Zlob.trojan plus smitfraud [RESOLVED]



#16
johnny boy

johnny boy

    Member

  • Topic Starter
  • Member
  • 142 posts
SmitFraudFix v2.323

Scan done at 22:19:06.96, Wed 06/04/2008
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\dlcxcoms.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\notepad.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Matthew


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Matthew\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Matthew\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="avgrsstx.dll"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Linksys Wireless-G PCI Adapter
DNS Server Search Order: 24.154.1.35
DNS Server Search Order: 24.154.1.37

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F8C4A141-456D-47D8-B93F-3318919A92F0}: DhcpNameServer=24.154.1.35 24.154.1.37
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F8C4A141-456D-47D8-B93F-3318919A92F0}: DhcpNameServer=24.154.1.35 24.154.1.37
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F8C4A141-456D-47D8-B93F-3318919A92F0}: DhcpNameServer=24.154.1.35 24.154.1.37
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.154.1.35 24.154.1.37
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.154.1.35 24.154.1.37
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.154.1.35 24.154.1.37


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0


#17
johnny boy

johnny boy

    Member

  • Topic Starter
  • Member
  • 142 posts
Explorer killed successfully
File/Folder C:\Program Files\NetProject not found.
File/Folder G:\Autorun.exe not found.
File/Folder H:\LaunchU3.exe not found.
File move failed. E:\Setup.exe scheduled to be moved on reboot.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52daf334-26d6-11dd-86d7-0019d1405841} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52daf334-26d6-11dd-86d7-0019d1405841}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c04fd80-2cfe-11dd-bba4-001839142802} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c04fd80-2cfe-11dd-bba4-001839142802}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb233278-26e1-11dd-ad00-806e6f6e6963} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb233278-26e1-11dd-ad00-806e6f6e6963}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\\SpybotDeletingB3738 >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\\SpybotDeletingB3738 deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\\SpybotDeletingD983 >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\\SpybotDeletingD983 deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{51D81DD5-55B7-497F-95DB-D356429BB54E} >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{51D81DD5-55B7-497F-95DB-D356429BB54E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51D81DD5-55B7-497F-95DB-D356429BB54E}\ not found.
< HKEY_CLASSES_ROOT\CLSID\{51D81DD5-55B7-497F-95DB-D356429BB54E} >
Registry key HKEY_CLASSES_ROOT\CLSID\{51D81DD5-55B7-497F-95DB-D356429BB54E}\\ not found.
< EmptyTemp >
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06042008_220915

Files moved on Reboot...
File move failed. E:\Setup.exe scheduled to be moved on reboot.

DSS log coming ASAP. Thanks for the help!
  • 0

#18
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
OK, waiting for your DSS log.
  • 0

#19
johnny boy

johnny boy

    Member

  • Topic Starter
  • Member
  • 142 posts
Deckard's System Scanner v20071014.68
Run by Matthew on 2008-06-05 07:47:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Matthew.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:48:02, on 6/5/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Matthew\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Matthew.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RestartNeroSetup] "C:\Users\Matthew\AppData\Local\Temp\OnlineUpdate8\SetupXu.exe" MODE="update" STARTMODE="2" USERSEL="3" FAMILYNAME="Nero 8" RUNSETUPXU="1" UPGRADE="1"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,[email protected]
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3738] command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD983] cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6216 bytes

-- Files created between 2008-05-05 and 2008-06-05 -----------------------------

2008-05-31 12:13:26 0 d-------- C:\Users\All Users\Malwarebytes
2008-05-31 12:13:25 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-30 21:49:51 1409 --a------ C:\Windows\mozver.dat
2008-05-29 10:13:33 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-05-29 06:56:30 0 d-------- C:\Users\All Users\FLEXnet
2008-05-28 19:01:51 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-05-28 19:00:10 0 d-------- C:\Program Files\Trend Micro
2008-05-28 18:25:36 0 d-------- C:\VundoFix Backups
2008-05-28 18:19:43 2710 --a------ C:\Windows\system32\tmp.reg
2008-05-28 18:16:43 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-05-28 18:16:43 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-28 18:16:43 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-28 18:16:43 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-28 18:16:43 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-28 18:16:43 82944 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-28 18:16:43 51200 --a------ C:\Windows\system32\dumphive.exe
2008-05-28 18:16:43 82944 --a------ C:\Windows\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-28 09:06:16 0 d--h----- C:\$AVG8.VAULT$
2008-05-28 08:29:07 0 d-------- C:\Windows\system32\drivers\Avg
2008-05-28 08:29:04 0 d-------- C:\Users\All Users\avg8
2008-05-28 08:29:04 0 d-------- C:\Program Files\AVG
2008-05-28 08:20:59 0 d-------- C:\Program Files\Enigma Software Group
2008-05-28 07:56:53 0 d-------- C:\Windows\Content.IE5
2008-05-27 23:35:32 0 d-------- C:\Users\All Users\Lavasoft
2008-05-27 23:35:32 0 d-------- C:\Program Files\Lavasoft
2008-05-27 23:35:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 23:30:39 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-26 23:29:58 0 d-------- C:\Users\All Users\Xfire
2008-05-26 23:29:58 0 d-------- C:\Program Files\Xfire
2008-05-26 22:13:09 0 d-------- C:\Program Files\Logitech
2008-05-26 14:00:06 0 d-------- C:\Program Files\Dl_cats
2008-05-26 13:59:26 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-05-26 13:59:21 0 d-------- C:\Program Files\Dell
2008-05-26 13:58:45 45056 --a------ C:\Windows\system32\DLPRMON.DLL <Not Verified; ; Dell Fax Solutions Software>
2008-05-26 13:58:45 32768 --a------ C:\Windows\system32\DLPMONUI.DLL <Not Verified; ; Dell Fax Solutions Software>
2008-05-26 13:58:25 98345 --a------ C:\Windows\system32\IMHOST32.DLL <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
2008-05-26 13:58:25 339968 --a------ C:\Windows\system32\IMGMAN32.DLL <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
2008-05-26 13:58:24 0 d-------- C:\Users\All Users\DellFaxCtr
2008-05-26 13:58:20 0 d-------- C:\Program Files\Dell PC Fax
2008-05-26 13:58:16 274432 --a------ C:\Windows\system32\dlcxinst.dll
2008-05-26 13:58:16 323584 --a------ C:\Windows\system32\dlcxhcp.dll <Not Verified; ; Printer Communication System>
2008-05-26 13:58:16 0 d-------- C:\Program Files\Dell Photo AIO Printer 926
2008-05-25 21:34:13 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-25 18:10:47 0 d-------- C:\Users\All Users\Steam
2008-05-25 18:10:32 0 d-------- C:\Users\All Users\PopCap Games
2008-05-25 17:30:07 0 d-------- C:\Program Files\Nvidia Omega Drivers
2008-05-25 17:20:27 0 d-------- C:\Program Files\DIFX
2008-05-25 03:00:27 0 d-------- C:\Program Files\MSXML 4.0
2008-05-23 20:43:40 0 d-------- C:\Ubuntu
2008-05-23 20:20:53 0 d-------- C:\Users\All Users\Nero
2008-05-23 20:20:53 0 d-------- C:\Program Files\Nero
2008-05-23 20:20:53 0 d-------- C:\Program Files\Common Files\Nero
2008-05-22 23:08:35 0 d-------- C:\Program Files\CodeGazer
2008-05-22 22:38:01 0 --a------ C:\Windows\nsreg.dat
2008-05-22 18:29:40 0 d-------- C:\Windows\nvidia icons
2008-05-21 18:42:53 0 d-------- C:\Program Files\Bonjour
2008-05-21 18:42:22 0 d-------- C:\Program Files\Emergent Music LLC
2008-05-21 18:41:37 0 d-------- C:\Program Files\Ruckus Player
2008-05-21 18:28:41 0 d-------- C:\Program Files\uTorrent
2008-05-20 23:58:55 0 d-------- C:\Windows\Panther
2008-05-20 23:58:13 0 d-------- C:\Windows\system32\OEM
2008-05-20 23:58:13 34 -rah----- C:\Windows\DELL_VERSION
2008-05-20 23:04:14 0 d-------- C:\Windows\SoftwareDistribution
2008-05-20 23:03:01 0 d-------- C:\Windows\Debug
2008-05-20 22:59:48 0 d-------- C:\Windows\Prefetch
2008-05-20 22:29:43 0 d-------- C:\Windows\system32\Macromed
2008-05-20 22:20:07 0 d-------- C:\Program Files\Common Files\Steam
2008-05-20 22:20:06 0 d-------- C:\Program Files\Steam
2008-05-20 22:07:58 0 d-------- C:\Users\All Users\NVIDIA
2008-05-20 21:48:14 1726 --a------ C:\Windows\ndinst.exe
2008-05-20 21:48:14 0 -rahs---- C:\MSDOS.SYS
2008-05-20 21:48:14 0 -rahs---- C:\IO.SYS
2008-05-20 21:33:14 15781 --a------ C:\Windows\system32\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
2008-05-20 21:33:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-20 21:32:57 0 d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-05-20 21:08:41 0 d-------- C:\Users\All Users\Adobe
2008-05-20 20:53:36 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-20 20:52:58 0 d--hs---- C:\Windows\Installer
2008-05-20 20:52:58 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-20 20:31:14 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-20 20:14:46 0 dr------- C:\Users\Matthew\Searches
2008-05-20 20:14:38 0 dr------- C:\Users\Matthew\Contacts
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Templates
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Start Menu
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\SendTo
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Recent
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\PrintHood
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\NetHood
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\My Documents
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Local Settings
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Cookies
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Application Data
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Videos
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Saved Games
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Pictures
2008-05-20 20:14:33 2621440 --ahs---- C:\Users\Matthew\NTUSER.DAT
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Music
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Links
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Favorites
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Downloads
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Documents
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Desktop
2008-05-20 20:14:33 0 d--h----- C:\Users\Matthew\AppData
2008-05-18 23:17:36 0 d-------- C:\NVIDIA


-- Find3M Report ---------------------------------------------------------------

2008-05-31 12:13:33 0 d-------- C:\Users\Matthew\AppData\Roaming\Malwarebytes
2008-05-28 18:20:19 35 --a------ C:\Users\Matthew\AppData\Roaming\SetValue.bat
2008-05-28 18:20:19 691 --a------ C:\Users\Matthew\AppData\Roaming\GetValue.vbs
2008-05-28 00:17:21 0 d-------- C:\Users\Matthew\AppData\Roaming\DellFaxCtr
2008-05-27 23:35:01 0 d-------- C:\Program Files\Common Files
2008-05-27 23:22:09 0 d-------- C:\Users\Matthew\AppData\Roaming\Xfire
2008-05-25 23:47:59 0 d-------- C:\Users\Matthew\AppData\Roaming\Adobe
2008-05-25 21:50:38 174 --ahs---- C:\Program Files\desktop.ini
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Sidebar
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Photo Gallery
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Mail
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Collaboration
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Calendar
2008-05-25 21:45:05 0 d-------- C:\Program Files\Movie Maker
2008-05-25 21:45:02 0 d-------- C:\Program Files\Windows Defender
2008-05-25 19:46:53 0 d-------- C:\Users\Matthew\AppData\Roaming\uTorrent
2008-05-23 20:21:55 0 d-------- C:\Users\Matthew\AppData\Roaming\Nero
2008-05-22 22:37:59 0 d-------- C:\Users\Matthew\AppData\Roaming\Mozilla
2008-05-21 19:22:12 0 d-------- C:\Users\Matthew\AppData\Roaming\goombah
2008-05-21 18:43:56 0 d-------- C:\Users\Matthew\AppData\Roaming\Ruckus Network
2008-05-20 22:29:44 0 d-------- C:\Users\Matthew\AppData\Roaming\Macromedia
2008-05-20 21:09:08 0 d-------- C:\Users\Matthew\AppData\Roaming\AdobeUM
2008-05-20 20:14:39 0 d-------- C:\Users\Matthew\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/18/2008 23:38]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"RestartNeroSetup"="C:\Users\Matthew\AppData\Local\Temp\OnlineUpdate8\SetupXu.exe" []
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [05/02/2008 22:46]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [05/02/2008 22:46]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [11/03/2006 18:09]
"dlcxmon.exe"="C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe" [01/12/2007 12:57]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 926\memcard.exe" [11/03/2006 18:04]
"DLCXCATS"="C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [10/16/2006 01:31]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/28/2008 08:29]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [02/05/2007 19:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" []
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [05/26/2008 22:13]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/18/2008 23:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB3738"=command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
"SpybotDeletingD983"=cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [5/26/2008 22:13:17]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-05 07:49:29 ------------

Thanks! :)
  • 0

#20
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello, thanks for the reply... Urrgghhh... That's an extremely stubborn entry.

Please download Dr.Web CureIt to the Desktop. Don't run it yet. Please restart your computer into Safe Mode, then run the following in Safe Mode. If you do not know how to get into Safe Mode, please follow the link below:

http://www.pchell.co.../safemode.shtml



In Safe Mode, please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O3 - Toolbar: (no name) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKCU\..\RunOnce: [SpybotDeletingB3738] command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD983] cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.



NEXT


  • In Safe Mode, please double-click the drweb-cureit.exe file and allow the express scan to run.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan. This time, choose Complete Scan.
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all.
  • Click on Cure and choose Move incurable.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your Desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.


Please include a fresh DSS log in your next reply...

Edited by fenzodahl512, 05 June 2008 - 06:59 AM.

  • 0
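As an added example (not part of the thread, and not code from HijackThis, DSS or Dr.Web), a small Python triage script that applies the same reading of the log that the helper does above: it parses HJT R0/R1, O3 and O4 lines, flags IE search/start-page settings that point at a non-default host, orphaned toolbar CLSIDs with "(no file)", and RunOnce entries, and then compares two logs to list the flagged entries that reappear, which is exactly what happened here after the Safe Mode fix. The sample lines are copied from the two HJT logs posted in this thread; the `ALLOWED_HOSTS` list of default search hosts is this script's own assumption.

```python
"""Triage HijackThis (HJT) log lines for the IE search-hijack pattern in this thread.

Added example: not code from the thread, HijackThis, DSS or Dr.Web. Sample lines
are copied from the two HJT logs posted above; ALLOWED_HOSTS is this script's
own assumption about what a default IE search/start page looks like.
"""
import re
from urllib.parse import urlparse

# Hosts treated as legitimate IE defaults (assumption; extend for your environment).
ALLOWED_HOSTS = {"www.microsoft.com", "go.microsoft.com", "search.msn.com",
                 "www.msn.com", "search.live.com"}
# R0/R1 value names that control where IE searches or starts.
SEARCH_KEYS = {"SearchURL", "Default_Search_URL", "Search Bar", "Search Page",
               "Start Page", "SearchAssistant"}

R_LINE = re.compile(r"^(?P<code>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = ?(?P<value>.*)$")
O3_LINE = re.compile(r"^O3 - Toolbar: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<run>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Subset of the first posted HJT log (before the Safe Mode fix).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: (no name) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKCU\..\RunOnce: [SpybotDeletingB3738] command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
"""

# Subset of the second posted HJT log (after the Safe Mode fix and reboot).
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: (no name) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
"""


def is_hijacked_url(value: str) -> bool:
    """True when a search/start-page value points anywhere but a known default."""
    if value == "" or value.lower().startswith("about:"):
        return False
    host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    return host.lower() not in ALLOWED_HOSTS


def triage(log_text: str) -> list:
    """Return (severity, explanation, original_line) findings for one HJT log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            name, value = m["name"].strip(), m["value"].strip()
            if name in SEARCH_KEYS and is_hijacked_url(value):
                findings.append(("high", f"IE {name} redirected to {value}", line))
            continue
        m = O3_LINE.match(line)
        if m and m["file"].strip() == "(no file)":
            # A toolbar CLSID with no backing file: leftover registration of removed malware.
            findings.append(("low", f"orphaned toolbar CLSID {m['clsid']}", line))
            continue
        m = O4_LINE.match(line)
        if m and m["run"] == "RunOnce":
            # RunOnce executes once at next logon and then deletes itself; review the command.
            findings.append(("medium", f"RunOnce [{m['name']}] executes: {m['cmd']}", line))
    return findings


def recurring(before: str, after: str) -> list:
    """Flagged lines present in both logs: candidates for a persistence mechanism
    (in this thread the R1 entries returned after being fixed in Safe Mode)."""
    seen = {line for _, _, line in triage(before)}
    return [line for _, _, line in triage(after) if line in seen]


if __name__ == "__main__":
    for sev, why, line in triage(LOG_BEFORE):
        print(f"[{sev:6}] {why}")
    print("reappearing after fix:", len(recurring(LOG_BEFORE, LOG_AFTER)))
```

Entries that survive `recurring()` are the ones worth hunting for a re-infection vector (a scheduled task, service or startup item that rewrites them) rather than fixing again in HijackThis.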

#21
johnny boy

johnny boy

    Member

  • Topic Starter
  • Member
  • 142 posts
Okay... did everything, restarted in normal mode, and before I ran DSS, I did a HJT scan just for the heck of it, and the entries were not there. However, as soon as I ran DSS... my Spybot TeaTimer showed them all coming back... so I checked HJT again... and there they were.

Here's DSS...

Deckard's System Scanner v20071014.68
Run by Matthew on 2008-06-06 18:41:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Matthew.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:41:36, on 6/6/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Users\Matthew\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Matthew.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RestartNeroSetup] "C:\Users\Matthew\AppData\Local\Temp\OnlineUpdate8\SetupXu.exe" MODE="update" STARTMODE="2" USERSEL="3" FAMILYNAME="Nero 8" RUNSETUPXU="1" UPGRADE="1"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,[email protected]
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3738] command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD983] cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6273 bytes

-- Files created between 2008-05-06 and 2008-06-06 -----------------------------

2008-06-05 18:25:31 0 d-------- C:\Users\Matthew\DoctorWeb
2008-05-31 12:13:26 0 d-------- C:\Users\All Users\Malwarebytes
2008-05-31 12:13:25 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-30 21:49:51 1409 --a------ C:\Windows\mozver.dat
2008-05-29 10:13:33 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-05-29 06:56:30 0 d-------- C:\Users\All Users\FLEXnet
2008-05-28 19:01:51 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-05-28 19:00:10 0 d-------- C:\Program Files\Trend Micro
2008-05-28 18:25:36 0 d-------- C:\VundoFix Backups
2008-05-28 18:19:43 2710 --a------ C:\Windows\system32\tmp.reg
2008-05-28 18:16:43 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-05-28 18:16:43 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-28 18:16:43 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-28 18:16:43 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-28 18:16:43 51200 --a------ C:\Windows\system32\dumphive.exe
2008-05-28 09:06:16 0 d--h----- C:\$AVG8.VAULT$
2008-05-28 08:29:07 0 d-------- C:\Windows\system32\drivers\Avg
2008-05-28 08:29:04 0 d-------- C:\Users\All Users\avg8
2008-05-28 08:29:04 0 d-------- C:\Program Files\AVG
2008-05-28 08:20:59 0 d-------- C:\Program Files\Enigma Software Group
2008-05-28 07:56:53 0 d-------- C:\Windows\Content.IE5
2008-05-27 23:35:32 0 d-------- C:\Users\All Users\Lavasoft
2008-05-27 23:35:32 0 d-------- C:\Program Files\Lavasoft
2008-05-27 23:35:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 23:30:39 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-26 23:29:58 0 d-------- C:\Users\All Users\Xfire
2008-05-26 23:29:58 0 d-------- C:\Program Files\Xfire
2008-05-26 22:13:09 0 d-------- C:\Program Files\Logitech
2008-05-26 14:00:06 0 d-------- C:\Program Files\Dl_cats
2008-05-26 13:59:26 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-05-26 13:59:21 0 d-------- C:\Program Files\Dell
2008-05-26 13:58:45 45056 --a------ C:\Windows\system32\DLPRMON.DLL <Not Verified; ; Dell Fax Solutions Software>
2008-05-26 13:58:45 32768 --a------ C:\Windows\system32\DLPMONUI.DLL <Not Verified; ; Dell Fax Solutions Software>
2008-05-26 13:58:25 98345 --a------ C:\Windows\system32\IMHOST32.DLL <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
2008-05-26 13:58:25 339968 --a------ C:\Windows\system32\IMGMAN32.DLL <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
2008-05-26 13:58:24 0 d-------- C:\Users\All Users\DellFaxCtr
2008-05-26 13:58:20 0 d-------- C:\Program Files\Dell PC Fax
2008-05-26 13:58:16 274432 --a------ C:\Windows\system32\dlcxinst.dll
2008-05-26 13:58:16 323584 --a------ C:\Windows\system32\dlcxhcp.dll <Not Verified; ; Printer Communication System>
2008-05-26 13:58:16 0 d-------- C:\Program Files\Dell Photo AIO Printer 926
2008-05-25 21:34:13 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-25 18:10:47 0 d-------- C:\Users\All Users\Steam
2008-05-25 18:10:32 0 d-------- C:\Users\All Users\PopCap Games
2008-05-25 17:30:07 0 d-------- C:\Program Files\Nvidia Omega Drivers
2008-05-25 17:20:27 0 d-------- C:\Program Files\DIFX
2008-05-25 03:00:27 0 d-------- C:\Program Files\MSXML 4.0
2008-05-23 20:43:40 0 d-------- C:\Ubuntu
2008-05-23 20:20:53 0 d-------- C:\Users\All Users\Nero
2008-05-23 20:20:53 0 d-------- C:\Program Files\Nero
2008-05-23 20:20:53 0 d-------- C:\Program Files\Common Files\Nero
2008-05-22 23:08:35 0 d-------- C:\Program Files\CodeGazer
2008-05-22 22:38:01 0 --a------ C:\Windows\nsreg.dat
2008-05-22 18:29:40 0 d-------- C:\Windows\nvidia icons
2008-05-21 18:42:53 0 d-------- C:\Program Files\Bonjour
2008-05-21 18:42:22 0 d-------- C:\Program Files\Emergent Music LLC
2008-05-21 18:41:37 0 d-------- C:\Program Files\Ruckus Player
2008-05-21 18:28:41 0 d-------- C:\Program Files\uTorrent
2008-05-20 23:58:55 0 d-------- C:\Windows\Panther
2008-05-20 23:58:13 0 d-------- C:\Windows\system32\OEM
2008-05-20 23:58:13 34 -rah----- C:\Windows\DELL_VERSION
2008-05-20 23:04:14 0 d-------- C:\Windows\SoftwareDistribution
2008-05-20 23:03:01 0 d-------- C:\Windows\Debug
2008-05-20 22:59:48 0 d-------- C:\Windows\Prefetch
2008-05-20 22:29:43 0 d-------- C:\Windows\system32\Macromed
2008-05-20 22:20:07 0 d-------- C:\Program Files\Common Files\Steam
2008-05-20 22:20:06 0 d-------- C:\Program Files\Steam
2008-05-20 22:07:58 0 d-------- C:\Users\All Users\NVIDIA
2008-05-20 21:48:14 1726 --a------ C:\Windows\ndinst.exe
2008-05-20 21:48:14 0 -rahs---- C:\MSDOS.SYS
2008-05-20 21:48:14 0 -rahs---- C:\IO.SYS
2008-05-20 21:33:14 15781 --a------ C:\Windows\system32\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
2008-05-20 21:33:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-20 21:32:57 0 d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-05-20 21:08:41 0 d-------- C:\Users\All Users\Adobe
2008-05-20 20:53:36 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-20 20:52:58 0 d--hs---- C:\Windows\Installer
2008-05-20 20:52:58 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-20 20:31:14 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-20 20:14:46 0 dr------- C:\Users\Matthew\Searches
2008-05-20 20:14:38 0 dr------- C:\Users\Matthew\Contacts
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Templates
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Start Menu
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\SendTo
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Recent
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\PrintHood
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\NetHood
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\My Documents
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Local Settings
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Cookies
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Application Data
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Videos
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Saved Games
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Pictures
2008-05-20 20:14:33 2621440 --ahs---- C:\Users\Matthew\NTUSER.DAT
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Music
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Links
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Favorites
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Downloads
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Documents
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Desktop
2008-05-20 20:14:33 0 d--h----- C:\Users\Matthew\AppData
2008-05-18 23:17:36 0 d-------- C:\NVIDIA


-- Find3M Report ---------------------------------------------------------------

2008-05-31 12:13:33 0 d-------- C:\Users\Matthew\AppData\Roaming\Malwarebytes
2008-05-28 18:20:19 35 --a------ C:\Users\Matthew\AppData\Roaming\SetValue.bat
2008-05-28 18:20:19 691 --a------ C:\Users\Matthew\AppData\Roaming\GetValue.vbs
2008-05-28 00:17:21 0 d-------- C:\Users\Matthew\AppData\Roaming\DellFaxCtr
2008-05-27 23:35:01 0 d-------- C:\Program Files\Common Files
2008-05-27 23:22:09 0 d-------- C:\Users\Matthew\AppData\Roaming\Xfire
2008-05-25 23:47:59 0 d-------- C:\Users\Matthew\AppData\Roaming\Adobe
2008-05-25 21:50:38 174 --ahs---- C:\Program Files\desktop.ini
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Sidebar
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Photo Gallery
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Mail
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Collaboration
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Calendar
2008-05-25 21:45:05 0 d-------- C:\Program Files\Movie Maker
2008-05-25 21:45:02 0 d-------- C:\Program Files\Windows Defender
2008-05-25 19:46:53 0 d-------- C:\Users\Matthew\AppData\Roaming\uTorrent
2008-05-23 20:21:55 0 d-------- C:\Users\Matthew\AppData\Roaming\Nero
2008-05-22 22:37:59 0 d-------- C:\Users\Matthew\AppData\Roaming\Mozilla
2008-05-21 19:22:12 0 d-------- C:\Users\Matthew\AppData\Roaming\goombah
2008-05-21 18:43:56 0 d-------- C:\Users\Matthew\AppData\Roaming\Ruckus Network
2008-05-20 22:29:44 0 d-------- C:\Users\Matthew\AppData\Roaming\Macromedia
2008-05-20 21:09:08 0 d-------- C:\Users\Matthew\AppData\Roaming\AdobeUM
2008-05-20 20:14:39 0 d-------- C:\Users\Matthew\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/18/2008 23:38]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"RestartNeroSetup"="C:\Users\Matthew\AppData\Local\Temp\OnlineUpdate8\SetupXu.exe" []
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [05/02/2008 22:46]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [05/02/2008 22:46]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [11/03/2006 18:09]
"dlcxmon.exe"="C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe" [01/12/2007 12:57]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 926\memcard.exe" [11/03/2006 18:04]
"DLCXCATS"="C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [10/16/2006 01:31]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/28/2008 08:29]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [02/05/2007 19:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" []
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [05/26/2008 22:13]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/18/2008 23:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB3738"=command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
"SpybotDeletingD983"=cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [5/26/2008 22:13:17]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

Edited by johnny boy, 06 June 2008 - 04:43 PM.


#22 fenzodahl512 (Malware Removal, 9,863 posts)
OK, let's do the following instead. Firstly, please disable your Spybot TeaTimer prior to our fix. Delete all Spybot quarantine files, if any.


The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.

For detailed instruction on how to back-up registry via ERUNT, please visit HERE




NEXT


Please copy and paste the following into a Notepad

REGEDIT4

; "Name"=- deletes a single value; [-Key] deletes a whole key.
; Remove the hijacked IE search settings under the current user
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"SearchURL"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"=-
"Search Bar"=-
"Search Page"=-
"Start Page"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"=-

; Remove the orphaned toolbar registration (O3 entry, "no file")
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"=-

[-HKEY_CLASSES_ROOT\CLSID\{51D81DD5-55B7-497F-95DB-D356429BB54E}]

; Remove Spybot's leftover RunOnce delete commands
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB3738"=-
"SpybotDeletingD983"=-

Save it to your desktop as Fix.reg, and in Save as type: choose All Files.

A new registry file will then be created on your desktop.

Just double-click the file and choose Yes at the prompt.

If you are not sure how to make a registry file, please visit HERE for the tutorial.




NEXT


Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\\SearchURL
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Default_Search_URL
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Search Bar
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Search Page
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\\SearchAssistant
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{51D81DD5-55B7-497F-95DB-D356429BB54E}
    HKEY_CLASSES_ROOT\CLSID\{51D81DD5-55B7-497F-95DB-D356429BB54E}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\\SpybotDeletingB3738
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\\SpybotDeletingD983
    C:\Program Files\NetProject\sbmntr.exe_old
    C:\Program Files\NetProject
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




NEXT


Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it will produce a log for you. Post that log and a fresh HijackThis log in your next reply.

Note: DO NOT mouse-click ComboFix's window while it's running. That may cause it to stall.




Please post the following logs in your next reply... Post each log in a separate post.

1. OTMoveIt2
2. ComboFix
3. A fresh HijackThis log (after ComboFix step)


Regards
fenzodahl512
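As an added example (not part of this thread and not code from HijackThis, OTMoveIt or any other tool mentioned), the following Python script does mechanically what the fix above does by hand: it reads HijackThis R0/R1 lines and flags every search setting whose URL host is not on an allowlist, picks up the orphaned O3 toolbar ("no file") and the leftover O4 RunOnce values, and renders a REGEDIT4 file of the same shape as the Fix.reg posted above. The allowlist of legitimate search hosts is an assumption; the sample log lines are copied from the log posted earlier in the thread. Unlike the helper's Fix.reg, it does not touch values such as Start Page = about:blank, because they point at no host.

```python
"""Triage a HijackThis log for a browser-search hijack and generate the
matching REGEDIT4 removal file (added example, not part of the thread)."""
import re
from urllib.parse import urlparse

# HijackThis R0/R1 lines: "R1 - HKCU\...\Main,Search Page = http://host/path"
R_LINE = re.compile(r"^(R[01]) - (HK\w+\\[^,]+),([^=]+?) = (.*)$")
# O3 toolbar lines: "O3 - Toolbar: (no name) - {CLSID} - (no file)"
O3_LINE = re.compile(r"^O3 - Toolbar: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# O4 RunOnce lines: "O4 - HKCU\..\RunOnce: [Name] command"
O4_RUNONCE = re.compile(r"^O4 - (HK\w+)\\\.\.\\RunOnce: \[([^\]]+)\] (.*)$")

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

# Assumption: hosts a stock IE7 search configuration may legitimately point at.
ALLOWED_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.google.com"}

# Constructed sample: the R1/O3/O4 lines from the log posted above.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: (no name) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKCU\..\RunOnce: [SpybotDeletingB3738] command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD983] cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"
""".strip().splitlines()


def hijacked_search_entries(lines, allowed_hosts=ALLOWED_HOSTS):
    """(key, value_name, url) for every R0/R1 value whose URL host is not allowed.
    Values with no host (about:blank, a ProxyOverride pattern) are skipped."""
    hits = []
    for line in lines:
        m = R_LINE.match(line.strip())
        if not m:
            continue
        _, key, name, value = m.groups()
        host = urlparse(value.strip()).hostname
        if host and host.lower() not in allowed_hosts:
            hits.append((key, name.strip(), value.strip()))
    return hits


def orphan_toolbars(lines):
    """CLSIDs of O3 toolbars whose DLL is gone: a dead registration left after removal."""
    return [m.group(2) for m in (O3_LINE.match(l.strip()) for l in lines)
            if m and m.group(3) == "(no file)"]


def runonce_entries(lines):
    """(hive, name, command) for each O4 RunOnce value (here Spybot's leftover deletes)."""
    return [(m.group(1), m.group(2), m.group(3))
            for m in (O4_RUNONCE.match(l.strip()) for l in lines) if m]


def build_fix_reg(search_hits, toolbar_clsids, runonce):
    """Render a REGEDIT4 file: "name"=- deletes a value, [-Key] deletes a key."""
    sections = {}  # full key path -> value names to delete, grouped like Fix.reg
    for key, name, _ in search_hits:
        hive, _, rest = key.partition("\\")
        sections.setdefault(HIVES[hive] + "\\" + rest, []).append(name)
    for hive, name, _ in runonce:
        ro = HIVES[hive] + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce"
        sections.setdefault(ro, []).append(name)
    out = ["REGEDIT4", ""]
    for key, names in sections.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in names)
        out.append("")
    for clsid in toolbar_clsids:
        out += [r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]",
                f'"{clsid}"=-', "", f"[-HKEY_CLASSES_ROOT\\CLSID\\{clsid}]", ""]
    return "\r\n".join(out) + "\r\n"  # regedit wants CRLF and a trailing blank line


def triage(lines=SAMPLE_HJT, allowed_hosts=ALLOWED_HOSTS):
    """Run all three checks and return the findings plus the generated .reg text."""
    hits = hijacked_search_entries(lines, allowed_hosts)
    toolbars, ro = orphan_toolbars(lines), runonce_entries(lines)
    return {"search": hits, "toolbars": toolbars, "runonce": ro,
            "fix_reg": build_fix_reg(hits, toolbars, ro)}


if __name__ == "__main__":
    result = triage()
    for key, name, url in result["search"]:
        print(f"hijacked: {key}\\{name} -> {url}")
    print(result["fix_reg"])
```

Run it against a saved HijackThis log (`triage(open("hijackthis.log").read().splitlines())`) and review the printed .reg before importing it; a back-up of the registry (ERUNT, as above) still comes first. The allowlist is the only judgement call: anything pointing at a host you did not put there is treated as hijacked.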

#23 johnny boy (Topic Starter, Member, 142 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:14:04, on 6/7/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RestartNeroSetup] "C:\Users\Matthew\AppData\Local\Temp\OnlineUpdate8\SetupXu.exe" MODE="update" STARTMODE="2" USERSEL="3" FAMILYNAME="Nero 8" RUNSETUPXU="1" UPGRADE="1"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,[email protected]
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3738] command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD983] cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6252 bytes

#24 johnny boy (Topic Starter, Member, 142 posts)
ComboFix 08-06-07.3 - Matthew 06/07/2008 23:09:05.1 - NTFSx86
Running from: C:\Users\Matthew\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\tmp60.tmp

.
((((((((((((((((((((((((( Files Created from 2008-05-08 to 2008-06-08 )))))))))))))))))))))))))))))))
.

2008-06-07 23:07 . 2008-06-08 01:24 <DIR> d-------- C:\327882R2FWJFW
2008-06-07 23:02 . 2008-06-07 23:03 <DIR> d-------- C:\Program Files\ERUNT
2008-06-05 18:25 . 2008-06-05 18:36 <DIR> d-------- C:\Users\Matthew\DoctorWeb
2008-06-04 22:09 . 2008-06-04 22:09 <DIR> d-------- C:\_OTMoveIt
2008-05-31 12:13 . 2008-05-31 12:13 <DIR> d-------- C:\Users\Matthew\AppData\Roaming\Malwarebytes
2008-05-31 12:13 . 2008-05-31 12:13 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-05-31 12:13 . 2008-05-31 12:13 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-05-31 12:13 . 2008-05-31 12:13 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-31 12:13 . 2008-05-30 01:06 34,296 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-05-31 12:13 . 2008-05-30 01:06 15,864 --a------ C:\Windows\System32\drivers\mbam.sys
2008-05-31 07:12 . 2008-05-31 07:12 <DIR> d-------- C:\Deckard
2008-05-30 23:00 . 2008-05-30 23:00 25,755,448 --a------ C:\Program Files\wmp11.exe
2008-05-30 21:49 . 2008-05-30 22:52 1,409 --a------ C:\Windows\mozver.dat
2008-05-29 10:13 . 2008-05-29 10:13 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-05-29 06:56 . 2008-05-29 06:56 <DIR> d-------- C:\Users\All Users\FLEXnet
2008-05-29 06:56 . 2008-05-29 06:56 <DIR> d-------- C:\ProgramData\FLEXnet
2008-05-28 19:01 . 2008-05-28 19:01 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-05-28 19:01 . 2008-05-28 19:01 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-05-28 19:00 . 2008-05-28 19:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-28 18:25 . 2008-05-28 18:25 <DIR> d-------- C:\VundoFix Backups
2008-05-28 18:20 . 2008-05-28 18:20 691 --a------ C:\Users\Matthew\AppData\Roaming\GetValue.vbs
2008-05-28 18:20 . 2008-05-28 18:20 35 --a------ C:\Users\Matthew\AppData\Roaming\SetValue.bat
2008-05-28 18:19 . 2008-06-04 22:19 2,710 --a------ C:\Windows\System32\tmp.reg
2008-05-28 18:16 . 2007-09-06 00:22 289,144 --a------ C:\Windows\System32\VCCLSID.exe
2008-05-28 18:16 . 2006-04-27 17:49 288,417 --a------ C:\Windows\System32\SrchSTS.exe
2008-05-28 18:16 . 2008-05-27 13:54 86,528 --a------ C:\Windows\System32\VACFix.exe
2008-05-28 18:16 . 2004-07-31 18:50 51,200 --a------ C:\Windows\System32\dumphive.exe
2008-05-28 18:16 . 2007-10-04 00:36 25,600 --a------ C:\Windows\System32\WS2Fix.exe
2008-05-28 09:06 . 2008-05-28 09:06 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-28 08:29 . 2008-06-07 13:16 <DIR> d-------- C:\Windows\System32\drivers\Avg
2008-05-28 08:29 . 2008-05-28 08:29 <DIR> d-------- C:\Users\All Users\avg8
2008-05-28 08:29 . 2008-05-28 08:29 <DIR> d-------- C:\ProgramData\avg8
2008-05-28 08:29 . 2008-05-28 08:29 <DIR> d-------- C:\Program Files\AVG
2008-05-28 08:29 . 2008-05-28 08:29 96,520 --a------ C:\Windows\System32\drivers\avgldx86.sys
2008-05-28 08:29 . 2008-05-28 08:29 67,080 --a------ C:\Windows\System32\drivers\avgwfpx.sys
2008-05-28 08:29 . 2008-05-28 08:29 10,520 --a------ C:\Windows\System32\avgrsstx.dll
2008-05-28 08:20 . 2008-05-28 18:43 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-28 07:56 . 2008-05-28 07:56 <DIR> d-------- C:\Windows\Content.IE5
2008-05-28 00:17 . 2008-05-28 00:17 <DIR> d-------- C:\Users\Matthew\AppData\Roaming\DellFaxCtr
2008-05-27 23:50 . 2008-05-27 23:50 164 --a------ C:\Windows\wininit.ini
2008-05-27 23:35 . 2008-05-27 23:38 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-05-27 23:35 . 2008-05-27 23:38 <DIR> d-------- C:\ProgramData\Lavasoft
2008-05-27 23:35 . 2008-05-27 23:35 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-27 23:35 . 2008-05-28 19:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 23:30 . 2008-05-27 23:50 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-27 23:30 . 2008-05-27 23:50 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-05-27 23:30 . 2008-05-27 23:30 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-27 22:25 . 2008-03-07 22:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-27 22:25 . 2008-03-08 00:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
2008-05-26 23:30 . 2008-05-27 23:22 <DIR> d-------- C:\Users\Matthew\AppData\Roaming\Xfire
2008-05-26 23:29 . 2008-05-30 22:57 <DIR> d-------- C:\Users\All Users\Xfire
2008-05-26 23:29 . 2008-05-30 22:57 <DIR> d-------- C:\ProgramData\Xfire
2008-05-26 23:29 . 2008-05-26 23:30 <DIR> d-------- C:\Program Files\Xfire
2008-05-26 22:13 . 2008-05-26 22:13 <DIR> d-------- C:\Program Files\Logitech
2008-05-26 22:13 . 2008-05-26 22:13 130,208 -r------- C:\Windows\bwUnin-8.1.1.87-8876480SL.exe
2008-05-26 14:00 . 2008-05-26 14:00 <DIR> d-------- C:\Program Files\Dl_cats
2008-05-26 13:59 . 2008-05-26 13:59 <DIR> d-------- C:\Program Files\Dell
2008-05-26 13:59 . 2008-05-26 13:59 <DIR> d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-05-26 13:58 . 2008-05-26 13:58 <DIR> d-------- C:\Users\All Users\DellFaxCtr
2008-05-26 13:58 . 2008-05-26 13:58 <DIR> d-------- C:\ProgramData\DellFaxCtr
2008-05-26 13:58 . 2008-05-26 13:59 <DIR> d-------- C:\Program Files\Dell Photo AIO Printer 926
2008-05-26 13:58 . 2008-05-26 13:59 <DIR> d-------- C:\Program Files\Dell PC Fax
2008-05-25 23:43 . 2008-05-25 23:43 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-05-25 21:34 . 2008-05-25 21:21 152,576 --a------ C:\Windows\System32\SPWizUI.dll
2008-05-25 21:34 . 2008-05-25 21:21 47,560 --a------ C:\Windows\System32\SPReview.exe
2008-05-25 21:24 . 2008-01-18 21:31 8,322,048 --a------ C:\Windows\System32\spwizimg.dll
2008-05-25 21:22 . 2008-01-18 23:33 44,032 --a------ C:\Windows\System32\cbsra.exe
2008-05-25 21:21 . 2008-05-25 21:34 196,608 --a------ C:\Windows\SPInstall.etl
2008-05-25 18:10 . 2008-05-25 18:10 <DIR> d-------- C:\Users\All Users\Steam
2008-05-25 18:10 . 2008-05-25 18:11 <DIR> d-------- C:\Users\All Users\PopCap Games
2008-05-25 18:10 . 2008-05-25 18:10 <DIR> d-------- C:\ProgramData\Steam
2008-05-25 18:10 . 2008-05-25 18:11 <DIR> d-------- C:\ProgramData\PopCap Games
2008-05-25 17:49 . 2008-05-02 22:46 768,544 --a------ C:\Windows\System32\nvcplui.exe
2008-05-25 17:49 . 2008-05-02 22:46 420,384 --a------ C:\Windows\System32\nvcpl.cpl
2008-05-25 17:49 . 2008-05-02 22:46 313,888 --a------ C:\Windows\System32\nvexpbar.dll
2008-05-25 17:30 . 2008-05-25 17:30 <DIR> d-------- C:\Program Files\Nvidia Omega Drivers
2008-05-25 17:30 . 2008-04-30 17:27 442,368 --a------ C:\Windows\System32\NVUNINST.EXE
2008-05-25 17:20 . 2008-05-25 17:20 <DIR> d-------- C:\Program Files\DIFX
2008-05-25 17:11 . 2008-05-25 17:11 472,576 --a------ C:\Windows\Nvidia Omega Drivers v1.169.25 Uninstall.exe
2008-05-25 03:00 . 2008-05-25 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-23 21:35 . 2008-05-23 21:35 0 --a------ C:\Windows\Irremote.ini
2008-05-23 20:43 . 2008-05-23 20:43 <DIR> d-------- C:\Ubuntu
2008-05-23 20:21 . 2008-05-23 20:21 <DIR> d-------- C:\Users\Matthew\AppData\Roaming\Nero
2008-05-23 20:20 . 2008-05-23 21:35 <DIR> d-------- C:\Users\All Users\Nero
2008-05-23 20:20 . 2008-05-23 21:35 <DIR> d-------- C:\ProgramData\Nero
2008-05-23 20:20 . 2008-05-23 20:20 <DIR> d-------- C:\Program Files\Nero
2008-05-23 20:20 . 2008-05-23 21:36 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-05-22 23:08 . 2008-05-22 23:08 <DIR> d-------- C:\Program Files\CodeGazer
2008-05-22 22:38 . 2008-05-22 22:38 0 --a------ C:\Windows\nsreg.dat
2008-05-22 22:36 . 2008-05-22 22:37 6,039,048 --a------ C:\Program Files\Firefox.exe
2008-05-22 18:29 . 2008-05-25 17:49 <DIR> d-------- C:\Windows\nvidia icons
2008-05-22 18:22 . 2008-05-22 18:22 38,055,000 --a------ C:\Program Files\Nvidia Drivers.exe
2008-05-21 18:44 . 2008-05-21 19:22 <DIR> d-------- C:\Users\Matthew\AppData\Roaming\goombah
2008-05-21 18:43 . 2008-05-21 18:43 <DIR> d-------- C:\Users\Matthew\AppData\Roaming\Ruckus Network
2008-05-21 18:42 . 2008-05-21 18:42 <DIR> d-------- C:\Program Files\Emergent Music LLC
2008-05-21 18:42 . 2008-05-21 18:42 <DIR> d-------- C:\Program Files\Bonjour
2008-05-21 18:41 . 2008-05-21 18:43 <DIR> d-------- C:\Program Files\Ruckus Player
2008-05-21 18:41 . 2008-05-21 18:41 12,872,160 --a------ C:\Program Files\Ruckus Player.EXE
2008-05-21 18:41 . 2005-11-22 17:10 499,712 --a------ C:\Windows\System32\msvcp71.dll
2008-05-21 18:41 . 2005-11-22 17:10 348,160 --a------ C:\Windows\System32\msvcr71.dll
2008-05-21 18:28 . 2008-06-07 22:59 <DIR> d-------- C:\Users\Matthew\AppData\Roaming\uTorrent
2008-05-21 18:28 . 2008-05-21 18:28 <DIR> d-------- C:\Program Files\uTorrent
2008-05-21 02:51 . 2008-05-21 02:51 1,820 --a------ C:\Windows\System32\rasctrnm.h
2008-05-21 02:36 . 2008-01-18 23:34 15,872 --a------ C:\Windows\System32\hcrstco.dll
2008-05-21 02:36 . 2006-11-02 01:46 8,704 --a------ C:\Windows\System32\hccoin.dll
2008-05-21 02:34 . 2008-05-21 02:34 988,216 --a------ C:\Windows\System32\winload.exe
2008-05-21 02:34 . 2008-05-21 02:34 927,288 --a------ C:\Windows\System32\winresume.exe
2008-05-21 02:34 . 2008-05-21 02:34 615,992 --a------ C:\Windows\System32\ci.dll
2008-05-21 02:34 . 2008-05-21 02:34 378,368 --a------ C:\Windows\System32\srcore.dll
2008-05-21 02:34 . 2008-05-21 02:34 318,464 --a------ C:\Windows\System32\rstrui.exe
2008-05-21 02:34 . 2008-05-21 02:34 46,592 --a------ C:\Windows\System32\setbcdlocale.dll
2008-05-21 02:34 . 2008-05-21 02:34 40,960 --a------ C:\Windows\System32\srclient.dll
2008-05-21 02:34 . 2008-05-21 02:34 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-05-21 02:34 . 2008-05-21 02:34 14,848 --a------ C:\Windows\System32\srdelayed.exe
2008-05-21 02:34 . 2008-05-21 02:34 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-05-21 02:32 . 2008-05-21 02:32 2,032,128 --a------ C:\Windows\System32\win32k.sys
2008-05-21 02:32 . 2008-05-21 02:32 295,936 --a------ C:\Windows\System32\gdi32.dll
2008-05-21 02:27 . 2008-05-21 02:27 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-05-21 02:27 . 2008-05-21 02:27 826,880 --a------ C:\Windows\System32\wininet.dll
2008-05-20 23:58 . 2008-05-20 23:58 <DIR> d-------- C:\Windows\System32\OEM
2008-05-20 23:58 . 2008-05-20 23:08 <DIR> d-------- C:\Windows\Panther
2008-05-20 23:58 . 2007-02-21 15:54 34 -rah----- C:\Windows\DELL_VERSION
2008-05-20 23:03 . 2008-05-21 02:26 <DIR> d-------- C:\Windows\Debug
2008-05-20 22:29 . 2008-05-20 22:29 <DIR> d-------- C:\Windows\System32\Macromed
2008-05-20 22:20 . 2008-06-04 21:48 <DIR> d-------- C:\Program Files\Steam

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 01:50 174 --sha-w C:\Program Files\desktop.ini
2008-05-26 01:45 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-26 01:45 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-05-26 01:45 --------- d-----w C:\Program Files\Windows Mail
2008-05-26 01:45 --------- d-----w C:\Program Files\Windows Defender
2008-05-26 01:45 --------- d-----w C:\Program Files\Windows Collaboration
2008-05-26 01:45 --------- d-----w C:\Program Files\Windows Calendar
2008-05-26 01:37 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-05-26 01:37 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-05-21 02:19 1,567,232 ----a-w C:\Program Files\SteamInstall.msi
2008-04-29 15:20 15,648 ----a-w C:\Windows\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\Windows\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\Windows\system32\drivers\Awrtpd.sys
2008-03-08 04:19 540,672 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:19 458,752 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:19 2,153,984 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:19 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 01:58 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [ ]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2008-05-26 22:13 91440]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 23:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-18 23:38 1008184]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"RestartNeroSetup"="C:\Users\Matthew\AppData\Local\Temp\OnlineUpdate8\SetupXu.exe" [ ]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-05-02 22:46 13535776]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-02 22:46 92704]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [2006-11-03 18:09 312200]
"dlcxmon.exe"="C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 12:57 292336]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 18:04 304008]
"DLCXCATS"="C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 01:31 106496]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-28 08:29 1177368]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 19:52 849280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{60FA1249-788E-4D35-A69A-94A18A302FAF}C:\\program files\\steam\\steamapps\\treashunter\\team fortress 2\\hl2.exe"= UDP:C:\program files\steam\steamapps\treashunter\team fortress 2\hl2.exe:hl2
"UDP Query User{2BE05C8D-C7F0-4367-933A-2724DDCE1A04}C:\\program files\\steam\\steamapps\\treashunter\\team fortress 2\\hl2.exe"= TCP:C:\program files\steam\steamapps\treashunter\team fortress 2\hl2.exe:hl2
"TCP Query User{D4DBBEEF-86FF-42AB-B9D1-2CCB314A0C0B}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{1DADE256-2592-4E72-B0D9-987F178C6EF9}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{E14D8455-21D5-46B4-AC8B-6690971E5AAD}"= UDP:C:\Program Files\Ruckus Player\Ruckus.exe:Ruckus
"{A672124D-9274-4194-9F68-2ABB4AD9FCEF}"= TCP:C:\Program Files\Ruckus Player\Ruckus.exe:Ruckus
"TCP Query User{4B5ABA1D-50EE-4F56-B5F1-7F148AFC49C0}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{2361C460-94F8-4AA6-B55A-814F2FF56A6D}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{CE5DC8D6-67EE-4D64-BDE5-774B7D81E8D5}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{4319EC4B-851D-47E1-875C-9D4C356564F1}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{083F76C4-D16B-4A3B-9A46-3BFCA70938B0}C:\\program files\\nero\\nero8\\nero home\\nerohome.exe"= UDP:C:\program files\nero\nero8\nero home\nerohome.exe:Nero Home
"UDP Query User{9982D627-57A8-4040-8B8C-ADE98AA92383}C:\\program files\\nero\\nero8\\nero home\\nerohome.exe"= TCP:C:\program files\nero\nero8\nero home\nerohome.exe:Nero Home
"TCP Query User{C7F5FE41-FE2C-4445-9A3A-673FC0E92690}C:\\program files\\common files\\nero\\nero web\\setupx.exe"= UDP:C:\program files\common files\nero\nero web\setupx.exe:Nero Installer
"UDP Query User{A859DC3F-A22A-44E4-9F46-08C56D525905}C:\\program files\\common files\\nero\\nero web\\setupx.exe"= TCP:C:\program files\common files\nero\nero web\setupx.exe:Nero Installer
"TCP Query User{F19759C7-854C-442F-9171-62D3BC6FCE50}C:\\users\\matthew\\appdata\\local\\temp\\onlineupdate8\\setupxu.exe"= UDP:C:\users\matthew\appdata\local\temp\onlineupdate8\setupxu.exe:setupxu.exe
"UDP Query User{4BBE0725-FA86-43AE-8AA4-B5A88B80925C}C:\\users\\matthew\\appdata\\local\\temp\\onlineupdate8\\setupxu.exe"= TCP:C:\users\matthew\appdata\local\temp\onlineupdate8\setupxu.exe:setupxu.exe
"TCP Query User{4A145636-C018-4376-88A8-7D729A226BD9}C:\\program files\\steam\\steamapps\\treashunter\\ricochet\\hl.exe"= UDP:C:\program files\steam\steamapps\treashunter\ricochet\hl.exe:Half-Life Launcher
"UDP Query User{636B801C-AC1F-4D01-A14C-C4E7318818B2}C:\\program files\\steam\\steamapps\\treashunter\\ricochet\\hl.exe"= TCP:C:\program files\steam\steamapps\treashunter\ricochet\hl.exe:Half-Life Launcher
"{921AE93B-C7B8-4980-919F-943216A4D915}"= UDP:C:\Windows\System32\dlcxcoms.exe:Lexmark Communications System
"{24E829AB-1213-4105-A353-A9AB8DD018D3}"= TCP:C:\Windows\System32\dlcxcoms.exe:Lexmark Communications System
"{4C5226C7-E95F-4198-BB44-83ECAB47C98F}"= UDP:C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe:Device Monitor
"{5EF0627C-6A9D-47D7-99B2-02270BBD65C9}"= TCP:C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe:Device Monitor
"{CF4B9E5F-B35F-4AE0-A2A7-1F0FDE842305}"= UDP:C:\Program Files\Dell Photo AIO Printer 926\dlcxaiox.exe:All In One Center
"{94A18003-D8D4-43BE-9A0F-B89530416836}"= TCP:C:\Program Files\Dell Photo AIO Printer 926\dlcxaiox.exe:All In One Center
"{09493FE8-4782-4D8D-AB1E-F8211E7105CC}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{538785C9-E3B7-404C-87FA-D3906F2C11DA}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"TCP Query User{3F8AB8D6-7BA1-46BC-868D-C22AEAA37A7A}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{1637C9EF-2A5D-46A6-A1EE-30EEAA403A04}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"{DCDC32CB-23F7-47D6-B3A9-4B3D2AD6BBDE}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{2C75B9F9-B692-42B9-9F8F-EB7CB61AB8AD}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{69BECD92-B87C-42FB-9380-53CF24100711}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{7E95E331-318E-4B76-B0C1-EEFC569371F5}"= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 23:10:25
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-07 23:11:20
ComboFix-quarantined-files.txt 2008-06-08 03:11:08

Pre-Run: 161,897,574,400 bytes free
Post-Run: 161,856,536,576 bytes free

232 --- E O F --- 2008-06-07 21:04:37

#25
johnny boy

  • Topic Starter
  • Member
  • 142 posts
Explorer killed successfully
< HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\\SearchURL >
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\\SearchURL not found.
< HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Default_Search_URL >
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Default_Search_URL not found.
< HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Search Bar >
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Search Bar not found.
< HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Search Page >
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Search Page not found.
< HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page >
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page not found.
< HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\\SearchAssistant >
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\\SearchAssistant not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{51D81DD5-55B7-497F-95DB-D356429BB54E} >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{51D81DD5-55B7-497F-95DB-D356429BB54E} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51D81DD5-55B7-497F-95DB-D356429BB54E}\ not found.
< HKEY_CLASSES_ROOT\CLSID\{51D81DD5-55B7-497F-95DB-D356429BB54E} >
Registry key HKEY_CLASSES_ROOT\CLSID\{51D81DD5-55B7-497F-95DB-D356429BB54E}\\ not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\\SpybotDeletingB3738 >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\\SpybotDeletingB3738 not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\\SpybotDeletingD983 >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\\SpybotDeletingD983 not found.
File/Folder C:\Program Files\NetProject\sbmntr.exe_old not found.
File/Folder C:\Program Files\NetProject not found.
< EmptyTemp >
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06072008_230546

#26
johnny boy

  • Topic Starter
  • Member
  • 142 posts
After I ran ComboFix... I did not have a desktop, had to CTRL ALT DEL and log off, then log back on. It moved all of my icons around, and I had no internet connection... and it seems as if the entries are still there... did I do anything wrong?

#27
fenzodahl512

  • Malware Removal
  • 9,863 posts

After I ran ComboFix... I did not have a desktop, had to CTRL ALT DEL and log off, then log back on. It moved all of my icons around, and I had no internet connection... and it seems as if the entries are still there... did I do anything wrong?

Hello. Do you have your Desktop now? What do you mean it moved all your icons? Are the icons still on the Desktop?

Post a fresh DSS log, please.

#28
johnny boy

  • Topic Starter
  • Member
  • 142 posts
Yes, after I logged off and then back on, my desktop came back. What I meant when I said it rearranged it was that I had all my icons separated into sections, and it just switched them all around. My desktop background was not affected.
DSS log in a moment.

#29
johnny boy

  • Topic Starter
  • Member
  • 142 posts
Deckard's System Scanner v20071014.68
Run by Matthew on 2008-06-08 09:03:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Matthew.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:03:19, on 6/8/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Matthew\Desktop\dss.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Matthew.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RestartNeroSetup] "C:\Users\Matthew\AppData\Local\Temp\OnlineUpdate8\SetupXu.exe" MODE="update" STARTMODE="2" USERSEL="3" FAMILYNAME="Nero 8" RUNSETUPXU="1" UPGRADE="1"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,[email protected]
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3738] command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD983] cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6359 bytes

-- Files created between 2008-05-08 and 2008-06-08 -----------------------------

2008-06-07 23:08:09 68096 --a------ C:\Windows\zip.exe
2008-06-07 23:08:09 49152 --a------ C:\Windows\VFind.exe
2008-06-07 23:08:09 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-07 23:08:09 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-07 23:08:09 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-07 23:08:09 98816 --a------ C:\Windows\sed.exe
2008-06-07 23:08:09 80412 --a------ C:\Windows\grep.exe
2008-06-07 23:08:09 89504 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-07 23:07:51 0 d-------- C:\327882R2FWJFW
2008-06-05 18:25:31 0 d-------- C:\Users\Matthew\DoctorWeb
2008-05-31 12:13:26 0 d-------- C:\Users\All Users\Malwarebytes
2008-05-31 12:13:25 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-30 21:49:51 1409 --a------ C:\Windows\mozver.dat
2008-05-29 10:13:33 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-05-29 06:56:30 0 d-------- C:\Users\All Users\FLEXnet
2008-05-28 19:01:51 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-05-28 19:00:10 0 d-------- C:\Program Files\Trend Micro
2008-05-28 18:25:36 0 d-------- C:\VundoFix Backups
2008-05-28 18:19:43 2710 --a------ C:\Windows\system32\tmp.reg
2008-05-28 18:16:43 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-05-28 18:16:43 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-28 18:16:43 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-28 18:16:43 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-28 18:16:43 51200 --a------ C:\Windows\system32\dumphive.exe
2008-05-28 09:06:16 0 d--h----- C:\$AVG8.VAULT$
2008-05-28 08:29:07 0 d-------- C:\Windows\system32\drivers\Avg
2008-05-28 08:29:04 0 d-------- C:\Users\All Users\avg8
2008-05-28 08:29:04 0 d-------- C:\Program Files\AVG
2008-05-28 08:20:59 0 d-------- C:\Program Files\Enigma Software Group
2008-05-28 07:56:53 0 d-------- C:\Windows\Content.IE5
2008-05-27 23:35:32 0 d-------- C:\Users\All Users\Lavasoft
2008-05-27 23:35:32 0 d-------- C:\Program Files\Lavasoft
2008-05-27 23:35:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 23:30:39 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-26 23:29:58 0 d-------- C:\Users\All Users\Xfire
2008-05-26 23:29:58 0 d-------- C:\Program Files\Xfire
2008-05-26 22:13:09 0 d-------- C:\Program Files\Logitech
2008-05-26 14:00:06 0 d-------- C:\Program Files\Dl_cats
2008-05-26 13:59:26 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-05-26 13:59:21 0 d-------- C:\Program Files\Dell
2008-05-26 13:58:45 45056 --a------ C:\Windows\system32\DLPRMON.DLL <Not Verified; ; Dell Fax Solutions Software>
2008-05-26 13:58:45 32768 --a------ C:\Windows\system32\DLPMONUI.DLL <Not Verified; ; Dell Fax Solutions Software>
2008-05-26 13:58:25 98345 --a------ C:\Windows\system32\IMHOST32.DLL <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
2008-05-26 13:58:25 339968 --a------ C:\Windows\system32\IMGMAN32.DLL <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
2008-05-26 13:58:24 0 d-------- C:\Users\All Users\DellFaxCtr
2008-05-26 13:58:20 0 d-------- C:\Program Files\Dell PC Fax
2008-05-26 13:58:16 274432 --a------ C:\Windows\system32\dlcxinst.dll
2008-05-26 13:58:16 323584 --a------ C:\Windows\system32\dlcxhcp.dll <Not Verified; ; Printer Communication System>
2008-05-26 13:58:16 0 d-------- C:\Program Files\Dell Photo AIO Printer 926
2008-05-25 21:34:13 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-25 18:10:47 0 d-------- C:\Users\All Users\Steam
2008-05-25 18:10:32 0 d-------- C:\Users\All Users\PopCap Games
2008-05-25 17:30:07 0 d-------- C:\Program Files\Nvidia Omega Drivers
2008-05-25 17:20:27 0 d-------- C:\Program Files\DIFX
2008-05-25 03:00:27 0 d-------- C:\Program Files\MSXML 4.0
2008-05-23 20:43:40 0 d-------- C:\Ubuntu
2008-05-23 20:20:53 0 d-------- C:\Users\All Users\Nero
2008-05-23 20:20:53 0 d-------- C:\Program Files\Nero
2008-05-23 20:20:53 0 d-------- C:\Program Files\Common Files\Nero
2008-05-22 23:08:35 0 d-------- C:\Program Files\CodeGazer
2008-05-22 22:38:01 0 --a------ C:\Windows\nsreg.dat
2008-05-22 18:29:40 0 d-------- C:\Windows\nvidia icons
2008-05-21 18:42:53 0 d-------- C:\Program Files\Bonjour
2008-05-21 18:42:22 0 d-------- C:\Program Files\Emergent Music LLC
2008-05-21 18:41:37 0 d-------- C:\Program Files\Ruckus Player
2008-05-21 18:28:41 0 d-------- C:\Program Files\uTorrent
2008-05-20 23:58:55 0 d-------- C:\Windows\Panther
2008-05-20 23:58:13 0 d-------- C:\Windows\system32\OEM
2008-05-20 23:58:13 34 -rah----- C:\Windows\DELL_VERSION
2008-05-20 23:04:14 0 d-------- C:\Windows\SoftwareDistribution
2008-05-20 23:03:01 0 d-------- C:\Windows\Debug
2008-05-20 22:59:48 0 d-------- C:\Windows\Prefetch
2008-05-20 22:29:43 0 d-------- C:\Windows\system32\Macromed
2008-05-20 22:20:07 0 d-------- C:\Program Files\Common Files\Steam
2008-05-20 22:20:06 0 d-------- C:\Program Files\Steam
2008-05-20 22:07:58 0 d-------- C:\Users\All Users\NVIDIA
2008-05-20 21:48:14 1726 --a------ C:\Windows\ndinst.exe
2008-05-20 21:48:14 0 -rahs---- C:\MSDOS.SYS
2008-05-20 21:48:14 0 -rahs---- C:\IO.SYS
2008-05-20 21:33:14 15781 --a------ C:\Windows\system32\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
2008-05-20 21:33:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-20 21:32:57 0 d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-05-20 21:08:41 0 d-------- C:\Users\All Users\Adobe
2008-05-20 20:53:36 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-20 20:52:58 0 d--hs---- C:\Windows\Installer
2008-05-20 20:52:58 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-20 20:31:14 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-20 20:14:46 0 dr------- C:\Users\Matthew\Searches
2008-05-20 20:14:38 0 dr------- C:\Users\Matthew\Contacts
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Templates
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Start Menu
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\SendTo
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Recent
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\PrintHood
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\NetHood
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\My Documents
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Local Settings
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Cookies
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Application Data
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Videos
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Saved Games
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Pictures
2008-05-20 20:14:33 2621440 --ahs---- C:\Users\Matthew\NTUSER.DAT
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Music
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Links
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Favorites
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Downloads
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Documents
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Desktop
2008-05-20 20:14:33 0 d--h----- C:\Users\Matthew\AppData
2008-05-18 23:17:36 0 d-------- C:\NVIDIA


-- Find3M Report ---------------------------------------------------------------

2008-06-08 09:03:23 0 d-------- C:\Users\Matthew\AppData\Roaming\uTorrent
2008-05-31 12:13:33 0 d-------- C:\Users\Matthew\AppData\Roaming\Malwarebytes
2008-05-28 18:20:19 35 --a------ C:\Users\Matthew\AppData\Roaming\SetValue.bat
2008-05-28 18:20:19 691 --a------ C:\Users\Matthew\AppData\Roaming\GetValue.vbs
2008-05-28 00:17:21 0 d-------- C:\Users\Matthew\AppData\Roaming\DellFaxCtr
2008-05-27 23:35:01 0 d-------- C:\Program Files\Common Files
2008-05-27 23:22:09 0 d-------- C:\Users\Matthew\AppData\Roaming\Xfire
2008-05-25 23:47:59 0 d-------- C:\Users\Matthew\AppData\Roaming\Adobe
2008-05-25 21:50:38 174 --ahs---- C:\Program Files\desktop.ini
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Sidebar
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Photo Gallery
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Mail
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Collaboration
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Calendar
2008-05-25 21:45:05 0 d-------- C:\Program Files\Movie Maker
2008-05-25 21:45:02 0 d-------- C:\Program Files\Windows Defender
2008-05-23 20:21:55 0 d-------- C:\Users\Matthew\AppData\Roaming\Nero
2008-05-22 22:37:59 0 d-------- C:\Users\Matthew\AppData\Roaming\Mozilla
2008-05-21 19:22:12 0 d-------- C:\Users\Matthew\AppData\Roaming\goombah
2008-05-21 18:43:56 0 d-------- C:\Users\Matthew\AppData\Roaming\Ruckus Network
2008-05-20 22:29:44 0 d-------- C:\Users\Matthew\AppData\Roaming\Macromedia
2008-05-20 21:09:08 0 d-------- C:\Users\Matthew\AppData\Roaming\AdobeUM
2008-05-20 20:14:39 0 d-------- C:\Users\Matthew\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/18/2008 23:38]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"RestartNeroSetup"="C:\Users\Matthew\AppData\Local\Temp\OnlineUpdate8\SetupXu.exe" []
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [05/02/2008 22:46]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [05/02/2008 22:46]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [11/03/2006 18:09]
"dlcxmon.exe"="C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe" [01/12/2007 12:57]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 926\memcard.exe" [11/03/2006 18:04]
"DLCXCATS"="C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [10/16/2006 01:31]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/28/2008 08:29]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [02/05/2007 19:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" []
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [05/26/2008 22:13]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/18/2008 23:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB3738"=command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
"SpybotDeletingD983"=cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [5/26/2008 22:13:17]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-08 09:04:42 ------------
  • 0

#30
fenzodahl512

  • Malware Removal
  • 9,863 posts
Huuu.. Those are extremely stubborn entries.. I wonder myself why they keep coming.. Let's do the following..

Please disable your Spybot Tea-Timer and Windows Defender prior to our fix.. Please re-enable them after performing all steps given..

If you do not know how, please navigate this website



NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"SearchURL"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"=-
"Search Bar"=-
"Search Page"=-
"Start Page"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"=-
[-HKEY_CLASSES_ROOT\CLSID\{51D81DD5-55B7-497F-95DB-D356429BB54E}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB3738"=-
"SpybotDeletingD983"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.




NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results (if any) into this thread.


Please re-enable them now.. Please post the following logs in your next reply..

1. ComboFix
2. GMER
3. A fresh HijackThis log (after GMER step)


Regards
fenzodahl512
  • 0
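A read-only check a responder would run after the ComboFix step, as an added example that is not part of this thread and not ComboFix's or Spybot's own tooling: a PowerShell script that reports whether any of the values, or the toolbar CLSID key, targeted by the CFScript above are still present. It assumes an elevated PowerShell session on the affected machine; the registry locations and the {51D81DD5-55B7-497F-95DB-D356429BB54E} CLSID are taken from the script above, and nothing else about the infection is assumed.

```powershell
# Added example (not from the thread): audit the registry locations the CFScript
# targets and list what is still there. Read-only; it deletes nothing.
# Assumes an elevated PowerShell prompt on the machine that was cleaned.

# Values the CFScript removes with "Name"=- (locations copied from the script above)
$checks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer';            Values = @('SearchURL') },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';       Values = @('Default_Search_URL', 'Search Bar', 'Search Page', 'Start Page') },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Search';     Values = @('SearchAssistant') },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar';    Values = @('{51D81DD5-55B7-497F-95DB-D356429BB54E}') },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Values = @('SpybotDeletingB3738', 'SpybotDeletingD983') }
)

# Whole key the CFScript removes with the [-HKEY_...] syntax; HKCR has no default
# PowerShell drive, so the Registry:: provider path is used instead.
$keysToBeGone = @('Registry::HKEY_CLASSES_ROOT\CLSID\{51D81DD5-55B7-497F-95DB-D356429BB54E}')

$findings = @()

foreach ($c in $checks) {
    # A missing parent key means every value under it is gone too
    if (-not (Test-Path -LiteralPath $c.Key)) { continue }
    $props = Get-ItemProperty -LiteralPath $c.Key
    foreach ($v in $c.Values) {
        # PSObject.Properties[...] returns $null when the value does not exist
        if ($null -ne $props.PSObject.Properties[$v]) {
            $findings += [pscustomobject]@{ Location = $c.Key; Name = $v; Data = $props.$v }
        }
    }
}

foreach ($k in $keysToBeGone) {
    if (Test-Path -LiteralPath $k) {
        $default = (Get-Item -LiteralPath $k).GetValue('')   # the key's (Default) value, usually the COM object's name
        $findings += [pscustomobject]@{ Location = $k; Name = '(key still exists)'; Data = $default }
    }
}

if ($findings.Count -eq 0) {
    'No targeted entries remain.'
} else {
    $findings | Format-Table -AutoSize
}
```

Note that "Start Page", "Search Page" and "Search Bar" exist on a clean IE install as well, so a hit on those three is only meaningful if the Data column is not a Microsoft default; a hit on SearchURL, SearchAssistant, the toolbar CLSID or the two RunOnce names is what indicates the CFScript did not take effect. Because the script only reads, it can be re-run after every step without risk.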