Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Can I be Helped? C:\windows\system32\vtuts.exe [RESOLVE


  • This topic is locked This topic is locked

#1
blacktail4x5

blacktail4x5

    Member

  • Member
  • PipPip
  • 10 posts
I have been having issues for a while now. I have all kinds of virus scans and they all find stuff and remove it. I keep getting this after reboot. C:\windows\system32\vtuts.exe. I did a search and found this site so I thought I would give you a try before a restore. I am not totally PC illiterate but not even close to geek status so please have some patience with me. If you can help I would greatly apprecite it.
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#3
blacktail4x5

blacktail4x5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi! Thanks for the reply!
Here is the combo log:
ComboFix 08-02-22.3 - Mike 2008-02-22 15:13:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.468 [GMT -8:00]
Running from: C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\scurit~1
C:\WINDOWS\scurit~1\s?curity\
C:\WINDOWS\system32\afbbkdjc.dll
C:\WINDOWS\system32\aghkycow.dll
C:\WINDOWS\system32\awiodosv.dll
C:\WINDOWS\system32\bhfdavxu.dll
C:\WINDOWS\system32\bjhyucnq.dll
C:\WINDOWS\system32\dqydsmos.dll
C:\WINDOWS\system32\etvwahum.dll
C:\WINDOWS\system32\hejnbfmr.dll
C:\WINDOWS\system32\kdsldqcw.dll
C:\WINDOWS\system32\kjvqeiww.dll
C:\WINDOWS\system32\lnovmslw.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nautimkt.dll
C:\WINDOWS\system32\ndjiwdsv.dll
C:\WINDOWS\system32\ovncmndo.dll
C:\WINDOWS\system32\rhetbakv.dll
C:\WINDOWS\system32\sacvsybk.dll
C:\WINDOWS\system32\slqabpnq.dll
C:\WINDOWS\system32\stutv.ini2
C:\WINDOWS\system32\ykxlbmjb.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NTNDIS
-------\ntndis


((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.

2008-02-22 10:50 . 2008-02-22 14:10 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-22 10:50 . 2008-02-22 14:10 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-22 10:49 . 2008-02-22 13:31 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-22 10:49 . 2008-02-22 14:10 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-22 08:51 . 2008-02-22 10:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-22 08:51 . 2008-02-22 08:51 <DIR> d-------- C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\SUPERAntiSpyware.com
2008-02-22 08:51 . 2008-02-22 08:51 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-02-22 08:50 . 2008-02-22 08:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-21 21:13 . 2008-02-21 21:13 <DIR> d-------- C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\Grisoft
2008-02-21 21:12 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-21 11:06 . 2008-02-21 12:39 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-02-20 11:46 . 2008-02-20 11:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-20 11:46 . 2008-02-20 11:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-15 22:28 . 2008-02-15 22:28 <DIR> d-------- C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\DivX
2008-02-15 22:26 . 2008-02-15 22:26 <DIR> d-------- C:\Program Files\DivX
2008-02-15 07:35 . 2008-02-22 14:57 157,424 --a------ C:\WINDOWS\BM37ccdbad.xml
2008-02-14 07:34 . 2008-02-22 15:13 21 --a------ C:\WINDOWS\pskt.ini
2008-02-05 15:33 . 2008-02-05 15:33 <DIR> d-------- C:\Program Files\Uniblue
2008-02-05 15:33 . 2008-02-05 15:33 <DIR> d-------- C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\Uniblue
2008-02-02 20:41 . 2008-02-21 17:07 <DIR> d-------- C:\Program Files\Windows Defender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-22 21:58 --------- d-----w C:\Program Files\McAfee
2008-02-22 21:52 --------- d-----w C:\Program Files\Absolute Poker
2008-02-22 21:51 --------- d-----w C:\Program Files\PokerFatCat
2008-02-22 21:50 --------- d-----w C:\Program Files\Coupons
2008-02-22 01:32 --------- d-----w C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\AVG7
2008-02-22 00:59 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-02-22 00:52 --------- d-----w C:\Program Files\iTunes
2008-02-18 20:27 --------- d-----w C:\Program Files\Vegas Poker 247
2008-02-17 08:29 --------- d-----w C:\Program Files\PokerStars
2008-02-16 06:07 --------- d-----w C:\Program Files\Full Tilt Poker
2008-01-25 02:17 --------- d-----w C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\Wal-Mart Digital Photo Manager
2008-01-22 03:45 --------- d-----w C:\Program Files\QuickTime
2008-01-22 03:34 --------- d-----w C:\Program Files\Common Files\xing shared
2008-01-22 03:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-22 03:12 --------- d-----w C:\Program Files\MSN Messenger
2008-01-22 03:12 --------- d-----w C:\Program Files\Microsoft Works
2008-01-22 00:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 00:05 --------- d-----w C:\Program Files\ABBYY FineReader 5.0 Sprint
2008-01-21 23:27 --------- d-----w C:\Program Files\Lexmark 4200 Series
2008-01-21 21:01 --------- d-----w C:\Program Files\Common Files\aolshare
2008-01-21 20:58 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2008-01-21 18:46 --------- d-----w C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\AVG7
2008-01-21 18:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-01-21 00:36 200,000 ----a-w C:\Documents and Settings\Mike.4X5BLACKTAIL.000\vvqq.exe
2008-01-18 18:17 --------- d-----w C:\Program Files\UltimateBet
2008-01-17 22:50 --------- d-----w C:\Program Files\Google
2007-08-16 02:27 20 ---h--w C:\Documents and Settings\All Users.WINDOWS\Application Data\PKP_DLec.DAT
2004-09-29 01:33 41 ----a-w C:\Documents and Settings\Mike.4X5BLACKTAIL\Application Data\tvmcwrd.dll
2004-09-27 18:44 218,486 ----a-w C:\Documents and Settings\Mike.4X5BLACKTAIL\Application Data\tvmknwrd.dll
2004-03-30 01:14 56,872 ----a-w C:\Documents and Settings\Mike.4X5BLACKTAIL\Application Data\GDIPFONTCACHEV1.DAT
.
<pre>
----a-w			86,016 2008-01-21 22:27:08  C:\Mouse Suite v1.2\wh_exec .exe
----a-w			28,672 2008-01-21 22:27:04  C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
----a-w		   245,760 2008-01-21 22:26:49  C:\Program Files\Creative\Shared Files\CAMTRAY .EXE
----a-w		 6,731,312 2008-02-22 08:51:16  C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
----a-w		   579,072 2008-01-21 22:27:13  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w		   256,576 2008-01-21 22:26:56  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			75,520 2008-01-21 22:27:04  C:\Program Files\Java\jre1.5.0_12\bin\jusched .exe
----a-w			57,344 2008-01-21 22:26:44  C:\Program Files\Lexmark 4200 Series\lxbmbmgr .exe
----a-w		   151,552 2008-01-21 22:26:46  C:\Program Files\Lexmark 4200 Series\Fax\fm3032 .exe
----a-w			24,576 2008-01-21 22:27:16  C:\Program Files\Microsoft Works\wkfud .exe
----a-w		   331,830 2008-01-21 22:27:06  C:\Program Files\Microsoft Works\WksSb .exe
----a-w		 5,674,352 2008-01-21 22:28:06  C:\Program Files\MSN Messenger\MsnMsgr .Exe
----a-w		   679,936 2008-01-21 22:26:56  C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-10-06 14:16 49152]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-21 10:45 219136]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\Mike.4X5BLACKTAIL\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE [1998-06-06 07:33:30 325632]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 14:06:54 24633]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-08-06 12:08:26 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnnml]
opnnnml.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Documents and Settings\\Mike.4X5BLACKTAIL.000\\calc.exe"=
"C:\\WINDOWS\\Explorer.exe"=
"C:\\Program Files\\MSN Messenger\\MsnMsgr .Exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\\Network Diagnostic\\xpnetdiag.exe:@xpsp3res.dll,-20000
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-07-29 17:55]
R3 whfltr2k;WheelMouse USB Lower Filter Driver;C:\WINDOWS\system32\DRIVERS\whfltr2k.sys [2007-01-25 07:45]
R3 whmice2k;Advanced Wheel Mouse Upper Filter Driver;C:\WINDOWS\system32\DRIVERS\whmice2k.sys [2004-04-25 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-20 20:20:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-22 22:38:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-22 23:24:37 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 15:21:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\DOCUME~1\MIKE4X~1.000\LOCALS~1\Temp\SSUPDATE.EXE
.
**************************************************************************
.
Completion time: 2008-02-22 15:27:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-22 23:27:00
.
2008-02-22 20:49:00 --- E O F ---



