-01-13 09:09 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-13 09:09 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-13 09:04 . 2009-01-13 09:04 <DIR> d-------- c:\program files\Trend Micro
2009-01-11 15:22 . 2009-01-11 15:22 <DIR> d----c--- c:\documents and settings\Andi.ANDREALW\Application Data\Windows Search
2009-01-11 13:48 . 2009-01-11 13:48 <DIR> d-------- c:\windows\system32\GroupPolicy
2009-01-11 13:48 . 2009-01-11 15:29 <DIR> d-------- c:\program files\Windows Desktop Search
2009-01-11 13:46 . 2008-03-07 12:02 192,000 -----c--- c:\windows\system32\dllcache\offfilt.dll
2009-01-11 13:46 . 2008-03-07 12:02 98,304 -----c--- c:\windows\system32\dllcache\nlhtml.dll
2009-01-11 13:46 . 2008-03-07 12:02 29,696 -----c--- c:\windows\system32\dllcache\mimefilt.dll
2009-01-11 07:37 . 2009-01-11 07:37 509 --a------ c:\windows\system32\%LocalXml%
2009-01-11 07:16 . 2009-01-11 07:16 96,976 --a------ c:\windows\system32\drivers\klin.dat
2009-01-11 07:16 . 2009-01-11 07:16 87,855 --a------ c:\windows\system32\drivers\klick.dat
2009-01-11 07:15 . 2009-01-11 07:15 <DIR> d-------- c:\program files\Kaspersky Lab
2009-01-11 07:15 . 2009-01-16 14:19 <DIR> d----c--- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2009-01-11 07:15 . 2009-01-16 14:16 4,293,664 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-01-11 07:15 . 2009-01-16 14:16 852,000 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2009-01-11 07:15 . 2009-01-16 14:16 34,624 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-01-11 07:15 . 2009-01-16 14:16 3,992 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2009-01-11 06:34 . 2009-01-11 06:34 <DIR> d----c--- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
2009-01-09 17:04 . 2009-01-09 23:24 <DIR> d----c--- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2009-01-09 09:38 . 2009-01-09 09:38 <DIR> d-------- c:\program files\PowerISO
2009-01-04 22:03 . 2009-01-16 14:19 <DIR> d-------- c:\program files\DNA
2009-01-04 22:03 . 2009-01-04 22:03 <DIR> d-------- c:\program files\BitTorrent
2009-01-04 22:03 . 2009-01-16 14:19 <DIR> d----c--- c:\documents and settings\Andi.ANDREALW\Application Data\DNA
2009-01-04 22:03 . 2009-01-08 05:34 <DIR> d----c--- c:\documents and settings\Andi.ANDREALW\Application Data\BitTorrent
2009-01-02 04:58 . 2009-01-02 04:59 <DIR> d-------- c:\program files\Winamp
2009-01-02 04:58 . 2009-01-02 04:59 <DIR> d----c--- c:\documents and settings\Andi.ANDREALW\Application Data\Winamp
2009-01-02 04:58 . 2007-03-07 18:51 129,784 --------- c:\windows\system32\pxafs.dll
2008-12-23 18:42 . 2008-12-23 18:42 <DIR> d-------- C:\d8d31f839fd144018a
2008-12-23 18:17 . 2008-12-23 18:17 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-23 17:51 . 2008-12-23 17:51 <DIR> d--hsc--- c:\documents and settings\Andi.ANDREALW\PrivacIE
2008-12-23 17:46 . 2008-12-26 19:12 <DIR> d-------- c:\windows\ie8updates
2008-12-23 16:54 . 2008-04-13 19:11 81,920 --a------ c:\windows\system32\ieencode.dll
2008-12-23 08:42 . 2008-12-23 08:42 <DIR> d-------- c:\windows\McAfee.com
2008-12-21 19:26 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-12-21 19:15 . 2008-12-21 19:15 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-12-21 19:11 . 2008-12-21 19:11 <DIR> dr-h----- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 11:53 --------- dc----w c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2009-01-11 11:25 --------- d-----w c:\program files\Windows Live
2009-01-10 04:24 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-10 04:07 --------- d-----w c:\program files\Lx_cats
2009-01-05 22:43 --------- d-----w c:\program files\Yahoo!
2008-12-23 11:40 --------- d-----w c:\program files\Common Files\Adobe
2008-12-22 07:19 --------- dc----w c:\documents and settings\Andi.ANDREALW\Application Data\LimeWire
2008-12-22 01:32 --------- dc----w c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-12-22 00:21 --------- d-----w c:\program files\MSBuild
2008-12-22 00:21 --------- d-----w c:\program files\Microsoft Works
2008-12-22 00:18 --------- d-----w c:\program files\Microsoft.NET
2008-12-22 00:06 --------- d-----w c:\program files\Microsoft SQL Server
2008-12-21 23:39 --------- d-----w c:\program files\Java
2008-12-20 05:38 --------- d-----w c:\program files\World of Warcraft
2008-12-16 22:06 --------- dc----w c:\documents and settings\All Users.WINDOWS\Application Data\yahoo!
2008-12-12 22:35 --------- d-----w c:\program files\Lexmark 2300 Series
2008-12-11 14:55 --------- dc----w c:\documents and settings\Andi\Application Data\FaxCtr
2008-12-11 14:53 --------- dc----w c:\documents and settings\All Users.WINDOWS\Application Data\FaxCtr
2008-11-28 17:35 --------- d-----w c:\program files\LimeWire
2008-11-28 17:24 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-17 21:10 --------- dc----w c:\documents and settings\Andi.ANDREALW\Application Data\Ventrilo
2008-11-17 20:25 --------- d-----w c:\program files\Common Files\Stardock
2008-11-17 20:18 --------- d-----w c:\program files\Ventrilo
2006-05-22 15:23 13,824 -c--a-w c:\documents and settings\Andi.ANDREALW\atwbxdet.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-16_13.05.30.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-16 19:18:25 16,384 ----atw c:\windows\temp\Perflib_Perfdata_4ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-04 342848]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-11-11 206088]
"nForce Tray Options"="sstray.exe" [2003-10-24 c:\windows\system32\sstray.exe]
"nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-04-29 20:58 210168 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\FINAL FANTASY XI\\ToolsUS\\polboot.exe"=
"c:\\WINDOWS\\system32\\lxcgcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcgpswx.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
"135:TCP"= 135:TCP:TCP Port 135

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2008-07-03 113896]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
ustart page = hxxp://my.yahoo.com/
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
TCP: {0262F50F-8E61-4309-9030-2061988D7D3D} = 68.87.68.162,68.87.74.162

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
c:\windows\Downloaded Program Files\MSIWDev.inf
FF - ProfilePath - c:\documents and settings\Andi.ANDREALW\Application Data\Mozilla\Firefox\Profiles\46tntapw.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/a/
FF - prefs.js: keyword.URL - hxxp://errorpage.comcast.net/?cat=Web&con=dc&safe=on&q=
FF - component: c:\documents and settings\Andi.ANDREALW\Application Data\Mozilla\Firefox\Profiles\46tntapw.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 14:18:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1993962763-1645522239-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1312)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\nvidia\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\nvidia\NetworkAccessManager\bin\nSvcIp.exe
c:\nvidia\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\nvidia\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\lxcgcoms.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-16 14:28:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-16 19:28:00
ComboFix2.txt 2009-01-16 18:07:04

Pre-Run: 23,247,052,800 bytes free
Post-Run: 23,279,616,000 bytes free

222 --- E O F --- 2008-12-27 22:47:40


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:30:53 PM, on 1/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...472/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0262F50F-8E61-4309-9030-2061988D7D3D}: NameServer = 68.87.68.162,68.87.74.162
O17 - HKLM\System\CS1\Services\Tcpip\..\{0262F50F-8E61-4309-9030-2061988D7D3D}: NameServer = 68.87.68.162,68.87.74.162
O17 - HKLM\System\CS2\Services\Tcpip\..\{0262F50F-8E61-4309-9030-2061988D7D3D}: NameServer = 68.87.68.162,68.87.74.162
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

--
End of file - 7655 bytes
Freedom really isn't free, it comes with a price. That price is the blood, sweat and tears of our men and women who risk their lives every day. If you want to do something special for them, say Thank You!

Sunbeam Freezing Storm ATX Mid-Tower Case, Asus M2N32-SLI Deluxe Wireless AM2 Motherboard, AMD Athlon 64x2 4400+ processor, Thermaltake CL-PO371 92mm HSF, Rosewill 550W ATX PSU, OCZ 4GB PC2 6400 Memory, Biostar GeForce 8500GT 512mb (x2 SLI) Video card, WD Caviar SE 120GB 7200rpm SATA 3.0 HDD

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:05:22 PM

Posted 16 January 2009 - 02:43 PM

A lot better. Let's do an online scan to make sure we got them all.


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


How's the computer now? :thumbsup:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 Aendie

Aendie
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Female
  • Location:Norton, Va
  • Local time:04:22 AM

Posted 16 January 2009 - 06:55 PM

Scan results: No threats found.

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3772 (20090116)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=8c54276c0520ff4099526956b501da8c
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-16 11:46:40
# local_time=2009-01-16 06:46:40 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=285546
# found=0
# scan_time=5061


Ran another HJT as well:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:27 PM, on 1/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...472/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0262F50F-8E61-4309-9030-2061988D7D3D}: NameServer = 68.87.68.162,68.87.74.162
O17 - HKLM\System\CS1\Services\Tcpip\..\{0262F50F-8E61-4309-9030-2061988D7D3D}: NameServer = 68.87.68.162,68.87.74.162
O17 - HKLM\System\CS2\Services\Tcpip\..\{0262F50F-8E61-4309-9030-2061988D7D3D}: NameServer = 68.87.68.162,68.87.74.162
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

--
End of file - 7752 bytes

Runs oh, so much better now! *dances with joy* Thank you so very much! Any recommendations on a better anti-virus, firewall, malware setup?
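A small triage script for HijackThis logs like the two posted in this thread. This is an added example, not code from the thread, from HijackThis or from any tool the helpers used. The sample lines are copied from the log above; the `expected_dns` list is a hypothetical value the reader fills in from their router or ISP. It flags the two leftovers still visible in the "clean" log (an O2/O3 CLSID registered with "(no file)" and an O23 service with "(file missing)"), and collects the O17 NameServer entries so they can be compared against the resolvers the connection should be using, since swapping the configured DNS servers is a common way for malware to keep redirecting a machine after its files are gone.

```python
import re
from dataclasses import dataclass

# Sample HijackThis lines, copied from the log posted in this thread (a constructed subset).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{0262F50F-8E61-4309-9030-2061988D7D3D}: NameServer = 68.87.68.162,68.87.74.162
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
"""

# One HijackThis entry is "<section> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
# Interface GUID followed by the NameServer list, as written in O17 entries.
O17_RE = re.compile(r"(\{[0-9A-Fa-f-]{36}\}): NameServer = (.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (section, body, full_line) for every HijackThis entry line."""
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def nameservers(log_text):
    """Map each interface GUID to the DNS servers its O17 entry lists.

    CCS, CS1 and CS2 repeat the same interface, so the first entry wins.
    """
    out = {}
    for section, body, _ in parse_entries(log_text):
        if section != "O17":
            continue
        m = O17_RE.search(body)
        if m:
            servers = [s.strip() for s in m.group(2).split(",")]
            out.setdefault(m.group(1), servers)
    return out


def triage(log_text, expected_dns=None):
    """Return Findings for leftover registrations and unexpected DNS servers.

    expected_dns is the set of resolvers the machine should use (router or ISP);
    when it is None, O17 entries are not judged, only reported by nameservers().
    """
    findings = []
    for section, body, line in parse_entries(log_text):
        if section in ("O2", "O3") and body.endswith("(no file)"):
            # A CLSID still registered as a BHO/toolbar with no DLL behind it:
            # harmless on its own, but a leftover that HijackThis should fix.
            findings.append(Finding(section, "orphaned CLSID registration (no file)", line))
        elif section == "O23" and body.endswith("(file missing)"):
            # A service whose binary is gone; either an uninstall remnant or a
            # removed malicious file whose service entry was left behind.
            findings.append(Finding(section, "service points at a missing binary", line))
        elif section == "O17" and expected_dns is not None:
            m = O17_RE.search(body)
            servers = {s.strip() for s in m.group(2).split(",")} if m else set()
            unexpected = sorted(servers - set(expected_dns))
            if unexpected:
                findings.append(Finding(section, f"DNS servers not in expected set: {unexpected}", line))
    return findings


if __name__ == "__main__":
    for guid, servers in nameservers(SAMPLE_LOG).items():
        print(f"interface {guid} resolves via {', '.join(servers)}")
    # Hypothetical expected resolvers; replace with the router's or ISP's addresses.
    for f in triage(SAMPLE_LOG, expected_dns=["68.87.68.162", "68.87.74.162"]):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Run it against a full saved HijackThis log by reading the file into `triage()`; the O17 check only fires when you pass the resolvers you actually expect, so an empty DNS list will not be silently accepted as clean.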

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:05:22 PM

Posted 17 January 2009 - 01:52 AM

Any recommendations on a better anti-virus, firewall, malware setup?


You already have Kaspersky Internet Security 2009... Just couple it with Malwarebytes'... I won't recommend anything that tops that :thumbsup:


Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have an internet connection.
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512



#9 Aendie

Aendie
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Female
  • Location:Norton, Va
  • Local time:04:22 AM

Posted 17 January 2009 - 04:49 AM

Everything seems to be running great now, no more popups or errors so far, and Kaspersky is only notifying me about security website certificates now.
Appreciate all the help and hard work, thank you very much! :thumbsup:

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:05:22 PM

Posted 17 January 2009 - 05:08 AM

You are very welcome, I'm glad that we could help.

I will now close this topic. If you need this topic to be reopened, please PM me or a Moderator regarding the matter.

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing!

fenzodahl512

