Vundo Virus? or other spyware


8 replies to this topic

#1 NickyCee


Posted 02 February 2009 - 10:02 AM

I have had the Virtumonde.dll virus before, but I believed I had managed to get rid of it. Then all of a sudden it started to go slow again... Believing it was just my computer, I never went on it and used the laptop for the next 3 months. I switched it on yesterday and did an anti-virus scan to see that Virtumonde was back and had been found by AVG Anti-Virus. I have run the 5 anti-viruses I have on my computer to try and get rid of the problem, and only Spyware Doctor has found a high level threat that is a startup program, but I am unable to purchase the full version in order to remove it. So if you could look through my log to see if anything unusual is there in order to get rid of this startup program, that would be great.

Many thanks in advance


DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 14:47:29.67 on 02/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.255.55 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
c:\program files\common files\aol\1133385078\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
c:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://en.wikipedia.org/wiki/Main_Page
uDefault_Page_URL = hxxp://gb10.hpwis.com/
uDefault_Search_URL = hxxp://srch-gb10.hpwis.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
BHO: {03080D16-7C2E-40C5-8601-EDFA69F09AEA} - No File
BHO: {152085DF-E8E6-481E-B8F3-43996E476834} - No File
BHO: {47D22A6E-B2D6-466E-8128-0357AE1D5F12} - No File
BHO: {71F8732B-8179-479B-8D3A-E318334F9DC1} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {90B35807-51AF-48F9-87FC-1EE106DB884B} - No File
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: {a5d37a26-2d1d-4803-a204-feafa4b933d7} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: {AB115433-9AF6-4F5B-B177-B9B6B1D84390} - No File
BHO: {d5fb3236-d523-4fbf-bd8a-391194b5011a} - No File
BHO: {D61128F1-772D-4315-8120-552832E511DB} - No File
BHO: {D8BF4947-BC4D-493C-A304-798468C640EA} - No File
BHO: {D9BADC3D-024E-48B9-9449-FE32D1BD6E5C} - No File
BHO: {E79FE4B4-CB2C-4FB0-8E21-C1676DF90A37} - No File
BHO: {ECF0CEA3-E0EA-4B40-9A7F-146EFD94027E} - No File
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RecordNow!]
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [BackupNotify] c:\program files\hp\digital imaging\bin\backupnotify.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Spark] c:\program files\spark\Spark.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [CamMonitor] c:\program files\hp\digital imaging\unload\hpqcmon.exe
mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [VTTimer] VTTimer.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [HostManager] c:\program files\common files\aol\1133385078\ee\AOLSoftware.exe
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [View Blue Mpeg Start] c:\documents and settings\all users\application data\for bows view blue\One math.exe
mRun: [SpyHunter]
mRun: [Lexmark 3100 Series] "c:\program files\lexmark 3100 series\lxbrbmgr.exe"
mRun: [LXBRKsk] c:\progra~1\lexmar~1\LXBRKsk.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: gamewinners.com\www
Trusted Zone: killsometime.com
Trusted Zone: myspace.com\profile
Trusted Zone: youtube.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: efcDWPfF - efcDWPfF.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: bestreak - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJCrOIC
LSA: Notification Packages = scecli scecli scecli scecli

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-22 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-19 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-22 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-5-28 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]
R3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-6-22 42376]
R3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-6-22 66952]
R3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-6-22 81288]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================


==================== Find3M ====================

2009-01-31 12:31 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-31 12:31 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-31 12:31 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2008-11-30 20:00 85,600 ac------ c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2008-11-05 22:00 3,688 ac------ c:\windows\system32\d3d9caps.dat
2008-06-06 09:30 515,741 ac-sh--- c:\windows\system32\CLkSstwa.ini2
2008-06-05 11:49 521,014 ac-sh--- c:\windows\system32\hkSvCJjl.ini2
2008-06-05 16:04 498,597 ac-sh--- c:\windows\system32\IiPrCfhk.ini2
2008-06-08 18:29 496,555 ac-sh--- c:\windows\system32\Nporqtwa.ini2
2008-06-09 22:18 456 ac-sh--- c:\windows\system32\nXwayGgh.ini2
2008-06-07 08:07 456 a--sh--- c:\windows\system32\UBIkRXyb.ini2
2008-06-20 11:09 651,893 a--sh--- c:\windows\system32\vEOqWvut.ini2

============= FINISH: 14:49:23.26 ===============
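As an added example (not code from the thread or its participants), the following Python script parses the "Pseudo HJT Report" and "Find3M" sections of a DDS log like the one above and reports the entries a helper reads first: LSA authentication packages beyond the Windows XP default, Winlogon Notify DLLs not on an allowlist, hidden .ini2 files in system32, and BHO registrations whose file is gone. The default-package set and the Notify allowlist are assumptions; the script flags items for review rather than labelling them as malware.

```python
import re
from collections import defaultdict

# Excerpt of the "Pseudo HJT Report" and "Find3M" sections of the DDS log
# posted above; these lines are copied from the thread, not constructed.
SAMPLE_DDS = r"""
BHO: {03080D16-7C2E-40C5-8601-EDFA69F09AEA} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {AB115433-9AF6-4F5B-B177-B9B6B1D84390} - No File
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: efcDWPfF - efcDWPfF.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJCrOIC
2009-01-31 12:31 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-06-06 09:30 515,741 ac-sh--- c:\windows\system32\CLkSstwa.ini2
2008-06-09 22:18 456 ac-sh--- c:\windows\system32\nXwayGgh.ini2
2008-06-07 08:07 456 a--sh--- c:\windows\system32\UBIkRXyb.ini2
"""

# Assumption: a stock Windows XP install lists only msv1_0 as an LSA authentication
# package; any extra entry is loaded by lsass at boot and needs a known owner.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# Assumption: Winlogon Notify DLLs of products visible in the log (SUPERAntiSpyware,
# ATI, AVG, Intel graphics). Anything else is reported for review, not declared malicious.
KNOWN_NOTIFY_DLLS = {"saswinlo.dll", "ati2evxx.dll", "avgrsstx.dll", "igfxsrvc.dll"}

# Find3M row: date, time, size with thousands separators, 8-character attribute
# string (a=archive, c=compressed, s=system, h=hidden, r=read-only), then the path.
FIND3M_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+([\d,]+)\s+([a-z-]{8})\s+(.+)$", re.I
)


def parse_dds(text):
    """Group 'Prefix: value' lines by prefix and collect Find3M file rows."""
    entries = defaultdict(list)
    files = []
    for line in text.splitlines():
        line = line.strip()
        m = FIND3M_RE.match(line)
        if m:
            size, attrs, path = m.groups()
            files.append({"size": int(size.replace(",", "")),
                          "attrs": attrs.lower(), "path": path})
            continue
        prefix, sep, value = line.partition(": ")
        if sep:
            entries[prefix].append(value)
    return entries, files


def extra_auth_packages(entries):
    """LSA authentication packages beyond the default set."""
    found = []
    for value in entries.get("LSA", []):
        key, sep, packages = value.partition(" = ")
        if sep and key == "Authentication Packages":
            found += [p for p in packages.split()
                      if p.lower() not in DEFAULT_AUTH_PACKAGES]
    return found


def unknown_notify_dlls(entries):
    """Winlogon Notify DLLs whose file name is not on the allowlist."""
    flagged = []
    for value in entries.get("Notify", []):
        dll = value.rpartition(" - ")[2]
        name = dll.rsplit("\\", 1)[-1]
        if name.lower() not in KNOWN_NOTIFY_DLLS:
            flagged.append(name)
    return flagged


def hidden_system32_ini2(files):
    """Hidden (attribute 'h') *.ini2 files under system32 from the Find3M rows."""
    return [f["path"] for f in files
            if "h" in f["attrs"] and f["path"].lower().endswith(".ini2")
            and "\\system32\\" in f["path"].lower()]


def orphan_bhos(entries):
    """BHO CLSIDs whose DLL is gone ('No File'): dead registrations to clean up."""
    return [v.split(" - ")[0] for v in entries.get("BHO", [])
            if v.endswith(" - No File")]


def triage(text):
    """Run every check over one DDS log and return the hits per check."""
    entries, files = parse_dds(text)
    return {
        "extra_auth_packages": extra_auth_packages(entries),
        "unknown_notify_dlls": unknown_notify_dlls(entries),
        "hidden_ini2": hidden_system32_ini2(files),
        "orphan_bhos": orphan_bhos(entries),
    }
```

Running `triage(SAMPLE_DDS)` on the excerpt reports one extra LSA package, one Notify DLL off the allowlist, three hidden .ini2 files and two orphan BHOs; on a full log the same calls take the whole pasted text.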


#2 miekiemoes


Posted 03 February 2009 - 04:34 AM

Hi,

First of all, since you didn't purchase Spyware Doctor, it won't delete anything either, so I suggest you uninstall it. This is because it causes an extra slowdown, since it starts up with Windows, and is actually useless since it won't remove anything.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 NickyCee


Posted 03 February 2009 - 07:28 PM

I have since updated my Java, uninstalled Spyware Doctor and some other programs that I haven't used for a long while... mostly games etc. I downloaded ComboFix and went to run it, and a message shortly comes up stating:

prep.com has encountered a problem and needs to close.
We are sorry for the inconvenience.

I have tried to download from bleepingcomputer and both other websites and all 3 files say the same... so I am unsure what to do next.

Also, do I need a new HijackThis log due to me uninstalling certain programs and updating Java?

Regards

#4 miekiemoes


Posted 04 February 2009 - 02:19 AM

Hi,

Did you follow the instructions on how to use Combofix? It's really important that all Security Software is disabled before you download/run Combofix; that's why you got this error, since your Antivirus may block or even delete prep.com, which is a part of Combofix.

So, please try again. If you're still having the same issue, redownload Combofix again and run from Windows safe mode.

No need to post a new HijackThis log after installing / uninstalling certain programs. The Combofix log should show it as well.

#5 NickyCee


Posted 04 February 2009 - 03:01 PM

I couldn't get it running in normal mode, as the AVG process must not have been showing even though I disabled it. I ran it in safe mode and this is the log that it gave me...
Any information as to what it was that it deleted would be great, or whether it was the virus that I thought it was.

Thanks


ComboFix 09-02-04.01 - Administrator 2009-02-04 19:24:08.1 - NTFSx86 NETWORK
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\BM17607aa5.txt
c:\windows\BM17607aa5.xml
c:\windows\pskt.ini
c:\windows\system32\_003892_.tmp.dll
c:\windows\system32\_003893_.tmp.dll
c:\windows\system32\_003894_.tmp.dll
c:\windows\system32\_003895_.tmp.dll
c:\windows\system32\_003902_.tmp.dll
c:\windows\system32\_003903_.tmp.dll
c:\windows\system32\_003904_.tmp.dll
c:\windows\system32\_003906_.tmp.dll
c:\windows\system32\_003907_.tmp.dll
c:\windows\system32\_003910_.tmp.dll
c:\windows\system32\_003911_.tmp.dll
c:\windows\system32\_003913_.tmp.dll
c:\windows\system32\_003914_.tmp.dll
c:\windows\system32\_003915_.tmp.dll
c:\windows\system32\_003916_.tmp.dll
c:\windows\system32\_003917_.tmp.dll
c:\windows\system32\_003920_.tmp.dll
c:\windows\system32\_003921_.tmp.dll
c:\windows\system32\_003925_.tmp.dll
c:\windows\system32\_003926_.tmp.dll
c:\windows\system32\_003928_.tmp.dll
c:\windows\system32\_003931_.tmp.dll
c:\windows\system32\_003933_.tmp.dll
c:\windows\system32\_003934_.tmp.dll
c:\windows\system32\_003935_.tmp.dll
c:\windows\system32\_003936_.tmp.dll
c:\windows\system32\_003939_.tmp.dll
c:\windows\system32\_003940_.tmp.dll
c:\windows\system32\_003941_.tmp.dll
c:\windows\system32\_003942_.tmp.dll
c:\windows\system32\_003943_.tmp.dll
c:\windows\system32\_003948_.tmp.dll
c:\windows\system32\_003950_.tmp.dll
c:\windows\system32\_006132_.tmp.dll
c:\windows\system32\_006133_.tmp.dll
c:\windows\system32\_006134_.tmp.dll
c:\windows\system32\_006135_.tmp.dll
c:\windows\system32\_006142_.tmp.dll
c:\windows\system32\_006143_.tmp.dll
c:\windows\system32\_006144_.tmp.dll
c:\windows\system32\_006145_.tmp.dll
c:\windows\system32\_006147_.tmp.dll
c:\windows\system32\_006148_.tmp.dll
c:\windows\system32\_006151_.tmp.dll
c:\windows\system32\_006152_.tmp.dll
c:\windows\system32\_006154_.tmp.dll
c:\windows\system32\_006155_.tmp.dll
c:\windows\system32\_006156_.tmp.dll
c:\windows\system32\_006157_.tmp.dll
c:\windows\system32\_006158_.tmp.dll
c:\windows\system32\_006161_.tmp.dll
c:\windows\system32\_006162_.tmp.dll
c:\windows\system32\_006166_.tmp.dll
c:\windows\system32\_006167_.tmp.dll
c:\windows\system32\_006169_.tmp.dll
c:\windows\system32\_006172_.tmp.dll
c:\windows\system32\_006174_.tmp.dll
c:\windows\system32\_006175_.tmp.dll
c:\windows\system32\_006176_.tmp.dll
c:\windows\system32\_006177_.tmp.dll
c:\windows\system32\_006178_.tmp.dll
c:\windows\system32\_006181_.tmp.dll
c:\windows\system32\_006182_.tmp.dll
c:\windows\system32\_006183_.tmp.dll
c:\windows\system32\_006184_.tmp.dll
c:\windows\system32\_006185_.tmp.dll
c:\windows\system32\_006190_.tmp.dll
c:\windows\system32\_006192_.tmp.dll
c:\windows\system32\_006193_.tmp.dll
c:\windows\system32\CIOrCJjl.ini
c:\windows\system32\CLkSstwa.ini
c:\windows\system32\CLkSstwa.ini2
c:\windows\system32\hkSvCJjl.ini
c:\windows\system32\hkSvCJjl.ini2
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\IiPrCfhk.ini
c:\windows\system32\IiPrCfhk.ini2
c:\windows\system32\lushkxjl.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\nopfdjjm.ini
c:\windows\system32\Nporqtwa.ini
c:\windows\system32\Nporqtwa.ini2
c:\windows\system32\nXwayGgh.ini
c:\windows\system32\nXwayGgh.ini2
c:\windows\system32\pmrjrxcy.ini
c:\windows\system32\UBIkRXyb.ini
c:\windows\system32\UBIkRXyb.ini2
c:\windows\system32\vEOqWvut.ini
c:\windows\system32\vEOqWvut.ini2
c:\windows\system32\xacgdcwm.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-04 19:20 . 2003-01-01 10:49 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-02-04 19:20 . 2003-01-01 08:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-02-04 19:20 . 2003-01-01 10:43 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-02-04 19:20 . 2003-01-01 11:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SampleView
2009-02-04 19:20 . 2009-02-04 19:20 <DIR> d-------- c:\documents and settings\Administrator
2009-02-03 00:25 . 2009-02-03 00:24 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-02 19:21 . 2003-10-28 22:57 1,164,032 --a------ c:\windows\system32\dllcache\ati3duag.dll
2009-02-02 19:21 . 2003-10-28 22:43 853,088 --a------ c:\windows\system32\dllcache\ati3d1ag.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 23:35 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-03 23:35 --------- d-----w c:\program files\iPod
2009-02-03 23:33 --------- d-----w c:\program files\Cooking Dash
2009-02-03 23:33 --------- d-----w c:\program files\Alice Greenfingers
2009-02-03 23:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-03 00:24 --------- d-----w c:\program files\Java
2009-01-31 12:32 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-31 12:31 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-31 12:31 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-31 12:31 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-11-30 20:00 85,600 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2003-06-22 24576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-27 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"NVIEW"="nview.dll" [2003-08-19 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"CamMonitor"="c:\program files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-08-19 4841472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-01 335872]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 139264]
"HostManager"="c:\program files\Common Files\AOL\1133385078\ee\AOLSoftware.exe" [2006-11-17 50736]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 79448]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-03 136600]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-07-28 106496]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-31 1601304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"nwiz"="nwiz.exe" [2003-08-19 c:\windows\system32\nwiz.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\warnhp.html
FriendlyName= Warning homepage

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-31 12:31 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\Nicky\\Stuff\\[ PC Games ] - Age of Empires II(FULL)\\age2_x1.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\AOL\\1133385078\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2126:TCP"= 2126:TCP:Port One
"2126:UDP"= 2126:UDP:Port Two

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-01-31 325128]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-01-31 107272]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-05-28 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-28 55024]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-31 903960]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-31 298264]


--- Other Services/Drivers In Memory ---


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-02-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{03080D16-7C2E-40C5-8601-EDFA69F09AEA} - (no file)
BHO-{152085DF-E8E6-481E-B8F3-43996E476834} - (no file)
BHO-{47D22A6E-B2D6-466E-8128-0357AE1D5F12} - (no file)
BHO-{71F8732B-8179-479B-8D3A-E318334F9DC1} - (no file)
BHO-{90B35807-51AF-48F9-87FC-1EE106DB884B} - (no file)
BHO-{a5d37a26-2d1d-4803-a204-feafa4b933d7} - (no file)
BHO-{AB115433-9AF6-4F5B-B177-B9B6B1D84390} - (no file)
BHO-{d5fb3236-d523-4fbf-bd8a-391194b5011a} - (no file)
BHO-{D61128F1-772D-4315-8120-552832E511DB} - (no file)
BHO-{D8BF4947-BC4D-493C-A304-798468C640EA} - (no file)
BHO-{D9BADC3D-024E-48B9-9449-FE32D1BD6E5C} - (no file)
BHO-{E79FE4B4-CB2C-4FB0-8E21-C1676DF90A37} - (no file)
BHO-{ECF0CEA3-E0EA-4B40-9A7F-146EFD94027E} - (no file)
HKCU-Run-Spark - c:\program files\Spark\Spark.exe
HKCU-Run-RecordNow! - (no file)
HKLM-Run-HPHUPD05 - c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HKLM-Run-View Blue Mpeg Start - c:\documents and settings\All Users\Application Data\For Bows View Blue\One math.exe
HKLM-Run-VTTimer - VTTimer.exe
HKLM-Run-SpyHunter - (no file)
SharedTaskScheduler-bestreak - (no file)
Notify-dimsntfy - (no file)
Notify-efcDWPfF - efcDWPfF.dll
MSConfigStartUp-Acme - c:\progra~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\pchbutton.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.wikipedia.org/wiki/Main_Page
uDefault_Search_URL = hxxp://srch-gb10.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: gamewinners.com\www
Trusted Zone: killsometime.com
Trusted Zone: myspace.com\profile
Trusted Zone: youtube.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 19:35:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
@DACL=(02 0000)
@="bootstrap.application.1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(504)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\wanmpsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Lexmark 3100 Series\lxbrbmon.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\LimeWire\LimeWire.exe
c:\program files\Common Files\AOL\1133385078\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-04 19:51:55 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-02-04 19:51:44

Pre-Run: 77,525,729,280 bytes free
Post-Run: 77,655,986,176 bytes free

431 --- E O F --- 2009-02-02 20:06:30

Edited by NickyCee, 04 February 2009 - 03:03 PM.


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:12:22 PM

Posted 04 February 2009 - 03:05 PM

Hi,

This is much better - almost done.

Just one leftover we have to delete (an older Active Desktop hijacker), so:
* Go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab
Select "Warning homepage" and press the Delete button on the right.
Hit OK below, then Apply in the previous window.

Then, open Notepad and copy and paste the text in the quotebox below into it
(don't forget to copy and paste REGEDIT4):

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33331111-1111-1111-1111-622221193458}]

Save this as fix.reg (choose to save as *all files) and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.


Then:
* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /.
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then, please change all your passwords since they may be known.

Let me know in your next reply how things are now.

Edited by miekiemoes, 04 February 2009 - 03:07 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
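As an added example (not part of this thread, and not ComboFix's own code), a small triage script over lines in the format of the log posted above: it flags the mountpoints2 autorun command, the locally installed DPF CAB that the reply deletes, the random-named winlogon Notify DLL, a Run entry launching from Application Data, and orphaned entries, and emits a REGEDIT4 stub of the same shape as the posted fix.reg. The rules and the random-name heuristic are my own assumptions; the sample lines are copied from the log above.

```python
import re

# Constructed sample input in ComboFix's log format; these particular lines
# are copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
BHO-{03080D16-7C2E-40C5-8601-EDFA69F09AEA} - (no file)
HKLM-Run-View Blue Mpeg Start - c:\documents and settings\All Users\Application Data\For Bows View Blue\One math.exe
Notify-efcDWPfF - efcDWPfF.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
Trusted Zone: youtube.com
"""

DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]{36}\}|[^-]+?) - (\S+)$")
NOTIFY_RE = re.compile(r"^Notify-(\w+) - (\w+)\.dll$")
RUN_RE = re.compile(r"^HK(?:LM|CU)-Run-.+? - (.+)$")

def looks_random(name):
    """Heuristic (my assumption) for Vundo-style names such as efcDWPfF:
    exactly 8 letters with at least three upper/lower case changes."""
    if len(name) != 8 or not name.isalpha():
        return False
    flips = sum(a.islower() != b.islower() for a, b in zip(name, name[1:]))
    return flips >= 3

def triage(log):
    """Return (severity, reason, line) for every log line matching a rule."""
    hits = []
    for line in log.splitlines():
        line = line.strip()
        if line.startswith(r"\Shell\AutoRun\command"):
            hits.append(("high", "autorun command on a drive mountpoint", line))
        elif (m := DPF_RE.match(line)) and m.group(2).lower().startswith("file://") \
                and "\\windows\\" not in m.group(2).lower():
            hits.append(("high", "ActiveX CAB installed from a local file outside Windows", line))
        elif (m := NOTIFY_RE.match(line)) and looks_random(m.group(2)):
            hits.append(("high", "winlogon Notify DLL with random-looking name", line))
        elif (m := RUN_RE.match(line)) and "application data" in m.group(1).lower():
            hits.append(("medium", "Run entry launching from Application Data", line))
        elif line.endswith("- (no file)"):
            hits.append(("low", "orphaned entry, target file missing", line))
    return hits

def reg_delete_dpf(clsid):
    """REGEDIT4 text removing the Code Store Database unit for one CLSID; the
    leading '-' inside the brackets deletes the key, as in the posted fix.reg."""
    return ("REGEDIT4\n\n[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Code Store Database"
            "\\Distribution Units\\%s]\n" % clsid)

if __name__ == "__main__":
    for sev, why, line in triage(SAMPLE_LOG):
        print("%-6s %-55s %s" % (sev, why, line))
```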

#7 NickyCee

NickyCee
  • Topic Starter

  • Members
  • 6 posts
  • Local time:11:22 AM

Posted 04 February 2009 - 04:33 PM

Have done the registry add-on and also uninstalled ComboFix... also my AVG found a file that it detected as a Trojan, so I moved it to the vault thinking it may have something to do with ComboFix as it had "restore" in its name. It was called...

Trojan horse Generic11.CXI
C:\System Volume Information\_restore{E2428E38-B8A4-48ED-9563-FAC66F28201E}\RP743\A0622814.exe

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:12:22 PM

Posted 04 February 2009 - 04:55 PM

Hi,

What AVG found was only a leftover in your system restore points, so nothing to worry about there.
AVG already deleted it anyway.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:12:22 PM

Posted 05 February 2009 - 07:04 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.