And the hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:49:00 PM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZNxmk788YYUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Vegas Poker 247 NET - {16D8DF77-C364-44e2-B908-11F75427A20A} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Vegas Poker 247 NET\Vegas Poker 247 NET.lnk
O9 - Extra 'Tools' menuitem: Vegas Poker 247 NET - {16D8DF77-C364-44e2-B908-11F75427A20A} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Vegas Poker 247 NET\Vegas Poker 247 NET.lnk
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoft....com/activescan (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Vegas Poker 247 - {E913D28B-4327-4f36-B303-D08ADF847142} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Vegas Poker 247\Vegas Poker 247.lnk
O9 - Extra 'Tools' menuitem: Vegas Poker 247 - {E913D28B-4327-4f36-B303-D08ADF847142} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Vegas Poker 247\Vegas Poker 247.lnk
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1917D5C6-356D-467D-88FA-14E56FF81601} (FileMgt.FileMgtCtrl) - http://www.absherpro.../pw/FileMgt.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {2FE68711-8830-417D-95E0-EAB307DB0447} - http://www.absherpro...pw/mpsPwLc7.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1134630633684
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD725899-1FF9-4618-A575-ED0D0D97533B}: NameServer = 207.69.188.187 207.69.188.186
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: opnnnml - opnnnml.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://www.camis.com.../gui/wa/bgd.gif

--
End of file - 9008 bytes




I eagerly await my next instructions.
Thanks
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZNxmk788YYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O20 - Winlogon Notify: opnnnml - opnnnml.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\Mike.4X5BLACKTAIL.000\vvqq.exe

Folder::
C:\Program Files\Coupons

Renv::
----a-w 86,016 2008-01-21 22:27:08 C:\Mouse Suite v1.2\wh_exec .exe
----a-w 28,672 2008-01-21 22:27:04 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
----a-w 245,760 2008-01-21 22:26:49 C:\Program Files\Creative\Shared Files\CAMTRAY .EXE
----a-w 6,731,312 2008-02-22 08:51:16 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
----a-w 579,072 2008-01-21 22:27:13 C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w 256,576 2008-01-21 22:26:56 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 75,520 2008-01-21 22:27:04 C:\Program Files\Java\jre1.5.0_12\bin\jusched .exe
----a-w 57,344 2008-01-21 22:26:44 C:\Program Files\Lexmark 4200 Series\lxbmbmgr .exe
----a-w 151,552 2008-01-21 22:26:46 C:\Program Files\Lexmark 4200 Series\Fax\fm3032 .exe
----a-w 24,576 2008-01-21 22:27:16 C:\Program Files\Microsoft Works\wkfud .exe
----a-w 331,830 2008-01-21 22:27:06 C:\Program Files\Microsoft Works\WksSb .exe
----a-w 5,674,352 2008-01-21 22:28:06 C:\Program Files\MSN Messenger\MsnMsgr .Exe
----a-w 679,936 2008-01-21 22:26:56 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

  • 0

#5
blacktail4x5

blacktail4x5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Here is the log! I must say that I screwed up and had this forum page open when it started. Dont know what I was thinking but was reading instructions and forgot it needed to be closed. Seems to be OK so far. d;/(

