Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

TrojanDownloader, Win32:TratBHO, Win32:CTX, + Couple Others Removal He


  • This topic is locked This topic is locked

#1
ceradecke

ceradecke

    Member

  • Member
  • PipPip
  • 15 posts
Hey!

Thank you very very much first off for taking the time to read my post and for seeing if there is anything you can do to help me.

Okay so let me just run down for you what I have done in my attempt to clean up my computer:
AVG Anti-Spyware full scan; SUPERAntiSpyware full scan; combofix scan; Avast! Free antivirus full scan; vundofix scan; smitfraudfix scan; I'm pretty sure that was all of em.

To give you an idea of what I believe I have on my system:
What initially caught my attention and showed obviously that my computer was infected was a change of desktop background (with a hypertext link to do a spyware scan), along with a whole bunch of popups continually going off and my task manager being disabled (I have since regained access to my task manager, the desktop background has changed back, and popups have ceased). In addition, the scans have pointed out additional things (that I was able to quarantine) such as:
Win32:TratBHO [Trj]
Win32:Trojan-gen {UPX}
Win32:CTX
Win32:Delf-HOX [Trj]
Win32:Mudrop-U [Trj]
Win32:Wimad-C [Trj]
Trojan.IrcHole

By reading some of the other topics that I believe relate to what's infecting my computer I've seen that you have been asking for combofix logs, in addition to the hijack this log. So here go both of my most recent scans:




COMBOFIX LOG (TAKEN IN SAFEMODE**)


ComboFix 08-02-18.1 - Chris LastName 2008-02-18 20:23:22.6 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Chris LastName\Desktop\Programs\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-02-18 17:28 . 2008-02-18 17:28 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-18 01:58 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-18 01:58 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-18 01:58 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-18 01:58 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-18 01:57 . 2008-02-18 01:57 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-18 01:57 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-18 01:57 . 2004-01-09 01:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-18 01:57 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-18 01:57 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-18 01:35 . 2008-02-18 19:16 <DIR> d-------- C:\VundoFix Backups
2008-02-17 10:30 . 2008-02-17 10:53 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-17 10:30 . 2008-02-17 10:30 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-17 10:30 . 2008-02-17 10:30 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-17 10:30 . 2008-02-17 10:30 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-17 09:14 . 2008-02-17 09:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-17 09:13 . 2008-02-18 19:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-17 09:13 . 2008-02-17 09:13 <DIR> d-------- C:\Documents and Settings\Chris Radecke\Application Data\SUPERAntiSpyware.com
2008-02-17 09:11 . 2008-02-17 09:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 03:02 . 2008-02-17 03:02 <DIR> d-------- C:\Documents and Settings\Chris Radecke\Application Data\Grisoft
2008-02-17 03:00 . 2008-02-17 03:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-17 03:00 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-05 18:46 . 2008-02-05 18:46 <DIR> d-------- C:\Program Files\WinDirStat
2008-02-05 18:28 . 2008-02-05 18:34 <DIR> d-------- C:\Program Files\Wise Registry Cleaner
2008-02-05 18:22 . 2008-02-05 18:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-05 16:49 . 2008-02-05 16:49 90,688 --a------ C:\WINDOWS\system32\gvvtqtjc.dll
2008-02-05 16:41 . 2008-02-05 16:41 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-02-05 16:40 . 2008-02-05 17:11 <DIR> d-------- C:\Documents and Settings\Chris Radecke\Application Data\Dealio
2008-02-05 16:40 . 2008-02-05 16:40 3,791,542 --a------ C:\WINDOWS\tbKUvulAEn.exe
2008-02-05 16:39 . 2008-02-05 17:13 <DIR> d-------- C:\Program Files\Dealio
2008-02-05 16:38 . 2008-02-05 16:38 <DIR> d-------- C:\WINDOWS\kwiofcnu
2008-02-05 16:38 . 2008-02-05 16:38 181,248 --a------ C:\WINDOWS\mrujwlkj.dll
2008-02-05 16:38 . 2008-02-05 16:38 89,617 --a------ C:\WINDOWS\vazyhabm.exe
2008-02-05 16:38 . 2008-02-05 16:38 54,764 --a------ C:\WINDOWS\system32\fnhoje
2008-02-05 16:38 . 2008-02-05 16:38 39,424 --a------ C:\WINDOWS\wbubqziv.exe
2008-02-05 16:38 . 2008-02-05 16:38 2 --a------ C:\138535567
2008-02-05 16:38 . 2008-02-17 09:10 0 --a------ C:\reg.reg
2008-01-20 02:44 . 2008-02-17 14:24 <DIR> d-------- C:\Program Files\iTunes
2008-01-20 02:44 . 2008-01-20 02:44 <DIR> d-------- C:\Program Files\iPod
2008-01-20 02:42 . 2008-01-20 02:42 <DIR> d-------- C:\Program Files\QuickTime
2008-01-20 02:39 . 2008-01-20 02:39 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-20 02:39 . 2008-01-20 02:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-19 17:00 . 2008-02-12 19:33 156 --a------ C:\WINDOWS\matlab.ini
2008-01-19 16:59 . 2008-01-19 16:59 <DIR> d-------- C:\Documents and Settings\Chris Radecke\Application Data\MathWorks
2008-01-19 16:55 . 2004-03-01 21:05 407,104 --a------ C:\WINDOWS\system32\MSHFLXGD.OCX
2008-01-19 16:55 . 2004-02-11 13:37 203,976 --a------ C:\WINDOWS\system32\RICHTX32.OCX
2008-01-19 16:22 . 2008-01-19 16:22 645,120 --a------ C:\WINDOWS\system32\config.gms
2008-01-19 16:06 . 2008-01-19 16:06 <DIR> d-------- C:\Program Files\MATLAB

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-19 01:35 --------- d-----w C:\Program Files\WinXMedia
2008-02-19 01:33 --------- d-----w C:\Program Files\The Weather Channel FW
2008-02-19 01:31 --------- d-----w C:\Program Files\Trillian
2008-02-19 01:30 --------- d-----w C:\Program Files\Sony
2008-02-19 01:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-19 01:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-19 01:25 --------- d-----w C:\Program Files\Avvenu
2008-02-17 19:21 --------- d-----w C:\Program Files\Windows Defender
2008-02-17 11:02 --------- d-----w C:\Program Files\PeerGuardian2
2008-02-17 09:55 --------- d-----w C:\Documents and Settings\Chris Radecke\Application Data\Azureus
2008-02-14 19:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-12 19:38 --------- d-----w C:\Program Files\Dl_cats
2008-02-12 05:33 --------- d-----w C:\Documents and Settings\Chris Radecke\Application Data\U3
2008-02-10 00:46 --------- d-----w C:\Documents and Settings\Chris Radecke\Application Data\LimeWire
2008-02-06 10:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-06 00:31 --------- d-----w C:\Program Files\ESET
2008-01-25 22:56 --------- d-----w C:\Program Files\McAfee
2008-01-25 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-24 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-21 11:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-01-20 10:40 --------- d-----w C:\Program Files\Apple Software Update
2008-01-19 22:42 --------- d-----w C:\Program Files\EA SPORTS
2008-01-19 21:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-01-19 21:27 --------- d-----w C:\Program Files\VstPlugins
2008-01-19 21:21 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-01-18 21:07 --------- d-----w C:\Program Files\XBC
2008-01-18 18:54 --------- d-----w C:\Documents and Settings\Chris Radecke\Application Data\locks online four
2008-01-16 04:00 --------- d-----w C:\Documents and Settings\Chris Radecke\Application Data\ESET
2008-01-16 03:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-01-15 23:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-09 23:10 --------- d-----w C:\Program Files\LimeWire
2008-01-07 07:23 --------- d-----w C:\Program Files\Azureus
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:01 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-03-14 00:15 27,044,969 -c--a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_13_17_09_49_full.dmp.zip
2007-03-14 00:15 147,976 -c--a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_13_17_07_38_small.dmp.zip
2007-03-14 00:15 142,025 -c--a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_13_17_11_03_small.dmp.zip
2007-03-14 00:15 108,521 -c--a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_13_17_08_11_small.dmp.zip
2007-03-14 00:06 207,003 -c--a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_11_21_27_52_small.dmp.zip
2007-03-12 04:27 137,185 -c--a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_11_21_07_22_small.dmp.zip
2007-03-12 04:06 204,650 -c--a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_23_02_17_49_small.dmp.zip
2007-03-12 04:06 198,581 -c--a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_23_02_17_44_small.dmp.zip
2007-03-12 04:06 177,736 -c--a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_23_02_15_52_small.dmp.zip
2007-03-12 04:06 138,187 -c--a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_23_02_13_33_small.dmp.zip
2007-02-15 07:33 40 ----a-w C:\Documents and Settings\Chris Radecke\language.dat
2007-01-31 02:15 13,195 ----a-w C:\Documents and Settings\Chris Radecke\zguicfgw.dat
2007-03-14 20:08 1,155,832 -csha-w C:\WINDOWS\system32\ccbeg.bak1
2007-03-13 15:20 1,160,035 -csha-w C:\WINDOWS\system32\cccdd.bak1
2007-03-12 15:20 1,167,983 -csha-w C:\WINDOWS\system32\cccdd.bak2
2007-02-11 20:50 88 --sh--r C:\WINDOWS\system32\D39B572A28.sys
2007-03-15 11:34 1,155,727 -csha-w C:\WINDOWS\system32\jjkkj.bak1
2007-03-16 12:05 1,168,591 -csha-w C:\WINDOWS\system32\jjkkj.bak2
2007-03-13 22:00 1,154,870 -csha-w C:\WINDOWS\system32\jlkkj.bak1
2007-02-11 20:50 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-30 22:20 791,842 -csha-w C:\WINDOWS\system32\kjllm.bak1
2006-12-01 01:51 792,585 -csha-w C:\WINDOWS\system32\kjllm.bak2
2007-03-14 18:08 1,154,808 -csha-w C:\WINDOWS\system32\utstv.bak1
2007-03-14 18:08 353 -csha-w C:\WINDOWS\system32\utvwa.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 10:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 10:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 10:50 114688]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-07 20:55 73728]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 16:21 270336]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BurnWin"= {C145CF11-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\system32\apiuser32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcc]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkhecc]
jkkhecc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjj]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklj]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxxuv]
yayxxuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Avvenu Access n Share.lnk]
backup=C:\WINDOWS\pss\Avvenu Access n Share.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chris Radecke^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Chris Radecke^Start Menu^Programs^Startup^PeerGuardian.lnk]
backup=C:\WINDOWS\pss\PeerGuardian.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Chris Radecke^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2chkdsk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Avvenu Update]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMCService]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 13:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-14 23:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
--a------ 2005-03-11 10:59 35328 C:\Program Files\Digidesign\Drivers\MMERefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-09-08 02:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-11-01 00:12 94208 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
--a------ 2006-12-14 12:28 2801664 C:\Program Files\Electronic Arts\EA Link\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2007-03-15 17:16 454784 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\emMON]
--a------ 2006-05-31 12:24 61440 C:\WINDOWS\HCWemMON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FRAG LITE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-05-18 11:56 1831936 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 07:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 07:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
--a------ 2006-07-12 21:22 57344 C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPSExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-07-12 16:05 1117184 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mySISvc]
--a------ 2007-05-04 14:59 5958965 C:\Program Files\mySI\mySI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 09:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-07-29 03:07 188416 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-12-15 03:23 75520 C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-05-16 20:26 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-10-15 19:12 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 17:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2005-03-09 23:18]
S1 fnhoje;fnhoje;C:\WINDOWS\system32\fnhoje [2008-02-05 16:38]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 USB28xxBGA;WinTV HVR-900;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2006-09-13 12:21]
S3 USB28xxOEM;WinTV OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2006-09-13 12:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-19 03:00:00 C:\WINDOWS\Tasks\857BF1E581B89DC9.job"
- c:\docume~1\chrisr~1\applic~1\lockso~1\Tool boob bore.exe
"2008-02-15 02:02:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-16 02:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D6CXNLB1-Chris Radecke).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-02-19 03:17:50 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 20:30:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-18 20:33:38
ComboFix-quarantined-files.txt 2008-02-19 04:33:32
ComboFix2.txt 2008-02-19 01:13:06
.
2008-02-14 19:59:28 --- E O F ---




HiJack This Log (Reg Mode):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:18 AM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....my.ucdavis.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,[email protected]
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1159138496674
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gebcc - C:\WINDOWS\
O20 - Winlogon Notify: jkkhecc - jkkhecc.dll (file missing)
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\
O20 - Winlogon Notify: jkklj - C:\WINDOWS\
O20 - Winlogon Notify: yayxxuv - yayxxuv.dll (file missing)
O21 - SSODL: BurnWin - {C145CF11-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\system32\apiuser32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 8494 bytes





****HERE ARE SOME ADDITIONAL LOGS THAT MAY BE HELPFUL*****:

SUPERAntiSpyware Log:

SUPERAntiSpyware Scan Log
Generated 02/18/2008 at 03:37 PM

Application Version : 3.6.1000

Core Rules Database Version : 3404
Trace Rules Database Version: 1396

Scan type : Complete Scan
Total Scan Time : 14:05:28

Memory items scanned : 404
Memory threats detected : 1
Registry items scanned : 8599
Registry threats detected : 6
File items scanned : 49184
File threats detected : 7

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\PMNLM.DLL
C:\WINDOWS\SYSTEM32\PMNLM.DLL
HKLM\Software\Classes\CLSID\{8F47A633-F319-40C0-BC92-A848B54226E2}
HKCR\CLSID\{8F47A633-F319-40C0-BC92-A848B54226E2}
HKCR\CLSID\{8F47A633-F319-40C0-BC92-A848B54226E2}\InprocServer32
HKCR\CLSID\{8F47A633-F319-40C0-BC92-A848B54226E2}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8F47A633-F319-40C0-BC92-A848B54226E2}

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{98663E21-9CCE-4CF6-863C-911A9523A66F}

Adware.Tracking Cookie
C:\Documents and Settings\Chris Radecke\Cookies\[email protected][1].txt
C:\Documents and Settings\Chris Radecke\Cookies\[email protected][1].txt
C:\Documents and Settings\Chris Radecke\Cookies\[email protected][1].txt
C:\Documents and Settings\Chris Radecke\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris Radecke\Cookies\[email protected][1].txt

RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk




Avast! Antivirus Scan:

Malware name: Win32:TratBHO [Trj]
File name: C:\VUNDOFIX BACKUPS\EQQVJQXG.DLL.BAD (deleted);
C:\VundoFix Backups\ypnthbpv.dll.bad (moved to chest)
VPS version: 080218-0, 02/18/2008

Malware name: Win32:Trojan-gen {UPX}
File name: C:\Program Files\Numark Cue\Setup.exe (moved to chest)
Type: Virus/Worm
VPS version: 080218-0, 02/18/2008

C:\WINDOWS\system32\ActiveScan\pskavs.dll (moved to chest)
Win32:CTX
Virus/Worm
080218-0, 02/18/2008

C:\WINDOWS\system32\gvvtqtjc.dll (moved to chest)
Win32:TratBHO [Trj]
Trojan Horse
080218-0, 02/18/2008

K:\My Software\Sony.Vegas.v7.0c.Incl.Keygen-SSG\keygen.exe
Win32:Delf-HOX [Trj]
Trojan Horse
080218-0, 02/18/2008

K:\My Software\Webroot Spy Sweeper\Spy Sweeper Updater 2.0.0 Beta 5000.exe
Win32:Mudrop-U [Trj]
Trojan Horse
080218-0, 02/18/2008

C:\Documents and Settings\Chris Radecke\My Documents\My Music\Mistah F.A.B. - Son of a Pimp\intro mistah son of a pimp.wm
Win32:Wimad-C [Trj]
Trojan Horse
080219-0, 02/19/2008



AVG Anti-Spyware Scan:

Trojan.IrcHole
Several Tracking Cookies
Not-A-Virus.Hoax.Win32.Renos.asa




SmitFraudFix v2.292

Scan done at 17:20:04.43, Tue 02/19/2008
Run from C:\Documents and Settings\Chris Radecke\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 68.87.76.178
DNS Server Search Order: 68.87.78.130

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9911AD09-9943-40B9-8F36-A33AEE266A97}: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9911AD09-9943-40B9-8F36-A33AEE266A97}: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS3\Services\Tcpip\..\{9911AD09-9943-40B9-8F36-A33AEE266A97}: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End





Sorry for the length of this post lol. I hope that it's a good thing.
Thank you very very much,

Chris (First time poster)
  • 0

Advertisements


#2
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi ceradecke,

Welcome to Geeks to Go!
My name is sage5, and I will be helping you with this problem.


I see you have LimeWire & Azureus installed on your system.
While these programs themselves are legal, most of the files downloaded with them, are not.
These programs can also be some of the major infection routes for an otherwise secure PC, because you might be unknowingly downloading infected files. See below

K:\My Software\Sony.Vegas.v7.0c.Incl.Keygen-SSG\keygen.exe
Win32:Delf-HOX [Trj]
Trojan Horse
080218-0, 02/18/2008

K:\My Software\Webroot Spy Sweeper\Spy Sweeper Updater 2.0.0 Beta 5000.exe
Win32:Mudrop-U [Trj]
Trojan Horse
080218-0, 02/18/2008

C:\Documents and Settings\Chris Radecke\My Documents\My Music\Mistah F.A.B. - Son of a Pimp\intro mistah son of a pimp.wm
Win32:Wimad-C [Trj]
Trojan Horse
080219-0, 02/19/2008

I highly recommend uninstalling LimeWire & Azureus as outlined below.


Remove P2P apps:
Please go to Start > Control Panel > Add/Remove Programs and remove the following, (if present):
LimeWire
Azureus

Please take note of any other programs that you don't recognise in that list, and include them in your next response


Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for the all the entries listed below:
O20 - Winlogon Notify: gebcc - C:\WINDOWS\
O20 - Winlogon Notify: jkkhecc - jkkhecc.dll (file missing)
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\
O20 - Winlogon Notify: jkklj - C:\WINDOWS\
O20 - Winlogon Notify: yayxxuv - yayxxuv.dll (file missing)
O21 - SSODL: BurnWin - {C145CF11-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\system32\apiuser32.dll (file missing)

  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


Create a CombFix Script:
  • Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.
  • Now copy/paste the entire content of the codebox below into the Notepad window:
File::C:\WINDOWS\system32\gvvtqtjc.dllC:\WINDOWS\tbKUvulAEn.exeC:\WINDOWS\mrujwlkj.dllC:\WINDOWS\vazyhabm.exeC:\WINDOWS\system32\fnhojeC:\WINDOWS\wbubqziv.exeC:\138535567C:\reg.regC:\Documents and Settings\Chris Radecke\zguicfgw.datC:\WINDOWS\system32\ccbeg.bak1C:\WINDOWS\system32\cccdd.bak1C:\WINDOWS\system32\cccdd.bak2C:\WINDOWS\system32\D39B572A28.sysC:\WINDOWS\system32\jjkkj.bak1C:\WINDOWS\system32\jjkkj.bak2C:\WINDOWS\system32\jlkkj.bak1C:\WINDOWS\system32\KGyGaAvL.sysC:\WINDOWS\system32\kjllm.bak1C:\WINDOWS\system32\kjllm.bak2C:\WINDOWS\system32\utstv.bak1C:\WINDOWS\system32\utvwa.ini2C:\WINDOWS\Tasks\857BF1E581B89DC9.jobFolder::C:\Program Files\DealioC:\WINDOWS\kwiofcnuC:\Program Files\LimeWireC:\Program Files\AzureusDriver::fnhojeRegistry::[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]"2chkdsk"=-

  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    Posted Image
  • After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    [list]
  • Combofix.txt
  • A new HijackThis log.


Cheers,

sage5
  • 0

#3
ceradecke

ceradecke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thanks a lot for the very quick reply.



I removed my peer2peer applications and here is a list of programs on my computer that I do not entirely recognize:

725plc32
CinepPlayer 30 Update
Cleaner 5 EZ
Desktop Doctor
EarthLink setup files
EducateU
Learn2 Player
Microsoft SQL Server Desktop Engine (Sony_MediaMGR)
Modem Helper
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
SXML 6.0 Parser (KB933579)
NetWaiting
PACE System Files
SmartSound Quicktracks Plugin
Viewpoint Media Player
WinPcap 3.1
XBC 5.1





And here are the new combofix and hijack this logs:


ComboFix 08-02-18.1 - Chris Radecke 2008-02-20 11:51:12.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.643 [GMT -8:00]
Running from: C:\Documents and Settings\Chris Radecke\Desktop\Programs\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chris Radecke\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\138535567
C:\Documents and Settings\Chris Radecke\zguicfgw.dat
C:\reg.reg
C:\WINDOWS\mrujwlkj.dll
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\cccdd.bak2
C:\WINDOWS\system32\D39B572A28.sys
C:\WINDOWS\system32\fnhoje
C:\WINDOWS\system32\gvvtqtjc.dll
C:\WINDOWS\system32\jjkkj.bak1
C:\WINDOWS\system32\jjkkj.bak2
C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\utstv.bak1
C:\WINDOWS\system32\utvwa.ini2
C:\WINDOWS\Tasks\857BF1E581B89DC9.job
C:\WINDOWS\tbKUvulAEn.exe
C:\WINDOWS\vazyhabm.exe
C:\WINDOWS\wbubqziv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\fnhoje
C:\138535567
C:\Documents and Settings\Chris Radecke\zguicfgw.dat
C:\Program Files\Azureus
C:\Program Files\Azureus\AzureusUpdater.exe
C:\Program Files\Azureus\hs_err_pid884.log
C:\Program Files\Azureus\msvcr71.dll
C:\Program Files\Azureus\plugins\azplugins\azplugins_2.1.1.jar
C:\Program Files\Azureus\plugins\azplugins\azplugins_2.1.4.jar
C:\Program Files\Azureus\plugins\azrating\azrating_1.3.1.jar
C:\Program Files\Azureus\plugins\azupdater\azupdater_1.8.5.zip
C:\Program Files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.3.jar
C:\Program Files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.5.jar
C:\Program Files\Azureus\plugins\azupdater\plugin.properties
C:\Program Files\Azureus\plugins\azupdater\plugin.properties_1.8.5
C:\Program Files\Azureus\plugins\azupdater\Updater.jar
C:\Program Files\Azureus\plugins\azupdater\Updater.jar.bak
C:\Program Files\Azureus\swt-awt-win32-3318.dll
C:\Program Files\Azureus\swt-gdip-win32-3318.dll
C:\Program Files\Azureus\swt-wgl-win32-3318.dll
C:\Program Files\Azureus\swt-win32-3318.dll
C:\Program Files\Azureus\Uninstall.exe
C:\Program Files\Dealio
C:\Program Files\LimeWire
C:\Program Files\LimeWire\hs_err_pid3972.log
C:\Program Files\LimeWire\lib\jl011.jar
C:\Program Files\LimeWire\lib\MessagesBundles.jar
C:\Program Files\LimeWire\lib\mp3sp14.jar
C:\Program Files\LimeWire\lib\vorbis.jar
C:\Program Files\LimeWire\Thumbs.db
C:\reg.reg
C:\WINDOWS\kwiofcnu
C:\WINDOWS\kwiofcnu\1.png
C:\WINDOWS\kwiofcnu\2.png
C:\WINDOWS\kwiofcnu\3.png
C:\WINDOWS\kwiofcnu\4.png
C:\WINDOWS\kwiofcnu\5.png
C:\WINDOWS\kwiofcnu\6.png
C:\WINDOWS\kwiofcnu\7.png
C:\WINDOWS\kwiofcnu\8.png
C:\WINDOWS\kwiofcnu\9.png
C:\WINDOWS\kwiofcnu\bottom-rc.gif
C:\WINDOWS\kwiofcnu\config.png
C:\WINDOWS\kwiofcnu\content.png
C:\WINDOWS\kwiofcnu\download.gif
C:\WINDOWS\kwiofcnu\frame-bg.gif
C:\WINDOWS\kwiofcnu\frame-bottom-left.gif
C:\WINDOWS\kwiofcnu\frame-h1bg.gif
C:\WINDOWS\kwiofcnu\head.png
C:\WINDOWS\kwiofcnu\icon.png
C:\WINDOWS\kwiofcnu\indexwp.html
C:\WINDOWS\kwiofcnu\main.css
C:\WINDOWS\kwiofcnu\memory-prots.png
C:\WINDOWS\kwiofcnu\net.png
C:\WINDOWS\kwiofcnu\pc-mag.gif
C:\WINDOWS\kwiofcnu\pc.gif
C:\WINDOWS\kwiofcnu\poloska1.png
C:\WINDOWS\kwiofcnu\poloska2.png
C:\WINDOWS\kwiofcnu\poloska3.png
C:\WINDOWS\kwiofcnu\promowp1.html
C:\WINDOWS\kwiofcnu\promowp2.html
C:\WINDOWS\kwiofcnu\promowp3.html
C:\WINDOWS\kwiofcnu\promowp4.html
C:\WINDOWS\kwiofcnu\promowp5.html
C:\WINDOWS\kwiofcnu\reg.png
C:\WINDOWS\kwiofcnu\repair.png
C:\WINDOWS\kwiofcnu\scr-1.png
C:\WINDOWS\kwiofcnu\scr-2.png
C:\WINDOWS\kwiofcnu\start.png
C:\WINDOWS\kwiofcnu\styles.css
C:\WINDOWS\kwiofcnu\Thumbs.db
C:\WINDOWS\kwiofcnu\top-rc.gif
C:\WINDOWS\kwiofcnu\vline.gif
C:\WINDOWS\kwiofcnu\wp.png
C:\WINDOWS\mrujwlkj.dll
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\cccdd.bak2
C:\WINDOWS\system32\D39B572A28.sys
C:\WINDOWS\system32\fnhoje
C:\WINDOWS\system32\jjkkj.bak1
C:\WINDOWS\system32\jjkkj.bak2
C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\utstv.bak1
C:\WINDOWS\system32\utvwa.ini2
C:\WINDOWS\Tasks\857BF1E581B89DC9.job
C:\WINDOWS\tbKUvulAEn.exe
C:\WINDOWS\wbubqziv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\fnhoje


((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-19 17:20 . 2008-02-19 17:20 2,168 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-18 21:31 . 2008-02-18 21:35 <DIR> d-------- C:\Documents and Settings\Chris Radecke\.SunDownloadManager
2008-02-18 17:28 . 2008-02-18 17:28 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-18 01:58 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-18 01:58 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-18 01:58 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-18 01:58 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-18 01:57 . 2008-02-18 01:57 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-18 01:57 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-18 01:57 . 2004-01-09 01:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-18 01:57 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-18 01:57 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-18 01:35 . 2008-02-19 01:15 <DIR> d-------- C:\VundoFix Backups
2008-02-17 10:30 . 2008-02-19 01:25 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-17 10:30 . 2008-02-17 10:30 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-17 10:30 . 2008-02-17 10:30 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-17 10:30 . 2008-02-17 10:30 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-17 09:14 . 2008-02-17 09:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-17 09:13 . 2008-02-18 20:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-17 09:13 . 2008-02-17 09:13 <DIR> d-------- C:\Documents and Settings\Chris Radecke\Application Data\SUPERAntiSpyware.com
2008-02-17 09:11 . 2008-02-17 09:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 03:02 . 2008-02-17 03:02 <DIR> d-------- C:\Documents and Settings\Chris Radecke\Application Data\Grisoft
2008-02-17 03:00 . 2008-02-17 03:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-17 03:00 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-05 18:46 . 2008-02-05 18:46 <DIR> d-------- C:\Program Files\WinDirStat
2008-02-05 18:28 . 2008-02-05 18:34 <DIR> d-------- C:\Program Files\Wise Registry Cleaner
2008-02-05 18:22 . 2008-02-05 18:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-05 16:41 . 2008-02-05 16:41 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-02-05 16:40 . 2008-02-05 17:11 <DIR> d-------- C:\Documents and Settings\Chris Radecke\Application Data\Dealio
2008-01-20 02:44 . 2008-02-17 14:24 <DIR> d-------- C:\Program Files\iTunes
2008-01-20 02:44 . 2008-01-20 02:44 <DIR> d-------- C:\Program Files\iPod
2008-01-20 02:42 . 2008-01-20 02:42 <DIR> d-------- C:\Program Files\QuickTime
2008-01-20 02:39 . 2008-01-20 02:39 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-20 02:39 . 2008-01-20 02:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-19 09:10 --------- d-----w C:\Program Files\Numark Cue
2008-02-19 01:35 --------- d-----w C:\Program Files\WinXMedia
2008-02-19 01:33 --------- d-----w C:\Program Files\The Weather Channel FW
2008-02-19 01:31 --------- d-----w C:\Program Files\Trillian
2008-02-19 01:30 --------- d-----w C:\Program Files\Sony
2008-02-19 01:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-19 01:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-19 01:25 --------- d-----w C:\Program Files\Avvenu
2008-02-17 19:21 --------- d-----w C:\Program Files\Windows Defender
2008-02-17 11:02 --------- d-----w C:\Program Files\PeerGuardian2
2008-02-17 09:55 --------- d-----w C:\Documents and Settings\Chris Radecke\Application Data\Azureus
2008-02-14 19:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-12 19:38 --------- d-----w C:\Program Files\Dl_cats
2008-02-12 05:33 --------- d-----w C:\Documents and Settings\Chris Radecke\Application Data\U3
2008-02-10 00:46 --------- d-----w C:\Documents and Settings\Chris Radecke\Application Data\LimeWire
2008-02-06 10:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-06 00:31 --------- d-----w C:\Program Files\ESET
2008-01-25 22:56 --------- d-----w C:\Program Files\McAfee
2008-01-25 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-24 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-21 11:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-01-20 10:40 --------- d-----w C:\Program Files\Apple Software Update
2008-01-20 00:59 --------- d-----w C:\Documents and Settings\Chris Radecke\Application Data\MathWorks
2008-01-20 00:06 --------- d-----w C:\Program Files\MATLAB
2008-01-19 22:42 --------- d-----w C:\Program Files\EA SPORTS
2008-01-19 21:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-01-19 21:27 --------- d-----w C:\Program Files\VstPlugins
2008-01-19 21:21 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-01-18 21:07 --------- d-----w C:\Program Files\XBC
2008-01-18 18:54 --------- d-----w C:\Documents and Settings\Chris Radecke\Application Data\locks online four
2008-01-16 04:00 --------- d-----w C:\Documents and Settings\Chris Radecke\Application Data\ESET
2008-01-16 03:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-01-15 23:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-02-15 07:33 40 ----a-w C:\Documents and Settings\Chris Radecke\language.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 10:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 10:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 10:50 114688]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-07 20:55 73728]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 16:21 270336]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Avvenu Access n Share.lnk]
backup=C:\WINDOWS\pss\Avvenu Access n Share.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chris Radecke^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Chris Radecke^Start Menu^Programs^Startup^PeerGuardian.lnk]
backup=C:\WINDOWS\pss\PeerGuardian.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Chris Radecke^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2chkdsk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Avvenu Update]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMCService]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 13:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-14 23:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
--a------ 2005-03-11 10:59 35328 C:\Program Files\Digidesign\Drivers\MMERefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-09-08 02:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-11-01 00:12 94208 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
--a------ 2006-12-14 12:28 2801664 C:\Program Files\Electronic Arts\EA Link\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2007-03-15 17:16 454784 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\emMON]
--a------ 2006-05-31 12:24 61440 C:\WINDOWS\HCWemMON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FRAG LITE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-05-18 11:56 1831936 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 07:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 07:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
--a------ 2006-07-12 21:22 57344 C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPSExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-07-12 16:05 1117184 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mySISvc]
--a------ 2007-05-04 14:59 5958965 C:\Program Files\mySI\mySI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 09:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-07-29 03:07 188416 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-12-15 03:23 75520 C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-05-16 20:26 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-10-15 19:12 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 17:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2005-03-09 23:18]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 USB28xxBGA;WinTV HVR-900;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2006-09-13 12:21]
S3 USB28xxOEM;WinTV OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2006-09-13 12:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 02:02:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-16 02:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D6CXNLB1-Chris Radecke).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-02-20 20:13:19 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 14:22:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-02-20 14:34:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-20 22:34:35
ComboFix2.txt 2008-02-19 04:33:39
ComboFix3.txt 2008-02-19 01:13:06
.
2008-02-20 01:18:14 --- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:37 PM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....my.ucdavis.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,[email protected]
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1159138496674
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 7562 bytes
  • 0

#4
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi ceradecke,


Remove folders & files:
  • Please go to Start > Control Panel > Add/Remove Programs and remove the following, (if present):
    725plc32
    CinepPlayer 30 Update
    Cleaner 5 EZ
    Desktop Doctor
    EarthLink setup files
    EducateU
    Learn2 Player
    Microsoft SQL Server Desktop Engine (Sony_MediaMGR)
    Modem Helper
    NetWaiting
    PACE System Files
    SmartSound Quicktracks Plugin
    Viewpoint Media Player
    WinPcap 3.1
    XBC 5.1

    Please take note of any other programs that you don't recognise in that list, and include them in your next response
  • Using Windows Explorer, (to get there right-click your Start button and go to "Explore"), delete these folders, (if present):
    C:\Documents and Settings\Chris Radecke\Application Data\Azureus
    C:\Documents and Settings\Chris Radecke\Application Data\LimeWire
    C:\Program Files\ESET
    C:\Documents and Settings\Chris Radecke\Application Data\locks online four
    C:\Documents and Settings\Chris Radecke\Application Data\ESET
    C:\Documents and Settings\All Users\Application Data\ESET


Clean up Registry with a Reg file:
  • Please open a new Notepad file by clicking Start\All Programs\Accessories\Notepad
  • Copy the text from the following Code box, by highlighting all the text and right click, Select Copy. (or use the Ctrl+C keyboard shortcut)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"2chkdsk"=-

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"mySISvc"=-
  • Paste it into Notepad. Right click in the window and select Paste. (or use Ctrl+V)
  • Save the file to the Desktop, make sure Type is All Files, and name it Fixreg.reg
  • Double click on the file created and click Yes when asked to merge the information into the Registry


Shut down & Reboot normally:

Run HijackThis again:
  • Select the Run a system scan and save a logfile button. The logfile will open in Notepad.
  • Start your Web Browser and navigate back to this thread.
  • Click the Add Reply button
  • Copy and Paste the text into the Reply window.
Please include a note to tell me how your PC is running now.

Cheers,

sage5
  • 0

#5
ceradecke

ceradecke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Uninstalled all of the programs.
Deleted all of the files/folders using explorer.
Cleaned up the registry (in addition to copying and pasting the regedit script I ran a scan using Wise Registry Cleaner).
Rebooted the computer....
...and everything seems to be running fine. My internet connection is looking like it's back to original form (a lot quicker).
I also read in a bunch of threads that one should have the latest java rte so I updated that and deleted the old updates.




Here's the newest hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:27 PM, on 2/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....my.ucdavis.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,[email protected]
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1159138496674
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe

--
End of file - 6741 bytes




Thanks!

Chris
  • 0

#6
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi ceradecke,


Let's update & run a scan with AVG Anti-Spyware:

Update AVG Anti-Spyware:
  • Double-click the AVG icon on the desktop to launch the program.
  • On the main screen select Update then select the Update now link.
    • Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
  • Once in the Settings screen click on Recommended actions and then select Quarantine.
  • Under Reports
    • Select Do no automatically generate report
    • Un-Select Only if threats were found
  • Reboot your computer into SafeMode.
    • Restart your computer and tap the F8 key, repeatedly until a menu appears.
    • Use your up arrow key to highlight SafeMode then hit Enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
  • Once the scan is complete do the following:
    • If you have any infections you will prompted, then select Apply all actions
    • Next select the Reports icon at the top.
    • Select the Save report as button in the lower left hand of the screen and save it as C:\avg_as.txt
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode


Paste the text from C:\avg_as.txt as well as a fresh HijackThis log as your next reply.

Cheers,

sage5

Edited by sage5, 21 February 2008 - 03:59 PM.

  • 0

#7
ceradecke

ceradecke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I've been trying to get into safe mode at start up but a screen comes up after the loading screen that shows the words "keyboard failure." I have had this problem before and for some reason it went away but now it is back again.
Do you know how to resolve this?
  • 0

#8
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Are you using a wireless keyboard?
If so, can you get hold of a "wired" one temporarily?
  • 0

#9
ceradecke

ceradecke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Actually its just a regular usb keyboard. A buddy has some type of a usb to something-something converter that he said would give the keyboard power before the os loads. I just don't know why it works sometimes but not others.
I'll try to get my hands on the converter tonight....unless there is another way that I could get it working.
  • 0

#10
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
That's right, you need a USB - PS2 adapter, because USB devices often do not work correctly in Safe Mode.
If you cannot get an adapter, see if you can borrow a PS2 format keyboard, older style round purple colored plug.
  • 0

Advertisements


#11
ceradecke

ceradecke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Okay. I'm going to get the converter today and then I will run the AVG scan and reply with that report and the new hijack this log.
  • 0

#12
ceradecke

ceradecke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I couldn't get a hold of the adapter today and I am going back home for the weekend (computer is at my place at school). So I will be unable to perform any scans until Sunday evening. I'm really sorry for the will-be delay for my post. I understand if you cannot help me further, however, I will be sure to post the logs in my reply sunday evening.
Thanks,
Chris
  • 0

#13
ceradecke

ceradecke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Here are the results of the AVG AntiSpyware Scan (The program did find several infections, including a bunch of cookies and something called "Downloader Agent"):



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:58:34 AM 2/25/2008

+ Scan result:



C:\QooBox\Quarantine\catchme2008-02-20_142241.06.zip/fnhoje -> Downloader.Agent.ind : Cleaned.
:mozilla.78:C:\Documents and Settings\Chris Radecke\Application Data\Mozilla\Firefox\Profiles\xxha5rnp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.79:C:\Documents and Settings\Chris Radecke\Application Data\Mozilla\Firefox\Profiles\xxha5rnp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.80:C:\Documents and Settings\Chris Radecke\Application Data\Mozilla\Firefox\Profiles\xxha5rnp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.81:C:\Documents and Settings\Chris Radecke\Application Data\Mozilla\Firefox\Profiles\xxha5rnp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.82:C:\Documents and Settings\Chris Radecke\Application Data\Mozilla\Firefox\Profiles\xxha5rnp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.83:C:\Documents and Settings\Chris Radecke\Application Data\Mozilla\Firefox\Profiles\xxha5rnp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.84:C:\Documents and Settings\Chris Radecke\Application Data\Mozilla\Firefox\Profiles\xxha5rnp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.85:C:\Documents and Settings\Chris Radecke\Application Data\Mozilla\Firefox\Profiles\xxha5rnp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.46:C:\Documents and Settings\Chris Radecke\Application Data\Mozilla\Firefox\Profiles\xxha5rnp.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.58:C:\Documents and Settings\Chris Radecke\Application Data\Mozilla\Firefox\Profiles\xxha5rnp.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.59:C:\Documents and Settings\Chris Radecke\Application Data\Mozilla\Firefox\Profiles\xxha5rnp.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.60:C:\Documents and Settings\Chris Radecke\Application Data\Mozilla\Firefox\Profiles\xxha5rnp.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.61:C:\Documents and Settings\Chris Radecke\Application Data\Mozilla\Firefox\Profiles\xxha5rnp.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.62:C:\Documents and Settings\Chris Radecke\Application Data\Mozilla\Firefox\Profiles\xxha5rnp.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.63:C:\Documents and Settings\Chris Radecke\Application Data\Mozilla\Firefox\Profiles\xxha5rnp.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.64:C:\Documents and Settings\Chris Radecke\Application Data\Mozilla\Firefox\Profiles\xxha5rnp.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.77:C:\Documents and Settings\Chris Radecke\Application Data\Mozilla\Firefox\Profiles\xxha5rnp.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.


::Report end


Thanks,

Chris
  • 0

#14
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi ceradecke,


Apart from the cookies, that file is in one of the quarantine folders set up by Combofix, so not a problem.
We will deal with all them in the last post.


You don't appear to be running a 3rd party firewall. These are essential to protect from trojans, viruses, spyware etc.

You should check out:- Comodo Firewall Pro or Sunbelt Personal Firewall

User manuals are available for both:
Comodo's manual is built in and accessable from the Help Menu.

Sunbelt Manual Here

Both are simple to install & free to use.
Please install only 1


I need you to post me a fresh HijackThis log to confirm correct installation of the Anti-virus and Firewall programs.

Run HijackThis:
  • Select the Run a system scan and save a logfile option. The logfile opens in Notepad.
  • Start your Web Browser and navigate back to this thread.
  • Click the Add Reply button
  • Copy and Paste the text into the Reply window.
  • Also paste me the text from C:\avscan.txt

Cheers,

sage5
  • 0

#15
ceradecke

ceradecke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I installed the comodo firewall app but upon running it it says that there is a problem with the network firewall. I clicked run diagnostics as it instructed too and it responded saying that it found no errors in installation.

Here are the logs from hjt and from the comodo scan.....


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:38 PM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\COMODO\Firewall\cfp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....my.ucdavis.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,[email protected]
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1159138496674
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe

--
End of file - 6765 bytes




Unknown Malware (Dirty)(ID = 0x4b543) C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.1\inst.exe
Unknown Malware (Dirty)(ID = 0x4a655) C:\Documents and Settings\All Users\Start Menu\3 Months Free NetZero.exe
not-a-virus_RiskTool.Win32.Reboot.f(ID = 0x51537) C:\Documents and Settings\Chris Radecke\Desktop\Programs\SmitfraudFix\Reboot.exe
Unknown Malware (Dirty)(ID = 0x4a655) C:\Program Files\Dell\Launcher\files\3 Months Free NetZero.exe
Virus identified Obfustat.RPQ(ID = 0x5b718) C:\Program Files\Image-Line\FL Studio 7\crack.exe
Application.Win32.Adware.SecToolbar(ID = 0x18e9b) C:\QooBox\Quarantine\C\WINDOWS\system32\windows.vir
Unknown Malware (Dirty)(ID = 0x4edaf) C:\WINDOWS\_MSRSTRT.EXE
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP