Virus Slowdown (hijack log)


This topic is locked. 20 replies to this topic.

#1 tonyprime (Members, 19 posts)

Posted 12 May 2009 - 01:10 PM

Lately I've tried to fix my friend's computer, but no matter what I do it's slow and I don't know what else to do.

Here is a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:00 PM, on 5/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Nexon\MapleStory\npkcmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6060920
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 87.117.202.117 nprotect.roseonlinegame.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - (no file)
O2 - BHO: (no name) - {CFEE97A3-4911-444D-8BE8-E243A23D3DE2} - (no file)
O2 - BHO: (no name) - {D61D7E1A-6613-49CA-B6F9-51DB248E209D} - \iesplg.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
O3 - Toolbar: (no name) - {8113B5DE-F7EB-4154-A311-497FB80D8BD0} - (no file)
O3 - Toolbar: Internet Service - {144A6B24-0EBC-4D89-BF09-A06A718E57B5} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Nwubu] rundll32.exe "C:\WINDOWS\ozubeyitamewiga.dll",e
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QT Lite\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ierenewals.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ierenewals.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E4D10AC-60C4-4CF8-9852-7E3B8A35A569}: NameServer = 85.255.112.19,85.255.112.120
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.19,85.255.112.120
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E4D10AC-60C4-4CF8-9852-7E3B8A35A569}: NameServer = 85.255.112.19,85.255.112.120
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.19,85.255.112.120
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E4D10AC-60C4-4CF8-9852-7E3B8A35A569}: NameServer = 85.255.112.19,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.19,85.255.112.120
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O22 - SharedTaskScheduler: auditioned - {44e670f2-d57b-4815-a576-955d17dbbf2d} - (no file)
O22 - SharedTaskScheduler: epineurial - {27cb634d-c84e-4c00-9b53-f5523601dbad} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8997 bytes
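The log above is the kind of thing a HijackThis helper reads by eye, so here is an added triage script (editorial example; not part of tonyprime's post, and not a HijackThis or BleepingComputer tool) that pulls out the entries a practitioner would ask about first: O17 NameServer values that are not local resolvers, an O1 hosts override, an O4 rundll32 entry loading a DLL straight out of C:\WINDOWS, O4 entries under Policies\Explorer\Run, an O9 button that points at a URL, and the orphaned "(no file)" entries. The sample input is a handful of lines copied verbatim from the log above. EXPECTED_RESOLVERS is an assumption (RFC 1918 ranges, i.e. a home router); add your ISP's resolvers to it, otherwise they will be flagged too.

```python
import ipaddress
import re
import sys

# Lines copied verbatim from the HijackThis log posted above; used as sample input.
SAMPLE_LOG = r"""
O1 - Hosts: 87.117.202.117 nprotect.roseonlinegame.com
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {D61D7E1A-6613-49CA-B6F9-51DB248E209D} - \iesplg.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Nwubu] rundll32.exe "C:\WINDOWS\ozubeyitamewiga.dll",e
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ierenewals.com/redirect.php (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.19,85.255.112.120
O22 - SharedTaskScheduler: auditioned - {44e670f2-d57b-4815-a576-955d17dbbf2d} - (no file)
"""

# Assumption: resolvers on the LAN are fine; anything else deserves a question.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# A DLL sitting directly in the Windows directory (no subfolder), run via rundll32.
WINROOT_DLL_RE = re.compile(r'rundll32\.exe\s+"?([A-Za-z]:\\WINDOWS\\[^\\"]+\.dll)"?', re.I)


def parse_line(line):
    """Split a HijackThis line into its section tag (O4, O17, R1...) and body."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_o17(body):
    """Flag NameServer entries outside EXPECTED_RESOLVERS or not parseable as IPs."""
    _, _, value = body.partition("NameServer =")
    findings = []
    for addr in value.replace(" ", "").split(","):
        if not addr:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"O17 NameServer value is not an IP address: {addr}")
            continue
        if not any(ip in net for net in EXPECTED_RESOLVERS):
            findings.append(f"O17 NameServer {ip} is outside the expected resolver ranges")
    return findings


def check_o1(body):
    """Flag hosts-file entries that point a name at a non-loopback address."""
    parts = body.split()
    if len(parts) >= 3 and parts[0] == "Hosts:":
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            return [f"O1 hosts entry with unparseable address: {body}"]
        if not (ip.is_loopback or ip.is_unspecified):
            return [f"O1 hosts entry redirects {parts[2]} to {ip}"]
    return []


def check_o4(body):
    """Flag Policies\\Explorer\\Run entries and rundll32 loading a DLL from C:\\WINDOWS."""
    findings = []
    if "Policies\\Explorer\\Run" in body:
        findings.append("O4 Policies\\Explorer\\Run entry: " + body.split(": ", 1)[1])
    m = WINROOT_DLL_RE.search(body)
    if m:
        findings.append(f"O4 rundll32 loads a DLL from the Windows root: {m.group(1)}")
    return findings


def check_no_file(section, body):
    """Orphaned registrations: leftovers to clean up, not proof of infection by themselves."""
    if "(no file)" in body or "(file missing)" in body:
        return [f"{section} orphaned entry: {body}"]
    return []


def check_o9_url(body):
    """An IE button whose target is a URL rather than a local DLL or EXE."""
    return [f"O9 button points at a URL, not a local file: {body}"] if re.search(r"https?://", body) else []


def triage(log_text):
    """Return the list of findings for a whole HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, body = parsed
        if section == "O17":
            findings += check_o17(body)
        elif section == "O1":
            findings += check_o1(body)
        elif section == "O4":
            findings += check_o4(body)
        elif section == "O9":
            findings += check_o9_url(body)
        elif section in ("O2", "O3", "O22"):
            findings += check_no_file(section, body)
    return findings


if __name__ == "__main__":
    # Usage: python triage.py hijackthis.log   (with no argument, runs on SAMPLE_LOG)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in triage(text):
        print(finding)
```

On the sample it reports eight findings: both NameServer addresses, the hosts override, the Nwubu rundll32 entry, the Policies\Explorer\Run entry, the URL-backed O9 button, and two orphaned registrations. The "(no file)" hits are the weakest signal and are listed only so they get cleaned; the NameServer and rundll32 hits are the ones to follow up, and the same NameServer values reappear in the DDS log later in this thread.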

#2 tonyprime (Topic Starter)

Posted 13 May 2009 - 12:48 AM

Oh, and I don't get why, when I click a link, it'll just take me to a different one.
===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 13 May 2009 - 08:02 PM.


#3 tonyprime (Topic Starter)

Posted 20 May 2009 - 11:37 AM

Anyone?

#4 tonyprime (Topic Starter)

Posted 24 May 2009 - 02:39 PM

Now the PC is starting to freeze.

#5 KoanYorel (Members, 19,461 posts)

Posted 26 May 2009 - 12:08 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#6 tonyprime (Topic Starter)

Posted 27 May 2009 - 09:23 PM

Here is a DDS log file:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Donny at 21:18:30.77 on Wed 05/27/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.496 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\PC Tools Firewall Plus\FWService.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Nexon\MapleStory\npkcmsvc.exe
C:\WINDOWS\system32\oodag.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Donny\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page =
uSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - No File
BHO: {53707962-6f74-2d53-2644-206d7942484f} -
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - No File
{cfee97a3-4911-444d-8be8-e243a23d3de2}
BHO: {d61d7e1a-6613-49ca-b6f9-51db248e209d} - \iesplg.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - No File
TB: {8113B5DE-F7EB-4154-A311-497FB80D8BD0} - No File
TB: Internet Service: {144a6b24-0ebc-4d89-bf09-a06a718e57b5} -
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {147D6308-0614-4112-89B1-31402F9B82C4} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Nwubu] rundll32.exe "c:\windows\ozubeyitamewiga.dll",e
mRun: [QuickTime Task] "c:\program files\qt lite\qttask.exe" -atboottime
mRun: [OODefragTray] c:\windows\system32\oodtray.exe
dRunOnce: [RunNarrator] Narrator.exe
mExplorerRun: [start] c:\program files\applications\iebtm.exe
mExplorerRun: [smile] c:\program files\applications\wcs.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZJfox000
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ierenewals.com/redirect.php
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Trusted Zone: iesafetylist.com
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.19,85.255.112.120
TCP: {0E4D10AC-60C4-4CF8-9852-7E3B8A35A569} = 85.255.112.19,85.255.112.120
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\mi1933~1\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {44e670f2-d57b-4815-a576-955d17dbbf2d}: auditioned
STS: {27cb634d-c84e-4c00-9b53-f5523601dbad} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
LSA: Notification Packages = scecli cmshant.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\donny\applic~1\mozilla\firefox\profiles\578mfmpc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - HiddenExtension: XUL Cache: {C8B15E37-603F-4950-A956-953A3F8A8434} - c:\documents and settings\donny\local settings\application data\{C8B15E37-603F-4950-A956-953A3F8A8434}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-4-28 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-3 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-4-28 107272]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-1-17 159600]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-4-28 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-4-28 231704]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-1-17 73840]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2008-3-3 146800]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-8 24652]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-1-17 95640]
S3 XDva143;XDva143;\??\c:\windows\system32\xdva143.sys --> c:\windows\system32\XDva143.sys [?]

=============== Created Last 30 ================

2009-05-21 19:19 20,320 a------- c:\windows\system32\oodbs.lor
2009-05-21 19:17 <DIR> --d----- c:\windows\system32\oodag
2009-05-21 19:14 <DIR> --d----- c:\program files\OO Software
2009-05-12 13:09 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2008-03-07 17:57 0 a------- c:\program files\temp01
2007-02-23 17:33 290 ac------ c:\docume~1\donny\applic~1\wklnhst.dat
2006-11-28 18:14 81,920 ac------ c:\docume~1\donny\applic~1\ezpinst.exe
2006-11-28 18:14 47,360 ac------ c:\docume~1\donny\applic~1\pcouffin.sys
2005-05-13 18:12 217,073 ac-shr-- c:\windows\meta4.exe
2005-10-24 12:13 66,560 ac-shr-- c:\windows\MOTA113.exe
2005-10-13 22:27 422,400 ac-shr-- c:\windows\x2.64.exe
2005-10-07 20:14 308,224 ac-shr-- c:\windows\system32\avisynth.dll
2005-07-14 13:31 27,648 ac-shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 16:32 616,448 ac-shr-- c:\windows\system32\cygwin1.dll
2005-06-21 23:37 45,568 ac-shr-- c:\windows\system32\cygz.dll
2006-04-27 11:24 2,945,024 ac-shr-- c:\windows\system32\Smab.dll
2005-02-28 14:16 240,128 ac-shr-- c:\windows\system32\x.264.exe

============= FINISH: 21:19:14.91 ===============

And the Attach file:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 9/21/2006 5:57:20 PM
System Uptime: 5/27/2009 1:28:56 PM (8 hours ago)

Motherboard: Dell Inc. | | 0HJ054
Processor: Intel® Pentium® D CPU 2.66GHz | Microprocessor | 2660/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 70 GiB total, 6.81 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP846: 12/24/2008 5:36:20 AM - System Checkpoint
RP847: 12/25/2008 6:13:00 AM - System Checkpoint
RP848: 12/26/2008 6:37:49 AM - System Checkpoint
RP849: 12/27/2008 6:41:42 AM - System Checkpoint
RP850: 12/28/2008 12:42:28 PM - System Checkpoint
RP851: 12/29/2008 1:01:08 PM - System Checkpoint
RP852: 12/30/2008 5:36:21 PM - System Checkpoint
RP853: 12/31/2008 7:30:12 PM - System Checkpoint
RP854: 1/1/2009 7:41:27 PM - System Checkpoint
RP855: 1/2/2009 6:17:59 PM - Installed Yugioh Virtual Dueling
RP856: 1/3/2009 8:06:12 PM - System Checkpoint
RP857: 1/4/2009 8:25:05 PM - System Checkpoint
RP858: 1/5/2009 9:09:36 PM - System Checkpoint
RP859: 1/6/2009 11:42:35 PM - System Checkpoint
RP860: 1/8/2009 4:50:48 AM - System Checkpoint
RP861: 1/9/2009 5:00:35 AM - System Checkpoint
RP862: 1/10/2009 5:58:43 PM - System Checkpoint
RP863: 1/12/2009 12:58:41 AM - System Checkpoint
RP864: 1/13/2009 1:23:59 AM - System Checkpoint
RP865: 1/14/2009 2:48:23 AM - System Checkpoint
RP866: 1/14/2009 5:00:17 PM - Software Distribution Service 3.0
RP867: 1/15/2009 10:33:24 PM - System Checkpoint
RP868: 1/17/2009 12:39:36 AM - System Checkpoint
RP869: 1/18/2009 2:44:10 AM - System Checkpoint
RP870: 1/19/2009 4:36:07 AM - System Checkpoint
RP871: 1/20/2009 5:10:39 AM - System Checkpoint
RP872: 1/21/2009 5:11:03 AM - System Checkpoint
RP873: 1/22/2009 6:10:59 AM - System Checkpoint
RP874: 1/23/2009 7:10:48 AM - System Checkpoint
RP875: 1/24/2009 1:59:20 PM - System Checkpoint
RP876: 1/25/2009 2:09:13 PM - System Checkpoint
RP877: 1/26/2009 2:41:18 PM - System Checkpoint
RP878: 1/27/2009 3:08:59 PM - System Checkpoint
RP879: 1/28/2009 3:29:38 PM - System Checkpoint
RP880: 1/29/2009 6:13:03 PM - System Checkpoint
RP881: 1/30/2009 6:33:58 PM - System Checkpoint
RP882: 1/31/2009 9:09:19 PM - System Checkpoint
RP883: 2/1/2009 8:11:20 AM - Avg8 Update
RP884: 2/2/2009 9:29:33 AM - Avg8 Update
RP885: 2/3/2009 10:13:17 AM - System Checkpoint
RP886: 2/4/2009 9:36:13 AM - Avg8 Update
RP887: 2/5/2009 10:01:51 AM - System Checkpoint
RP888: 2/6/2009 12:02:49 PM - System Checkpoint
RP889: 2/7/2009 12:22:59 PM - System Checkpoint
RP890: 2/8/2009 2:17:50 PM - System Checkpoint
RP891: 2/9/2009 4:44:48 PM - System Checkpoint
RP892: 2/10/2009 5:24:43 PM - System Checkpoint
RP893: 2/12/2009 2:12:50 AM - System Checkpoint
RP894: 2/12/2009 5:00:17 PM - Software Distribution Service 3.0
RP895: 2/13/2009 5:41:34 PM - System Checkpoint
RP896: 2/14/2009 5:42:08 PM - System Checkpoint
RP897: 2/15/2009 9:16:13 PM - System Checkpoint
RP898: 2/16/2009 11:31:14 PM - System Checkpoint
RP899: 2/17/2009 11:57:20 PM - System Checkpoint
RP900: 2/19/2009 12:00:05 AM - System Checkpoint
RP901: 2/19/2009 6:23:26 PM - HOTLLAMA Media Player Installation
RP902: 2/20/2009 8:50:48 PM - System Checkpoint
RP903: 2/22/2009 3:48:13 AM - System Checkpoint
RP904: 2/23/2009 4:00:00 AM - System Checkpoint
RP905: 2/24/2009 5:27:15 AM - System Checkpoint
RP906: 2/25/2009 1:41:42 PM - System Checkpoint
RP907: 2/25/2009 5:00:16 PM - Software Distribution Service 3.0
RP908: 2/26/2009 6:50:38 PM - System Checkpoint
RP909: 2/27/2009 11:52:07 PM - System Checkpoint
RP910: 3/1/2009 3:14:50 AM - System Checkpoint
RP911: 3/2/2009 7:25:18 AM - System Checkpoint
RP912: 3/3/2009 7:50:57 AM - System Checkpoint
RP913: 3/4/2009 10:02:52 AM - System Checkpoint
RP914: 3/5/2009 4:38:48 PM - System Checkpoint
RP915: 3/6/2009 6:27:32 PM - System Checkpoint
RP916: 3/7/2009 7:12:10 PM - System Checkpoint
RP917: 3/9/2009 1:46:04 AM - System Checkpoint
RP918: 3/10/2009 6:11:07 AM - System Checkpoint
RP919: 3/11/2009 6:36:41 AM - System Checkpoint
RP920: 3/11/2009 4:00:16 PM - Software Distribution Service 3.0
RP921: 3/12/2009 11:36:47 PM - System Checkpoint
RP922: 3/14/2009 12:48:01 AM - System Checkpoint
RP923: 3/15/2009 2:42:56 AM - System Checkpoint
RP924: 3/15/2009 5:00:16 PM - Software Distribution Service 3.0
RP925: 3/16/2009 7:40:10 PM - System Checkpoint
RP926: 3/17/2009 10:55:06 PM - System Checkpoint
RP927: 3/19/2009 12:17:42 AM - System Checkpoint
RP928: 3/20/2009 1:16:40 AM - System Checkpoint
RP929: 3/21/2009 2:16:40 AM - System Checkpoint
RP930: 3/22/2009 2:35:20 AM - System Checkpoint
RP931: 3/23/2009 3:35:24 AM - System Checkpoint

==== Installed Programs ======================

Ad-Aware SE Professional
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Illustrator CS2
Adobe Photoshop CS2
Adobe Reader 7.0.9
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
Advanced SystemCare 3
Ahead Nero Burning ROM
Ahead NeroVision Express
AIM 6
AOLIcon
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
AutoCAD 2008 - English
AVG Free 8.0
Battle.net
Big Fish Games Client
BitLord 1.1
Brain Challenge
Browser Protection Volume
Build Your Own Net Dream (remove only)
CCleaner (remove only)
CDisplay 1.8
Combined Community Codec Pack 2007-07-22
Conexant D850 56K V.9x DFVc Modem
ConvertXtoDVD 2.1.5.173
Counter-Strike
Critical Update for Windows Media Player 11 (KB959772)
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support 3.2
Dell System Restore
Diablo
Digital Content Portal
Digital Line Detect
DigitalHQ
DivX Web Player
Documentation & Support Launcher
DVD Decrypter (Remove Only)
DVD Shrink 3.2
EducateU
ELIcon
ESPNMotion
GTK+ Runtime 2.6.9 rev a (remove only)
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
IEBrowse Tool
IExplorer Bar
ijji
ijji FireFox Launcher 1.0
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
InterActual Player
Internet Explorer Secure Plug-in
Internet Service Offers Launcher
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 6
Learning Essentials for Microsoft Office
Lexmark X1100 Series
LimeWire PRO 4.12.3
MapleStory
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Math
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Modem Helper
Mozilla Firefox (2.0.0.20)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
NetWaiting
O&O Defrag Professional
Octoshape add-in for Adobe Flash Player
Outspark Launcher
Pack Vista Inspirat 2 1.0
Pando Media Booster
PC Tools Firewall Plus 5.0
PictoWords (remove only)
Portal
PowerISO
Punch! Master Landscape Pro
QT Lite 1.1.1
Qualxserve Service Agreement
QuickTime
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Sandlot Games Client Services
Security Messenger
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Solid State ION Mozilla Plugin
Sonic Activation Module
Sonic Encoders
Steam
Tomb Raider: Underworld Demo
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
URGE
USB Storage Driver
Ventrilo Client
VeohTV BETA
Viewpoint Media Player
Warning Center
WebFldrs XP
Winamp
Winamp Remote
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

5/25/2009 7:08:55 PM, error: Service Control Manager [7034] - The PC Tools Firewall Plus service terminated unexpectedly. It has done this 1 time(s).
5/22/2009 11:58:22 AM, error: Dhcp [1002] - The IP address lease 72.191.158.225 for the Network Card with network address 001372E5749C has been denied by the DHCP server 10.242.0.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

#7 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan
  • Local time:11:46 PM

Posted 28 May 2009 - 06:16 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.

In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

#8 tonyprime

tonyprime
  • Topic Starter

  • Members
  • 19 posts
  • Local time:10:46 PM

Posted 30 May 2009 - 09:01 PM

I got both programs and installed them, but both won't open up.

#9 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan
  • Local time:11:46 PM

Posted 31 May 2009 - 10:47 AM

Rename mbam.exe to ncbn.exe and try to run the scan. If it still won't run, reboot to Safe Mode and try running it from there.

#10 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan
  • Local time:11:46 PM

Posted 13 June 2009 - 11:33 PM

tonyprime, do you still need help?

#11 tonyprime

tonyprime
  • Topic Starter

  • Members
  • 19 posts
  • Local time:10:46 PM

Posted 14 June 2009 - 06:00 PM

I'm truly sorry about not responding... I've been out for quite a while due to personal issues, but as of now I'll be on, following everything you tell me to do. Right now I renamed the Malwarebytes program and it opens... As for CCleaner, it still closes while it scans.

Here is the log from Malwarebytes:

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

6/14/2009 5:59:00 PM
mbam-log-2009-06-14 (17-59-00).txt

Scan type: Quick Scan
Objects scanned: 94825
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 11
Registry Data Items Infected: 6
Folders Infected: 5
Files Infected: 43

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (Adware.OneToolBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (Adware.OneToolBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\DigitalHQ (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DigitalHQ (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\OneStepSearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ONESTEP_SEARCH_SERVICE (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\bfgtoolbar (Adware.OneToolBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEBrowse Tool (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Bar (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Warning Center (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoPl.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{8113b5de-f7eb-4154-a311-497fb80d8bd0} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (Adware.OneToolBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (Adware.OneToolBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nwubu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\start (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\smile (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.19,85.255.112.120 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0e4d10ac-60c4-4cf8-9852-7e3b8a35a569}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.19,85.255.112.120 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.19,85.255.112.120 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0e4d10ac-60c4-4cf8-9852-7e3b8a35a569}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.19,85.255.112.120 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.19,85.255.112.120 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0e4d10ac-60c4-4cf8-9852-7e3b8a35a569}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.19,85.255.112.120 -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\Donny\Application Data\bfgtoolbar (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\NewCfg (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\Sotfone (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\Start Menu\Programs\DigitalHQ (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\DigitalHQ (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Donny\application data\bfgtoolbar\1.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\10.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\2.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\20off.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\3.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\4.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\5.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\6.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\7.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\8.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\9.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\action.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\atlantis.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\bfgtoolbartb0500.cfg (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\bfg_greetings.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\card.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\COMBOSEARCH.acs (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\home.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\logo.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\mahjong.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\mygames.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\mygamestoolbar.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\new.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\newgames.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\puzzle.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\search.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\topten.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\webgames.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\application data\bfgtoolbar\word.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\start menu\Programs\digitalhq\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\program files\digitalhq\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Program Files\Applications\myd.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\mym.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\myp.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\myv.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\documents and settings\Donny\favorites\Antivirus Scan.url (Rogue.Link) -> Quarantined and deleted successfully.
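
The log above lists 17 registry keys, 11 values, 6 data items, 5 folders and 43 files, and the most consequential entries are the six Tcpip\Parameters NameServer values that Trojan.DNSChanger had pointed at 85.255.112.19 and 85.255.112.120: while they were in place, every DNS lookup from this machine went to servers the attacker controlled. When triaging a log like this it helps to (a) confirm that the declared counts match the itemised entries, (b) tally detections by family so related leftovers (here DNSChanger, Zlob and OneToolBar) are obvious, and (c) pull out any NameServer data so the DNS settings can be re-verified after the reboot. The following parser is an added example written for this thread; it is not part of MBAM or of anything the helper posted. The SAMPLE_LOG is constructed in the format of the log above with only a handful of its entries, and the trusted-resolver set passed to rogue_nameservers() is an assumed value taken from the DHCP server address in the earlier Event Viewer line.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log, cross-check its summary
counts against the itemised detections, and surface NameServer changes."""
import re
from collections import Counter

# Constructed sample: same layout as the MBAM 1.37 log posted in this thread,
# reduced to a few representative entries (counts adjusted to match).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

6/14/2009 5:59:00 PM
mbam-log-2009-06-14 (17-59-00).txt

Scan type: Quick Scan
Objects scanned: 94825
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\DigitalHQ (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\OneStepSearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nwubu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.19,85.255.112.120 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 17" (summary) vs. "Registry Keys Infected:" (section header)
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?\s*$")
# "<path> (<threat>) [-> Data: <data>] -> <action>."
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<threat>[A-Za-z0-9._-]+)\)"
    r"(?: -> Data: (?P<data>.+?))?"
    r" -> (?P<action>.+?)\.?\s*$"
)
META_RE = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned|Time elapsed): (?P<value>.+)$")


def parse_mbam_log(text):
    """Return {'meta': {...}, 'summary': {section: declared_count}, 'items': [...]}"""
    report = {"meta": {}, "summary": {}, "items": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = META_RE.match(line)
        if m:
            report["meta"][m["key"]] = m["value"]
            continue
        m = HEADER_RE.match(line)
        if m:
            if m["count"] is not None:          # summary block at the top
                report["summary"][m["section"]] = int(m["count"])
            else:                               # itemised section that follows
                section = m["section"]
            continue
        m = ITEM_RE.match(line)
        if m and section:
            report["items"].append({"section": section, "path": m["path"],
                                    "threat": m["threat"], "data": m["data"],
                                    "action": m["action"]})
    return report


def check_counts(report):
    """Sections whose declared count differs from the entries actually listed."""
    listed = Counter(item["section"] for item in report["items"])
    return {s: (declared, listed[s])
            for s, declared in report["summary"].items() if declared != listed[s]}


def threats_by_family(report):
    """Detection count per classification, e.g. Trojan.DNSChanger."""
    return Counter(item["threat"] for item in report["items"])


def rogue_nameservers(report, trusted):
    """Resolver addresses MBAM found in NameServer data that are not in the trusted set."""
    found = set()
    for item in report["items"]:
        if item["data"] and item["path"].rsplit("\\", 1)[-1].lower() == "nameserver":
            found.update(ip.strip() for ip in item["data"].split(",") if ip.strip())
    return found - set(trusted)


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep["meta"])
    print("count mismatches:", check_counts(rep))
    print("by family:", dict(threats_by_family(rep)))
    # 10.242.0.1 is an assumed trusted resolver (the DHCP server from the Event Viewer line)
    print("rogue resolvers:", sorted(rogue_nameservers(rep, {"10.242.0.1"})))
```

The NameServer check is the one to act on after the reboot: MBAM restores the registry value, but if the machine is still slow or redirecting, re-run the parser over the next log and confirm that rogue_nameservers() comes back empty and that the counts still reconcile.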

#12 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan
  • Local time:11:46 PM

Posted 16 June 2009 - 07:45 PM

No worries, I understand personal problems. I have been having internet problems myself. It would be nice to go through life with no problems, wouldn't it?

OK, given the problems that showed up in the scan, could you please update Malwarebytes' Anti-Malware, run a full scan and post the log?

#13 tonyprime

tonyprime
  • Topic Starter

  • Members
  • 19 posts
  • Local time:10:46 PM

Posted 16 June 2009 - 11:14 PM

OK, I updated and here is the log:

Malwarebytes' Anti-Malware 1.37
Database version: 2291
Windows 5.1.2600 Service Pack 3

6/16/2009 10:57:00 PM
mbam-log-2009-06-16 (22-57-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 227434
Time elapsed: 34 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

#14 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan
  • Local time:11:46 PM

Posted 18 June 2009 - 02:51 PM

I think the infection is still there, so let's dig deeper.

* Anyone other than the originator of this thread, you would be best advised to not run combofix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

Run ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.

#15 tonyprime

tonyprime
  • Topic Starter

  • Members
  • 19 posts
  • Local time:10:46 PM

Posted 24 June 2009 - 10:26 PM

ComboFix 09-06-23.01 - Donny 06/24/2009 22:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.627 [GMT -5:00]
Running from: c:\documents and settings\Donny\Desktop\ComboFix.exe
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Helper
c:\windows\system32\drivers\gaopdxpwuoemayuoglaquowqlwpamjkvpisflm.sys
c:\windows\system32\gaopdxnccservpendmxnhngoarowejdhwroqvu.dll
C:\Autorun.inf
c:\windows\kb913800.exe
c:\windows\system32\drivers\gaopdxpwuoemayuoglaquowqlwpamjkvpisflm.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxnccservpendmxnhngoarowejdhwroqvu.dll
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
.

2009-06-25 01:21 . 2009-06-25 01:21 -------- d-----w- c:\docume~1\Donny\APPLIC~1\GlarySoft
2009-06-25 01:14 . 2009-06-25 01:14 -------- d-----w- c:\program files\Glary Utilities
2009-06-25 00:36 . 2009-06-25 00:36 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-25 00:36 . 2009-06-25 00:36 -------- d-----w- c:\program files\Reference Assemblies
2009-06-25 00:35 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-06-25 00:35 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-25 00:35 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-06-25 00:35 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-25 00:35 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-06-25 00:35 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-06-25 00:35 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-25 00:35 . 2009-06-25 00:35 -------- d-----w- C:\d40d7fc0a9cc1d0fc87f2ef40e
2009-06-25 00:34 . 2009-06-25 00:55 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-25 00:17 . 2009-06-25 00:17 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-25 00:15 . 2009-06-25 00:25 1472 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-06-25 00:14 . 2009-06-25 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-06-25 00:14 . 2009-06-25 00:14 82080 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-06-25 00:14 . 2009-06-25 00:14 24096 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-06-25 00:14 . 2009-06-25 00:14 168208 ----a-w- c:\windows\system32\guard32.dll
2009-06-25 00:14 . 2009-06-25 00:14 132640 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-06-25 00:14 . 2009-06-25 00:14 -------- d-----w- c:\program files\COMODO
2009-06-23 18:38 . 2009-06-25 00:07 -------- d-----w- c:\program files\AIMTunes
2009-06-23 18:38 . 2009-06-23 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-06-23 05:56 . 2009-06-23 05:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-17 12:03 . 2009-06-17 12:03 -------- d-sh--w- c:\documents and settings\Donny\PrivacIE
2009-06-17 04:09 . 2009-06-17 04:09 -------- d-sh--w- c:\documents and settings\Donny\IETldCache
2009-06-17 01:15 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-17 01:15 . 2009-04-30 21:22 1985024 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-06-17 01:15 . 2009-04-30 21:22 11064832 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-06-17 01:15 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-17 01:15 . 2009-06-17 01:15 -------- d-----w- c:\windows\ie8updates
2009-06-17 01:15 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-17 01:13 . 2009-06-17 01:14 -------- dc-h--w- c:\windows\ie8
2009-06-15 01:40 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-06-15 01:40 . 2009-02-09 12:10 729088 ------w- c:\windows\system32\dllcache\lsasrv.dll
2009-06-15 01:40 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-06-15 01:40 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-15 01:40 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-06-15 01:40 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-06-15 01:40 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-06-15 01:40 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-06-15 01:40 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-06-15 01:39 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-15 01:39 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-06-14 22:53 . 2009-06-14 22:53 -------- d-----w- c:\docume~1\Donny\APPLIC~1\Malwarebytes
2009-06-14 22:42 . 2009-06-14 22:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-31 01:49 . 2009-05-31 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-31 01:49 . 2009-06-25 00:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 02:56 . 2009-02-07 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-06-25 02:36 . 2006-09-21 23:33 116472 -c--a-w- c:\documents and settings\Donny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-25 01:10 . 2008-03-24 23:49 -------- d-----w- c:\program files\Steam
2009-06-25 00:36 . 2008-11-26 01:24 -------- d-----w- c:\program files\MSBuild
2009-06-25 00:11 . 2007-12-02 18:44 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-06-25 00:05 . 2008-03-04 00:32 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-25 00:05 . 2008-03-04 00:32 -------- d-----w- c:\program files\PC Tools Firewall Plus
2009-06-25 00:02 . 2007-08-16 03:47 -------- d--h--w- c:\docume~1\Donny\APPLIC~1\ijjigame
2009-06-25 00:01 . 2007-04-23 15:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-23 18:38 . 2007-10-08 19:41 1144808 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\aimtunes\AIMTunes.exe
2009-06-23 18:38 . 2006-09-20 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-23 18:38 . 2006-09-20 18:34 -------- d-----w- c:\program files\Common Files\Nullsoft
2009-06-23 18:38 . 2007-10-08 19:39 -------- d-----w- c:\program files\AIM6
2009-05-13 05:15 . 2005-08-16 09:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 18:09 . 2009-05-12 18:09 -------- d-----w- c:\program files\Trend Micro
2009-05-07 15:32 . 2005-08-16 09:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2005-08-16 09:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 21:57 . 2009-04-14 21:22 408 ----a-w- c:\windows\Cbiluyiro.dat
2009-04-15 14:51 . 2005-08-16 09:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-03-07 22:57 . 2008-03-07 22:57 0 ----a-w- c:\program files\temp01
2007-08-09 18:08 . 2006-09-22 03:13 8784 -c--a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 18:10 . 2006-09-22 03:13 245408 -c--a-w- c:\program files\mozilla firefox\plugins\unicows.dll
2005-05-13 23:12 . 2005-05-13 23:12 217073 -csha-r- c:\windows\meta4.exe
2005-10-24 17:13 . 2005-10-24 17:13 66560 -csha-r- c:\windows\MOTA113.exe
2005-10-14 03:27 . 2005-10-14 03:27 422400 -csha-r- c:\windows\x2.64.exe
2005-10-08 01:14 . 2005-10-08 01:14 308224 -csha-r- c:\windows\system32\avisynth.dll
2005-07-14 18:31 . 2005-07-14 18:31 27648 -csha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 21:32 . 2005-06-26 21:32 616448 -csha-r- c:\windows\system32\cygwin1.dll
2005-06-22 04:37 . 2005-06-22 04:37 45568 -csha-r- c:\windows\system32\cygz.dll
2006-04-27 16:24 . 2006-04-27 16:24 2945024 -csha-r- c:\windows\system32\Smab.dll
2005-02-28 19:16 . 2005-02-28 19:16 240128 -csha-r- c:\windows\system32\x.264.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-06-25 1794320]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Donny^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Donny^Start Menu^Programs^Startup^RocketDock.lnk]
backup=c:\windows\pss\RocketDock.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nwubu
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Nexon\\MapleStory\\Patcher.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Steam\\steamapps\\tonyprime\\team fortress 2\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17801:TCP"= 17801:TCP:*:Disabled:SolidNetworkManager
"17801:UDP"= 17801:UDP:*:Disabled:SolidNetworkManager
"17081:TCP"= 17081:TCP:*:Disabled:SolidNetworkManager
"17081:UDP"= 17081:UDP:*:Disabled:SolidNetworkManager
"56557:TCP"= 56557:TCP:*:Disabled:SolidNetworkManager
"56557:UDP"= 56557:UDP:*:Disabled:SolidNetworkManager
"56265:TCP"= 56265:TCP:Pando Media Booster
"56265:UDP"= 56265:UDP:Pando Media Booster
"57236:TCP"= 57236:TCP:Pando Media Booster
"57236:UDP"= 57236:UDP:Pando Media Booster

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [6/24/2009 7:14 PM 132640]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/24/2009 7:14 PM 24096]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/8/2007 2:40 PM 24652]
S0 vfotpgax;vfotpgax;c:\windows\system32\drivers\daprknor.sys --> c:\windows\system32\drivers\daprknor.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

2009-06-25 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-06-25 16:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: iesafetylist.com
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 22:17
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG11.00.00.01WORKSTATION"="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"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1024)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(3756)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\nexon\MapleStory\npkcmsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-25 22:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-25 03:21

Pre-Run: 13,000,228,864 bytes free
Post-Run: 12,923,850,752 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

252 --- E O F --- 2009-06-25 01:02