ComboFix 08-02-22.3 - Mike 2008-02-22 16:34:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.420 [GMT -8:00]
Running from: C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Mike.4X5BLACKTAIL.000\vvqq.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mike.4X5BLACKTAIL.000\vvqq.exe
C:\Program Files\Coupons
C:\Program Files\Coupons\uninstall.exe
C:\Program Files\Coupons\Uninstall\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-22 15:48 . 2008-02-22 15:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-22 10:50 . 2008-02-22 14:10 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-22 10:50 . 2008-02-22 14:10 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-22 10:49 . 2008-02-22 13:31 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-22 10:49 . 2008-02-22 14:10 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-22 08:51 . 2008-02-22 10:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-22 08:51 . 2008-02-22 08:51 <DIR> d-------- C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\SUPERAntiSpyware.com
2008-02-22 08:51 . 2008-02-22 08:51 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-02-22 08:50 . 2008-02-22 08:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-21 21:13 . 2008-02-21 21:13 <DIR> d-------- C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\Grisoft
2008-02-21 21:12 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-21 11:06 . 2008-02-21 12:39 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-02-20 11:46 . 2008-02-20 11:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-20 11:46 . 2008-02-20 11:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-15 22:28 . 2008-02-15 22:28 <DIR> d-------- C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\DivX
2008-02-15 22:26 . 2008-02-15 22:26 <DIR> d-------- C:\Program Files\DivX
2008-02-15 07:35 . 2008-02-22 14:57 157,424 --a------ C:\WINDOWS\BM37ccdbad.xml
2008-02-14 07:34 . 2008-02-22 15:13 21 --a------ C:\WINDOWS\pskt.ini
2008-02-05 15:33 . 2008-02-05 15:33 <DIR> d-------- C:\Program Files\Uniblue
2008-02-05 15:33 . 2008-02-05 15:33 <DIR> d-------- C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\Uniblue
2008-02-02 20:41 . 2008-02-21 17:07 <DIR> d-------- C:\Program Files\Windows Defender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 00:34 --------- d-----w C:\Program Files\MSN Messenger
2008-02-23 00:34 --------- d-----w C:\Program Files\Microsoft Works
2008-02-23 00:34 --------- d-----w C:\Program Files\Lexmark 4200 Series
2008-02-23 00:34 --------- d-----w C:\Program Files\iTunes
2008-02-22 21:58 --------- d-----w C:\Program Files\McAfee
2008-02-22 21:52 --------- d-----w C:\Program Files\Absolute Poker
2008-02-22 21:51 --------- d-----w C:\Program Files\PokerFatCat
2008-02-22 01:32 --------- d-----w C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\AVG7
2008-02-22 00:59 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-02-18 20:27 --------- d-----w C:\Program Files\Vegas Poker 247
2008-02-17 08:29 --------- d-----w C:\Program Files\PokerStars
2008-02-16 06:07 --------- d-----w C:\Program Files\Full Tilt Poker
2008-01-25 02:17 --------- d-----w C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\Wal-Mart Digital Photo Manager
2008-01-22 03:45 --------- d-----w C:\Program Files\QuickTime
2008-01-22 03:34 --------- d-----w C:\Program Files\Common Files\xing shared
2008-01-22 03:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-22 00:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 00:05 --------- d-----w C:\Program Files\ABBYY FineReader 5.0 Sprint
2008-01-21 21:01 --------- d-----w C:\Program Files\Common Files\aolshare
2008-01-21 20:58 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2008-01-21 18:46 --------- d-----w C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\AVG7
2008-01-21 18:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-01-18 18:17 --------- d-----w C:\Program Files\UltimateBet
2008-01-17 22:50 --------- d-----w C:\Program Files\Google
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-08-16 02:27 20 ---h--w C:\Documents and Settings\All Users.WINDOWS\Application Data\PKP_DLec.DAT
2004-09-29 01:33 41 ----a-w C:\Documents and Settings\Mike.4X5BLACKTAIL\Application Data\tvmcwrd.dll
2004-09-27 18:44 218,486 ----a-w C:\Documents and Settings\Mike.4X5BLACKTAIL\Application Data\tvmknwrd.dll
2004-03-30 01:14 56,872 ----a-w C:\Documents and Settings\Mike.4X5BLACKTAIL\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-10-06 14:16 49152]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-21 10:45 219136]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\Mike.4X5BLACKTAIL\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE [1998-06-06 07:33:30 325632]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 14:06:54 24633]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-08-06 12:08:26 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Documents and Settings\\Mike.4X5BLACKTAIL.000\\calc.exe"=
"C:\\WINDOWS\\Explorer.exe"=
"C:\\Program Files\\MSN Messenger\\MsnMsgr .Exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\\Network Diagnostic\\xpnetdiag.exe:@xpsp3res.dll,-20000
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-07-29 17:55]
R3 whfltr2k;WheelMouse USB Lower Filter Driver;C:\WINDOWS\system32\DRIVERS\whfltr2k.sys [2007-01-25 07:45]
R3 whmice2k;Advanced Wheel Mouse Upper Filter Driver;C:\WINDOWS\system32\DRIVERS\whmice2k.sys [2004-04-25 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-20 20:20:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-22 23:38:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-22 23:24:37 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 16:36:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-02-22 16:38:21
ComboFix-quarantined-files.txt 2008-02-23 00:37:28
ComboFix2.txt 2008-02-22 23:27:04
.
2008-02-22 20:49:00 --- E O F ---
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Looking good

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also post a new HijackThis log and tell me how your PC is running
  • 0

#7
blacktail4x5

blacktail4x5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
This is when I really wish I had high speed!! Dial up is so ssllooww!!!!
What we are doing has already helped in a hugh way!! Here is the logs.

Kaspersky

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, February 22, 2008 10:05:36 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/02/2008
Kaspersky Anti-Virus database records: 533123
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 93247
Number of viruses found: 6
Number of infected objects: 19
Number of suspicious objects: 2
Duration of the scan process: 01:31:36

Infected Object Name / Virus Name / Last Action
C:\278c827\1394bus.sys Object is locked skipped
C:\278c827\61883.sys Object is locked skipped
C:\278c827\6to4svc.dll Object is locked skipped
C:\278c827\ac97ali.sys Object is locked skipped
C:\278c827\ac97via.sys Object is locked skipped
C:\278c827\acgenral.dll Object is locked skipped
C:\278c827\aclayers.dll Object is locked skipped
C:\278c827\aclua.dll Object is locked skipped
C:\278c827\acpi.sys Object is locked skipped
C:\278c827\acspecfc.dll Object is locked skipped
C:\278c827\activ.htm Object is locked skipped
C:\278c827\activsvc.htm Object is locked skipped
C:\278c827\actlan.htm Object is locked skipped
C:\278c827\actshell.htm Object is locked skipped
C:\278c827\acverfyr.dll Object is locked skipped
C:\278c827\acxtrnal.dll Object is locked skipped
C:\278c827\adeskerr.htm Object is locked skipped
C:\278c827\admin.dll Object is locked skipped
C:\278c827\admin.exe Object is locked skipped
C:\278c827\admjoy.sys Object is locked skipped
C:\278c827\adsldp.dll Object is locked skipped
C:\278c827\adsldpc.dll Object is locked skipped
C:\278c827\adsmsext.dll Object is locked skipped
C:\278c827\adsnt.dll Object is locked skipped
C:\278c827\advapi32.dll Object is locked skipped
C:\278c827\advpack.dll Object is locked skipped
C:\278c827\aec.sys Object is locked skipped
C:\278c827\afd.sys Object is locked skipped
C:\278c827\ahui.exe Object is locked skipped
C:\278c827\alg.exe Object is locked skipped
C:\278c827\amdk6.sys Object is locked skipped
C:\278c827\amdk7.sys Object is locked skipped
C:\278c827\an983.sys Object is locked skipped
C:\278c827\apphelp.dll Object is locked skipped
C:\278c827\apphelp.sdb Object is locked skipped
C:\278c827\apps.chm Object is locked skipped
C:\278c827\appwiz.cpl Object is locked skipped
C:\278c827\arial.ttf Object is locked skipped
C:\278c827\arp1394.sys Object is locked skipped
C:\278c827\asctrls.ocx Object is locked skipped
C:\278c827\asferror.dll Object is locked skipped
C:\278c827\asfsipc.dll Object is locked skipped
C:\278c827\asms\10100\msft\windows\gdiplus\gdiplus.cat Object is locked skipped
C:\278c827\asms\10100\msft\windows\gdiplus\gdiplus.dll Object is locked skipped
C:\278c827\asms\10100\msft\windows\gdiplus\gdiplus.man Object is locked skipped
C:\278c827\asms\10100\policy\msft\windows\gdiplus\gdiplus.cat Object is locked skipped
C:\278c827\asms\10100\policy\msft\windows\gdiplus\gdiplus.man Object is locked skipped
C:\278c827\asms\60100\msft\windows\common\controls\comctl32.dll Object is locked skipped
C:\278c827\asms\60100\msft\windows\common\controls\controls.cat Object is locked skipped
C:\278c827\asms\60100\msft\windows\common\controls\controls.man Object is locked skipped
C:\278c827\asms\60100\policy\60100\comctl\comctl.cat Object is locked skipped
C:\278c827\asms\60100\policy\60100\comctl\comctl.man Object is locked skipped
C:\278c827\asms\70100\msft\windows\mswincrt\msvcirt.dll Object is locked skipped
C:\278c827\asms\70100\msft\windows\mswincrt\msvcrt.dll Object is locked skipped
C:\278c827\asms\70100\msft\windows\mswincrt\mswincrt.cat Object is locked skipped
C:\278c827\asms\70100\msft\windows\mswincrt\mswincrt.man Object is locked skipped
C:\278c827\asms\70100\policy\msft\mswincrt\mswincrt.cat Object is locked skipped
C:\278c827\asms\70100\policy\msft\mswincrt\mswincrt.man Object is locked skipped
C:\278c827\at.exe Object is locked skipped
C:\278c827\atapi.sys Object is locked skipped
C:\278c827\ati2dvaa.dll Object is locked skipped
C:\278c827\ati2dvag.dll Object is locked skipped
C:\278c827\ati2mtaa.sys Object is locked skipped
C:\278c827\ati2mtag.sys Object is locked skipped
C:\278c827\ati3d1ag.dll Object is locked skipped
C:\278c827\ati3d2ag.dll Object is locked skipped
C:\278c827\atinbtxx.sys Object is locked skipped
C:\278c827\atinmdxx.sys Object is locked skipped
C:\278c827\atinpdxx.sys Object is locked skipped
C:\278c827\atinraxx.sys Object is locked skipped
C:\278c827\atinrvxx.sys Object is locked skipped
C:\278c827\atinsnxx.sys Object is locked skipped
C:\278c827\atinttxx.sys Object is locked skipped
C:\278c827\atintuxx.sys Object is locked skipped
C:\278c827\atinxbxx.sys Object is locked skipped
C:\278c827\atinxsxx.sys Object is locked skipped
C:\278c827\atiradn1.inf Object is locked skipped
C:\278c827\ativdaxx.ax Object is locked skipped
C:\278c827\ativmvxx.ax Object is locked skipped
C:\278c827\atl.dll Object is locked skipped
C:\278c827\atmlane.sys Object is locked skipped
C:\278c827\audiosrv.dll Object is locked skipped
C:\278c827\author.dll Object is locked skipped
C:\278c827\author.exe Object is locked skipped
C:\278c827\autochk.exe Object is locked skipped
C:\278c827\autolfn.exe Object is locked skipped
C:\278c827\auupdate.exe Object is locked skipped
C:\278c827\avc.sys Object is locked skipped
C:\278c827\avifil32.dll Object is locked skipped
C:\278c827\basesrv.dll Object is locked skipped
C:\278c827\batt.dll Object is locked skipped
C:\278c827\bridge.sys Object is locked skipped
C:\278c827\browselc.dll Object is locked skipped
C:\278c827\browser.dll Object is locked skipped
C:\278c827\browseui.dll Object is locked skipped
C:\278c827\browsewm.dll Object is locked skipped
C:\278c827\cabinet.dll Object is locked skipped
C:\278c827\callcont.dll Object is locked skipped
C:\278c827\catsrvut.dll Object is locked skipped
C:\278c827\ccdecode.sys Object is locked skipped
C:\278c827\cdfs.sys Object is locked skipped
C:\278c827\cdm.dll Object is locked skipped
C:\278c827\cdrom.sys Object is locked skipped
C:\278c827\certcli.dll Object is locked skipped
C:\278c827\cewmdm.dll Object is locked skipped
C:\278c827\cfgbkend.dll Object is locked skipped
C:\278c827\cfgwiz.exe Object is locked skipped
C:\278c827\cimwin32.dll Object is locked skipped
C:\278c827\ciodm.dll Object is locked skipped
C:\278c827\classpnp.sys Object is locked skipped
C:\278c827\clipbrd.exe Object is locked skipped
C:\278c827\clusapi.dll Object is locked skipped
C:\278c827\cmbatt.sys Object is locked skipped
C:\278c827\cmdial32.dll Object is locked skipped
C:\278c827\cmdl32.exe Object is locked skipped
C:\278c827\comadmin.dll Object is locked skipped
C:\278c827\comctl32.dll Object is locked skipped
C:\278c827\comdlg32.dll Object is locked skipped
C:\278c827\compatui.dll Object is locked skipped
C:\278c827\comsvcs.dll Object is locked skipped
C:\278c827\conf.exe Object is locked skipped
C:\278c827\conime.exe Object is locked skipped
C:\278c827\copymar.exe Object is locked skipped
C:\278c827\courtney.acs Object is locked skipped
C:\278c827\credui.dll Object is locked skipped
C:\278c827\crusoe.sys Object is locked skipped
C:\278c827\crypt32.dll Object is locked skipped
C:\278c827\cryptdlg.dll Object is locked skipped
C:\278c827\cryptsvc.dll Object is locked skipped
C:\278c827\cryptui.dll Object is locked skipped
C:\278c827\cscui.dll Object is locked skipped
C:\278c827\csrsrv.dll Object is locked skipped
C:\278c827\ctfmon.exe Object is locked skipped
C:\278c827\custdial.dll Object is locked skipped
C:\278c827\d3d8.dll Object is locked skipped
C:\278c827\danim.dll Object is locked skipped
C:\278c827\dbghelp.dll Object is locked skipped
C:\278c827\dbmsadsn.dll Object is locked skipped
C:\278c827\dbmsrpcn.dll Object is locked skipped
C:\278c827\dbmsvinn.dll Object is locked skipped
C:\278c827\dbnetlib.dll Object is locked skipped
C:\278c827\dbnmpntw.dll Object is locked skipped
C:\278c827\dcache.bin Object is locked skipped
C:\278c827\dcap32.dll Object is locked skipped
C:\278c827\ddraw.dll Object is locked skipped
C:\278c827\defrag.exe Object is locked skipped
C:\278c827\desk.cpl Object is locked skipped
C:\278c827\devmgr.dll Object is locked skipped
C:\278c827\dfrgfat.exe Object is locked skipped
C:\278c827\dfrgntfs.exe Object is locked skipped
C:\278c827\dfrgsnap.dll Object is locked skipped
C:\278c827\dfrgui.dll Object is locked skipped
C:\278c827\dfsshlex.dll Object is locked skipped
C:\278c827\dgnet.dll Object is locked skipped
C:\278c827\dhcpcsvc.dll Object is locked skipped
C:\278c827\dhtmled.ocx Object is locked skipped
C:\278c827\digest.dll Object is locked skipped
C:\278c827\dinput.dll Object is locked skipped
C:\278c827\dinput8.dll Object is locked skipped
C:\278c827\disk.sys Object is locked skipped
C:\278c827\diskdump.sys Object is locked skipped
C:\278c827\dlimport.exe Object is locked skipped
C:\278c827\dmband.dll Object is locked skipped
C:\278c827\dmcompos.dll Object is locked skipped
C:\278c827\dmime.dll Object is locked skipped
C:\278c827\dmloader.dll Object is locked skipped
C:\278c827\dmscript.dll Object is locked skipped
C:\278c827\dmstyle.dll Object is locked skipped
C:\278c827\dmusic.dll Object is locked skipped
C:\278c827\dnsapi.dll Object is locked skipped
C:\278c827\docprop2.dll Object is locked skipped
C:\278c827\download\explorer.exe._p Object is locked skipped
C:\278c827\dpnet.dll Object is locked skipped
C:\278c827\dpnhpast.dll Object is locked skipped
C:\278c827\dpnhupnp.dll Object is locked skipped
C:\278c827\dpvoice.dll Object is locked skipped
C:\278c827\dpvsetup.exe Object is locked skipped
C:\278c827\dpwsockx.dll Object is locked skipped
C:\278c827\drmclien.dll Object is locked skipped
C:\278c827\drmk.sys Object is locked skipped
C:\278c827\drmkaud.sys Object is locked skipped
C:\278c827\drmstor.dll Object is locked skipped
C:\278c827\drmv2clt.dll Object is locked skipped
C:\278c827\drvmain.sdb Object is locked skipped
C:\278c827\ds32gt.dll Object is locked skipped
C:\278c827\dshowext.ax Object is locked skipped
C:\278c827\dsprop.dll Object is locked skipped
C:\278c827\dsquery.dll Object is locked skipped
C:\278c827\dssenh.dll Object is locked skipped
C:\278c827\dumprep.exe Object is locked skipped
C:\278c827\duser.dll Object is locked skipped
C:\278c827\dw.exe Object is locked skipped
C:\278c827\dwwin.exe Object is locked skipped
C:\278c827\dxdiag.exe Object is locked skipped
C:\278c827\dxg.sys Object is locked skipped
C:\278c827\dxmasf.dll Object is locked skipped
C:\278c827\dxmrtp.dll Object is locked skipped
C:\278c827\dxtmsft.dll Object is locked skipped
C:\278c827\dxtrans.dll Object is locked skipped
C:\278c827\earl.acs Object is locked skipped
C:\278c827\els.dll Object is locked skipped
C:\278c827\ersvc.dll Object is locked skipped
C:\278c827\es.dll Object is locked skipped
C:\278c827\esscli.dll Object is locked skipped
C:\278c827\essm2e.sys Object is locked skipped
C:\278c827\eudcedit.exe Object is locked skipped
C:\278c827\eventlog.dll Object is locked skipped
C:\278c827\evntrprv.dll Object is locked skipped
C:\278c827\ic\battery.inf Object is locked skipped
C:\278c827\ic\iis.inf Object is locked skipped
C:\278c827\ic\miscp.chm Object is locked skipped
C:\278c827\ic\whatnewp.chm Object is locked skipped
C:\278c827\licdll.dll Object is locked skipped
C:\278c827\licwmi.mfl Object is locked skipped
C:\278c827\lvback.gif Object is locked skipped
C:\278c827\msdtctr.mof Object is locked skipped
C:\278c827\mstsc.chm Object is locked skipped
C:\278c827\new\hscxpsp1.cab Object is locked skipped
C:\278c827\new\logo.gif Object is locked skipped
C:\278c827\new\logowin.gif Object is locked skipped
C:\278c827\new\rtcimsp.dll Object is locked skipped
C:\278c827\new\secupd.dat Object is locked skipped
C:\278c827\new\secupd.sig Object is locked skipped
C:\278c827\new\wuauhelp.chm Object is locked skipped
C:\278c827\newalert.wav Object is locked skipped
C:\278c827\newemail.wav Object is locked skipped
C:\278c827\online.wav Object is locked skipped
C:\278c827\readmesp.htm Object is locked skipped
C:\278c827\secdrv.sys Object is locked skipped
C:\278c827\spmsg.dll Object is locked skipped
C:\278c827\spuninst.exe Object is locked skipped
C:\278c827\tagfile.1 Object is locked skipped
C:\278c827\type.wav Object is locked skipped
C:\278c827\update\eula.txt Object is locked skipped
C:\278c827\update\sp1.cat Object is locked skipped
C:\278c827\update\spcustom.dll Object is locked skipped
C:\278c827\update\update.exe Object is locked skipped
C:\278c827\update\update.inf Object is locked skipped
C:\278c827\update\update.url Object is locked skipped
C:\278c827\update\update.ver Object is locked skipped
C:\278c827\winxp_logo_horiz_sm.gif Object is locked skipped
C:\278c827\xenroll.dll Object is locked skipped
C:\369591634dcabff4489d225cee717540\sp1\spmsg.dll Object is locked skipped
C:\369591634dcabff4489d225cee717540\sp1\spuninst.exe Object is locked skipped
C:\369591634dcabff4489d225cee717540\sp1\update\eula.txt Object is locked skipped
C:\369591634dcabff4489d225cee717540\sp1\update\spcustom.dll Object is locked skipped
C:\369591634dcabff4489d225cee717540\sp1\update\update.exe Object is locked skipped
C:\369591634dcabff4489d225cee717540\sp2\spmsg.dll Object is locked skipped
C:\369591634dcabff4489d225cee717540\sp2\spuninst.exe Object is locked skipped
C:\369591634dcabff4489d225cee717540\sp2\update\eula.txt Object is locked skipped
C:\369591634dcabff4489d225cee717540\sp2\update\spcustom.dll Object is locked skipped
C:\369591634dcabff4489d225cee717540\sp2\update\update.exe Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Windows Defender\Support\MPLog-02022008-204201.log Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike.4X5BLACKTAIL.000\ntuser.dat Object is locked skipped
C:\Documents and Settings\Mike.4X5BLACKTAIL.000\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.001\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.001\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.001\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.001\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\137F414D.tmp/[From Mail Delivery System<[email protected]>][Date Sun,17 Aug 2003 11:36:32 PM]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Program Files\Norton AntiVirus\Quarantine\137F414D.tmp/[From Mail Delivery System<[email protected]>][Date Sun,17 Aug 2003 11:36:32 PM]/true Infected: Email-Worm.Win32.Lentin.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\137F414D.tmp Mail: infected - 1, suspicious - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\137F414D.tmp Crypt.Quarantine: infected - 1, suspicious - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\13E556DD.tmp/[From screensaverforu<[email protected]>][Date Sun,17 Aug 2003 15:06:42 PM]/bullshitscr.scr Infected: Email-Worm.Win32.Lentin.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\13E556DD.tmp Mail: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\13E556DD.tmp Crypt.Quarantine: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\143A1A80.tmp/[From blueyesburk<[email protected]>][Date Sun,17 Aug 2003 18:18:21 PM]/truelovers.scr Infected: Email-Worm.Win32.Lentin.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\143A1A80.tmp Mail: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\143A1A80.tmp Crypt.Quarantine: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\5AA52670.tmp/[From Mail Delivery System<[email protected]>][Date Sun,17 Aug 2003 11:36:32 PM]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Program Files\Norton AntiVirus\Quarantine\5AA52670.tmp/[From Mail Delivery System<[email protected]>][Date Sun,17 Aug 2003 11:36:32 PM]/true Infected: Email-Worm.Win32.Lentin.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\5AA52670.tmp Mail: infected - 1, suspicious - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\5AA52670.tmp Crypt.Quarantine: infected - 1, suspicious - 1 skipped
C:\sti.log Object is locked skipped
C:\System Volume Information\_restore{2B57DBAB-B9C3-4AC1-9A0C-7AC73E323C7A}\RP792\A0082392.exe Object is locked skipped
C:\System Volume Information\_restore{2B57DBAB-B9C3-4AC1-9A0C-7AC73E323C7A}\RP820\A0083038.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{2B57DBAB-B9C3-4AC1-9A0C-7AC73E323C7A}\RP820\A0083038.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{2B57DBAB-B9C3-4AC1-9A0C-7AC73E323C7A}\RP823\A0083285.dll Object is locked skipped
C:\System Volume Information\_restore{2B57DBAB-B9C3-4AC1-9A0C-7AC73E323C7A}\RP823\A0083286.exe/WISE0008.BIN/WISE0001.BIN Infected: Trojan-Downloader.Win32.TSUpdate.a skipped
C:\System Volume Information\_restore{2B57DBAB-B9C3-4AC1-9A0C-7AC73E323C7A}\RP823\A0083286.exe/WISE0008.BIN Infected: Trojan-Downloader.Win32.TSUpdate.a skipped
C:\System Volume Information\_restore{2B57DBAB-B9C3-4AC1-9A0C-7AC73E323C7A}\RP823\A0083286.exe/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.b skipped
C:\System Volume Information\_restore{2B57DBAB-B9C3-4AC1-9A0C-7AC73E323C7A}\RP823\A0083286.exe WiseSFX: infected - 3 skipped
C:\System Volume Information\_restore{2B57DBAB-B9C3-4AC1-9A0C-7AC73E323C7A}\RP828\A0083587.dll Object is locked skipped
C:\System Volume Information\_restore{2B57DBAB-B9C3-4AC1-9A0C-7AC73E323C7A}\RP828\A0083590.dll Object is locked skipped
C:\System Volume Information\_restore{2B57DBAB-B9C3-4AC1-9A0C-7AC73E323C7A}\RP828\A0083591.dll Object is locked skipped
C:\System Volume Information\_restore{2B57DBAB-B9C3-4AC1-9A0C-7AC73E323C7A}\RP828\A0083594.dll Object is locked skipped
C:\System Volume Information\_restore{2B57DBAB-B9C3-4AC1-9A0C-7AC73E323C7A}\RP828\A0083595.dll Object is locked skipped
C:\System Volume Information\_restore{2B57DBAB-B9C3-4AC1-9A0C-7AC73E323C7A}\RP828\A0083597.dll Object is locked skipped
C:\System Volume Information\_restore{2B57DBAB-B9C3-4AC1-9A0C-7AC73E323C7A}\RP829\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Lucent Win Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.






