Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Infected with Virtumonde (or worse) [RESOLVED]


  • This topic is locked This topic is locked

#1
RMohr

RMohr

    Member

  • Member
  • PipPip
  • 14 posts
I seem to have picked up some malware. This happened once before last october, but Geeks helped me get rid of it all. I need help again. I've followed the list of "to do's" from the You Must Read This page. I've used Malwarebyte's Anti-Malware and SuperAntiSpyware and when I thought that between the two I flushed it all out my AVG was still flagging a dll which I would move to the Virus vault. But, it seems this is one that changes it's file name.

I've run both Panda ActiveScan and Hijack this, the logs are pasted below:

ActiveScan:


;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-05-02 15:56:38
PROTECTIONS: 2
MALWARE: 7
SUSPECTS: 1
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
AVG 7.5.516 7.5.516 Yes Yes
ViRobot Expert Ver 4.0 VERSION Yes No
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00055522 Eicar.Mod Virus No 0 No No C:\Program Files\PestPatrol\Help.chm[/HowCanITestDetection.html]
00159860 Application/Psshutdown.A HackTools No 0 Yes No C:\Documents and Settings\Randy\Local Settings\Temp\shutdown1208294107.exe
00159881 Application/Pskill.A HackTools No 0 Yes No D:\PGCedit\PgcEdit.exe[Tcl/work/PGCEDIT/bin/pskill.exe]
00159881 Application/Pskill.A HackTools No 0 Yes No D:\PGCedit\bin\pskill.exe
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Randy\Cookies\[email protected]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Randy\Cookies\[email protected][1].txt
02572886 Generic Trojan Virus/Trojan No 0 Yes No D:\CloneDVD Mobile\CloneDVDmobile\CloneDVDmobile1.1.x.xPatch.exe
02936969 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{2CC731C8-64B2-46B3-9A25-D124D43F2798}\RP225\A0043025.dll
;===============================================================================
=================================================================================
===================
SUSPECTS
Sent Location \
;===============================================================================
=================================================================================
===================
No C:\Documents and Settings\Randy\Local Settings\Temporary Internet Files\Content.IE5\ALX7MH76\tocs[1].js
;===============================================================================
=================================================================================
===================
VULNERABILITIES
Id Severity Description \
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:58 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ViRobotXP\vrmonnt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\Program Files\Napster\napster.exe
C:\Program Files\Support.com\bin\tgcmd.exe
D:\JawsPDF Create\PDFClient.exe
C:\PROGRA~1\Grisoft\avgcc.exe
D:\Adobe\Lightroom\Lightroom 1.0\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\avgamsvr.exe
C:\PROGRA~1\Grisoft\avgupsvc.exe
C:\PROGRA~1\Grisoft\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\PDFCreatorMessages.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....ink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {0BB6EF78-FFC8-4F7A-BD2C-09DA1169A4B5} - C:\WINDOWS\system32\byXNeEVO.dll (file missing)
O2 - BHO: {83dfd23a-f19a-1edb-5f74-871e7d4a7844} - {4487a4d7-e178-47f5-bde1-a91fa32dfd38} - C:\WINDOWS\system32\vxcsgumu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P24 "EPSON Stylus Photo R1800" /O6 "USB001" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [PDFCreatorClient] D:\JawsPDF Create\PDFClient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Adobe\Lightroom\Lightroom 1.0\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] D:\Olympus\Monitor.exe -NoStart
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /FU "C:\WINDOWS\TEMP\E_S1C1.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: ColorVisionStartup.lnk = D:\Pantone\Utility\ColorVisionStartup.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O15 - Trusted Zone: www.ebay.com
O15 - Trusted Zone: http://cc.liquidviewer.com
O15 - Trusted Zone: http://my.msn.com
O15 - Trusted Zone: www.wolfgangsvault.com
O15 - Trusted Zone: http://www.wolfgangsvault.com
O15 - Trusted IP range: http://66.28.204.187
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103834206219
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byXNeEVO - byXNeEVO.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DirectX Service (DirectCihk) - Unknown owner - C:\WINDOWS\system32\directx.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINDOWS\system32\PDFCreatorMessages.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\ViRobotXP\vrmonsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10675 bytes




Waiting for instructions! Thanks!

RMohr
  • 0

Advertisements


#2
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi RMohr

welcome back to geekstogo :)

some questions first:

1. how many antivirus programs do your think you are running? i can see evidence of AVG, Norton and hauri?

2. you have these trusted zones (ie internet sites that you are willing to operate on with the minimal security available), should they all be trustes zones?
www.ebay.com
http://cc.liquidviewer.com
http://my.msn.com
www.wolfgangsvault.com
http://www.wolfgangsvault.com
IP range: http://66.28.204.187




====STEP 1====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 2====
Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.



In your next reply could i see:
1. the answers to the above questions
2. the combofix log
3. a new hijackthis log

andrewuk
  • 0

#3
RMohr

RMohr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi andrewuk,

In answer to the questions:
Actively running anti-virus: 1) AVG; 2)I'm not sure about the Norton, I installed Norton Ghost earlier this year to copy my master harddrive to a larger one (making that one the master). I've kept Ghost installed but am unaware of it's antivirus capabilities. I used to use a Norton and a McAfee antivirus app years ago but dumped both as garbage; 3) ViRobot (hauri)

I also use PestPatrol, AdAware, and SpyBot SearchandDestroy when needed. And like I noted in my original post I used Malwarebytes' AntiMalware and SuperAntiSpyware.

As for the Trusted Zones addies: The eBay and MyMsn sites are okay; the Liquidviewer,the two Wolfgang's Vault sites and the 66.28.204.187 site I should get rid of, especially the latter site as I have no idea what it is anymore

Hope that answers.

Here are the logs from ComboFix and HijackThis:


ComboFix 08-05-01.3 - Randy 2008-05-02 18:21:40.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.455 [GMT -7:00]
Running from: C:\Documents and Settings\Randy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\avcfuloy.ini
C:\WINDOWS\system32\avqbprmd.ini
C:\WINDOWS\system32\baegtvyp.ini
C:\WINDOWS\system32\bnuvybtu.ini
C:\WINDOWS\system32\cvxpffgx.ini
C:\WINDOWS\system32\eonmnswy.ini
C:\WINDOWS\system32\fgpsaywg.ini
C:\WINDOWS\system32\fgujibay.ini
C:\WINDOWS\system32\fyxatdsg.ini
C:\WINDOWS\system32\gannpskt.ini
C:\WINDOWS\system32\grvtylpu.ini
C:\WINDOWS\system32\gtysquaj.ini
C:\WINDOWS\system32\hixaagho.ini
C:\WINDOWS\system32\HjPWyyay.ini
C:\WINDOWS\system32\HjPWyyay.ini2
C:\WINDOWS\system32\jvchcatj.ini
C:\WINDOWS\system32\krbkydro.ini
C:\WINDOWS\system32\ktuwidhv.ini
C:\WINDOWS\system32\lgeebjls.ini
C:\WINDOWS\system32\lsfuhjuo.ini
C:\WINDOWS\system32\mljgevrc.ini
C:\WINDOWS\system32\muofxdbx.ini
C:\WINDOWS\system32\peuxfjac.ini
C:\WINDOWS\system32\pfkxehgm.ini
C:\WINDOWS\system32\qchgihfw.ini
C:\WINDOWS\system32\qffoqivj.ini
C:\WINDOWS\system32\qviibqyt.ini
C:\WINDOWS\system32\qvlllros.ini
C:\WINDOWS\system32\rerlmsky.ini
C:\WINDOWS\system32\selhavur.ini
C:\WINDOWS\system32\tecrxhws.ini
C:\WINDOWS\system32\tgbqbivx.ini
C:\WINDOWS\system32\tojbeaot.ini
C:\WINDOWS\system32\uyaqqjem.ini
C:\WINDOWS\system32\vokkkuaf.dll
C:\WINDOWS\system32\vyhtoyob.ini
C:\WINDOWS\system32\xbpjabeq.ini
C:\WINDOWS\system32\xdbdinkb.ini
C:\WINDOWS\system32\xdlvgcxq.ini
C:\WINDOWS\system32\xjbdmldg.ini
C:\WINDOWS\system32\yayyWPjH.dll
C:\WINDOWS\system32\ywkkruii.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-03 to 2008-05-03 )))))))))))))))))))))))))))))))
.

2008-05-02 16:00 . 2008-05-02 16:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-01 09:37 . 2008-05-01 09:38 <DIR> d-------- C:\Program Files\Panda Security
2008-05-01 04:19 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-01 04:19 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-01 04:19 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-30 21:31 . 2008-04-30 22:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-30 21:31 . 2008-04-30 21:31 <DIR> d-------- C:\Documents and Settings\Randy\Application Data\Malwarebytes
2008-04-30 21:31 . 2008-04-30 21:31 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-04-30 21:30 . 2008-04-30 21:30 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-30 11:15 . 2008-04-30 11:16 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-04-30 11:14 . 2008-04-30 11:14 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-04-30 11:09 . 2008-04-30 11:09 <DIR> d-------- C:\Program Files\Windows Live
2008-04-30 11:09 . 2008-04-30 11:15 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-30 11:08 . 2008-04-30 11:08 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2008-04-29 19:50 . 2008-04-30 10:58 109,766 --a------ C:\WINDOWS\BM91e5de62.xml
2008-04-28 09:25 . 2008-04-28 09:25 8,424 --a------ C:\RATATOUILLE.MDS
2008-04-28 08:13 . 2008-04-28 09:25 8,337,195,008 --a------ C:\RATATOUILLE.ISO
2008-04-28 08:03 . 2008-04-28 08:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SlySoft
2008-04-28 08:02 . 2008-04-28 08:02 0 ---hs---- C:\WINDOWS\S1827B697.tmp
2008-04-23 15:53 . 2008-04-30 12:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-23 15:53 . 2008-04-23 15:53 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-10 06:19 . 2008-04-10 06:19 97,728 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-03 01:33 32,288,800 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-03 01:32 --------- d-----w C:\Program Files\PestPatrol
2008-05-03 01:29 381,500 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-03 01:28 --------- d-----w C:\Documents and Settings\Randy\Application Data\MSN6
2008-05-03 00:45 --------- d-----w C:\Documents and Settings\Randy\Application Data\AVG7
2008-05-01 14:50 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-01 05:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-01 05:40 --------- d-----w C:\Documents and Settings\Randy\Application Data\SUPERAntiSpyware.com
2008-04-29 18:03 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\DVD Shrink
2008-04-29 07:00 --------- d-----w C:\Documents and Settings\Randy\Application Data\uTorrent
2008-04-25 03:13 --------- d-----w C:\Program Files\Common Files\DAZ
2008-04-03 05:22 --------- d-----w C:\Program Files\CompuServe 2000
2008-04-01 17:51 --------- d-----w C:\Documents and Settings\Randy\Application Data\tunebite
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 22:24 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2008-03-13 04:41 --------- d-----w C:\Program Files\Napster
2008-03-06 16:37 --------- d-----w C:\Program Files\Java
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-28 22:10 65,536 ----a-w C:\WINDOWS\system32\dzcarrara.dll
2008-02-28 22:09 32,256 ----a-w C:\WINDOWS\system32\dzbryce6.dll
2008-02-28 22:09 25,600 -c--a-w C:\WINDOWS\system32\dzwrapper.dll
2008-02-28 22:04 9,056,256 -c--a-w C:\WINDOWS\system32\dzcore.dll
2008-02-28 19:08 6,131,712 -c--a-w C:\WINDOWS\system32\daz-qt-mt.dll
2008-02-28 19:08 1,785,856 -c--a-w C:\WINDOWS\system32\daz-qsa.dll
2008-02-28 19:04 2,076,672 ----a-w C:\WINDOWS\system32\dz3delight.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-08-28 18:07 81,216 -c--a-w C:\Documents and Settings\Randy\Application Data\GDIPFONTCACHEV1.DAT
2006-11-03 21:31 9,903 -c--a-w C:\Program Files\uninstal.log
2005-03-11 01:43 457 -c--a-w C:\Program Files\INSTALL.LOG
2005-01-24 23:51 5,636,184 -c--a-w C:\Documents and Settings\Randy\Application Data\DPSLib.exe
2006-05-03 10:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,744 --sha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4487a4d7-e178-47f5-bde1-a91fa32dfd38}]
C:\WINDOWS\system32\vxcsgumu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"OM_Monitor"="D:\Olympus\Monitor.exe" [2005-07-19 11:14 57344]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 15:32 700416]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"EPSON Stylus Photo R1800"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.exe" [2007-01-12 06:00 177664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-09-14 17:03 36864]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 02:00 90112]
"CTStartup"="C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.exe" [2001-06-04 02:00 28672]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 17:26 406016]
"POINTER"="point32.exe" []
"PestPatrol Control Center"="C:\PROGRA~1\PESTPA~1\PPControl.exe" [2004-11-15 12:49 98304]
"PPMemCheck"="C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 08:53 148480]
"CookiePatrol"="C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 10:35 73728]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 18:05 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [ ]
"Vrmon"="C:\Program Files\ViRobotXP\vrmonnt.exe" [2006-01-18 18:07 249916]
"EPSON Stylus Photo R1800"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.exe" [2007-01-12 06:00 177664]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2007-11-08 18:58 323216]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2005-11-19 00:33 1851392]
"PDFCreatorClient"="D:\JawsPDF Create\PDFClient.exe" [2003-12-09 13:11 315392]
"AVG7_CC"="C:\PROGRA~1\Grisoft\avgcc.exe" [2008-01-22 13:31 579072]
"Adobe Photo Downloader"="D:\Adobe\Lightroom\Lightroom 1.0\apdproxy.exe" [2007-02-13 15:00 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 17:05 919016]
"Norton Ghost 12.0"="C:\Program Files\Norton Ghost\Agent\VProTray.exe" [2007-03-28 21:41 2037352]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-03 17:17 180269]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\avgw.exe" [2008-01-22 13:32 219136]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-24 12:53:02 110592]
Adobe Reader Speed Launch.lnk.disabled [2005-11-07 20:13:20 1757]
ColorVisionStartup.lnk - D:\Pantone\Utility\ColorVisionStartup.exe [2006-01-31 18:48:52 385024]
Microtek Scanner Finder.lnk - C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-01-24 18:37:29 344064]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2005-10-17 20:01:36 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXNeEVO]
byXNeEVO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm
"VIDC.PIXL"= pclepixl.dll
"VIDC.NTN1"= NUVision.ax
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Color Calibration.lnk]
backup=C:\WINDOWS\pss\Color Calibration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^MagicTune 3.6.lnk]
backup=C:\WINDOWS\pss\MagicTune 3.6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]
backup=C:\WINDOWS\pss\Microtek Scanner Finder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
backup=C:\WINDOWS\pss\NaturalColorLoad.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a------ 2001-04-20 15:52 28672 C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MagicRotation]
--a--c--- 2005-12-26 17:23 1089536 C:\Program Files\MagicRotation\MagicPvt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediafourGettingStartedWithMacDrive6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
--a--c--- 2003-10-14 09:36 38984 C:\PROGRA~1\ICQ\ICQNet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
--a------ 2005-07-19 11:06 40960 D:\Olympus\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCLEPCI]
--a------ 2004-02-03 15:13 49152 D:\Pinnacle\PPE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-12-03 17:17 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskTray]
--a------ 2001-06-29 02:00 163840 C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2005-12-03 17:17 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\utorrent.exe"=

R1 magicpvt;magicpvt;C:\WINDOWS\system32\drivers\magicpvt.sys [2005-11-14 03:26]
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\system32\PackethSvc.exe [2001-08-09 17:46]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 21:08]
R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM);C:\WINDOWS\system32\drivers\e10kx2k.sys [2001-07-13 05:29]
S0 gyyxgrem;gyyxgrem;C:\WINDOWS\system32\drivers\sfgdganm.sys []
S2 DirectCihk;DirectX Service;C:\WINDOWS\system32\directx.exe []
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys [2002-04-02 17:30]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);C:\WINDOWS\system32\DRIVERS\LwAdiHid.sys [2004-08-03 21:39]
S3 LxrSG20d;LxrSG20d;C:\WINDOWS\system32\Drivers\LxrSG20d.sys [2005-01-18 18:52]
S3 NUVision;Pinnacle DVC 80 Video;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-12-03 13:55]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]
S3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys [2006-09-22 17:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\SH3Autorun.exe

*Newly Created Service* - VRFIL
.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 06:58:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-03 01:10:13 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 18:31:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run????????????x??????s$????\?w? ?w???????w???w4???????.??w4???????4???TA?s4???j????&2???A~??A~j???????\???\???????$???U?A~??A~\???\???????X?b???????B~\???\??????sj???\??????s\????&2?A??s?&2???B~???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\LexBceS.exe
C:\WINDOWS\system32\Lexpps.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\Grisoft\avgamsvr.exe
C:\PROGRA~1\Grisoft\avgupsvc.exe
C:\PROGRA~1\Grisoft\avgemc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\PDFCreatorMessages.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
.
**************************************************************************
.
Completion time: 2008-05-02 18:39:36 - machine was rebooted [Randy]
ComboFix-quarantined-files.txt 2008-05-03 01:39:10

Pre-Run: 91,987,664,896 bytes free
Post-Run: 92,067,852,288 bytes free

280 --- E O F --- 2008-05-02 01:32:44



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:54 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ViRobotXP\vrmonnt.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Support.com\bin\tgcmd.exe
D:\JawsPDF Create\PDFClient.exe
C:\PROGRA~1\Grisoft\avgcc.exe
D:\Adobe\Lightroom\Lightroom 1.0\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\PROGRA~1\Grisoft\avgamsvr.exe
C:\PROGRA~1\Grisoft\avgupsvc.exe
C:\PROGRA~1\Grisoft\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\PDFCreatorMessages.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....ink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: {83dfd23a-f19a-1edb-5f74-871e7d4a7844} - {4487a4d7-e178-47f5-bde1-a91fa32dfd38} - C:\WINDOWS\system32\vxcsgumu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P24 "EPSON Stylus Photo R1800" /O6 "USB001" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [PDFCreatorClient] D:\JawsPDF Create\PDFClient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Adobe\Lightroom\Lightroom 1.0\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] D:\Olympus\Monitor.exe -NoStart
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /FU "C:\WINDOWS\TEMP\E_S1C1.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: ColorVisionStartup.lnk = D:\Pantone\Utility\ColorVisionStartup.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O15 - Trusted Zone: www.ebay.com
O15 - Trusted Zone: http://cc.liquidviewer.com
O15 - Trusted Zone: http://my.msn.com
O15 - Trusted Zone: www.wolfgangsvault.com
O15 - Trusted Zone: http://www.wolfgangsvault.com
O15 - Trusted IP range: http://66.28.204.187
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103834206219
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byXNeEVO - byXNeEVO.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DirectX Service (DirectCihk) - Unknown owner - C:\WINDOWS\system32\directx.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINDOWS\system32\PDFCreatorMessages.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\ViRobotXP\vrmonsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10655 bytes



I'll wait for your email!!

RMohr
  • 0

#4
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
in this post we will ensure you only have one antivirus program running, clear the malware in the logs, scan a couple of suspicous looking files and do an online scan to see what we pick up.

the scans will likely take 2 hours, quite possibly much longer. so just let them run.


====STEP 1====
Anti-Virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

If you choose to install more than one Anti-Virus program on your computer, then only one of them should be active in memory at a time.

Go HERE and choose the product that is installed and then download the removal tool.
Run it and reboot.
This should get rid of Norton.

and could you remove Hauri using the Add/Remove Programs in the control panel


====STEP 2====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: {83dfd23a-f19a-1edb-5f74-871e7d4a7844} - {4487a4d7-e178-47f5-bde1-a91fa32dfd38} - C:\WINDOWS\system32\vxcsgumu.dll (file missing)
O15 - Trusted Zone: http://cc.liquidviewer.com
O15 - Trusted Zone: www.wolfgangsvault.com
O15 - Trusted Zone: http://www.wolfgangsvault.com
O15 - Trusted IP range: http://66.28.204.187
O20 - Winlogon Notify: byXNeEVO - byXNeEVO.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.



====STEP 3====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\vxcsgumu.dll
C:\WINDOWS\byXNeEVO.dll
C:\WINDOWS\system32\drivers\sfgdganm.sys

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

Driver::
gyyxgrem


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.




====STEP 4====
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
C:\WINDOWS\system32\directx.exe

Click on the submit button

Please also do the same with the following file:
C:\WINDOWS\BM91e5de62.xml


Please post the results of the scan in your next reply.

If Jotti is busy, try the same atVirustotal




====STEP 5====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


In your next reply could i see:
1. the 2 jotti reports
2. the kaspersky scan log
3. the combofix log
4. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#5
RMohr

RMohr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Okay ... Had to let the Kaspersky run overnight (I'm on the West Coast of the States) ...

Here are the reports:

Jotti:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Jotti2:

Scan taken on 03 May 2008 06:24:03 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 03, 2008 7:42:44 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/05/2008
Kaspersky Anti-Virus database records: 736525
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 209822
Number of viruses found: 6
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 03:06:46

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Support.com\profiles\Randy\triggers.log Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Randy\Application Data\Creative\Media Database\PCML_1.dpm Object is locked skipped
C:\Documents and Settings\Randy\Application Data\Creative\Media Database\PCML_1.ldb Object is locked skipped
C:\Documents and Settings\Randy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Randy\Desktop\Downloads\Download_mbam-setup.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_DC4B_2DF5_92D6_ED51\dfsr.db Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_DC4B_2DF5_92D6_ED51\fsr.log Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_DC4B_2DF5_92D6_ED51\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_DC4B_2DF5_92D6_ED51\tmp.edb Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Microsoft\MSN\db30\msrmohr-msn-com.sdf Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\History\History.IE5\MSHist012008050220080503\index.dat Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temp\fdr780.fdr Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temp\JET7D4F.tmp Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temp\~DF5098.tmp Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temp\~DF5151.tmp Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Randy\ntuser.dat Object is locked skipped
C:\Documents and Settings\Randy\ntuser.dat.LOG Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\calendar.mar Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\mail.mar Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\market.mar Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\market32.mar Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\miadv.mar Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\mibas.mar Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\micd.mar Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\printing.mar Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\qos.mar Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\themedef.mar Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\themedef32.mar Object is locked skipped
C:\Program Files\MSN\MsnInstaller\install.mar Object is locked skipped
C:\Program Files\MSN\MsnInstaller\Resources\MSNClientBrand\en\us\q002\9.50.433.0\brand.mar Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{2CC731C8-64B2-46B3-9A25-D124D43F2798}\RP225\A0043025.dll Object is locked skipped
C:\System Volume Information\_restore{2CC731C8-64B2-46B3-9A25-D124D43F2798}\RP228\A0043437.dll Object is locked skipped
C:\System Volume Information\_restore{2CC731C8-64B2-46B3-9A25-D124D43F2798}\RP230\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB833987$\sxs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\browser.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\SOLARIS.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\S1827B697.tmp Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT01c35.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT01c4c.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\PGCedit\bin\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
D:\PGCedit\PgcEdit.exe/Tcl/work/PGCEDIT/bin/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
D:\PGCedit\PgcEdit.exe ZIP: infected - 1 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{2CC731C8-64B2-46B3-9A25-D124D43F2798}\RP219\A0042515.exe/data0000.cab/is152915.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qpm skipped
D:\System Volume Information\_restore{2CC731C8-64B2-46B3-9A25-D124D43F2798}\RP219\A0042515.exe/data0000.cab/_launcher.exe Infected: Trojan-Clicker.MSIL.Xone.r skipped
D:\System Volume Information\_restore{2CC731C8-64B2-46B3-9A25-D124D43F2798}\RP219\A0042515.exe/data0000.cab/_1.exe Infected: Packed.Win32.Monder.gen skipped
D:\System Volume Information\_restore{2CC731C8-64B2-46B3-9A25-D124D43F2798}\RP219\A0042515.exe/data0000.cab Infected: Packed.Win32.Monder.gen skipped
D:\System Volume Information\_restore{2CC731C8-64B2-46B3-9A25-D124D43F2798}\RP219\A0042515.exe Rsrc-Package: infected - 4 skipped
D:\System Volume Information\_restore{2CC731C8-64B2-46B3-9A25-D124D43F2798}\RP227\A0043341.exe Object is locked skipped
D:\System Volume Information\_restore{2CC731C8-64B2-46B3-9A25-D124D43F2798}\RP227\A0043346.exe/data0000.cab/is201853.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qqz skipped
D:\System Volume Information\_restore{2CC731C8-64B2-46B3-9A25-D124D43F2798}\RP227\A0043346.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qqz skipped
D:\System Volume Information\_restore{2CC731C8-64B2-46B3-9A25-D124D43F2798}\RP227\A0043346.exe Rsrc-Package: infected - 2 skipped
D:\System Volume Information\_restore{2CC731C8-64B2-46B3-9A25-D124D43F2798}\RP230\change.log Object is locked skipped

Scan process completed.

ComboFix:

ComboFix 08-05-01.3 - Randy 2008-05-02 22:55:57.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.468 [GMT -7:00]
Running from: C:\Documents and Settings\Randy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Randy\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\byXNeEVO.dll
C:\WINDOWS\system32\drivers\sfgdganm.sys
C:\WINDOWS\system32\vxcsgumu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GYYXGREM
-------\Service_gyyxgrem


((((((((((((((((((((((((( Files Created from 2008-04-03 to 2008-05-03 )))))))))))))))))))))))))))))))
.

2008-05-02 22:42 . 2008-05-02 22:42 0 --a------ C:\WINDOWS\UnSetup.INI
2008-05-02 16:00 . 2008-05-02 16:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-01 09:37 . 2008-05-01 09:38 <DIR> d-------- C:\Program Files\Panda Security
2008-05-01 04:19 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-01 04:19 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-01 04:19 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-30 21:31 . 2008-04-30 22:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-30 21:31 . 2008-04-30 21:31 <DIR> d-------- C:\Documents and Settings\Randy\Application Data\Malwarebytes
2008-04-30 21:31 . 2008-04-30 21:31 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-04-30 21:30 . 2008-04-30 21:30 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-30 11:15 . 2008-04-30 11:16 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-04-30 11:14 . 2008-04-30 11:14 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-04-30 11:09 . 2008-04-30 11:09 <DIR> d-------- C:\Program Files\Windows Live
2008-04-30 11:09 . 2008-04-30 11:15 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-30 11:08 . 2008-04-30 11:08 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2008-04-29 19:50 . 2008-04-30 10:58 109,766 --a------ C:\WINDOWS\BM91e5de62.xml
2008-04-28 09:25 . 2008-04-28 09:25 8,424 --a------ C:\RATATOUILLE.MDS
2008-04-28 08:13 . 2008-04-28 09:25 8,337,195,008 --a------ C:\RATATOUILLE.ISO
2008-04-28 08:03 . 2008-04-28 08:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SlySoft
2008-04-28 08:02 . 2008-04-28 08:02 0 ---hs---- C:\WINDOWS\S1827B697.tmp
2008-04-23 15:53 . 2008-04-30 12:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-23 15:53 . 2008-04-23 15:53 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-10 06:19 . 2008-04-10 06:19 97,728 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-03 06:07 32,403,488 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-03 06:06 --------- d-----w C:\Program Files\PestPatrol
2008-05-03 06:03 382,820 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-03 06:01 --------- d-----w C:\Documents and Settings\Randy\Application Data\MSN6
2008-05-03 05:42 --------- d-----w C:\Program Files\ViRobotXP
2008-05-03 05:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-03 00:45 --------- d-----w C:\Documents and Settings\Randy\Application Data\AVG7
2008-05-01 14:50 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-01 05:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-01 05:40 --------- d-----w C:\Documents and Settings\Randy\Application Data\SUPERAntiSpyware.com
2008-04-29 18:03 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\DVD Shrink
2008-04-29 07:00 --------- d-----w C:\Documents and Settings\Randy\Application Data\uTorrent
2008-04-25 03:13 --------- d-----w C:\Program Files\Common Files\DAZ
2008-04-03 05:22 --------- d-----w C:\Program Files\CompuServe 2000
2008-04-01 17:51 --------- d-----w C:\Documents and Settings\Randy\Application Data\tunebite
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 22:24 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2008-03-13 04:41 --------- d-----w C:\Program Files\Napster
2008-03-06 16:37 --------- d-----w C:\Program Files\Java
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-28 22:10 65,536 ----a-w C:\WINDOWS\system32\dzcarrara.dll
2008-02-28 22:09 32,256 ----a-w C:\WINDOWS\system32\dzbryce6.dll
2008-02-28 22:09 25,600 -c--a-w C:\WINDOWS\system32\dzwrapper.dll
2008-02-28 22:04 9,056,256 -c--a-w C:\WINDOWS\system32\dzcore.dll
2008-02-28 19:08 6,131,712 -c--a-w C:\WINDOWS\system32\daz-qt-mt.dll
2008-02-28 19:08 1,785,856 -c--a-w C:\WINDOWS\system32\daz-qsa.dll
2008-02-28 19:04 2,076,672 ----a-w C:\WINDOWS\system32\dz3delight.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-08-28 18:07 81,216 -c--a-w C:\Documents and Settings\Randy\Application Data\GDIPFONTCACHEV1.DAT
2006-11-03 21:31 9,903 -c--a-w C:\Program Files\uninstal.log
2005-03-11 01:43 457 -c--a-w C:\Program Files\INSTALL.LOG
2005-01-24 23:51 5,636,184 -c--a-w C:\Documents and Settings\Randy\Application Data\DPSLib.exe
2006-05-03 10:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,744 --sha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((( [email protected]_18.38.12.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-03 01:30:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-03 06:04:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-02 23:10:19 63,470 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-03 05:35:55 63,470 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-02 23:10:19 405,888 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-03 05:35:55 405,888 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-05-02 23:06:01 14,233 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2008-05-03 06:07:26 14,233 ----a-w C:\WINDOWS\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"OM_Monitor"="D:\Olympus\Monitor.exe" [2005-07-19 11:14 57344]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 15:32 700416]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"EPSON Stylus Photo R1800"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.exe" [2007-01-12 06:00 177664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-09-14 17:03 36864]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 02:00 90112]
"CTStartup"="C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.exe" [2001-06-04 02:00 28672]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 17:26 406016]
"POINTER"="point32.exe" []
"PestPatrol Control Center"="C:\PROGRA~1\PESTPA~1\PPControl.exe" [2004-11-15 12:49 98304]
"PPMemCheck"="C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 08:53 148480]
"CookiePatrol"="C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 10:35 73728]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 18:05 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [ ]
"EPSON Stylus Photo R1800"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.exe" [2007-01-12 06:00 177664]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2007-11-08 18:58 323216]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2005-11-19 00:33 1851392]
"PDFCreatorClient"="D:\JawsPDF Create\PDFClient.exe" [2003-12-09 13:11 315392]
"AVG7_CC"="C:\PROGRA~1\Grisoft\avgcc.exe" [2008-01-22 13:31 579072]
"Adobe Photo Downloader"="D:\Adobe\Lightroom\Lightroom 1.0\apdproxy.exe" [2007-02-13 15:00 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 17:05 919016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-03 17:17 180269]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\avgw.exe" [2008-01-22 13:32 219136]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-24 12:53:02 110592]
Adobe Reader Speed Launch.lnk.disabled [2005-11-07 20:13:20 1757]
ColorVisionStartup.lnk - D:\Pantone\Utility\ColorVisionStartup.exe [2006-01-31 18:48:52 385024]
Microtek Scanner Finder.lnk - C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-01-24 18:37:29 344064]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2005-10-17 20:01:36 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm
"VIDC.PIXL"= pclepixl.dll
"VIDC.NTN1"= NUVision.ax
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Color Calibration.lnk]
backup=C:\WINDOWS\pss\Color Calibration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^MagicTune 3.6.lnk]
backup=C:\WINDOWS\pss\MagicTune 3.6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]
backup=C:\WINDOWS\pss\Microtek Scanner Finder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
backup=C:\WINDOWS\pss\NaturalColorLoad.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a------ 2001-04-20 15:52 28672 C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MagicRotation]
--a--c--- 2005-12-26 17:23 1089536 C:\Program Files\MagicRotation\MagicPvt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediafourGettingStartedWithMacDrive6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
--a--c--- 2003-10-14 09:36 38984 C:\PROGRA~1\ICQ\ICQNet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
--a------ 2005-07-19 11:06 40960 D:\Olympus\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCLEPCI]
--a------ 2004-02-03 15:13 49152 D:\Pinnacle\PPE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-12-03 17:17 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskTray]
--a------ 2001-06-29 02:00 163840 C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2005-12-03 17:17 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\utorrent.exe"=

R1 magicpvt;magicpvt;C:\WINDOWS\system32\drivers\magicpvt.sys [2005-11-14 03:26]
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\system32\PackethSvc.exe [2001-08-09 17:46]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 21:08]
R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM);C:\WINDOWS\system32\drivers\e10kx2k.sys [2001-07-13 05:29]
S2 DirectCihk;DirectX Service;C:\WINDOWS\system32\directx.exe []
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys [2002-04-02 17:30]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);C:\WINDOWS\system32\DRIVERS\LwAdiHid.sys [2004-08-03 21:39]
S3 LxrSG20d;LxrSG20d;C:\WINDOWS\system32\Drivers\LxrSG20d.sys [2005-01-18 18:52]
S3 NUVision;Pinnacle DVC 80 Video;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-12-03 13:55]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]
S3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys [2006-09-22 17:36]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 06:58:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-03 06:07:13 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 23:05:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run????????????x??????s$????\?w? ?w???????w???w4???????.??w4???????4???TA?s4???,????&2???A~??A~,???????\???\???????$???U?A~??A~\???\?????????`???????B~\???\??????s,???\??????s\????&2?A??s?&2???B~???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\LexBceS.exe
C:\WINDOWS\system32\Lexpps.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\avgamsvr.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Grisoft\avgupsvc.exe
C:\PROGRA~1\Grisoft\avgemc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PDFCreatorMessages.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
.
**************************************************************************
.
Completion time: 2008-05-02 23:12:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-03 06:12:06
ComboFix2.txt 2008-05-03 01:39:39

Pre-Run: 92,011,307,008 bytes free
Post-Run: 92,002,869,248 bytes free

248 --- E O F --- 2008-05-02 01:32:44


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:15 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\avgamsvr.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\Program Files\Napster\napster.exe
C:\Program Files\Support.com\bin\tgcmd.exe
D:\JawsPDF Create\PDFClient.exe
C:\PROGRA~1\Grisoft\avgcc.exe
D:\Adobe\Lightroom\Lightroom 1.0\apdproxy.exe
C:\PROGRA~1\Grisoft\avgupsvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PDFCreatorMessages.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....ink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P24 "EPSON Stylus Photo R1800" /O6 "USB001" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [PDFCreatorClient] D:\JawsPDF Create\PDFClient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Adobe\Lightroom\Lightroom 1.0\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] D:\Olympus\Monitor.exe -NoStart
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /FU "C:\WINDOWS\TEMP\E_S1C1.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: ColorVisionStartup.lnk = D:\Pantone\Utility\ColorVisionStartup.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O15 - Trusted Zone: www.ebay.com
O15 - Trusted Zone: http://my.msn.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103834206219
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DirectX Service (DirectCihk) - Unknown owner - C:\WINDOWS\system32\directx.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINDOWS\system32\PDFCreatorMessages.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9427 bytes


There you go!

RMohr
  • 0

#6
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
your logs are now looking pretty good :)

the kaspersky scan picked up safely quarantined files and some false positives. so, in this post we will remove one last infection, scan one file and do a couple of wrap up scans.

the scans will likely take 3 hours, quite possibly much longer. so just let them run.


====STEP 1====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O23 - Service: DirectX Service (DirectCihk) - Unknown owner - C:\WINDOWS\system32\directx.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis



====STEP 2====
You have to deal with the service prior to fixing it with HJT
I find it easier to use a batch for multiple services in this case it would be the following

Please copy (Ctrl C) and paste (Ctrl V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
sc stop DirectCihk
sc delete DirectCihk
exit
do not run this file yet
Double click FixServices.bat. A window will open and close. This is normal.


====STEP 3====
i just want to check this file:

Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE

Click on the submit button

Please post the results of the scan in your next reply.

If Jotti is busy, try the same atVirustotal


====STEP 4====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


====STEP 5====
and lets do a final scan with your malwarebytes program, we will also make sure it is fully updated before we run it.

Double Click the malwarebytes icon on the desktop to launch the program
  • Click the Update tab and press the Check for Updates button. let it run and follow all instructions if asked to reinstall the program.
  • Then, click the Scanner tab, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


In your next reply could i see:
1. jotti scan log
2. the combofix log
3. the SUPERantispyware log
4. the malwarebytes log
5. a new hijackthis log
6. some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#7
RMohr

RMohr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Glad to read the logs are looking good!

Here are the latest logs:

Jotti:


Scan taken on 03 May 2008 18:03:56 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

ComboFix:

ComboFix 08-05-01.3 - Randy 2008-05-03 22:39:24.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.265 [GMT -7:00]
Running from: C:\Documents and Settings\Randy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-05-02 22:42 . 2008-05-02 22:42 0 --a------ C:\WINDOWS\UnSetup.INI
2008-05-02 16:00 . 2008-05-02 16:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-01 09:37 . 2008-05-01 09:38 <DIR> d-------- C:\Program Files\Panda Security
2008-05-01 04:19 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-01 04:19 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-01 04:19 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-30 21:31 . 2008-04-30 22:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-30 21:31 . 2008-04-30 21:31 <DIR> d-------- C:\Documents and Settings\Randy\Application Data\Malwarebytes
2008-04-30 21:31 . 2008-04-30 21:31 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-04-30 21:30 . 2008-04-30 21:30 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-30 11:15 . 2008-04-30 11:16 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-04-30 11:14 . 2008-04-30 11:14 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-04-30 11:09 . 2008-04-30 11:09 <DIR> d-------- C:\Program Files\Windows Live
2008-04-30 11:09 . 2008-04-30 11:15 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-30 11:08 . 2008-04-30 11:08 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2008-04-29 19:50 . 2008-04-30 10:58 109,766 --a------ C:\WINDOWS\BM91e5de62.xml
2008-04-28 09:25 . 2008-04-28 09:25 8,424 --a------ C:\RATATOUILLE.MDS
2008-04-28 08:13 . 2008-04-28 09:25 8,337,195,008 --a------ C:\RATATOUILLE.ISO
2008-04-28 08:03 . 2008-04-28 08:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SlySoft
2008-04-28 08:02 . 2008-04-28 08:02 0 ---hs---- C:\WINDOWS\S1827B697.tmp
2008-04-23 15:53 . 2008-04-30 12:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-23 15:53 . 2008-04-23 15:53 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-10 06:19 . 2008-04-10 06:19 97,728 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 05:45 33,290,272 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-03 18:21 --------- d-----w C:\Documents and Settings\Randy\Application Data\MSN6
2008-05-03 18:14 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-03 18:13 --------- d-----w C:\Program Files\PestPatrol
2008-05-03 18:12 392,708 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-03 15:06 --------- d-----w C:\Documents and Settings\Randy\Application Data\AVG7
2008-05-03 05:42 --------- d-----w C:\Program Files\ViRobotXP
2008-05-03 05:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-01 05:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-01 05:40 --------- d-----w C:\Documents and Settings\Randy\Application Data\SUPERAntiSpyware.com
2008-04-29 18:03 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\DVD Shrink
2008-04-29 07:00 --------- d-----w C:\Documents and Settings\Randy\Application Data\uTorrent
2008-04-25 03:13 --------- d-----w C:\Program Files\Common Files\DAZ
2008-04-03 05:22 --------- d-----w C:\Program Files\CompuServe 2000
2008-04-01 17:51 --------- d-----w C:\Documents and Settings\Randy\Application Data\tunebite
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 22:24 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2008-03-13 04:41 --------- d-----w C:\Program Files\Napster
2008-03-06 16:37 --------- d-----w C:\Program Files\Java
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-28 22:10 65,536 ----a-w C:\WINDOWS\system32\dzcarrara.dll
2008-02-28 22:09 32,256 ----a-w C:\WINDOWS\system32\dzbryce6.dll
2008-02-28 22:09 25,600 -c--a-w C:\WINDOWS\system32\dzwrapper.dll
2008-02-28 22:04 9,056,256 -c--a-w C:\WINDOWS\system32\dzcore.dll
2008-02-28 19:08 6,131,712 -c--a-w C:\WINDOWS\system32\daz-qt-mt.dll
2008-02-28 19:08 1,785,856 -c--a-w C:\WINDOWS\system32\daz-qsa.dll
2008-02-28 19:04 2,076,672 ----a-w C:\WINDOWS\system32\dz3delight.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-08-28 18:07 81,216 -c--a-w C:\Documents and Settings\Randy\Application Data\GDIPFONTCACHEV1.DAT
2006-11-03 21:31 9,903 -c--a-w C:\Program Files\uninstal.log
2005-03-11 01:43 457 -c--a-w C:\Program Files\INSTALL.LOG
2005-01-24 23:51 5,636,184 -c--a-w C:\Documents and Settings\Randy\Application Data\DPSLib.exe
2006-05-03 10:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,744 --sha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((( [email protected]_18.38.12.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-03 01:30:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-03 18:13:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2005-05-24 19:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
- 2007-09-07 18:29:00 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 22:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
- 2007-09-07 18:29:00 946,176 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-08-29 22:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-05-02 23:10:19 63,470 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-03 18:19:13 63,470 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-02 23:10:19 405,888 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-03 18:19:13 405,888 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-05-02 23:06:01 14,233 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2008-05-03 18:14:58 14,233 ----a-w C:\WINDOWS\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"OM_Monitor"="D:\Olympus\Monitor.exe" [2005-07-19 11:14 57344]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 15:32 700416]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"EPSON Stylus Photo R1800"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.exe" [2007-01-12 06:00 177664]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-03 11:14 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-09-14 17:03 36864]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 02:00 90112]
"CTStartup"="C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.exe" [2001-06-04 02:00 28672]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 17:26 406016]
"POINTER"="point32.exe" []
"PestPatrol Control Center"="C:\PROGRA~1\PESTPA~1\PPControl.exe" [2004-11-15 12:49 98304]
"PPMemCheck"="C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 08:53 148480]
"CookiePatrol"="C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 10:35 73728]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 18:05 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [ ]
"EPSON Stylus Photo R1800"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.exe" [2007-01-12 06:00 177664]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2007-11-08 18:58 323216]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2005-11-19 00:33 1851392]
"PDFCreatorClient"="D:\JawsPDF Create\PDFClient.exe" [2003-12-09 13:11 315392]
"AVG7_CC"="C:\PROGRA~1\Grisoft\avgcc.exe" [2008-01-22 13:31 579072]
"Adobe Photo Downloader"="D:\Adobe\Lightroom\Lightroom 1.0\apdproxy.exe" [2007-02-13 15:00 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 17:05 919016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-03 17:17 180269]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\avgw.exe" [2008-01-22 13:32 219136]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-24 12:53:02 110592]
Adobe Reader Speed Launch.lnk.disabled [2005-11-07 20:13:20 1757]
ColorVisionStartup.lnk - D:\Pantone\Utility\ColorVisionStartup.exe [2006-01-31 18:48:52 385024]
Microtek Scanner Finder.lnk - C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-01-24 18:37:29 344064]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2005-10-17 20:01:36 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-03 11:14 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm
"VIDC.PIXL"= pclepixl.dll
"VIDC.NTN1"= NUVision.ax
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Color Calibration.lnk]
backup=C:\WINDOWS\pss\Color Calibration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^MagicTune 3.6.lnk]
backup=C:\WINDOWS\pss\MagicTune 3.6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]
backup=C:\WINDOWS\pss\Microtek Scanner Finder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
backup=C:\WINDOWS\pss\NaturalColorLoad.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a------ 2001-04-20 15:52 28672 C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MagicRotation]
--a--c--- 2005-12-26 17:23 1089536 C:\Program Files\MagicRotation\MagicPvt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediafourGettingStartedWithMacDrive6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
--a--c--- 2003-10-14 09:36 38984 C:\PROGRA~1\ICQ\ICQNet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
--a------ 2005-07-19 11:06 40960 D:\Olympus\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCLEPCI]
--a------ 2004-02-03 15:13 49152 D:\Pinnacle\PPE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-12-03 17:17 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskTray]
--a------ 2001-06-29 02:00 163840 C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2005-12-03 17:17 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\utorrent.exe"=

R1 magicpvt;magicpvt;C:\WINDOWS\system32\drivers\magicpvt.sys [2005-11-14 03:26]
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\system32\PackethSvc.exe [2001-08-09 17:46]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 21:08]
R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM);C:\WINDOWS\system32\drivers\e10kx2k.sys [2001-07-13 05:29]
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys [2002-04-02 17:30]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);C:\WINDOWS\system32\DRIVERS\LwAdiHid.sys [2004-08-03 21:39]
S3 LxrSG20d;LxrSG20d;C:\WINDOWS\system32\Drivers\LxrSG20d.sys [2005-01-18 18:52]
S3 NUVision;Pinnacle DVC 80 Video;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-12-03 13:55]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]
S3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys [2006-09-22 17:36]

*Newly Created Service* - CATCHME
*Newly Created Service* - SASDIFSV
.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 06:58:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-04 05:07:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 22:44:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run????????????x??????s$????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&2???A~??A~????????\???\???????$???U?A~??A~\???\????????K`???????B~\???\??????s????\??????s\????&2?A??s?&2???B~???

scanning hidden files ...


C:\Documents and Settings\Randy\Local Settings\Application Data\Microsoft\Messenger\Brands\Q002\Q002_en-us_P10.cab 55244 bytes
C:\Documents and Settings\Randy\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_DC4B_2DF5_92D6_ED51\$db_clean$ 0 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2008-05-03 22:47:05
ComboFix-quarantined-files.txt 2008-05-04 05:46:49
ComboFix2.txt 2008-05-03 06:12:31
ComboFix3.txt 2008-05-03 01:39:39

Pre-Run: 91,945,443,328 bytes free
Post-Run: 91,931,152,384 bytes free

224 --- E O F --- 2008-05-02 01:32:44


SuperAntiSpy:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/03/2008 at 03:03 PM

Application Version : 4.0.1154

Core Rules Database Version : 3452
Trace Rules Database Version: 1444

Scan type : Complete Scan
Total Scan Time : 03:40:09

Memory items scanned : 535
Memory threats detected : 0
Registry items scanned : 7408
Registry threats detected : 0
File items scanned : 204628
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings\Randy\Cookies\[email protected][2].txt
C:\Documents and Settings\Randy\Cookies\[email protected][1].txt
C:\Documents and Settings\Randy\Cookies\[email protected][1].txt
C:\Documents and Settings\Randy\Cookies\[email protected][1].txt
C:\Documents and Settings\Randy\Cookies\[email protected][2].txt

MalwareByte:

Malwarebytes' Anti-Malware 1.11
Database version: 712

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 263667
Time elapsed: 3 hour(s), 54 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\yayyWPjH.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2CC731C8-64B2-46B3-9A25-D124D43F2798}\RP224\A0042962.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


Hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:10 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\Program Files\Napster\napster.exe
C:\Program Files\Support.com\bin\tgcmd.exe
D:\JawsPDF Create\PDFClient.exe
C:\PROGRA~1\Grisoft\avgcc.exe
D:\Adobe\Lightroom\Lightroom 1.0\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\avgamsvr.exe
C:\PROGRA~1\Grisoft\avgupsvc.exe
C:\PROGRA~1\Grisoft\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PDFCreatorMessages.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....ink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P24 "EPSON Stylus Photo R1800" /O6 "USB001" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [PDFCreatorClient] D:\JawsPDF Create\PDFClient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Adobe\Lightroom\Lightroom 1.0\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] D:\Olympus\Monitor.exe -NoStart
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /FU "C:\WINDOWS\TEMP\E_S1C1.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: ColorVisionStartup.lnk = D:\Pantone\Utility\ColorVisionStartup.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O15 - Trusted Zone: www.ebay.com
O15 - Trusted Zone: http://my.msn.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103834206219
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINDOWS\system32\PDFCreatorMessages.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9478 bytes


That's it so far...

RMohr
  • 0

#8
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
i seem to be going mad, dont know why i asked for another combofix log......

the jotti scan was fine, the malwarebytes scan picked up quarantined items and the SUPERantispyware scan only picked up cookies.

.......how is your machine running now?
  • 0

#9
RMohr

RMohr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Mad? Mad? You??!! Heh ...

When the trojans started hitting I noticed a slowdown in webpage loading etc ... now it's just fine. No more threat alerts from AVG. I think the biggest bit of advice was to get rid of the Norton and Hauri (though Norton Ghost was great to copy my main harddrive to a bigger harddrive)!

One additional thing: Zone Alarm of late (like, right now) has been popping up with an alert of an exe wanting to access the internet and send an Error Report to Microsoft .. it's dw15.exe ... I always deny access for apps I'm not familiar with especially when it's never done that before. I did a little research, seems benign enough ... what would you suggest?

Am I at a point where I can delete/uninstall all the logs and antivirus apps (Malwarebyte, SuperAntiSpy, HijackThis, ComboFix, WindowsXPBootDisk.exe, FixServices.bat etc? And can I empty the quarantied files from the various programs (should I have already done so)?

RMohr
  • 0

#10
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi RMohr

congratulations, your logs are clean :)

in this post we will clear away the fix tools (this is so that should you ever be re-infected, you will download updated versions and it will also remove the quarantined Malware from your computer), reset your restore points (there will be infections lurking in there) and i will leave you with some ideas on how to enhance the protection of your machine against future infection.

I think the biggest bit of advice was to get rid of the Norton and Hauri (though Norton Ghost was great to copy my main harddrive to a bigger harddrive)!

it was most likely the hauri and remants of a prior installation of norton that was slowing you down. the norton ghost is probably ok.

Zone Alarm of late (like, right now) has been popping up with an alert of an exe wanting to access the internet and send an Error Report to Microsoft .. it's dw15.exe ... I always deny access for apps I'm not familiar with especially when it's never done that before. I did a little research, seems benign enough ... what would you suggest?

hmm....the dw15.exe file is a Microsoft Application Error Reporting from Microsoft Corporation belonging to Microsoft Application Error Reporting - so that is the not the error it is trying to report. any ideas what error it is trying to report?

Am I at a point where I can delete/uninstall all the logs and antivirus apps (Malwarebyte, SuperAntiSpy, HijackThis, ComboFix, WindowsXPBootDisk.exe, FixServices.bat etc? And can I empty the quarantied files from the various programs (should I have already done so)?

we will be doing that now

====STEP 1====
Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image
you can now remove any other tools we used in the fix


====STEP 2====
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

Instructions with screenshots to help is http://www.f-secure..../sfc_dis1.shtml

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405


====IDEAS TO SPEED UP YOUR MACHINE====
this page http://users.telenet...owcomputer.html gives some good ideas on how to improve the efficiency of your machine and has one or two useful links to help your further.


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein


andrewuk
  • 0

#11
RMohr

RMohr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hey, thanks a million!! As always you and Geeks rock and rule!!

I've bookmarked the sites you recommended ...

About the Microsoft Error Reporting: I suspect it may be from my trying to cancel an update that's trying to install updates to Microsoft Office (which I rarely use) .. I suppose I should just let it install the updates, eh?

Once again, thanks for the invaluable help!

R Mohr
  • 0

#12
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

About the Microsoft Error Reporting: I suspect it may be from my trying to cancel an update that's trying to install updates to Microsoft Office (which I rarely use) .. I suppose I should just let it install the updates, eh?

yes, let microsoft install updates.
  • 0

#13
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP