Removed fraud.xpantivirus - but still get pop ups


This topic is locked
18 replies to this topic

#1 Jin805

Posted 15 February 2009 - 07:03 PM

I recently removed a bit of trojans and viruses from my computer, but for some reason I'm still getting random redirection pop-ups that try and take what I recently typed into my Google search bar (on Firefox) and open a new window trying to connect to another site. Firefox is also slow loading and my background keeps being replaced by the default color instead of my selected wallpaper.

By the way, my DDS did not generate an attach.txt file.



DDS (Ver_09-02-01.01) - NTFSx86
Run by Cameron Townsend at 15:52:44.20 on Sun 02/15/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2423 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Cameron Townsend\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uWindow Title = Windows Internet Explorer provided by Comcast
uSearch Bar =
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [Launch LCDMon] "c:\program files\common files\logitech\lcd manager\lcdmon.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\camero~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\handspring\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: &Search - ?p=ZJfox000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Slingo%20Deluxe/Images/stg_drm.ocx
DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} - file:///E:/components/hidinputmonitorx.ocx
DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll
DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} - file:///E:/components/A9.ocx
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} - file:///E:/components/wmvhdrating.ocx
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://www.vzwpix.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Slingo%20Deluxe/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
Notify: WB - c:\progra~1\stardock\object~1\window~1\fastload.dll
AppInit_DLLs: wbsys.dll moftwg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awttrQhE

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\camero~1\applic~1\mozilla\firefox\profiles\uunngfhx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.corruptwow.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

============= SERVICES / DRIVERS ===============

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-19 24652]
S3 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 14336]
S3 USTOR;QuickiDrive Controller;c:\windows\system32\drivers\UStork.sys [2004-11-15 20258]

=============== Created Last 30 ================

2009-02-15 12:15 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-15 12:15 1,409 a------- c:\windows\QTFont.for
2009-02-11 14:05 46,080 -------- c:\windows\system32\clickfile.exe
2009-02-11 13:56 <DIR> --d----- c:\docume~1\camero~1\applic~1\Malwarebytes
2009-02-11 13:56 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-11 13:56 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 13:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-11 13:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-11 13:53 2 a------- C:\-127257183
2009-02-11 11:52 125,440 a------- c:\windows\system32\moftwg.dll
2009-02-11 11:52 125,440 a------- c:\windows\system32\lwkhmuto.dll
2009-02-10 10:20 473 a------- c:\windows\system32\win32hlp.cnf
2009-02-10 10:15 24,064 a------- c:\windows\system32\998.exe
2009-02-07 14:37 529 a------- c:\windows\system32\winlogon2.exe
2009-02-04 16:21 2,204 a------- c:\windows\nrjjqpwl
2009-02-04 16:20 304,128 a------- c:\windows\system32\awttrQhE.dll.vir
2009-01-20 10:31 <DIR> --d----- c:\windows\SxsCaPendDel

==================== Find3M ====================

2008-12-12 22:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2004-08-14 09:03 3 ---shr-- c:\windows\TD4.DAT
2008-08-22 11:34 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082220080823\index.dat

============= FINISH: 15:53:40.40 ===============
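The "Pseudo HJT Report" section of the DDS log above is what the helpers read for persistence points (AppInit_DLLs, LSA Authentication Packages, SecurityProviders) and browser hijacks (the prefs.js search overrides, the IE search hook). As an added example, not code from the thread, from DDS or from BleepingComputer, here is a small Python triage script over an abridged, constructed copy of those lines; it also understands the `"EnableFirewall"= 0 (0x0)` line in the ComboFix format that appears later in the thread. The XP SP3 baselines for SecurityProviders and Authentication Packages are assumed values, not taken from the thread.

```python
"""Triage a DDS "Pseudo HJT Report" for persistence and browser-hijack indicators."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed Windows XP SP3 baselines (assumptions for this example, not values from the thread).
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
# Firefox writes a pref to prefs.js only when it differs from the built-in default,
# so any of these appearing in the report is an override worth a human look.
SEARCH_PREFS = {"keyword.URL", "browser.search.defaulturl", "browser.startup.homepage"}

# Constructed sample: an abridged copy of the report lines from the DDS log above
# plus one ComboFix-format firewall line. URLs are defanged ("hxxp") as DDS prints them.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.comcast.net/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: &Search - ?p=ZJfox000
AppInit_DLLs: wbsys.dll moftwg.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awttrQhE
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
"EnableFirewall"= 0 (0x0)
"""


@dataclass(frozen=True)
class Finding:
    # "high": deviates from a security-critical baseline; "review": needs a human look;
    # "orphan": a dangling entry (CLSID registered, file gone) that is cleanup, not infection.
    severity: str
    key: str
    detail: str


def split_list(value: str) -> list[str]:
    """Split a comma- or space-separated DLL/package list, lower-cased."""
    return [item.lower() for item in re.split(r"[,\s]+", value.strip()) if item]


def triage(report: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is empty on a clean XP; anything listed is mapped into every
            # process that loads user32.dll, which is why it is a favourite persistence point.
            for dll in split_list(line.split(":", 1)[1]):
                findings.append(Finding("high", "AppInit_DLLs", f"{dll} is loaded into every process that uses user32.dll"))
        elif line.startswith("LSA: Authentication Packages"):
            for pkg in split_list(line.split("=", 1)[1]):
                if pkg not in DEFAULT_AUTH_PACKAGES:
                    findings.append(Finding("high", "LSA Authentication Packages", f"{pkg} is loaded by lsass.exe and sees logon credentials"))
        elif line.startswith("SecurityProviders:"):
            for dll in split_list(line.split(":", 1)[1]):
                if dll not in DEFAULT_SECURITY_PROVIDERS:
                    findings.append(Finding("review", "SecurityProviders", f"{dll} is not in the XP default provider list"))
        elif line.startswith("FF - prefs.js:"):
            m = re.match(r"FF - prefs\.js: (\S+) - (.*)", line)
            if m and m.group(1) in SEARCH_PREFS:
                findings.append(Finding("review", m.group(1), f"overridden in prefs.js: {m.group(2)}"))
        elif line.startswith("IE: &Search"):
            # The IE search hook should carry a URL; a bare query fragment is a hijack signature.
            findings.append(Finding("review", "IE search hook", line[len("IE: "):]))
        elif line.startswith('"EnableFirewall"'):
            if re.search(r"=\s*0\b", line):
                findings.append(Finding("high", "Windows Firewall", "EnableFirewall=0: the standard-profile firewall is switched off"))
        elif line.endswith("- No File"):
            findings.append(Finding("orphan", line.split(":", 1)[0], line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a reader sees the shape of the report at a glance."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    for f in results:
        print(f"[{f.severity:6}] {f.key}: {f.detail}")
    print(summarize(results))
```

Entries under "review" are not verdicts: zwebauth.dll, for instance, only fails the assumed default list and still needs the file checked before anything is removed.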


#2 fenzodahl512

Posted 16 February 2009 - 06:23 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



#3 Jin805


Posted 16 February 2009 - 08:49 AM

Thank you for your help, by the way =)

Also, after ComboFix restarted my computer it just sat there with the screen saying it was generating the log file and that the window would close shortly.. It stayed that way for about 20 minutes before I manually searched for the log file and closed the window.. I know I am supposed to let it do its thing, but it seemed to have stalled out and there was no activity happening on my computer (no CPU usage or HDD activity). Everything seems fine though, except I can't open the Windows Firewall settings..



ComboFix 09-02-15.01 - Cameron Townsend 2009-02-16 5:28:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2503 [GMT -8:00]
Running from: C:\Documents and Settings\Cameron Townsend\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\998.exe
C:\WINDOWS\system32\command.pif
C:\WINDOWS\system32\init32.exe
C:\WINDOWS\system32\lwkhmuto.dll
C:\WINDOWS\system32\Ultra.dll
C:\WINDOWS\system32\win32(10).dll
C:\WINDOWS\system32\win32(100).dll
C:\WINDOWS\system32\win32(101).dll
C:\WINDOWS\system32\win32(102).dll
C:\WINDOWS\system32\win32(103).dll
C:\WINDOWS\system32\win32(104).dll
C:\WINDOWS\system32\win32(105).dll
C:\WINDOWS\system32\win32(106).dll
C:\WINDOWS\system32\win32(107).dll
C:\WINDOWS\system32\win32(108).dll
C:\WINDOWS\system32\win32(109).dll
C:\WINDOWS\system32\win32(11).dll
C:\WINDOWS\system32\win32(110).dll
C:\WINDOWS\system32\win32(111).dll
C:\WINDOWS\system32\win32(12).dll
C:\WINDOWS\system32\win32(13).dll
C:\WINDOWS\system32\win32(14).dll
C:\WINDOWS\system32\win32(15).dll
C:\WINDOWS\system32\win32(16).dll
C:\WINDOWS\system32\win32(17).dll
C:\WINDOWS\system32\win32(18).dll
C:\WINDOWS\system32\win32(19).dll
C:\WINDOWS\system32\win32(2).dll
C:\WINDOWS\system32\win32(20).dll
C:\WINDOWS\system32\win32(21).dll
C:\WINDOWS\system32\win32(22).dll
C:\WINDOWS\system32\win32(23).dll
C:\WINDOWS\system32\win32(24).dll
C:\WINDOWS\system32\win32(25).dll
C:\WINDOWS\system32\win32(26).dll
C:\WINDOWS\system32\win32(27).dll
C:\WINDOWS\system32\win32(28).dll
C:\WINDOWS\system32\win32(29).dll
C:\WINDOWS\system32\win32(3).dll
C:\WINDOWS\system32\win32(30).dll
C:\WINDOWS\system32\win32(31).dll
C:\WINDOWS\system32\win32(32).dll
C:\WINDOWS\system32\win32(33).dll
C:\WINDOWS\system32\win32(34).dll
C:\WINDOWS\system32\win32(35).dll
C:\WINDOWS\system32\win32(36).dll
C:\WINDOWS\system32\win32(37).dll
C:\WINDOWS\system32\win32(38).dll
C:\WINDOWS\system32\win32(39).dll
C:\WINDOWS\system32\win32(4).dll
C:\WINDOWS\system32\win32(40).dll
C:\WINDOWS\system32\win32(41).dll
C:\WINDOWS\system32\win32(42).dll
C:\WINDOWS\system32\win32(43).dll
C:\WINDOWS\system32\win32(44).dll
C:\WINDOWS\system32\win32(45).dll
C:\WINDOWS\system32\win32(46).dll
C:\WINDOWS\system32\win32(47).dll
C:\WINDOWS\system32\win32(48).dll
C:\WINDOWS\system32\win32(49).dll
C:\WINDOWS\system32\win32(5).dll
C:\WINDOWS\system32\win32(50).dll
C:\WINDOWS\system32\win32(51).dll
C:\WINDOWS\system32\win32(52).dll
C:\WINDOWS\system32\win32(53).dll
C:\WINDOWS\system32\win32(54).dll
C:\WINDOWS\system32\win32(55).dll
C:\WINDOWS\system32\win32(56).dll
C:\WINDOWS\system32\win32(57).dll
C:\WINDOWS\system32\win32(58).dll
C:\WINDOWS\system32\win32(59).dll
C:\WINDOWS\system32\win32(6).dll
C:\WINDOWS\system32\win32(60).dll
C:\WINDOWS\system32\win32(61).dll
C:\WINDOWS\system32\win32(62).dll
C:\WINDOWS\system32\win32(63).dll
C:\WINDOWS\system32\win32(64).dll
C:\WINDOWS\system32\win32(65).dll
C:\WINDOWS\system32\win32(66).dll
C:\WINDOWS\system32\win32(67).dll
C:\WINDOWS\system32\win32(68).dll
C:\WINDOWS\system32\win32(69).dll
C:\WINDOWS\system32\win32(7).dll
C:\WINDOWS\system32\win32(70).dll
C:\WINDOWS\system32\win32(71).dll
C:\WINDOWS\system32\win32(72).dll
C:\WINDOWS\system32\win32(73).dll
C:\WINDOWS\system32\win32(74).dll
C:\WINDOWS\system32\win32(75).dll
C:\WINDOWS\system32\win32(76).dll
C:\WINDOWS\system32\win32(77).dll
C:\WINDOWS\system32\win32(78).dll
C:\WINDOWS\system32\win32(79).dll
C:\WINDOWS\system32\win32(8).dll
C:\WINDOWS\system32\win32(80).dll
C:\WINDOWS\system32\win32(81).dll
C:\WINDOWS\system32\win32(82).dll
C:\WINDOWS\system32\win32(83).dll
C:\WINDOWS\system32\win32(84).dll
C:\WINDOWS\system32\win32(85).dll
C:\WINDOWS\system32\win32(86).dll
C:\WINDOWS\system32\win32(87).dll
C:\WINDOWS\system32\win32(88).dll
C:\WINDOWS\system32\win32(89).dll
C:\WINDOWS\system32\win32(9).dll
C:\WINDOWS\system32\win32(90).dll
C:\WINDOWS\system32\win32(91).dll
C:\WINDOWS\system32\win32(92).dll
C:\WINDOWS\system32\win32(93).dll
C:\WINDOWS\system32\win32(94).dll
C:\WINDOWS\system32\win32(95).dll
C:\WINDOWS\system32\win32(96).dll
C:\WINDOWS\system32\win32(97).dll
C:\WINDOWS\system32\win32(98).dll
C:\WINDOWS\system32\win32(99).dll
C:\WINDOWS\system32\win32hlp.cnf
C:\WINDOWS\system32\winlogon2.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-01-16 to 2009-02-16 )))))))))))))))))))))))))))))))
.

2009-02-15 19:28 . 2009-02-15 19:28 <DIR> d-------- C:\WINDOWS\SYSTEM32\MpEngineStore
2009-02-15 19:28 . 2009-02-15 19:28 127 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2009-02-15 17:16 . 2009-02-15 17:17 60,416 --ahs---- C:\WINDOWS\Thumbs.db
2009-02-15 17:16 . 2009-02-15 17:16 6,656 --ahs---- C:\WINDOWS\SYSTEM32\Thumbs.db
2009-02-15 12:15 . 2009-02-16 05:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2009-02-15 12:15 . 2009-02-15 12:15 1,409 --a------ C:\WINDOWS\QTFont.for
2009-02-11 14:05 . 2009-02-11 14:05 46,080 --------- C:\WINDOWS\SYSTEM32\clickfile.exe
2009-02-11 13:56 . 2009-02-11 13:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2009-02-11 13:56 . 2009-02-11 13:56 <DIR> d-------- C:\Documents and Settings\Cameron Townsend\Application Data\Malwarebytes
2009-02-11 13:56 . 2009-02-11 13:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-02-11 13:56 . 2009-02-11 10:19 38,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-11 13:56 . 2009-02-11 10:19 15,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2009-02-11 13:53 . 2009-02-11 13:53 2 --a------ C:\-127257183
2009-02-04 16:21 . 2009-02-11 14:12 2,204 --a------ C:\WINDOWS\nrjjqpwl
2009-02-04 16:20 . 2009-02-04 16:21 304,128 --a------ C:\WINDOWS\SYSTEM32\awttrQhE.dll.vir
2009-01-20 10:32 . 2009-01-20 10:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\PeerNetworking
2009-01-20 10:31 . 2009-01-20 10:31 <DIR> d-------- C:\WINDOWS\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 13:25 --------- d-----w C:\Program Files\Trillian
2009-02-15 20:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-10 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-10 18:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2009-02-10 07:10 --------- d-----w C:\Program Files\World of Warcraft
2009-02-07 20:44 --------- d-----w C:\Program Files\Lavasoft
2009-02-07 20:44 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2009-02-07 20:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-02-05 00:29 --------- d-----w C:\Documents and Settings\Cameron Townsend\Application Data\AdobeUM
2008-12-28 22:24 --------- d-----w C:\Documents and Settings\Cameron Townsend\Application Data\DisplayTune
2008-12-28 22:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-12-28 22:22 --------- d-----w C:\Program Files\Portrait Displays
2008-12-28 22:22 --------- d-----w C:\Program Files\Common Files\Portrait Displays
2008-12-19 21:21 67,688 ----a-w C:\Program Files\mozilla firefox\components\jar50.dll
2008-12-19 21:21 54,368 ----a-w C:\Program Files\mozilla firefox\components\jsd3250.dll
2008-12-19 21:21 34,944 ----a-w C:\Program Files\mozilla firefox\components\myspell.dll
2008-12-19 21:21 46,712 ----a-w C:\Program Files\mozilla firefox\components\spellchk.dll
2008-12-19 21:21 172,136 ----a-w C:\Program Files\mozilla firefox\components\xpinstal.dll
2008-08-22 19:34 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008082220080823\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 16:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 09:16 135168]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 08:43 53248]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 07:43 57344]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-14 22:04 122933]
"Launch LGDCore"="C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 16:22 1132056]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 14:48 32881]
"Launch LCDMon"="C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 15:54 774168]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-07-02 12:11 13533184]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-07-02 12:11 86016]
"PivotSoftware"="C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 12:17 694008]
"DT HPW"="C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 17:56 278528]
"P17Helper"="P17.dll" [2005-05-03 18:38 64512 C:\WINDOWS\SYSTEM32\P17.dll]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 14:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 14:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2008-07-02 12:11 1657376 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 17:47 8720384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-30 10:43:14 692224]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Cameron Townsend^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Cameron Townsend\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 17:15 290816 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2008-11-19 14:32:31 24652]
S3 USTOR;QuickiDrive Controller;C:\WINDOWS\SYSTEM32\DRIVERS\UStork.sys [2004-11-15 22:32:55 20258]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2009-02-07 C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
- C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2008-12-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2007-10-27 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1185494861.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 16:56]
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)
MSConfigStartUp-ATIPTA - C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
MSConfigStartUp-mmtask - C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: &Search - ?p=ZJfox000
FF - ProfilePath - C:\Documents and Settings\Cameron Townsend\Application Data\Mozilla\Firefox\Profiles\uunngfhx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.corruptwow.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: C:\Program Files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 05:32:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-161439791-1901603625-1833500701-1007\Software\ASProtect]
@DACL=(02 001e)
@Denied: (Full) (S-1-5-21-161439791-1901603625-1833500701-1007)
@Denied: (Full) (Owner)
@Denied: (Full) (S-1-5-6)
@Denied: (Full) (S-1-2-0)
@Denied: (Full) (LocalSystem)
@Denied: (Full) (S-1-5-2)
@Denied: (Full) (S-1-5-4)
@Denied: (Full) (Administrators)
@Denied: (Full) (Everyone)
@Denied: (Full) (AuthenticatedUsers)
@Denied: (Full) (S-1-5-21-161439791-1901603625-1833500701-1007)
@Denied: (Full) (S-1-5-21-161439791-1901603625-1833500701-1007)
@Denied: (Full) (S-1-5-21-161439791-1901603625-1833500701-1007)
@Denied: (Full) (S-1-5-21-161439791-1901603625-1833500701-1007)
@Denied: (Full) (S-1-5-21-161439791-1901603625-1833500701-1007)
@Denied: (Full) (S-1-5-21-161439791-1901603625-1833500701-1007)
@Denied: (Full) (S-1-5-21-161439791-1901603625-1833500701-1007)
@Denied: (Full) (S-1-5-21-161439791-1901603625-1833500701-1007)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\HID\Vid_046d&Pid_c01e\6&37fa413f&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\TCPSVCS.EXE
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\fxssvc.exe
C:\ComboFix\hidec.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\dwwin.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\ComboFix\Catchme.tmp
.
**************************************************************************
.
Completion time: 2009-02-16 5:36:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-16 13:35:23

Pre-Run: 12,448,567,296 bytes free
Post-Run: 12,420,235,264 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4,5
338 --- E O F --- 2009-02-16 03:28:49

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:45, on 2009-02-16
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\ComboFix\hidec.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\ComboFix\Catchme.tmp
C:\WINDOWS\explorer.exe
C:\ComboFix\NirCmd.cfexe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Search - ?p=ZJfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Slingo%20Deluxe/Images/stg_drm.ocx
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file:///E:/components/hidinputmonitorx.ocx
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file:///E:/components/A9.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file:///E:/components/wmvhdrating.ocx
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Slingo%20Deluxe/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8732 bytes


Edited by Jin805, 16 February 2009 - 09:08 AM.


#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:01:11 AM

Posted 16 February 2009 - 10:38 AM

Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:
    • C:\WINDOWS\SYSTEM32\clickfile.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If the VirSCAN.org server is too busy, please submit the file to VirusTotal instead.




NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\-127257183
C:\WINDOWS\nrjjqpwl
C:\WINDOWS\SYSTEM32\awttrQhE.dll.vir

RegLock::
[HKEY_USERS\S-1-5-21-161439791-1901603625-1833500701-1007\Software\ASProtect]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\HID\Vid_046d&Pid_c01e\6&37fa413f&0&0000\LogConf]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • VirScan.org report.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 Jin805

Jin805
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 16 February 2009 - 11:03 AM

When I drag the script onto ComboFix it starts up looking normal, but stalls out on the "Please wait... ComboFix is preparing to run" screen.

Edit: I tried it again after rebooting my computer and just letting it sit. It took a long, long time, but it finally came through.


ComboFix 09-02-15.01 - Cameron Townsend 2009-02-16 9:51:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2657 [GMT -8:00]
Running from: c:\documents and settings\Cameron Townsend\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cameron Townsend\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\-127257183
c:\windows\nrjjqpwl
c:\windows\SYSTEM32\awttrQhE.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-127257183
c:\windows\nrjjqpwl
c:\windows\SYSTEM32\awttrQhE.dll.vir
.
---- Previous Run -------
.
c:\windows\SYSTEM32\998.exe
c:\windows\system32\command.pif
c:\windows\system32\init32.exe
c:\windows\system32\lwkhmuto.dll
c:\windows\system32\Ultra.dll
c:\windows\system32\win32(10).dll
c:\windows\system32\win32(100).dll
c:\windows\system32\win32(101).dll
c:\windows\system32\win32(102).dll
c:\windows\system32\win32(103).dll
c:\windows\system32\win32(104).dll
c:\windows\system32\win32(105).dll
c:\windows\system32\win32(106).dll
c:\windows\system32\win32(107).dll
c:\windows\system32\win32(108).dll
c:\windows\system32\win32(109).dll
c:\windows\system32\win32(11).dll
c:\windows\system32\win32(110).dll
c:\windows\system32\win32(111).dll
c:\windows\system32\win32(12).dll
c:\windows\system32\win32(13).dll
c:\windows\system32\win32(14).dll
c:\windows\system32\win32(15).dll
c:\windows\system32\win32(16).dll
c:\windows\system32\win32(17).dll
c:\windows\system32\win32(18).dll
c:\windows\system32\win32(19).dll
c:\windows\system32\win32(2).dll
c:\windows\system32\win32(20).dll
c:\windows\system32\win32(21).dll
c:\windows\system32\win32(22).dll
c:\windows\system32\win32(23).dll
c:\windows\system32\win32(24).dll
c:\windows\system32\win32(25).dll
c:\windows\system32\win32(26).dll
c:\windows\system32\win32(27).dll
c:\windows\system32\win32(28).dll
c:\windows\system32\win32(29).dll
c:\windows\system32\win32(3).dll
c:\windows\system32\win32(30).dll
c:\windows\system32\win32(31).dll
c:\windows\system32\win32(32).dll
c:\windows\system32\win32(33).dll
c:\windows\system32\win32(34).dll
c:\windows\system32\win32(35).dll
c:\windows\system32\win32(36).dll
c:\windows\system32\win32(37).dll
c:\windows\system32\win32(38).dll
c:\windows\system32\win32(39).dll
c:\windows\system32\win32(4).dll
c:\windows\system32\win32(40).dll
c:\windows\system32\win32(41).dll
c:\windows\system32\win32(42).dll
c:\windows\system32\win32(43).dll
c:\windows\system32\win32(44).dll
c:\windows\system32\win32(45).dll
c:\windows\system32\win32(46).dll
c:\windows\system32\win32(47).dll
c:\windows\system32\win32(48).dll
c:\windows\system32\win32(49).dll
c:\windows\system32\win32(5).dll
c:\windows\system32\win32(50).dll
c:\windows\system32\win32(51).dll
c:\windows\system32\win32(52).dll
c:\windows\system32\win32(53).dll
c:\windows\system32\win32(54).dll
c:\windows\system32\win32(55).dll
c:\windows\system32\win32(56).dll
c:\windows\system32\win32(57).dll
c:\windows\system32\win32(58).dll
c:\windows\system32\win32(59).dll
c:\windows\system32\win32(6).dll
c:\windows\system32\win32(60).dll
c:\windows\system32\win32(61).dll
c:\windows\system32\win32(62).dll
c:\windows\system32\win32(63).dll
c:\windows\system32\win32(64).dll
c:\windows\system32\win32(65).dll
c:\windows\system32\win32(66).dll
c:\windows\system32\win32(67).dll
c:\windows\system32\win32(68).dll
c:\windows\system32\win32(69).dll
c:\windows\system32\win32(7).dll
c:\windows\system32\win32(70).dll
c:\windows\system32\win32(71).dll
c:\windows\system32\win32(72).dll
c:\windows\system32\win32(73).dll
c:\windows\system32\win32(74).dll
c:\windows\system32\win32(75).dll
c:\windows\system32\win32(76).dll
c:\windows\system32\win32(77).dll
c:\windows\system32\win32(78).dll
c:\windows\system32\win32(79).dll
c:\windows\system32\win32(8).dll
c:\windows\system32\win32(80).dll
c:\windows\system32\win32(81).dll
c:\windows\system32\win32(82).dll
c:\windows\system32\win32(83).dll
c:\windows\system32\win32(84).dll
c:\windows\system32\win32(85).dll
c:\windows\system32\win32(86).dll
c:\windows\system32\win32(87).dll
c:\windows\system32\win32(88).dll
c:\windows\system32\win32(89).dll
c:\windows\system32\win32(9).dll
c:\windows\system32\win32(90).dll
c:\windows\system32\win32(91).dll
c:\windows\system32\win32(92).dll
c:\windows\system32\win32(93).dll
c:\windows\system32\win32(94).dll
c:\windows\system32\win32(95).dll
c:\windows\system32\win32(96).dll
c:\windows\system32\win32(97).dll
c:\windows\system32\win32(98).dll
c:\windows\system32\win32(99).dll
c:\windows\system32\win32hlp.cnf
c:\windows\system32\winlogon2.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-01-16 to 2009-02-16 )))))))))))))))))))))))))))))))
.

2009-02-15 19:28 . 2009-02-15 19:28 <DIR> d-------- c:\windows\SYSTEM32\MpEngineStore
2009-02-15 19:28 . 2009-02-15 19:28 127 --a------ c:\windows\SYSTEM32\MRT.INI
2009-02-15 17:16 . 2009-02-15 17:17 60,416 --ahs---- c:\windows\Thumbs.db
2009-02-15 17:16 . 2009-02-15 17:16 6,656 --ahs---- c:\windows\SYSTEM32\Thumbs.db
2009-02-15 12:15 . 2009-02-16 09:56 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-15 12:15 . 2009-02-15 12:15 1,409 --a------ c:\windows\QTFont.for
2009-02-11 14:05 . 2009-02-11 14:05 46,080 --------- c:\windows\SYSTEM32\clickfile.exe
2009-02-11 13:56 . 2009-02-11 13:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-11 13:56 . 2009-02-11 13:56 <DIR> d-------- c:\documents and settings\Cameron Townsend\Application Data\Malwarebytes
2009-02-11 13:56 . 2009-02-11 13:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-11 13:56 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-11 13:56 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-20 10:32 . 2009-01-20 10:32 <DIR> d-------- c:\documents and settings\LocalService\Application Data\PeerNetworking
2009-01-20 10:31 . 2009-01-20 10:31 <DIR> d-------- c:\windows\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 16:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-16 16:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-16 14:15 --------- d-----w c:\program files\World of Warcraft
2009-02-16 13:25 --------- d-----w c:\program files\Trillian
2009-02-15 20:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-07 20:44 --------- d-----w c:\program files\Lavasoft
2009-02-07 20:44 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-07 20:44 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-05 00:29 --------- d-----w c:\documents and settings\Cameron Townsend\Application Data\AdobeUM
2008-12-28 22:24 --------- d-----w c:\documents and settings\Cameron Townsend\Application Data\DisplayTune
2008-12-28 22:22 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-28 22:22 --------- d-----w c:\program files\Portrait Displays
2008-12-28 22:22 --------- d-----w c:\program files\Common Files\Portrait Displays
2008-12-19 21:21 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 21:21 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 21:21 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 21:21 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 21:21 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-22 19:34 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008082220080823\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-16_ 5.34.24.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-16 12:38:58 54,822 ----a-w c:\windows\SYSTEM32\PERFC009.DAT
+ 2009-02-16 16:13:29 54,822 ----a-w c:\windows\SYSTEM32\PERFC009.DAT
- 2009-02-16 12:38:58 384,510 ----a-w c:\windows\SYSTEM32\PERFH009.DAT
+ 2009-02-16 16:13:29 384,510 ----a-w c:\windows\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-14 122933]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 1132056]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 774168]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-02 13533184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-02 86016]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\SYSTEM32\P17.dll]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2008-07-02 c:\windows\SYSTEM32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-18 8720384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-07-30 692224]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Cameron Townsend^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Cameron Townsend\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 17:15 290816 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-19 24652]
S3 USTOR;QuickiDrive Controller;c:\windows\SYSTEM32\DRIVERS\UStork.sys [2004-11-15 20258]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2009-02-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2008-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2007-10-27 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1185494861.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 16:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: &Search - ?p=ZJfox000
FF - ProfilePath - c:\documents and settings\Cameron Townsend\Application Data\Mozilla\Firefox\Profiles\uunngfhx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.corruptwow.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 09:56:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Executive Software\DiskeeperLite\DKService.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\TCPSVCS.EXE
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\windows\SYSTEM32\fxssvc.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\Java\j2re1.4.2_03\bin\jucheck.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-02-16 9:59:56 - machine was rebooted [Cameron Townsend]
ComboFix-quarantined-files.txt 2009-02-16 17:59:54

Pre-Run: 12,483,514,368 bytes free
Post-Run: 12,467,122,176 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4,5
323 --- E O F --- 2009-02-16 03:28:49

VirSCAN.org Scanned Report :
Scanned time : 2009/02/16 07:44:04 (PST)
Scanner results: 41% Scanner(15/37) found malware!
File Name : clickfile.exe
File Size : 46080 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 3b1dd5d969084c7f6d2a7ab543bcfbec
SHA1 : dc76d7da98368b09d514912dcf3cd59d468742a6
Online report : http://virscan.org/report/7b160cd2aa63cc8f...1b1da3a6ab.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.29 20090216231831 2009-02-16 2.28 -
AhnLab V3 2009.02.16.01 2009.02.16 2009-02-16 1.06 -
AntiVir 7.9.0.79 7.1.2.31 2009-02-16 1.79 TR/Dldr.Boltolog.CD
Antiy 2.0.18 20090216.2186924 2009-02-16 0.12 -
Authentium 5.1.1 200902161225 2009-02-16 1.10 -
AVAST! 3.0.1 090215-0 2009-02-15 0.01 -
AVG 7.5.52.442 270.10.25/1955 2009-02-16 1.93 SHeur2.QBT
BitDefender 7.81008.2670175 7.23705 2009-02-16 2.49 Gen:Trojan.Heur.564E44
CA (VET) 9.0.0.143 31.6.6360 2009-02-16 7.40 -
ClamAV 0.94.2 8995 2009-02-16 0.01 -
Comodo 3.0 978 2009-02-15 1.14 -
CP Secure 1.1.0.715 2009.02.16 2009-02-16 7.06 -
Dr.Web 4.44.0.9170 2009.02.16 2009-02-16 4.04 -
F-Prot 4.4.4.56 20090216 2009-02-16 1.14 -
F-Secure 5.51.6100 2009.02.16.10 2009-02-16 0.05 Trojan-Downloader.Win32.Boltolog.cd [AVP]
Fortinet 2.81-3.117 10.46 2009-02-16 0.54 W32/Boltolog.CD!tr.dldr
GData 19.3132/19.226 20090216 2009-02-16 3.21 Trojan-Downloader.Win32.Boltolog.cd [Engine:A]
ViRobot 20090214 2009.02.14 2009-02-14 0.41 -
Ikarus T3.1.01.45 2009.02.16.72308 2009-02-16 3.68 -
JiangMin 11.0.706 2009.02.16 2009-02-16 1.49 -
Kaspersky 5.5.10 2009.02.16 2009-02-16 0.04 Trojan-Downloader.Win32.Boltolog.cd
KingSoft 2008.9.8.18 2009.2.16.18 2009-02-16 0.65 -
McAfee 5.3.00 5527 2009-02-15 3.23 -
Microsoft 1.4306 2009.02.16 2009-02-16 5.77 -
mks_vir 2.01 2009.02.16 2009-02-16 2.66 Heur.W32
Norman 6.00.02 6.00.00 2009-02-13 8.01 -
Panda 9.05.01 2009.02.14 2009-02-14 5.25 Suspicious file
Trend Micro 8.700-1004 5.848.03 2009-02-15 0.03 -
Quick Heal 10.00 2009.02.16 2009-02-16 0.91 Suspicious - DNAScan
Rising 20.0 21.16.60.00 2009-02-15 0.80 -
Sophos 2.83.3 4.38 2009-02-16 2.44 -
Sunbelt 4809 4809 2009-02-11 3.10 VIPRE.Suspicious
Symantec 1.3.0.24 20090215.002 2009-02-15 0.11 Suspicious.MH690
nProtect 20090216.02 3155787 2009-02-16 4.47 Gen:Trojan.Heur.564E44
The Hacker 6.3.2.2 v00258 2009-02-16 0.58 Trojan/Downloader.Boltolog.cd
VBA32 3.12.8.12 20090215.1437 2009-02-15 1.65 Trojan-Downloader.Win32.Boltolog.cd
VirusBuster 4.5.11.10 10.101.15/904334 2009-02-16 1.14 -

Edited by Jin805, 16 February 2009 - 01:20 PM.
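
As an added example (not part of the thread or of VirSCAN.org), a small Python parser that turns a VirSCAN.org table like the one above into a detection count and a consensus family name, which is the reading that the helper's "is bad" verdict rests on. The sample rows are a constructed excerpt of the posted report, and the generic-word list and the 5-letter family-name threshold are assumptions of mine.

```python
"""Summarise a VirSCAN.org multi-engine report: how many engines flagged the
file, and which malware family name the named detections agree on."""
import re
from collections import Counter

# Constructed excerpt in the layout of the VirSCAN.org table posted in the thread
# (not the full 37-engine report). A lone "-" in the result column means "clean".
SAMPLE_REPORT = """\
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.29 20090216231831 2009-02-16 2.28 -
AntiVir 7.9.0.79 7.1.2.31 2009-02-16 1.79 TR/Dldr.Boltolog.CD
AVG 7.5.52.442 270.10.25/1955 2009-02-16 1.93 SHeur2.QBT
BitDefender 7.81008.2670175 7.23705 2009-02-16 2.49 Gen:Trojan.Heur.564E44
ClamAV 0.94.2 8995 2009-02-16 0.01 -
F-Secure 5.51.6100 2009.02.16.10 2009-02-16 0.05 Trojan-Downloader.Win32.Boltolog.cd [AVP]
Kaspersky 5.5.10 2009.02.16 2009-02-16 0.04 Trojan-Downloader.Win32.Boltolog.cd
Panda 9.05.01 2009.02.14 2009-02-14 5.25 Suspicious file
Quick Heal 10.00 2009.02.16 2009-02-16 0.91 Suspicious - DNAScan
The Hacker 6.3.2.2 v00258 2009-02-16 0.58 Trojan/Downloader.Boltolog.cd
"""

# One report row. Scanner names and results may contain spaces, so the row is
# anchored on the two fixed-format columns: signature date and scan time.
ROW_RE = re.compile(
    r"^(?P<scanner>.+?)\s+(?P<engine>\S+)\s+(?P<sig>\S+)\s+"
    r"(?P<sig_date>\d{4}-\d{2}-\d{2})\s+(?P<seconds>\d+\.\d+)\s+(?P<result>.+?)\s*$"
)

# Assumed list of words that occur in detection names but do not name a family.
GENERIC_WORDS = {
    "trojan", "downloader", "dldr", "win32", "heur", "gen", "generic",
    "suspicious", "file", "dnascan", "vipre", "engine", "avp", "malware",
}


def parse_report(text):
    """Return one dict per engine row; the header and any free text are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def family_tokens(result):
    """Alphabetic tokens (5+ letters, assumed threshold) that plausibly name a family."""
    return {
        tok.lower()
        for tok in re.split(r"[^A-Za-z0-9]+", result)
        if tok.isalpha() and len(tok) >= 5 and tok.lower() not in GENERIC_WORDS
    }


def summarize(text):
    """Detection count, ratio and the family name most engines agree on."""
    rows = parse_report(text)
    detections = [r for r in rows if r["result"] != "-"]
    votes = Counter()
    named = 0
    for r in detections:
        tokens = family_tokens(r["result"])
        if tokens:
            named += 1        # this engine gave a specific name, not just "suspicious"
        votes.update(tokens)  # one vote per engine per candidate family word
    family, family_votes = votes.most_common(1)[0] if votes else (None, 0)
    return {
        "total": len(rows),
        "detections": len(detections),
        "ratio": round(len(detections) / len(rows), 2) if rows else 0.0,
        "named": named,
        "family": family,
        "family_votes": family_votes,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['detections']}/{s['total']} engines flagged the file "
          f"({s['named']} with a specific name); consensus family: {s['family']}")
```

Heuristic-only verdicts ("Suspicious file", "Gen:Trojan.Heur...") count toward the detection ratio but not toward the family consensus, which is why several engines agreeing on one name is the stronger signal.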


#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:01:11 AM

Posted 16 February 2009 - 01:28 PM

The file you scanned (C:\WINDOWS\SYSTEM32\clickfile.exe) is bad; please delete it manually..


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

How's the computer now? :thumbup2:



#7 Jin805

Jin805
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 16 February 2009 - 01:38 PM

OK, I deleted the file. I went to start IE and it will come up but not connect to any sites, and will eventually freeze up. I also have problems running other programs such as Trillian. I still can't open up Windows Firewall; it's giving me an "unidentifiable problem while trying to load" message. =\

#8 fenzodahl512
  • Members
  • 6,738 posts

Posted 16 February 2009 - 11:36 PM

OK, first question: can that computer connect to the internet? :thumbup2:


#9 Jin805
  • Topic Starter
  • Members
  • 15 posts

Posted 17 February 2009 - 02:38 AM

Yes, I have only been using the infected computer. I only use Firefox, though. But a thought did occur to me when I was driving home tonight: I might not have the right connection settings on IE. I will try and fix that after this post. Is there anything else you want me to include in my next post?

Edit: So yeah, I can't even get to the IE options to check before it freezes up and craps out on me. It seems most programs I try to run will freeze up or never even start at this point. Firefox seems to be the only thing that works, alongside most of the programs you have instructed me to use. =\

Edited by Jin805, 17 February 2009 - 02:40 AM.


#10 fenzodahl512
  • Members
  • 6,738 posts

Posted 17 February 2009 - 04:25 AM

Let's do an alternative scan...


Please download Dr.Web CureIt to the Desktop:
  • Please reboot into Safe Mode
  • Once you are in Safe Mode, double-click the launch.exe or cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt. Reboot your PC in Normal Mode, and post DrWeb.csv in your next reply (open it in Notepad)


#11 Jin805
  • Topic Starter
  • Members
  • 15 posts

Posted 17 February 2009 - 05:21 PM

ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\Cameron Townsend\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Cameron Townsend\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Cameron Townsend\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Cameron Townsend\Desktop;Container contains infected objects;Moved.;
Flobots-Happy Together.mp3;C:\Documents and Settings\Cameron Townsend\Desktop\share\new music;Trojan.WMALoader;Cured.;
Patcher.exe;C:\Documents and Settings\Cameron Townsend\Shared\Super DVD Ripper v 1.89 Copy DVD to CD or DIVX with working crack!\ls_superdv;Tool.ASEye.2;Incurable.Moved.;
pak010.pk4\textures/common_floors/c_p4_floor_1_hit.tga;C:\Program Files\id Software\Quake 4\q4base\pak010.pk4;Modification of Trojan.Kaskad.245;;
pak010.pk4;C:\Program Files\id Software\Quake 4\q4base;Archive contains infected objects;Moved.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.616;Incurable.Moved.;
998.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Fakealert.3952;Deleted.;
awttrQhE.dll.vir.vir;C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32;Probably Trojan.Packed.213;Incurable.Moved.;
lwkhmuto.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32;Probably Trojan.Packed.213;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0032238.des;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP51;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0043664.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP95;Trojan.MulDrop.30268;Deleted.;
A0043666.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP95;Trojan.DownLoad.28002;Deleted.;
A0043667.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP95;Trojan.DownLoad.28002;Deleted.;
A0043771.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP97;Probably Trojan.Packed.213;Incurable.Moved.;
A0043989.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP98;Trojan.Fakealert.3952;Deleted.;
A0043990.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP98;Probably Trojan.Packed.213;Incurable.Moved.;
A0044001.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP98;Probably BATCH.Virus;Incurable.Moved.;
A0044024.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP98\A0044024.exe/data002;Probably BATCH.Virus;;
A0044024.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP98\A0044024.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP98;Archive contains infected objects;;
A0044024.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP98;Container contains infected objects;Moved.;
A0045126.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP98;Probably BATCH.Virus;Incurable.Moved.;
A0046075.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP98;Probably BATCH.Virus;Incurable.Moved.;
A0046192.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP98;Probably BATCH.Virus;Incurable.Moved.;
A0046262.EXE;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP99;Program.PsExec.170;Incurable.Moved.;
A0046273.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP99;Probably BATCH.Virus;Incurable.Moved.;
A0046293.EXE;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP99;Program.PsExec.170;Incurable.Moved.;
A0046390.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP99\A0046390.exe/data002;Probably BATCH.Virus;;
A0046390.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP99\A0046390.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP99;Archive contains infected objects;;
A0046390.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP99;Container contains infected objects;Moved.;
gsda.dll;C:\WINDOWS\Downloaded Program Files;Adware.GameSpy;Incurable.Moved.;
96502.exe\data019;C:\WINDOWS\Resources\Themes\96502.exe;Adware.Gator;;
96502.exe;C:\WINDOWS\Resources\Themes;Archive contains infected objects;Moved.;
cderahed.exe;C:\WINDOWS\SYSTEM32;Trojan.Siggen.183;Deleted.;
lsp[1].exe;C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H;Trojan.DownLoad.28002;Deleted.;
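As an added example (not part of the original thread, and not Dr.Web's own tooling), the following Python script parses a DrWeb.csv report of the kind posted above and sorts each detection by where it was found: old System Restore snapshots, ComboFix's Qoobox quarantine, pieces of the removal tools themselves (ComboFix bundles PsExec and a batch helper, SDFix ships Process.exe), flagged-but-legitimate programs such as mIRC, and files that were actually live on the system. The sample input is a constructed subset of the report lines above; the category names, the threat-name list and the helper functions are my own assumptions about how to triage such a report, not anything Dr.Web defines.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) by where each detection lives.

Added example, not part of the original thread. The report format is
name;path;threat;action; (semicolon separated, one record per line).
"""
import csv
import io
from collections import Counter

# Constructed sample: a subset of the DrWeb.csv lines posted in the thread.
SAMPLE_REPORT = r"""ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Cameron Townsend\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Cameron Townsend\Desktop;Container contains infected objects;Moved.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.616;Incurable.Moved.;
998.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Fakealert.3952;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0043664.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP95;Trojan.MulDrop.30268;Deleted.;
cderahed.exe;C:\WINDOWS\SYSTEM32;Trojan.Siggen.183;Deleted.;
lsp[1].exe;C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H;Trojan.DownLoad.28002;Deleted.;
"""

# Detection names that belong to the removal utilities used earlier in the
# thread (assumption: ComboFix carries PsExec and a c.bat helper, SDFix carries
# Process.exe). Seeing these is expected and does not mean a live infection.
REMOVAL_TOOL_THREATS = ("Program.PsExec", "Tool.Prockill", "BATCH.Virus")


def classify(name: str, path: str, threat: str) -> str:
    """Return a hypothetical triage category for one report record.

    Order matters: a PsExec copy inside a restore point is still just a dead
    restore-point copy, so location checks run before threat-name checks.
    """
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # System Restore snapshot, not executed at boot
    if "\\qoobox\\quarantine" in p:
        return "quarantine"      # already quarantined by ComboFix
    if "combofix.exe" in name.lower() or "combofix.exe" in p or "\\sdfix\\" in p:
        return "removal_tool"    # component of ComboFix / SDFix itself
    if any(t in threat for t in REMOVAL_TOOL_THREATS):
        return "removal_tool"
    if threat.startswith(("Program.", "Tool.")):
        return "riskware"        # legitimate software the scanner flags anyway
    return "live"                # a real detection on the running system


def parse_report(text: str) -> list:
    """Split the semicolon-delimited report into labelled records."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) < 4:
            continue
        name, path, threat, action = row[0], row[1], row[2], row[3]
        records.append({
            "name": name,
            "path": path,
            "threat": threat,
            "action": action or "(none)",
            "category": classify(name, path, threat),
        })
    return records


def summarize(text: str) -> dict:
    """Count records per triage category."""
    return dict(Counter(r["category"] for r in parse_report(text)))


def live_findings(text: str) -> list:
    """Only the records that indicate malware was still present on the system."""
    return [r for r in parse_report(text) if r["category"] == "live"]


if __name__ == "__main__":
    for cat, n in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{cat:14s} {n}")
    print("\nLive detections to look at:")
    for r in live_findings(SAMPLE_REPORT):
        print(f"  {r['name']}  [{r['threat']}]  {r['action']}  {r['path']}")
```

Run against the full report in the post, the only records this puts in the "live" bucket are cderahed.exe in SYSTEM32 and lsp[1].exe in the IE cache of the SYSTEM profile; everything else is either a stale restore-point copy, something ComboFix had already quarantined, or a piece of the cleanup tools themselves. That matters when deciding whether the machine was still actively infected at the time of the scan, which is the question the thread keeps coming back to.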

#12 fenzodahl512
  • Members
  • 6,738 posts

Posted 18 February 2009 - 01:28 AM

OK, so how's the computer now? :thumbup2:


#13 Jin805
  • Topic Starter
  • Members
  • 15 posts

Posted 18 February 2009 - 11:17 AM

I'm still having problems loading certain windows and/or settings. I'm pretty sure any virus or trojan is gone, but I'm not sure why I'm having problems loading programs, for example loading taskbar options or the Windows Security window, or even my IM program Trillian. Was there maybe a DLL that got deleted that wasn't supposed to?

Edit: About 15 minutes after I booted up, other things started to load, like my Windows Security finally popped up, along with some other things. Seems to be working fine for now.

Edited by Jin805, 18 February 2009 - 11:35 AM.


#14 fenzodahl512
  • Members
  • 6,738 posts

Posted 18 February 2009 - 11:44 AM

Quote: "about 15mins after i booted up other things started to load .."

About 15 minutes? How many programs are running in the background? :thumbup2:

Please use the computer for a couple of days and then tell me more about it.. :)


#15 Jin805
  • Topic Starter
  • Members
  • 15 posts

Posted 18 February 2009 - 12:02 PM

I'm kinda OCD about having useless crap running on my computer, so I don't have much running, only what I need. So that's why I thought it odd. I will use it for a few days and then update you. Oh, and IE works now, it just won't display images, and neither will my HP display settings window. But anyway, thank you for all the help and bearing through this with me =)

Edit: OK, fixed the image problem. Somehow the "Show pictures" setting got unchecked in my IE settings, so everything on that front works =)

Edited by Jin805, 18 February 2009 - 12:13 PM.