and the new Hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:22 PM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Vegas Poker 247 NET - {16D8DF77-C364-44e2-B908-11F75427A20A} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Vegas Poker 247 NET\Vegas Poker 247 NET.lnk
O9 - Extra 'Tools' menuitem: Vegas Poker 247 NET - {16D8DF77-C364-44e2-B908-11F75427A20A} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Vegas Poker 247 NET\Vegas Poker 247 NET.lnk
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoft....com/activescan (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Vegas Poker 247 - {E913D28B-4327-4f36-B303-D08ADF847142} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Vegas Poker 247\Vegas Poker 247.lnk
O9 - Extra 'Tools' menuitem: Vegas Poker 247 - {E913D28B-4327-4f36-B303-D08ADF847142} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Vegas Poker 247\Vegas Poker 247.lnk
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1917D5C6-356D-467D-88FA-14E56FF81601} (FileMgt.FileMgtCtrl) - http://www.absherpro.../pw/FileMgt.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {2FE68711-8830-417D-95E0-EAB307DB0447} - http://www.absherpro...pw/mpsPwLc7.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1134630633684
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD725899-1FF9-4618-A575-ED0D0D97533B}: NameServer = 207.69.188.187 207.69.188.186
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://www.camis.com.../gui/wa/bgd.gif

--
End of file - 8531 bytes
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\i

Folder::
C:\WINDOWS\system32\i


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Nearly done now
  • 0

#9
blacktail4x5

blacktail4x5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
You are the Man\Woman d;/)

Here is a hijack log. Didnt know if you wanted another or not.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:06 AM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Vegas Poker 247 NET - {16D8DF77-C364-44e2-B908-11F75427A20A} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Vegas Poker 247 NET\Vegas Poker 247 NET.lnk
O9 - Extra 'Tools' menuitem: Vegas Poker 247 NET - {16D8DF77-C364-44e2-B908-11F75427A20A} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Vegas Poker 247 NET\Vegas Poker 247 NET.lnk
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoft....com/activescan (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Vegas Poker 247 - {E913D28B-4327-4f36-B303-D08ADF847142} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Vegas Poker 247\Vegas Poker 247.lnk
O9 - Extra 'Tools' menuitem: Vegas Poker 247 - {E913D28B-4327-4f36-B303-D08ADF847142} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Vegas Poker 247\Vegas Poker 247.lnk
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1917D5C6-356D-467D-88FA-14E56FF81601} (FileMgt.FileMgtCtrl) - http://www.absherpro.../pw/FileMgt.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {2FE68711-8830-417D-95E0-EAB307DB0447} - http://www.absherpro...pw/mpsPwLc7.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1134630633684
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD725899-1FF9-4618-A575-ED0D0D97533B}: NameServer = 207.69.188.187 207.69.188.186
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://www.camis.com.../gui/wa/bgd.gif

--
End of file - 8474 bytes



And the combofix log

ComboFix 08-02-22.3 - Mike 2008-02-23 8:42:29.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.434 [GMT -8:00]
Running from: C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\i
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\i
C:\WINDOWS\system32\i\

.
((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-22 16:55 . 2008-02-22 16:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-22 16:55 . 2008-02-22 16:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-02-22 15:48 . 2008-02-22 15:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-22 10:50 . 2008-02-22 14:10 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-22 10:50 . 2008-02-22 14:10 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-22 10:49 . 2008-02-22 13:31 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-22 10:49 . 2008-02-22 14:10 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-22 08:51 . 2008-02-23 08:38 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-22 08:51 . 2008-02-22 08:51 <DIR> d-------- C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\SUPERAntiSpyware.com
2008-02-22 08:51 . 2008-02-22 08:51 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-02-22 08:50 . 2008-02-22 08:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-21 21:13 . 2008-02-21 21:13 <DIR> d-------- C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\Grisoft
2008-02-21 21:12 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-21 11:06 . 2008-02-21 12:39 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-02-20 11:46 . 2008-02-20 11:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-20 11:46 . 2008-02-20 11:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-15 22:28 . 2008-02-15 22:28 <DIR> d-------- C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\DivX
2008-02-15 22:26 . 2008-02-15 22:26 <DIR> d-------- C:\Program Files\DivX
2008-02-15 07:35 . 2008-02-22 14:57 157,424 --a------ C:\WINDOWS\BM37ccdbad.xml
2008-02-14 07:34 . 2008-02-22 15:13 21 --a------ C:\WINDOWS\pskt.ini
2008-02-05 15:33 . 2008-02-05 15:33 <DIR> d-------- C:\Program Files\Uniblue
2008-02-05 15:33 . 2008-02-05 15:33 <DIR> d-------- C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\Uniblue
2008-02-02 20:41 . 2008-02-21 17:07 <DIR> d-------- C:\Program Files\Windows Defender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 16:00 --------- d-----w C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\AVG7
2008-02-23 00:34 --------- d-----w C:\Program Files\MSN Messenger
2008-02-23 00:34 --------- d-----w C:\Program Files\Microsoft Works
2008-02-23 00:34 --------- d-----w C:\Program Files\Lexmark 4200 Series
2008-02-23 00:34 --------- d-----w C:\Program Files\iTunes
2008-02-22 21:58 --------- d-----w C:\Program Files\McAfee
2008-02-22 21:52 --------- d-----w C:\Program Files\Absolute Poker
2008-02-22 21:51 --------- d-----w C:\Program Files\PokerFatCat
2008-02-22 00:59 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-02-18 20:27 --------- d-----w C:\Program Files\Vegas Poker 247
2008-02-17 08:29 --------- d-----w C:\Program Files\PokerStars
2008-02-16 06:07 --------- d-----w C:\Program Files\Full Tilt Poker
2008-01-25 02:17 --------- d-----w C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\Wal-Mart Digital Photo Manager
2008-01-22 03:45 --------- d-----w C:\Program Files\QuickTime
2008-01-22 03:34 --------- d-----w C:\Program Files\Common Files\xing shared
2008-01-22 03:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-22 00:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 00:05 --------- d-----w C:\Program Files\ABBYY FineReader 5.0 Sprint
2008-01-21 21:01 --------- d-----w C:\Program Files\Common Files\aolshare
2008-01-21 20:58 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2008-01-21 18:46 --------- d-----w C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\AVG7
2008-01-21 18:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-01-18 18:17 --------- d-----w C:\Program Files\UltimateBet
2008-01-17 22:50 --------- d-----w C:\Program Files\Google
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-08-16 02:27 20 ---h--w C:\Documents and Settings\All Users.WINDOWS\Application Data\PKP_DLec.DAT
2004-09-29 01:33 41 ----a-w C:\Documents and Settings\Mike.4X5BLACKTAIL\Application Data\tvmcwrd.dll
2004-09-27 18:44 218,486 ----a-w C:\Documents and Settings\Mike.4X5BLACKTAIL\Application Data\tvmknwrd.dll
2004-03-30 01:14 56,872 ----a-w C:\Documents and Settings\Mike.4X5BLACKTAIL\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-10-06 14:16 49152]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-21 10:45 219136]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\Mike.4X5BLACKTAIL\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE [1998-06-06 07:33:30 325632]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 14:06:54 24633]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-08-06 12:08:26 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Documents and Settings\\Mike.4X5BLACKTAIL.000\\calc.exe"=
"C:\\WINDOWS\\Explorer.exe"=
"C:\\Program Files\\MSN Messenger\\MsnMsgr .Exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\\Network Diagnostic\\xpnetdiag.exe:@xpsp3res.dll,-20000
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-07-29 17:55]
R3 whfltr2k;WheelMouse USB Lower Filter Driver;C:\WINDOWS\system32\DRIVERS\whfltr2k.sys [2007-01-25 07:45]
R3 whmice2k;Advanced Wheel Mouse Upper Filter Driver;C:\WINDOWS\system32\DRIVERS\whmice2k.sys [2004-04-25 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-20 20:20:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-23 16:38:06 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-23 09:53:34 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 08:47:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-02-23 8:49:23
ComboFix-quarantined-files.txt 2008-02-23 16:48:32
ComboFix2.txt 2008-02-23 00:38:22
ComboFix3.txt 2008-02-22 23:27:04
.
2008-02-22 20:49:00 --- E O F ---




The PC still seems a little slow however it is much much faster then it was and those doggone pop ups are gone! You are a lifesaver! And on the weekends too!!!! Now I know I have to get a paypal account. I owe you d;/)
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean ! We need to do a few things

Now lets uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present
  • Delete the C:\Deckard folder, if present
  • Delete the C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com.../readstep2.html



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

Advertisements


#11
blacktail4x5

blacktail4x5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
In the add and remove for jave (JRE) there is nothing for java. I know there is so I did a search of files and folders and there are 91 of them. They just dont show up in the add and remove section. Shall I start deleting??

I still have alot of tasks to do from your list but didnt know if that needed to be done first.
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
No don't go deleting anything

If there are no old java versions in Add or Remove Programs then just continue on with the rest of the steps

Let me know how it goes
  • 0

#13
blacktail4x5

blacktail4x5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hey rorschach112

I didnt delete any of them and I had a hard time finding a java download from that page but I did find one although I dont think it is the latest. I was able to run most everything . I think I am still missing one of the spyware downloads. I have so many of them now that I am thinking of deleting a couple. Is it possible to have to many? I removed ALOT of stuff from my PC last night to free up a little space. You have solved my problems with the boot up error and the pop ups and I feel like I have my pc back. Thanks again! Cant say that enough d;/)

I ran the spyblaster (I think it was). It still had like 16 viruses or something. I couldnt get a report to post so I just hit the fix button.

Here is a hijack I just ran as well as another combo fix log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:07 AM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoft....com/activescan (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Vegas Poker 247 - {E913D28B-4327-4f36-B303-D08ADF847142} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Vegas Poker 247\Vegas Poker 247.lnk
O9 - Extra 'Tools' menuitem: Vegas Poker 247 - {E913D28B-4327-4f36-B303-D08ADF847142} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Vegas Poker 247\Vegas Poker 247.lnk
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1917D5C6-356D-467D-88FA-14E56FF81601} (FileMgt.FileMgtCtrl) - http://www.absherpro.../pw/FileMgt.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {2FE68711-8830-417D-95E0-EAB307DB0447} - http://www.absherpro...pw/mpsPwLc7.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1134630633684
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD725899-1FF9-4618-A575-ED0D0D97533B}: NameServer = 207.69.188.187 207.69.188.186
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O24 - Desktop Component 0: (no name) - http://www.camis.com.../gui/wa/bgd.gif

--
End of file - 9265 bytes









ComboFix 08-02-22.3 - Mike 2008-02-24 11:28:19.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.412 [GMT -8:00]
Running from: C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Desktop\Virus&spyware Scans\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.

2008-02-24 00:44 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-23 12:52 . 2008-02-24 11:21 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-02-23 12:51 . 2008-02-23 13:06 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-23 12:51 . 2008-02-23 12:51 <DIR> d-------- C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\PC Tools
2008-02-23 12:51 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-23 12:51 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-23 12:51 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-23 12:51 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-22 16:55 . 2008-02-22 16:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-22 16:55 . 2008-02-22 16:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-02-22 15:48 . 2008-02-22 15:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-22 10:50 . 2008-02-22 14:10 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-22 10:50 . 2008-02-22 14:10 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-22 10:49 . 2008-02-22 13:31 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-22 10:49 . 2008-02-22 14:10 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-22 08:51 . 2008-02-23 08:38 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-22 08:51 . 2008-02-22 08:51 <DIR> d-------- C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\SUPERAntiSpyware.com
2008-02-22 08:51 . 2008-02-22 08:51 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-02-22 08:50 . 2008-02-22 08:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-21 21:13 . 2008-02-21 21:13 <DIR> d-------- C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\Grisoft
2008-02-21 21:12 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-21 11:06 . 2008-02-21 12:39 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-02-15 22:28 . 2008-02-15 22:28 <DIR> d-------- C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\DivX
2008-02-15 22:26 . 2008-02-15 22:26 <DIR> d-------- C:\Program Files\DivX
2008-02-15 07:35 . 2008-02-22 14:57 157,424 --a------ C:\WINDOWS\BM37ccdbad.xml
2008-02-14 07:34 . 2008-02-22 15:13 21 --a------ C:\WINDOWS\pskt.ini
2008-02-05 15:33 . 2008-02-05 15:33 <DIR> d-------- C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 09:56 --------- d-----w C:\Program Files\Vegas Poker 247
2008-02-24 08:43 --------- d-----w C:\Program Files\Java
2008-02-24 07:34 --------- d-----w C:\Program Files\QuickTime
2008-02-24 07:30 --------- d-----w C:\Program Files\EarthLink
2008-02-24 01:23 --------- d-----w C:\Program Files\PokerStars
2008-02-24 01:02 --------- d-----w C:\Program Files\PokerStars.NET
2008-02-24 01:01 --------- d-----w C:\Program Files\Vegas Poker 247 NET
2008-02-24 00:55 --------- d-----w C:\Program Files\Real
2008-02-24 00:54 --------- d-----w C:\Program Files\PacificPoker
2008-02-24 00:51 --------- d-----w C:\Program Files\Bodog Poker
2008-02-23 19:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-23 16:00 --------- d-----w C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\AVG7
2008-02-23 00:34 --------- d-----w C:\Program Files\MSN Messenger
2008-02-23 00:34 --------- d-----w C:\Program Files\Microsoft Works
2008-02-23 00:34 --------- d-----w C:\Program Files\Lexmark 4200 Series
2008-02-23 00:34 --------- d-----w C:\Program Files\iTunes
2008-02-22 21:58 --------- d-----w C:\Program Files\McAfee
2008-02-22 21:52 --------- d-----w C:\Program Files\Absolute Poker
2008-02-22 21:51 --------- d-----w C:\Program Files\PokerFatCat
2008-02-22 00:59 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-02-16 06:07 --------- d-----w C:\Program Files\Full Tilt Poker
2008-01-25 02:17 --------- d-----w C:\Documents and Settings\Mike.4X5BLACKTAIL.000\Application Data\Wal-Mart Digital Photo Manager
2008-01-22 03:34 --------- d-----w C:\Program Files\Common Files\xing shared
2008-01-22 03:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-22 00:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 00:05 --------- d-----w C:\Program Files\ABBYY FineReader 5.0 Sprint
2008-01-21 21:01 --------- d-----w C:\Program Files\Common Files\aolshare
2008-01-21 20:58 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2008-01-21 18:46 --------- d-----w C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\AVG7
2008-01-21 18:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-01-18 18:17 --------- d-----w C:\Program Files\UltimateBet
2008-01-17 22:50 --------- d-----w C:\Program Files\Google
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-08-16 02:27 20 ---h--w C:\Documents and Settings\All Users.WINDOWS\Application Data\PKP_DLec.DAT
2004-09-29 01:33 41 ----a-w C:\Documents and Settings\Mike.4X5BLACKTAIL\Application Data\tvmcwrd.dll
2004-09-27 18:44 218,486 ----a-w C:\Documents and Settings\Mike.4X5BLACKTAIL\Application Data\tvmknwrd.dll
2004-03-30 01:14 56,872 ----a-w C:\Documents and Settings\Mike.4X5BLACKTAIL\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-10-06 14:16 49152]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\system32\nwiz.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-21 10:45 219136]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\Mike.4X5BLACKTAIL\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE [1998-06-06 07:33:30 325632]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 14:06:54 24633]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-08-06 12:08:26 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Documents and Settings\\Mike.4X5BLACKTAIL.000\\calc.exe"=
"C:\\WINDOWS\\Explorer.exe"=
"C:\\Program Files\\MSN Messenger\\MsnMsgr .Exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\\Network Diagnostic\\xpnetdiag.exe:@xpsp3res.dll,-20000
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=

R3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-07-29 17:55]
R3 whfltr2k;WheelMouse USB Lower Filter Driver;C:\WINDOWS\system32\DRIVERS\whfltr2k.sys [2007-01-25 07:45]
R3 whmice2k;Advanced Wheel Mouse Upper Filter Driver;C:\WINDOWS\system32\DRIVERS\whmice2k.sys [2004-04-25 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-20 20:20:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-24 18:38:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 11:32:55
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-24 11:34:56
ComboFix-quarantined-files.txt 2008-02-24 19:34:50
ComboFix2.txt 2008-02-23 17:27:10
ComboFix3.txt 2008-02-23 16:49:24
ComboFix4.txt 2008-02-23 00:38:22
ComboFix5.txt 2008-02-22 23:27:04
.
2008-02-22 20:49:00 --- E O F ---






I know that something is taken up a bunch of my memory since I have put all my pics and saved downloads and music on an external drive. When I did that a few months ago I freed up like 5 or 6 gigs. I now have about a half a gig left. Any suggestions on that?

That brings me to one more question. My external drive I unplugged as I did all the scans. I unplugged it when we really started having problems and only plugged it in when we needed it. I thoought last night that I should have had it plugged in so it could be scanned or is it only the C drive I should be concerned with?
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean

Do this to free up some space

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


My external drive I unplugged as I did all the scans.

Nothing to worry about there, the infections would be on your C drive

Any more questions ?
  • 0

#15
blacktail4x5

blacktail4x5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Nope d;/) IOnce again I cant say enough how much I appreciate what you have done! I do plan on getting me a Pay Pal account in a few eeks and when I do I plan on making a donation. I cant say it will be a big one at this time but what you have done for me ( and my kids !) is definitly worth something.
Thank You!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP