Please help with pop-ups [RESOLVED]



#1 Bucfive (New Member, 5 posts)

Hello,

Can't seem to get rid of these annoying pop-ups. Ran Spybot S&D and it detected Smitfraud C services although it was unable to delete it. Any suggestions would be helpful. Below are the HijackThis and SmitFraudFix scan logs. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:26 PM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://middlegeorgia.cox.net/cci/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1060922
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: tuvvtSiJ - tuvvtSiJ.dll (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7849 bytes

SmitFraudFix v2.319

Scan done at 18:34:44.06, Fri 05/16/2008
Run from C:\Documents and Settings\Mari Beth\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mari Beth


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mari Beth\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MARIBE~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="avgrsstx.dll"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Dell Wireless 1390 WLAN Mini-Card - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{734AA616-9F4D-4B80-9FB3-AA5F884B01AB}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{734AA616-9F4D-4B80-9FB3-AA5F884B01AB}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{734AA616-9F4D-4B80-9FB3-AA5F884B01AB}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
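An added example, not part of this thread and not HijackThis code: a small Python triage that reads HijackThis lines like the ones in the log above and ranks the entry types a helper looks at first. The sample lines are copied from the log in post #1. The severity rules (a Winlogon Notify package whose DLL is missing as high; AppInit_DLLs and Run entries that name a bare file with no path as medium; orphaned CLSIDs and services with no vendor string as low) are this example's own assumptions for ordering a human's review, not a verdict from any tool, and the `Finding` type and function names are made up here.

```python
"""Rank HijackThis log entries for human review.

Added example; not part of the forum thread and not HijackThis code.
Sample lines are copied from the HijackThis log in post #1.  The severity
rules are this example's own heuristics (assumptions) for ordering review,
not a verdict that any entry is malicious.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines from the posted log.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe",
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)",
    r"O20 - AppInit_DLLs: avgrsstx.dll",
    r"O20 - Winlogon Notify: tuvvtSiJ - tuvvtSiJ.dll (file missing)",
    r"O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE",
]

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")          # "O20 - <rest>"
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    severity: str   # high / medium / low
    section: str    # HijackThis section tag, e.g. "O20"
    detail: str


def triage_line(line):
    """Return a Finding for one log line, or None if the line needs no attention."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()

    if section == "O20" and rest.startswith("Winlogon Notify:"):
        # Notify packages are loaded by winlogon.exe, i.e. as SYSTEM, at logon.
        # A missing DLL is the usual leftover of a half-removed infection.
        if "(file missing)" in rest:
            return Finding("high", section, "orphaned Winlogon Notify package: " + rest)
        return Finding("medium", section, "Winlogon Notify package: " + rest)

    if section == "O20" and rest.startswith("AppInit_DLLs:"):
        # Injected into every process that loads user32.dll; always worth a look.
        return Finding("medium", section, "AppInit_DLLs set: " + rest)

    if section == "O4":
        rm = RUN_RE.match(rest)
        if rm:
            cmd = rm.group("cmd").strip()
            exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
            if "\\" not in exe:
                # No directory: Windows finds the file via the search path,
                # so a same-named file earlier in that path would run instead.
                return Finding("medium", section,
                               f"[{rm.group('name')}] bare filename {exe}: confirm which copy runs")
        return None

    if "(no file)" in rest or "(file missing)" in rest:
        return Finding("low", section, "orphaned reference: " + rest)

    if section == "O23" and "- Unknown owner -" in rest:
        return Finding("low", section, "service with no vendor string: " + rest)

    return None


def triage(lines):
    """Findings for all lines, highest severity first."""
    findings = [f for f in map(triage_line, lines) if f is not None]
    return sorted(findings, key=lambda f: ORDER[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section:4} {f.detail}")
```

On the sample above the only high finding is the O20 Winlogon Notify line; the AVG AppInit_DLLs entry and the path-less stsystra.exe Run entry come out as medium, which is the point: the rules order what to look at, they do not decide what is malicious.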


#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O20 - Winlogon Notify: tuvvtSiJ - tuvvtSiJ.dll (file missing)

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

#3 Bucfive (Topic Starter)

Thanks greyknight17,

Here is the ComboFix log:

Start Time= Sat 05/17/2008 17:51:43.95

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2008-05-16 20:09:26 160256 ( A.... ) "C:\WINDOWS\system32\blackster.scr"
2008-05-16 20:06:46 10520 ( A.... ) "C:\WINDOWS\system32\avgrsstx.dll"
2008-05-16 20:06:28 ( .D... ) "C:\Program Files\AVG"
2008-05-16 19:26:24 ( .D... ) "C:\Documents and Settings\Mari Beth\Application Data\AVGTOOLBAR"
2008-05-16 19:03:48 ( .D... ) "C:\Documents and Settings\Mari Beth\Application Data\Uniblue"
2008-05-16 18:46:10 ( .D... ) "C:\Program Files\Trend Micro"
2008-05-16 18:34:48 2802 ( A.... ) "C:\WINDOWS\system32\tmp.reg"
2008-05-16 17:46:28 ( .D... ) "C:\Documents and Settings\Mari Beth\Application Data\Malwarebytes"
2008-05-16 17:46:24 ( .D... ) "C:\Program Files\Malwarebytes' Anti-Malware"
2008-05-16 17:46:04 ( .D... ) "C:\Program Files\Common Files\Download Manager"
2008-05-11 21:01:44 ( .D... ) "C:\Program Files\Panda Security"
2008-05-09 17:35:04 16863864 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2008-05-05 08:29:08 ( .D... ) "C:\Program Files\Hijackthis"
2008-05-04 18:40:18 48640 ( A.... ) "C:\WINDOWS\system32\interns32.dll"
2008-05-03 12:26:08 ( .D... ) "C:\Program Files\Microsoft Windows OneCare Live"
2008-04-28 08:03:06 82944 ( A.... ) "C:\WINDOWS\system32\IEDFix.exe"
2008-04-28 08:03:06 82944 ( A.... ) "C:\WINDOWS\system32\404Fix.exe"
2008-04-27 11:23:04 ( .D... ) "C:\Program Files\Enigma Software Group"
2008-04-24 08:10:34 86528 ( A.... ) "C:\WINDOWS\system32\VACFix.exe"
2008-04-14 15:27:38 ( .D... ) "C:\Program Files\Course 12"
2008-04-14 15:27:14 ( .D... ) "C:\Program Files\Course 12, version 4"
2008-04-14 15:26:20 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
2008-03-27 04:12:54 151583 ( A.... ) "C:\WINDOWS\system32\msjint40.dll"
2008-03-25 00:50:58 838432 ( A.... ) "C:\WINDOWS\system32\mswdat10.dll"
2008-03-25 00:50:58 621344 ( A.... ) "C:\WINDOWS\system32\mswstr10.dll"
2008-03-25 00:50:58 355104 ( A.... ) "C:\WINDOWS\system32\msxbde40.dll"
2008-03-25 00:50:56 264992 ( A.... ) "C:\WINDOWS\system32\mstext40.dll"
2008-03-25 00:50:52 559904 ( A.... ) "C:\WINDOWS\system32\msrepl40.dll"
2008-03-25 00:50:50 322336 ( A.... ) "C:\WINDOWS\system32\msrd3x40.dll"
2008-03-25 00:50:48 432928 ( A.... ) "C:\WINDOWS\system32\msrd2x40.dll"
2008-03-25 00:50:46 355104 ( A.... ) "C:\WINDOWS\system32\mspbde40.dll"
2008-03-25 00:50:44 219936 ( A.... ) "C:\WINDOWS\system32\msltus40.dll"
2008-03-25 00:50:42 248608 ( A.... ) "C:\WINDOWS\system32\msjtes40.dll"
2008-03-25 00:50:42 60192 ( A.... ) "C:\WINDOWS\system32\msjter40.dll"
2008-03-25 00:50:40 355112 ( A.... ) "C:\WINDOWS\system32\msjetoledb40.dll"
2008-03-25 00:50:34 1516568 ( A.... ) "C:\WINDOWS\system32\msjet40.dll"
2008-03-25 00:50:30 326432 ( A.... ) "C:\WINDOWS\system32\msexcl40.dll"
2008-03-25 00:50:28 518944 ( A.... ) "C:\WINDOWS\system32\msexch40.dll"
2008-03-19 05:47:00 1845248 ( A.... ) "C:\WINDOWS\system32\win32k.sys"
2008-03-01 18:36:30 3591680 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2008-03-01 09:06:32 826368 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
2008-03-01 09:06:30 1159680 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
2008-03-01 09:06:30 671232 ( A.... ) "C:\WINDOWS\system32\mstime.dll"
2008-03-01 09:06:30 233472 ( A.... ) "C:\WINDOWS\system32\webcheck.dll"
2008-03-01 09:06:30 105984 ( A.... ) "C:\WINDOWS\system32\url.dll"
2008-03-01 09:06:30 102912 ( A.... ) "C:\WINDOWS\system32\occache.dll"
2008-03-01 09:06:30 44544 ( A.... ) "C:\WINDOWS\system32\pngfilt.dll"
2008-03-01 09:06:28 478208 ( A.... ) "C:\WINDOWS\system32\mshtmled.dll"
2008-03-01 09:06:28 193024 ( A.... ) "C:\WINDOWS\system32\msrating.dll"
2008-03-01 09:06:26 459264 ( A.... ) "C:\WINDOWS\system32\msfeeds.dll"
2008-03-01 09:06:26 267776 ( A.... ) "C:\WINDOWS\system32\iertutil.dll"
2008-03-01 09:06:26 52224 ( A.... ) "C:\WINDOWS\system32\msfeedsbs.dll"
2008-03-01 09:06:26 27648 ( A.... ) "C:\WINDOWS\system32\jsproxy.dll"
2008-03-01 09:06:24 6066176 ( A.... ) "C:\WINDOWS\system32\ieframe.dll"
2008-03-01 09:06:24 44544 ( A.... ) "C:\WINDOWS\system32\iernonce.dll"
2008-03-01 09:06:22 384512 ( A.... ) "C:\WINDOWS\system32\iedkcs32.dll"
2008-03-01 09:06:22 383488 ( A.... ) "C:\WINDOWS\system32\ieapfltr.dll"
2008-03-01 09:06:22 347136 ( A.... ) "C:\WINDOWS\system32\dxtmsft.dll"
2008-03-01 09:06:22 230400 ( A.... ) "C:\WINDOWS\system32\ieaksie.dll"
2008-03-01 09:06:22 214528 ( A.... ) "C:\WINDOWS\system32\dxtrans.dll"
2008-03-01 09:06:22 153088 ( A.... ) "C:\WINDOWS\system32\ieakeng.dll"
2008-03-01 09:06:22 133120 ( A.... ) "C:\WINDOWS\system32\extmgr.dll"
2008-03-01 09:06:22 63488 ( A.... ) "C:\WINDOWS\system32\icardie.dll"
2008-03-01 09:06:20 124928 ( A.... ) "C:\WINDOWS\system32\advpack.dll"
2008-02-29 04:55:24 70656 ( A.... ) "C:\WINDOWS\system32\ie4uinit.exe"
2008-02-22 06:00:52 13824 ( A.... ) "C:\WINDOWS\system32\ieudinit.exe"
2008-02-20 02:51:06 282624 ( A.... ) "C:\WINDOWS\system32\gdi32.dll"
2008-02-20 01:32:44 148992 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2008-02-20 01:32:44 45568 ( A.... ) "C:\WINDOWS\system32\dnsrslvr.dll"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY.exe"
"SigmatelSysTrayApp"="stsystra.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Lexmark X84-X85 Button Monitor"="C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X84-X85.exe"
"Lexmark X84-X85 Button Manager"="C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X84-X85.exe"
"PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"AVG8_TRAY"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"Uniblue RegistryBooster 2"="C:\\Program Files\\Uniblue\\RegistryBooster 2\\RegistryBooster.exe /S"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Extender Resource Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\Extender Resource Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\ehome\\RMSysTry.exe "
"item"="Extender Resource Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="quickset"
"hkey"="HKLM"
"command"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSAgnt"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDLauncher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleDesktop"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="issch"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AcBtnMgr_X84-X85"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X84-X85.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ACMonitor_X84-X85"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X84-X85.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NetWaiting"
"hkey"="HKCU"
"command"="C:\\Program Files\\NetWaiting\\NetWaiting.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GhostTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Norton Ghost\\Agent\\GhostTray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"


Contents of the 'Scheduled Tasks' folder

Completion time: Sat 05/17/2008 17:52:47.01
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt

#4 greyknight17

Delete ComboFix and download it again from the second link instead. It seems the first link has an older version of it. Run the new ComboFix tool and post the log here.
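The next reply posts the log from the newer ComboFix build. As an added example, not part of this thread and not ComboFix code, here is a Python triage of that log's "Files Created" section. It flags the properties a helper would look at first: a creation time later than the scan date, a new hidden+system directory, a directory whose name is plain base64 (C:\WINDOWS\TWFyaSBCZXRoIA in that log decodes to the user name "Mari Beth "), and new files dropped directly into system32. The sample lines are copied from the log in post #5; the rules, severities and function names are this example's own assumptions, and a flag means "look at this", not "this is malware" (the AVG DLL in the sample is caught by the system32 rule too).

```python
"""Flag notable entries in the 'Files Created' section of a ComboFix log.

Added example; not part of the forum thread and not ComboFix code.  Sample
lines are copied from the ComboFix log in post #5.  The rules and severities
are this example's own heuristics (assumptions): a flag means "look at this",
not "this is malware".
"""
import base64
import re
from dataclasses import dataclass
from datetime import datetime

# Copied from the posted log: the header line and a subset of the listing.
SCAN_HEADER = "ComboFix 08-05-15.3 - Mari Beth 2008-05-19 6:10:34.1 - NTFSx86"
SAMPLE_LINES = [
    r"2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\system32\LXBOUSCI.INI",
    r"2008-05-16 20:09 . 2008-05-16 20:09 160,256 --a------ C:\WINDOWS\system32\blackster.scr",
    r"2008-05-16 20:06 . 2008-05-16 20:06 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll",
    r"2008-05-04 18:41 . 2008-05-04 18:41 1 --a------ C:\WINDOWS\system32\tb.dr",
    r"2008-05-04 18:40 . 2008-05-04 18:40 48,640 --a------ C:\WINDOWS\system32\interns32.dll",
    r"2008-04-26 09:05 . 2008-05-17 06:32 <DIR> d--hs---- C:\Documents and Settings\Mari Beth\!",
    r"2008-04-26 09:04 . 2008-04-30 05:19 <DIR> d--hs---- C:\WINDOWS\TWFyaSBCZXRoIA",
    r"2008-04-26 09:04 . 2008-04-26 09:04 <DIR> d-------- C:\Temp\kvebs14",
    r"2008-04-26 09:03 . 2008-04-27 10:40 <DIR> d-------- C:\WINDOWS\system32\pnVes05",
]

# "<created> . <modified> <size or <DIR>> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S{9})\s+(?P<path>.+)$"
)
B64_NAME_RE = re.compile(r"^[A-Za-z0-9+/]{8,}$")   # unpadded base64, 8+ chars
SYSTEM32 = "c:\\windows\\system32\\"
ORDER = {"high": 0, "low": 1}


@dataclass
class Finding:
    severity: str
    reason: str
    path: str


def scan_date(header):
    """Scan date from the ComboFix header line (first 'YYYY-MM-DD H:MM:SS')."""
    m = re.search(r"(\d{4}-\d{2}-\d{2}) \d{1,2}:\d{2}:\d{2}", header)
    return datetime.strptime(m.group(1), "%Y-%m-%d")


def decode_base64_name(name):
    """Decoded text if 'name' is base64 of printable ASCII, else None."""
    if not B64_NAME_RE.match(name) or len(name) % 4 == 1:
        return None                        # a length of 4n+1 is never base64
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
    except ValueError:
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def triage_line(line, scan_dt):
    """All findings for one listing line (a line can trigger several rules)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    path, attrs = m.group("path"), m.group("attrs")
    name = path.rsplit("\\", 1)[-1]
    created = datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M")
    out = []
    if created > scan_dt:
        out.append(Finding("high", f"creation time {m.group('created')} is after the scan date", path))
    if attrs.startswith("d") and "h" in attrs and "s" in attrs:
        out.append(Finding("high", "new hidden+system directory", path))
    decoded = decode_base64_name(name)
    if decoded is not None:
        out.append(Finding("high", f"name is base64 of {decoded!r}", path))
    if path.lower().startswith(SYSTEM32) and not attrs.startswith("d"):
        out.append(Finding("low", "new file directly in system32; check vendor and signature", path))
    return out


def triage(lines, header=SCAN_HEADER):
    """Findings for the whole listing, high severity first."""
    scan_dt = scan_date(header)
    findings = [f for line in lines for f in triage_line(line, scan_dt)]
    return sorted(findings, key=lambda f: ORDER[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.severity:5} {f.reason}: {f.path}")
```

The base64 check is deliberately strict (alphabet only, no dots, a plausible length, printable output) so that ordinary names such as LXBOUSCI or pnVes05 do not trip it; TWFyaSBCZXRoIA is the only name in the sample that decodes to text. The future-dated LXBOUSCI.INI line is flagged because a creation time later than the scan date cannot come from a normal install and deserves a second look, whatever the cause turns out to be.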

#5 Bucfive (Topic Starter)

Thanks for your help...
Here is the log from the second link.

ComboFix 08-05-15.3 - Mari Beth 2008-05-19 6:10:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1049 [GMT -4:00]
Running from: C:\Documents and Settings\Mari Beth\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\rdpcddd.sys
C:\WINDOWS\system32\EOpYbJjl.ini
C:\WINDOWS\system32\EOpYbJjl.ini2
C:\WINDOWS\system32\MSINET.oca

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_RDPCDDD
-------\Service_rdpcddd


((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.

2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\system32\LXBOUSCI.INI
2008-05-17 06:11 . 2008-05-17 06:15 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-16 20:09 . 2008-05-16 20:09 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-16 20:06 . 2008-05-19 06:07 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-16 20:06 . 2008-05-16 20:06 <DIR> d-------- C:\Program Files\AVG
2008-05-16 20:06 . 2008-05-16 20:06 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-16 20:06 . 2008-05-16 20:06 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-16 20:06 . 2008-05-16 20:06 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-16 19:35 . 2008-05-16 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-16 19:26 . 2008-05-16 19:26 <DIR> d-------- C:\Documents and Settings\Mari Beth\Application Data\AVGTOOLBAR
2008-05-16 19:03 . 2008-05-16 19:03 <DIR> d-------- C:\Documents and Settings\Mari Beth\Application Data\Uniblue
2008-05-16 18:46 . 2008-05-16 18:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-16 18:34 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-16 18:34 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-16 18:34 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-16 18:34 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-16 18:34 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-16 18:34 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-16 18:34 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-16 18:34 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-16 17:46 . 2008-05-16 17:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-16 17:46 . 2008-05-16 17:46 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-16 17:46 . 2008-05-16 17:46 <DIR> d-------- C:\Documents and Settings\Mari Beth\Application Data\Malwarebytes
2008-05-16 17:46 . 2008-05-16 17:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-16 17:46 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-16 17:46 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-11 21:01 . 2008-05-11 21:01 <DIR> d-------- C:\Program Files\Panda Security
2008-05-04 18:41 . 2008-05-04 18:41 1 --a------ C:\WINDOWS\system32\tb.dr
2008-05-04 18:40 . 2008-05-04 18:40 48,640 --a------ C:\WINDOWS\system32\interns32.dll
2008-05-04 18:40 . 2008-05-04 18:40 404 --a------ C:\WINDOWS\system32\es.dat
2008-05-04 09:25 . 2008-05-16 18:34 2,802 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-03 12:26 . 2008-05-03 12:26 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-05-03 12:25 . 2008-05-03 12:25 119,832 --a------ C:\Temp\MSAntiMalwareRepair.exe
2008-04-29 22:42 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-29 20:31 . 2008-04-29 22:50 <DIR> d-------- C:\Documents and Settings\Mari Beth\.housecall6.6
2008-04-27 11:23 . 2008-04-27 11:23 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-26 12:22 . 2008-04-26 12:22 47,787,248 --a------ C:\Temp\avg_free_stf_en_8_100a1295.exe
2008-04-26 12:04 . 2008-05-19 06:14 20 --a------ C:\WINDOWS\ACMonitor_X84-X85.ini
2008-04-26 09:05 . 2008-05-17 06:32 <DIR> d--hs---- C:\Documents and Settings\Mari Beth\!
2008-04-26 09:04 . 2008-04-30 05:19 <DIR> d--hs---- C:\WINDOWS\TWFyaSBCZXRoIA
2008-04-26 09:04 . 2008-04-26 09:04 <DIR> d-------- C:\Temp\kvebs14
2008-04-26 09:03 . 2008-04-27 10:40 <DIR> d-------- C:\WINDOWS\system32\pnVes05

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 14:49 --------- d-----w C:\Program Files\Disney Interactive
2008-04-26 19:43 --------- d-----w C:\Program Files\Google
2008-04-26 16:53 --------- d-----w C:\Program Files\LimeWire
2008-04-26 16:04 --------- d-----w C:\Documents and Settings\Mari Beth\Application Data\LimeWire
2008-04-26 13:03 --------- d-----w C:\Program Files\Zune
2008-04-14 19:27 --------- d-----w C:\Program Files\Course 12, version 4
2008-04-14 19:27 --------- d-----w C:\Program Files\Course 12
2008-04-14 19:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-01 00:07 308 ----a-w C:\Documents and Settings\Mari Beth\Application Data\wklnhst.dat
2006-10-28 17:44 88 --sh--r C:\WINDOWS\system32\96814779B2.sys
2006-10-28 17:44 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 08:39 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 17:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 17:45 118784]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 13:48 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-22 17:58 98304]
"Lexmark X84-X85 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe" [2003-01-08 14:36 40960]
"Lexmark X84-X85 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe" [2002-09-04 10:36 53248]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-09-18 19:52 36864]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 15:49 1121280]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-16 20:06 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=C:\WINDOWS\pss\Extender Resource Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2004-12-13 16:30 58992 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-06-29 13:13 1032192 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 21:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-13 17:44 98304 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 11:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Manager]
--a------ 2002-09-04 10:36 53248 C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Monitor]
--a------ 2003-01-08 14:36 40960 C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 03:24 20480 C:\Program Files\NetWaiting\NetWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
--a------ 2005-12-07 17:05 1537696 C:\Program Files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-16 20:06]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-16 20:06]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-16 20:06]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-16 20:06]
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 18:55]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 22:38]
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 06:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 06:14:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\MARIBE~1\LOCALS~1\Temp\020c6efd-9d82-44e9-9b84-3a7327a162c5.tmp 0 bytes


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-05-19 6:21:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-19 10:20:44
ComboFix2.txt 2008-05-17 21:52:47

Pre-Run: 27,392,446,464 bytes free
Post-Run: 27,318,030,336 bytes free

208 --- E O F --- 2008-05-16 22:52:47

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Uninstall LimeWire via the Add/Remove Programs panel. I don't recommend using any file-sharing programs, as they may contribute to malware infections.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main, choose Select All.
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, click Opera at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\WINDOWS\system32\tb.dr
C:\WINDOWS\system32\interns32.dll
C:\WINDOWS\system32\es.dat
C:\Temp\MSAntiMalwareRepair.exe
C:\Temp\avg_free_stf_en_8_100a1295.exe
C:\WINDOWS\ACMonitor_X84-X85.ini
C:\DOCUME~1\MARIBE~1\LOCALS~1\Temp\020c6efd-9d82-44e9-9b84-3a7327a162c5.tmp
Folder::
C:\Documents and Settings\Mari Beth\!
C:\WINDOWS\TWFyaSBCZXRoIA
C:\Temp\kvebs14
C:\WINDOWS\system32\pnVes05

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.
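The File::/Folder:: list above picks out the entries in the ComboFix log that look planted rather than installed: two directories with hidden+system attributes (d--hs----), a directory under C:\WINDOWS whose name, TWFyaSBCZXRoIA, is the Base64 encoding of "Mari Beth " (the account name in the log), short random names such as kvebs14 and pnVes05 in Temp and system32, a 1-byte tb.dr in system32, and the two Security Center DisableNotify values set to 1. The script below is an added example, not part of the original thread and not ComboFix's own code; it runs those checks over a handful of lines copied from the first log. The rules, the DROP_ZONES list and the user parameter are this example's assumptions, not a published ruleset.

```python
"""Triage a ComboFix-style log excerpt for the tells a malware-removal helper
looks for. Added example: not ComboFix's code; the rules are assumptions."""
import base64
import binascii
import re

# Constructed sample: lines copied from the thread's first ComboFix log, plus the
# OneCare directory as a benign control that should produce no finding.
SAMPLE_LOG = r"""
2008-05-04 18:41 . 2008-05-04 18:41 1 --a------ C:\WINDOWS\system32\tb.dr
2008-05-04 18:40 . 2008-05-04 18:40 48,640 --a------ C:\WINDOWS\system32\interns32.dll
2008-05-03 12:26 . 2008-05-03 12:26 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-04-26 09:05 . 2008-05-17 06:32 <DIR> d--hs---- C:\Documents and Settings\Mari Beth\!
2008-04-26 09:04 . 2008-04-30 05:19 <DIR> d--hs---- C:\WINDOWS\TWFyaSBCZXRoIA
2008-04-26 09:04 . 2008-04-26 09:04 <DIR> d-------- C:\Temp\kvebs14
2008-04-26 09:03 . 2008-04-27 10:40 <DIR> d-------- C:\WINDOWS\system32\pnVes05
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

# "Files Created" entries: created . modified size-or-<DIR> nine-letter-flags path
# (the Find3M section uses a different layout and is deliberately not parsed here)
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')

# Assumed drop zones: places where a short, extension-less, letters-plus-digits
# name or a tiny marker file is more likely malware's than a user's.
DROP_ZONES = ("c:\\windows\\system32", "c:\\windows", "c:\\temp")


def base64_to_text(name):
    """Return the decoded text if `name` is Base64 of printable ASCII, else None.
    ComboFix prints the name without '=' padding, so padding is restored first."""
    if len(name) < 8 or len(name) % 4 == 1 or not re.fullmatch(r"[A-Za-z0-9+/]+", name):
        return None
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) >= 4 and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def triage_file_entry(size, attrs, path, user=None):
    """Return the reasons one file/directory entry deserves a look (empty if none)."""
    reasons = []
    parent, _, name = path.rpartition("\\")
    in_drop_zone = parent.lower() in DROP_ZONES
    if "h" in attrs and "s" in attrs:  # the h and s flag letters in ComboFix's attribute field
        reasons.append("hidden+system attributes set (normal only for a few OS folders)")
    decoded = base64_to_text(name)
    if decoded is not None:
        why = "name is Base64 of %r" % decoded
        if user and decoded.strip().lower() == user.lower():
            why += " (the logged-on user's name)"
        reasons.append(why)
    if in_drop_zone and re.fullmatch(r"(?=.*[a-z])(?=.*\d)[a-z\d]{5,8}", name, re.I):
        reasons.append("short mixed letter/digit name with no extension in a drop zone")
    if in_drop_zone and size != "<DIR>" and int(size.replace(",", "")) <= 4:
        reasons.append("%s-byte file in a drop zone (marker/flag file)" % size)
    if re.fullmatch(r"[^\w\s]+", name):
        reasons.append("name is punctuation only")
    return reasons


def triage(log_text, user=None):
    """Scan a log excerpt; return {path_or_registry_value: [reasons]} for flagged entries."""
    findings = {}
    current_key = ""
    for line in log_text.splitlines():
        line = line.strip()
        m = FILE_LINE.match(line)
        if m:
            reasons = triage_file_entry(m["size"], m["attrs"], m["path"], user)
            if reasons:
                findings[m["path"]] = reasons
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m["key"].lower()
            continue
        m = REG_DWORD.match(line)
        if m and current_key.endswith("security center") and m["name"].endswith("DisableNotify"):
            if int(m["value"], 16) == 1:
                findings[current_key + "\\" + m["name"]] = [
                    "Security Center warning suppressed; malware commonly sets this to 1"]
    return findings


if __name__ == "__main__":
    for item, reasons in triage(SAMPLE_LOG, user="Mari Beth").items():
        print(item)
        for reason in reasons:
            print("   -", reason)
```

Run as-is it prints the flagged items. Note what it does not catch: tb.dr only trips the tiny-file rule, and interns32.dll trips nothing, even though both went into the helper's File:: list. Name-based heuristics narrow the list; entries like those still need a lookup against a known-file database or a sample analysis before they are scripted for deletion.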

#7 Bucfive (Topic Starter, New Member, 5 posts)
Greyknight17,

Thanks again. I couldn't delete LimeWire from the Control Panel as recommended; I had to do a search and then delete the folder. Below is the ComboFix log:

ComboFix 08-05-19.4 - Mari Beth 2008-05-20 5:47:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1049 [GMT -4:00]
Running from: C:\Documents and Settings\Mari Beth\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mari Beth\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\DOCUME~1\MARIBE~1\LOCALS~1\Temp\020c6efd-9d82-44e9-9b84-3a7327a162c5.tmp
C:\Temp\avg_free_stf_en_8_100a1295.exe
C:\Temp\MSAntiMalwareRepair.exe
C:\WINDOWS\ACMonitor_X84-X85.ini
C:\WINDOWS\system32\es.dat
C:\WINDOWS\system32\interns32.dll
C:\WINDOWS\system32\tb.dr
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mari Beth\!
C:\Temp\avg_free_stf_en_8_100a1295.exe
C:\Temp\kvebs14
C:\Temp\kvebs14\zvKarru.log
C:\Temp\MSAntiMalwareRepair.exe
C:\WINDOWS\ACMonitor_X84-X85.ini
C:\WINDOWS\system32\es.dat
C:\WINDOWS\system32\interns32.dll
C:\WINDOWS\system32\pnVes05
C:\WINDOWS\system32\tb.dr
C:\WINDOWS\TWFyaSBCZXRoIA

.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\system32\LXBOUSCI.INI
2008-05-17 06:11 . 2008-05-17 06:15 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-16 20:09 . 2008-05-16 20:09 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-16 20:06 . 2008-05-20 05:27 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-16 20:06 . 2008-05-16 20:06 <DIR> d-------- C:\Program Files\AVG
2008-05-16 20:06 . 2008-05-16 20:06 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-16 20:06 . 2008-05-16 20:06 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-16 20:06 . 2008-05-16 20:06 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-16 19:35 . 2008-05-16 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-16 19:26 . 2008-05-16 19:26 <DIR> d-------- C:\Documents and Settings\Mari Beth\Application Data\AVGTOOLBAR
2008-05-16 19:03 . 2008-05-16 19:03 <DIR> d-------- C:\Documents and Settings\Mari Beth\Application Data\Uniblue
2008-05-16 18:46 . 2008-05-16 18:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-16 18:34 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-16 18:34 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-16 18:34 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-16 18:34 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-16 18:34 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-16 18:34 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-16 18:34 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-16 18:34 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-16 17:46 . 2008-05-16 17:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-16 17:46 . 2008-05-16 17:46 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-16 17:46 . 2008-05-16 17:46 <DIR> d-------- C:\Documents and Settings\Mari Beth\Application Data\Malwarebytes
2008-05-16 17:46 . 2008-05-16 17:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-16 17:46 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-16 17:46 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-11 21:01 . 2008-05-11 21:01 <DIR> d-------- C:\Program Files\Panda Security
2008-05-04 09:25 . 2008-05-16 18:34 2,802 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-03 12:26 . 2008-05-03 12:26 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-04-29 22:42 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-29 20:31 . 2008-04-29 22:50 <DIR> d-------- C:\Documents and Settings\Mari Beth\.housecall6.6
2008-04-27 11:23 . 2008-04-27 11:23 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-26 12:04 . 2008-05-20 05:48 20 --a------ C:\WINDOWS\ACMonitor_X84-X85.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 14:49 --------- d-----w C:\Program Files\Disney Interactive
2008-04-26 19:43 --------- d-----w C:\Program Files\Google
2008-04-26 16:04 --------- d-----w C:\Documents and Settings\Mari Beth\Application Data\LimeWire
2008-04-26 13:03 --------- d-----w C:\Program Files\Zune
2008-04-14 19:27 --------- d-----w C:\Program Files\Course 12, version 4
2008-04-14 19:27 --------- d-----w C:\Program Files\Course 12
2008-04-14 19:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2007-10-01 00:07 308 ----a-w C:\Documents and Settings\Mari Beth\Application Data\wklnhst.dat
2006-10-28 17:44 88 --sh--r C:\WINDOWS\system32\96814779B2.sys
2006-10-28 17:44 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_ 6.20.34.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 12:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 12:00:00 89,504 ----a-w C:\WINDOWS\fdsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 08:39 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 17:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 17:45 118784]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 13:48 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-22 17:58 98304]
"Lexmark X84-X85 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe" [2003-01-08 14:36 40960]
"Lexmark X84-X85 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe" [2002-09-04 10:36 53248]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-09-18 19:52 36864]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 15:49 1121280]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-16 20:06 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=C:\WINDOWS\pss\Extender Resource Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2004-12-13 16:30 58992 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-06-29 13:13 1032192 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 21:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-13 17:44 98304 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 11:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Manager]
--a------ 2002-09-04 10:36 53248 C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Monitor]
--a------ 2003-01-08 14:36 40960 C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 03:24 20480 C:\Program Files\NetWaiting\NetWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
--a------ 2005-12-07 17:05 1537696 C:\Program Files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-16 20:06]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-16 20:06]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-16 20:06]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-16 20:06]
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 18:55]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 22:38]
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 06:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 05:48:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-20 5:49:33
ComboFix-quarantined-files.txt 2008-05-20 09:49:21
ComboFix2.txt 2008-05-19 10:21:48

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\WINDOWS\system32\blackster.scr
Folder::
C:\Documents and Settings\Mari Beth\Application Data\LimeWire

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.

How is the computer running so far?

#9 Bucfive (Topic Starter, New Member, 5 posts)
The pop-ups are completely gone and the computer is running as if the infections are cleared. Not sure how the computer got infected in the first place, but it is running great now. This is just in time too; I leave for a 3-month deployment this Saturday. My wife will be happy her computer is fixed. Thanks



ComboFix 08-05-19.4 - Mari Beth 2008-05-21 6:59:09.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1064 [GMT -4:00]
Running from: C:\Documents and Settings\Mari Beth\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mari Beth\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\blackster.scr
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Mari Beth\Application Data\LimeWire
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\.NetworkShare\LimeWireWin4.16.6.exe
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\412splashfree.png
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\createtimes.cache
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\data.ser
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\fileurns.bak
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\fileurns.cache
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\filters.props
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\gnutella.net
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\installation.props
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\library.dat
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\limewire.props
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\pub1.key
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\public.key
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\questions.props
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\responses.cache
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\secureMessage.key
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\simpp.xml
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\spam.dat
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\tables.props
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme.lwtp
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\01_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\02_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\03_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\04_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\05_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\chat.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\dir_closed.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\dir_open.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\forward_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\forward_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\kill.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\kill_on.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\lime.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\logo.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\notsearching.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\pause_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\pause_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\play_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\play_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\question.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\rewind_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\rewind_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\searching.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\splash.png
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\splashpro.png
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\stop_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\stop_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\theme.txt
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\black_theme\warning.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme.lwtp
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\01_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\02_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\03_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\04_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\05_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\chat.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\dir_closed.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\dir_open.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\forward_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\forward_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\kill.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\logo.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\notsearching.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\pause_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\pause_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\play_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\play_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\question.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\rewind_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\rewind_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\search.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\searching.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\splash.png
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\splashpro.png
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\stop_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\stop_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\theme.txt
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\classic_theme\warning.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme.lwtp
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\01_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\02_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\03_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\04_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\05_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\chat.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\dir_closed.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\dir_open.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\forward_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\forward_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\kill.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\kill_on.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\lime.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\logo.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\notsearching.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\pause_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\pause_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\play_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\play_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\question.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\rewind_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\rewind_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\searching.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\splash.png
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\splashpro.png
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\stop_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\stop_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\theme.txt
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\limewire_theme\warning.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme.lwtp
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\01_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\02_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\03_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\04_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\05_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\chat.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\forward_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\forward_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\kill.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\kill_on.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\logo.png
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\notsearching.png
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\pause_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\pause_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\play_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\play_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\question.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\rewind_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\rewind_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\searching.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\splash.png
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\splashpro.png
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\stop_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\stop_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\theme.txt
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\other_theme\warning.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme.lwtp
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\01_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\02_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\03_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\04_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\05_star.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\chat.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\forward_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\kill.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\kill_on.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\logo.png
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\notsearching.png
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\pause_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\play_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\play_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\question.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\searching.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\splash.png
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\splashpro.png
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\stop_up.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\theme.txt
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\themes\windows_theme\warning.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\ttree.cache
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\update.xml
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\version.key
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\version.xml
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\xml\data\delete_me
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\xml\misc\application.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\xml\misc\audio.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\xml\misc\document.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\xml\misc\image.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\xml\misc\video.gif
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\xml\schemas\application.xsd
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\xml\schemas\audio.xsd
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\xml\schemas\document.xsd
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\xml\schemas\image.xsd
C:\Documents and Settings\Mari Beth\Application Data\LimeWire\xml\schemas\video.xsd
C:\WINDOWS\system32\blackster.scr

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\system32\LXBOUSCI.INI
2008-05-17 06:11 . 2008-05-17 06:15 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-16 20:06 . 2008-05-20 05:27 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-16 20:06 . 2008-05-16 20:06 <DIR> d-------- C:\Program Files\AVG
2008-05-16 20:06 . 2008-05-16 20:06 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-16 20:06 . 2008-05-16 20:06 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-16 20:06 . 2008-05-16 20:06 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-16 19:35 . 2008-05-16 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-16 19:26 . 2008-05-16 19:26 <DIR> d-------- C:\Documents and Settings\Mari Beth\Application Data\AVGTOOLBAR
2008-05-16 19:03 . 2008-05-16 19:03 <DIR> d-------- C:\Documents and Settings\Mari Beth\Application Data\Uniblue
2008-05-16 18:46 . 2008-05-16 18:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-16 18:34 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-16 18:34 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-16 18:34 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-16 18:34 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-16 18:34 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-16 18:34 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-16 18:34 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-16 18:34 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-16 17:46 . 2008-05-16 17:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-16 17:46 . 2008-05-16 17:46 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-16 17:46 . 2008-05-16 17:46 <DIR> d-------- C:\Documents and Settings\Mari Beth\Application Data\Malwarebytes
2008-05-16 17:46 . 2008-05-16 17:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-16 17:46 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-16 17:46 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-11 21:01 . 2008-05-11 21:01 <DIR> d-------- C:\Program Files\Panda Security
2008-05-04 09:25 . 2008-05-16 18:34 2,802 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-03 12:26 . 2008-05-03 12:26 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-04-29 22:42 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-29 20:31 . 2008-04-29 22:50 <DIR> d-------- C:\Documents and Settings\Mari Beth\.housecall6.6
2008-04-27 11:23 . 2008-04-27 11:23 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-26 12:04 . 2008-05-21 07:00 20 --a------ C:\WINDOWS\ACMonitor_X84-X85.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 14:49 --------- d-----w C:\Program Files\Disney Interactive
2008-04-26 19:43 --------- d-----w C:\Program Files\Google
2008-04-26 13:03 --------- d-----w C:\Program Files\Zune
2008-04-14 19:27 --------- d-----w C:\Program Files\Course 12, version 4
2008-04-14 19:27 --------- d-----w C:\Program Files\Course 12
2008-04-14 19:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-01 00:07 308 ----a-w C:\Documents and Settings\Mari Beth\Application Data\wklnhst.dat
2006-10-28 17:44 88 --sh--r C:\WINDOWS\system32\96814779B2.sys
2006-10-28 17:44 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_ 6.20.34.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-19 10:13:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 10:52:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2000-08-31 12:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 12:00:00 89,504 ----a-w C:\WINDOWS\fdsv.exe
+ 2008-05-21 10:55:13 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_238.dat
+ 2008-05-21 10:55:03 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_cc4.dat
+ 2008-05-21 10:55:10 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_de0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 08:39 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 17:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 17:45 118784]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 13:48 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-22 17:58 98304]
"Lexmark X84-X85 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe" [2003-01-08 14:36 40960]
"Lexmark X84-X85 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe" [2002-09-04 10:36 53248]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-09-18 19:52 36864]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 15:49 1121280]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-16 20:06 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=C:\WINDOWS\pss\Extender Resource Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2004-12-13 16:30 58992 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-06-29 13:13 1032192 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 21:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-13 17:44 98304 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 11:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Manager]
--a------ 2002-09-04 10:36 53248 C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Monitor]
--a------ 2003-01-08 14:36 40960 C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 03:24 20480 C:\Program Files\NetWaiting\NetWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
--a------ 2005-12-07 17:05 1537696 C:\Program Files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-16 20:06]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-16 20:06]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-16 20:06]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-16 20:06]
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 18:55]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 22:38]
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 06:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 07:00:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-21 7:01:12
ComboFix-quarantined-files.txt 2008-05-21 11:01:07
ComboFix2.txt 2008-05-20 09:49:34
ComboFix3.txt 2008-05-19 10:21:48
ComboFix4.txt 2008-05-17 21:52:47

Pre-Run: 27,270,639,616 bytes free
Post-Run: 27,260,256,256 bytes free

362 --- E O F --- 2008-05-16 22:52:47

#10
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
It could be due to many reasons. File sharing programs like Limewire can also help contribute to these issues as you are never sure who you are downloading from and you could very well have gotten the infection there.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#11
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.