Trojan Vundo [RESOLVED]


  • This topic is locked

#1
dziggy

Hi! First of all, I just want to say how much I appreciate the effort put into this site to help non-comp-savvy people with the growing problems of Windows. I have been infected by the Trojan Vundo virus and none of the spyware removers work. VundoFix and VirtumundoBeGone did not find anything either. I would truly appreciate any help given here. This is a copy of my log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:00 PM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AdwareAlert\AdwareAlert.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {910C6737-EE58-46AD-86C1-6C342DD6010C} - C:\WINDOWS\system32\wvUkIYpp.dll
O2 - BHO: {4451f68a-d3a4-f0aa-82b4-3d1b60190a4e} - {e4a09106-b1d3-4b28-aa0f-4a3da86f1544} - C:\WINDOWS\system32\rbrrte.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [fbc7fc3c] rundll32.exe "C:\WINDOWS\system32\hfhdhkqy.dll",b
O4 - HKLM\..\Run: [BMf8f4cfa0] Rundll32.exe "C:\WINDOWS\system32\farwcxys.dll",s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/gs.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zon...mjolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCamSvc - Unknown owner - C:\Program Files\Microsoft LifeCam\MSCamS32.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8688 bytes

#2
fenzodahl512

Hello, my name is fenzodahl512 and welcome to Geekstogo... Please do the following...

Tell me why you run HijackThis in Safe Mode with Networking. Can you run it under Normal Mode?

Please visit the webpage below for instructions on downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.

#3
dziggy

The reason why I ran HijackThis in Safe mode networking is because the virus for some reason is not permitting me to use my browser in normal mode to any functional extent. I am posting this from another computer. I had to download HijackThis in safe networking mode because that was the only time my browser functioned normally. I will try to download ComboFix and hijack fix in safe mode then run it in normal. Thank you for your patience.

[Edit 1] Ok, I am in definite trouble with my browser. I can't even log into geekstogo.com except in safe mode with networking. Basically there is no internet for me unless I'm in safe mode. I would appreciate any advice offered at this point.

[Edit 2] Ok, here is what I'm able to do. I'll be running HijackThis and ComboFix in normal mode. Then I'll save it to a folder, then post it on here in safe mode. I'll do my best with the instructions on Windows XP recovery.

By the way, here are the major infections found by AdwareAlert:
Sinowal (keylogger), Kazaa (p2p), Antivirus XP 2008 (Rogue Antispyware), Bifrose (Backdoor), Vundo (Adware)

I believe they all came together starting with the Antivirus XP 2008, but you're the professional. I hope this saves you a bit of time.

[Edit 3] Alright, I finally got the logs down and I must say it was total [bleep] getting them, so I hope they help.

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:15, on 2008-07-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: {76d0d745-144d-5edb-9c94-8dc42d6b5051} - {1505b6d2-4cd8-49c9-bde5-d441547d0d67} - C:\WINDOWS\system32\nsjlhw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [fbc7fc3c] rundll32.exe "C:\WINDOWS\system32\bqqslrhc.dll",b
O4 - HKLM\..\Run: [BMf8f4cfa0] Rundll32.exe "C:\WINDOWS\system32\mnghmwpi.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/gs.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zon...mjolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCamSvc - Unknown owner - C:\Program Files\Microsoft LifeCam\MSCamS32.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10283 bytes

And ComboFix:


ComboFix 08-06-20.4 - George 2008-07-01 0:23:33.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.114 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-07-01 00:02 . 2008-07-01 00:14 414 ---hs---- C:\WINDOWS\system32\chrlsqqb.ini
2008-07-01 00:01 . 2008-07-01 00:02 0 --a------ C:\WINDOWS\BMf8f4cfa0.xml
2008-06-30 23:36 . 2008-06-30 23:36 81,920 --a------ C:\WINDOWS\system32\bqqslrhc.dll
2008-06-30 23:35 . 2008-06-30 23:35 103,424 --a------ C:\WINDOWS\system32\tovwbprg.dll
2008-06-30 23:35 . 2008-06-30 23:35 103,424 --a------ C:\WINDOWS\system32\nsjlhw.dll
2008-06-30 23:34 . 2008-06-30 23:34 91,136 --a------ C:\WINDOWS\system32\mnghmwpi.dll
2008-06-29 22:59 . 2008-06-29 22:59 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-29 22:16 . 2008-06-29 22:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-29 22:03 . 2008-06-29 22:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdwareAlert
2008-06-29 22:00 . 2008-06-29 22:00 <DIR> d--hs---- C:\FOUND.008
2008-06-29 21:25 . 2008-06-29 21:25 <DIR> d-------- C:\VundoFix Backups
2008-06-29 21:04 . 2008-06-29 21:04 <DIR> d-------- C:\Program Files\Opera
2008-06-29 21:04 . 2008-06-29 21:04 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-06-29 11:57 . 2008-06-29 11:57 <DIR> d-------- C:\Documents and Settings\George\Application Data\AdwareAlert
2008-06-29 11:56 . 2008-06-29 11:56 <DIR> d-------- C:\Program Files\AdwareAlert
2008-06-29 11:43 . 2008-06-29 11:43 103,424 --a------ C:\WINDOWS\system32\rbrrte.dll
2008-06-29 11:43 . 2008-06-29 11:43 103,424 --a------ C:\WINDOWS\system32\isxuwdoi.dll
2008-06-29 11:41 . 2008-06-29 11:41 90,624 --a------ C:\WINDOWS\system32\farwcxys.dll
2008-06-28 21:26 . 2008-06-28 21:26 103,424 --a------ C:\WINDOWS\system32\iwyaddog.dll
2008-06-28 21:26 . 2008-06-28 21:26 103,424 --a------ C:\WINDOWS\system32\bvoxkj.dll
2008-06-28 10:29 . 2008-06-28 10:30 81,920 --a------ C:\WINDOWS\system32\ivpkxaxv.dll
2008-06-28 10:27 . 2008-06-28 10:27 103,424 --a------ C:\WINDOWS\system32\alhpte.dll
2008-06-28 10:26 . 2008-06-28 10:27 103,424 --a------ C:\WINDOWS\system32\poeserbp.dll
2008-06-28 10:25 . 2008-06-28 10:25 90,624 --a------ C:\WINDOWS\system32\gkxqmjap.dll
2008-06-27 17:01 . 2008-06-27 17:01 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-27 13:36 . 2008-06-27 13:36 <DIR> d-------- C:\WINDOWS\KU3CLU3CLU3CLU3C
2008-06-27 13:34 . 2008-06-27 13:34 <DIR> d--hs---- C:\FOUND.007
2008-06-27 11:53 . 2008-06-27 11:53 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-27 11:53 . 2008-06-27 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-27 11:51 . 2008-06-27 11:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-27 11:37 . 2008-06-27 11:37 <DIR> d--hs---- C:\FOUND.006
2008-06-27 11:29 . 2008-06-27 11:30 <DIR> d-------- C:\Documents and Settings\George\Application Data\rhc10vj0eetu
2008-06-27 11:29 . 2008-06-27 11:29 25,600 --a------ C:\WINDOWS\system32\fccCRlKE.dll.vir
2008-06-23 00:58 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-06-17 23:10 . 2008-06-17 23:10 <DIR> d-------- C:\Program Files\Second Sight Software
2008-06-15 18:46 . 2008-06-15 18:46 <DIR> d-------- C:\Documents and Settings\George\Application Data\iWin
2008-06-11 14:15 . 2008-06-11 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-06-11 14:06 . 2008-06-11 14:06 <DIR> d-------- C:\Program Files\TradewindsLegends_at
2008-06-10 15:35 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 15:35 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 04:49 61,024 ----a-w C:\Documents and Settings\George\Application Data\GDIPFONTCACHEV1.DAT
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-15 05:35 --------- d-----w C:\Program Files\THQ
2008-05-15 04:52 --------- d-----w C:\Documents and Settings\George\Application Data\LimeWire
2008-05-15 04:51 --------- d-----w C:\Program Files\LimeWire
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 04:16 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-23 04:16 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-23 04:16 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-23 04:16 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-23 04:16 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-23 04:16 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-16 05:20 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
.

((((((((((((((((((((((((((((( snapshot@2008-07-01_ 0.02.38.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-01 06:59:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-01 07:13:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-07-01 06:57:10 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-01 07:17:44 53,838 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-01 06:57:10 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-01 07:17:44 382,260 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1505b6d2-4cd8-49c9-bde5-d441547d0d67}]
2008-06-30 23:35 103424 --a------ C:\WINDOWS\system32\nsjlhw.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" [2008-06-27 13:18 8860912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-16 17:24 88204 C:\WINDOWS\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-27 17:28 16005120 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 14:21 53248]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-08 07:17 102491]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-08 07:16 692315]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 17:15 45056]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [ ]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 13:55 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 13:52 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 13:55 118784]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-03-30 13:56 471040]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 16:43 401408]
"ImageItEncrypt"="C:\WINDOWS\system32\ImageItEncrypt.exe" [2005-12-30 14:02 40960]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 00:11 771704]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04 40960]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe" [2004-05-25 09:16 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34 851968]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 04:15 75520]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"fbc7fc3c"="C:\WINDOWS\system32\bqqslrhc.dll" [2008-06-30 23:36 81920]
"BMf8f4cfa0"="C:\WINDOWS\system32\mnghmwpi.dll" [2008-06-30 23:34 91136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-10 20:42:57 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\Thrones.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2005-04-22 16:57]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-22 16:57]
R3 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
S1 52dc2a13;52dc2a13;C:\WINDOWS\system32\drivers\52dc2a13.sys []
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys []
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys []
S2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" []
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 13:12]
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2003-03-14 00:04]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 13:12]
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 13:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f83c7b4-7560-11dc-94cf-0016367ad937}]
\Shell\AutoRun\command - F:\Installer.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-01 03:21:50 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - George.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
"2008-07-01 07:16:48 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert.GeorgeWRuns AdwareAlert to scan your computer for malicious and potenially unwanted programs.
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 00:25:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-01 0:25:34
ComboFix-quarantined-files.txt 2008-07-01 07:25:32
ComboFix2.txt 2008-07-01 07:03:16

Pre-Run: 10,336,616,448 bytes free
Post-Run: 10,316,972,032 bytes free

183 --- E O F --- 2008-06-24 10:03:08

Edited by dziggy, 01 July 2008 - 01:37 AM.

#4
fenzodahl512

  • Malware Removal
  • 9,863 posts
Erm.. looking at your logs, I totally understand how you feel.. The log is a mess.. We're going to clean em up...


Firstly, please uninstall your AdwareAlert as it is a RogueAntispyware.. Please read HERE for more information...




1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
52dc2a13

File::
C:\WINDOWS\system32\chrlsqqb.ini
C:\WINDOWS\BMf8f4cfa0.xml
C:\WINDOWS\system32\bqqslrhc.dll
C:\WINDOWS\system32\tovwbprg.dll
C:\WINDOWS\system32\nsjlhw.dll
C:\WINDOWS\system32\mnghmwpi.dll
C:\WINDOWS\system32\spupdsvc.inf
C:\WINDOWS\system32\rbrrte.dll
C:\WINDOWS\system32\isxuwdoi.dll
C:\WINDOWS\system32\farwcxys.dll
C:\WINDOWS\system32\iwyaddog.dll
C:\WINDOWS\system32\bvoxkj.dll
C:\WINDOWS\system32\ivpkxaxv.dll
C:\WINDOWS\system32\alhpte.dll
C:\WINDOWS\system32\poeserbp.dll
C:\WINDOWS\system32\gkxqmjap.dll
C:\WINDOWS\system32\fccCRlKE.dll.vir
C:\WINDOWS\system32\drivers\52dc2a13.sys
F:\Installer.exe

Folder::
C:\Documents and Settings\Administrator\Application Data\AdwareAlert
C:\Documents and Settings\George\Application Data\AdwareAlert
C:\Program Files\AdwareAlert
C:\Documents and Settings\George\Application Data\rhc10vj0eetu

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1505b6d2-4cd8-49c9-bde5-d441547d0d67}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdwareAlert"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fbc7fc3c"=-
"BMf8f4cfa0"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f83c7b4-7560-11dc-94cf-0016367ad937}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer]
"SearchURL"=""

DirLook::
C:\WINDOWS\KU3CLU3CLU3CLU3C
C:\FOUND.007
C:\FOUND.006

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

#5
dziggy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Dear Fenzo,
I am currently on a college tour and my computer is not with me, so I will not be able to perform your instructions until July 9th. I am very sorry for this delay, but I will do as you requested immediately upon my return home. Thank you for your understanding and patience.

#6
fenzodahl512

  • Malware Removal
  • 9,863 posts
Ok.. noted :)

#7
dziggy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Well, I'm back from my tour! :) OK, so I did everything you asked me to do, and here are the logs. (The browser functioned normally right after I deleted Adware Alert, just to let you know.)

ComboFix Log

ComboFix 08-07-09.5 - George 2008-07-10 3:42:59.6 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.206 [GMT -7:00]
Running from: C:\Documents and Settings\George\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\George\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMf8f4cfa0.xml
C:\WINDOWS\system32\alhpte.dll
C:\WINDOWS\system32\bqqslrhc.dll
C:\WINDOWS\system32\bvoxkj.dll
C:\WINDOWS\system32\chrlsqqb.ini
C:\WINDOWS\system32\drivers\52dc2a13.sys
C:\WINDOWS\system32\farwcxys.dll
C:\WINDOWS\system32\fccCRlKE.dll.vir
C:\WINDOWS\system32\gkxqmjap.dll
C:\WINDOWS\system32\isxuwdoi.dll
C:\WINDOWS\system32\ivpkxaxv.dll
C:\WINDOWS\system32\iwyaddog.dll
C:\WINDOWS\system32\mnghmwpi.dll
C:\WINDOWS\system32\nsjlhw.dll
C:\WINDOWS\system32\poeserbp.dll
C:\WINDOWS\system32\rbrrte.dll
C:\WINDOWS\system32\spupdsvc.inf
C:\WINDOWS\system32\tovwbprg.dll
F:\Installer.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\AdwareAlert
C:\Documents and Settings\Administrator\Application Data\AdwareAlert\Log\2008 Jun 29 - 10_03_41 PM_187.log
C:\Documents and Settings\Administrator\Application Data\AdwareAlert\rs.dat
C:\Documents and Settings\Administrator\Application Data\AdwareAlert\Settings\ScanResults.pie
C:\Documents and Settings\George\Application Data\AdwareAlert
C:\Documents and Settings\George\Application Data\AdwareAlert\DataBaseNew.ref
C:\Documents and Settings\George\Application Data\AdwareAlert\Log\2008 Jul 10 - 03_00_42 AM_015.log
C:\Documents and Settings\George\Application Data\AdwareAlert\Log\2008 Jul 10 - 03_00_48 AM_000.log
C:\Documents and Settings\George\Application Data\AdwareAlert\Log\2008 Jul 10 - 03_25_32 AM_109.log
C:\Documents and Settings\George\Application Data\AdwareAlert\rs.dat
C:\Documents and Settings\George\Application Data\AdwareAlert\Settings\ScanResults.pie
C:\WINDOWS\BMf8f4cfa0.xml
C:\WINDOWS\system32\fccCRlKE.dll.vir
C:\WINDOWS\system32\spupdsvc.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_52dc2a13


((((((((((((((((((((((((( Files Created from 2008-06-10 to 2008-07-10 )))))))))))))))))))))))))))))))
.

2008-06-29 22:59 . 2008-06-29 22:59 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-29 22:16 . 2008-06-29 22:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-29 22:00 . 2008-06-29 22:00 <DIR> d--hs---- C:\FOUND.008
2008-06-29 21:25 . 2008-06-29 21:25 <DIR> d-------- C:\VundoFix Backups
2008-06-29 21:04 . 2008-06-29 21:04 <DIR> d-------- C:\Program Files\Opera
2008-06-27 17:01 . 2008-06-27 17:01 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-27 13:36 . 2008-06-27 13:36 <DIR> d-------- C:\WINDOWS\KU3CLU3CLU3CLU3C
2008-06-27 13:34 . 2008-06-27 13:34 <DIR> d--hs---- C:\FOUND.007
2008-06-27 11:53 . 2008-06-27 11:53 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-27 11:53 . 2008-06-27 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-27 11:51 . 2008-06-27 11:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-27 11:37 . 2008-06-27 11:37 <DIR> d--hs---- C:\FOUND.006
2008-06-23 00:58 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-06-17 23:10 . 2008-06-17 23:10 <DIR> d-------- C:\Program Files\Second Sight Software
2008-06-15 18:46 . 2008-06-15 18:46 <DIR> d-------- C:\Documents and Settings\George\Application Data\iWin
2008-06-11 14:15 . 2008-06-11 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-06-11 14:06 . 2008-06-11 14:06 <DIR> d-------- C:\Program Files\TradewindsLegends_at
2008-06-10 15:35 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 15:35 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-05-21 04:49 61,024 ----a-w C:\Documents and Settings\George\Application Data\GDIPFONTCACHEV1.DAT
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-15 05:35 --------- d-----w C:\Program Files\THQ
2008-05-15 04:52 --------- d-----w C:\Documents and Settings\George\Application Data\LimeWire
2008-05-15 04:51 --------- d-----w C:\Program Files\LimeWire
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 04:16 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-23 04:16 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-23 04:16 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-23 04:16 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-23 04:16 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-23 04:16 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2008-04-21 07:04 615,936 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2008-04-21 07:04 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2008-04-21 07:04 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-04-21 07:04 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2008-04-21 07:04 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-04-21 07:04 3,059,712 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-21 07:04 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2008-04-21 07:04 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-04-21 07:03 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2008-04-21 07:03 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2008-04-21 07:03 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2008-04-21 07:03 251,392 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2008-04-21 07:03 205,312 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2008-04-21 07:03 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2008-04-21 07:03 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-04-21 07:03 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2008-04-21 07:03 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2008-04-17 10:52 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2008-04-16 05:20 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\FOUND.006 ----

2008-06-27 11:37 32768 --------- C:\FOUND.006\FILE0031.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0040.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0039.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0038.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0037.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0036.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0035.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0034.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0033.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0032.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0030.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0029.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0028.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0027.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0026.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0025.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0024.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0023.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0022.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0021.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0020.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0019.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0018.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0017.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0016.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0015.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0014.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0013.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0012.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0011.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0010.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0009.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0008.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0007.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0006.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0005.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0004.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0003.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0002.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0001.CHK
2008-06-27 11:37 16384 --------- C:\FOUND.006\FILE0000.CHK

---- Directory of C:\FOUND.007 ----

2008-06-27 13:34 65536 --------- C:\FOUND.007\FILE0000.CHK
2008-06-27 13:34 32768 --------- C:\FOUND.007\FILE0001.CHK
2008-06-27 13:34 16384 --------- C:\FOUND.007\FILE0002.CHK

---- Directory of C:\WINDOWS\KU3CLU3CLU3CLU3C ----



((((((((((((((((((((((((((((( snapshot_2008-07-01_ 0.47.48.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-01 07:32:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-10 10:45:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-02-20 05:32:44 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2008-07-01 07:37:48 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-01 07:55:26 53,838 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-01 07:37:48 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-01 07:55:26 382,260 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 14:21 53248]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-08 07:17 102491]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-08 07:16 692315]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 17:15 45056]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 13:55 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 13:52 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 13:55 118784]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-03-30 13:56 471040]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 16:43 401408]
"ImageItEncrypt"="C:\WINDOWS\system32\ImageItEncrypt.exe" [2005-12-30 14:02 40960]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 00:11 771704]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04 40960]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe" [2004-05-25 09:16 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34 851968]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 04:15 75520]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-16 17:24 88204 C:\WINDOWS\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-27 17:28 16005120 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-10 20:42:57 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\Thrones.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2005-04-22 16:57]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-22 16:57]
R3 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys []
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys []
S2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe []
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 13:12]
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2003-03-14 00:04]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 13:12]
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 13:12]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-01 03:21:50 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - George.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
"2008-07-10 10:25:34 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert.GeorgeWRuns AdwareAlert to scan your computer for malicious and potenially unwanted programs.
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-10 03:46:36
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\INTEL\WIRELESS\BIN\EVTENG.EXE
C:\PROGRAM FILES\INTEL\WIRELESS\BIN\S24EVMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSVCHST.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\APPCORE\APPSVC32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSVCHST.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
.
**************************************************************************
.
Completion time: 2008-07-10 3:49:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-10 10:48:56
ComboFix5.txt 2008-07-01 07:25:36
ComboFix4.txt 2008-07-01 07:47:56
ComboFix3.txt 2008-07-01 07:58:50
ComboFix2.txt 2008-07-10 10:36:22

Pre-Run: 9,997,533,184 bytes free
Post-Run: 9,974,988,800 bytes free

288 --- E O F --- 2008-07-10 10:03:45


HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:50, on 2008-07-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/gs.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zon...mjolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCamSvc - Unknown owner - C:\Program Files\Microsoft LifeCam\MSCamS32.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9569 bytes



P.S. Thanks for all your help so far!

#8
fenzodahl512


  • Malware Removal
  • 9,863 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job

Folder::
C:\WINDOWS\KU3CLU3CLU3CLU3C
C:\FOUND.008
C:\FOUND.007
C:\FOUND.006

3. Save the above as CFScript.txt on your Desktop.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (in case it asks to reboot), please post the ComboFix log in your next reply..



NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Please post the following logs in your next reply..

1. ComboFix
2. Malwarebytes'
3. A fresh HijackThis (after Malwarebytes' step)
4. Tell me about your computer behaviour..


Regards
fenzodahl512

#9
dziggy


    New Member

  • Topic Starter
  • Member
  • 7 posts
New ComboFix Log:

ComboFix 08-07-09.5 - George 2008-07-10 12:21:16.7 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.229 [GMT -7:00]
Running from: C:\Documents and Settings\George\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\George\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.006
C:\FOUND.006\FILE0000.CHK
C:\FOUND.006\FILE0001.CHK
C:\FOUND.006\FILE0002.CHK
C:\FOUND.006\FILE0003.CHK
C:\FOUND.006\FILE0004.CHK
C:\FOUND.006\FILE0005.CHK
C:\FOUND.006\FILE0006.CHK
C:\FOUND.006\FILE0007.CHK
C:\FOUND.006\FILE0008.CHK
C:\FOUND.006\FILE0009.CHK
C:\FOUND.006\FILE0010.CHK
C:\FOUND.006\FILE0011.CHK
C:\FOUND.006\FILE0012.CHK
C:\FOUND.006\FILE0013.CHK
C:\FOUND.006\FILE0014.CHK
C:\FOUND.006\FILE0015.CHK
C:\FOUND.006\FILE0016.CHK
C:\FOUND.006\FILE0017.CHK
C:\FOUND.006\FILE0018.CHK
C:\FOUND.006\FILE0019.CHK
C:\FOUND.006\FILE0020.CHK
C:\FOUND.006\FILE0021.CHK
C:\FOUND.006\FILE0022.CHK
C:\FOUND.006\FILE0023.CHK
C:\FOUND.006\FILE0024.CHK
C:\FOUND.006\FILE0025.CHK
C:\FOUND.006\FILE0026.CHK
C:\FOUND.006\FILE0027.CHK
C:\FOUND.006\FILE0028.CHK
C:\FOUND.006\FILE0029.CHK
C:\FOUND.006\FILE0030.CHK
C:\FOUND.006\FILE0031.CHK
C:\FOUND.006\FILE0032.CHK
C:\FOUND.006\FILE0033.CHK
C:\FOUND.006\FILE0034.CHK
C:\FOUND.006\FILE0035.CHK
C:\FOUND.006\FILE0036.CHK
C:\FOUND.006\FILE0037.CHK
C:\FOUND.006\FILE0038.CHK
C:\FOUND.006\FILE0039.CHK
C:\FOUND.006\FILE0040.CHK
C:\FOUND.007
C:\FOUND.007\FILE0000.CHK
C:\FOUND.007\FILE0001.CHK
C:\FOUND.007\FILE0002.CHK
C:\FOUND.008
C:\FOUND.008\FILE0000.CHK
C:\WINDOWS\KU3CLU3CLU3CLU3C
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job

.
((((((((((((((((((((((((( Files Created from 2008-06-10 to 2008-07-10 )))))))))))))))))))))))))))))))
.

2008-06-29 22:59 . 2008-06-29 22:59 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-29 22:16 . 2008-06-29 22:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-29 21:25 . 2008-06-29 21:25 <DIR> d-------- C:\VundoFix Backups
2008-06-29 21:04 . 2008-06-29 21:04 <DIR> d-------- C:\Program Files\Opera
2008-06-27 17:01 . 2008-06-27 17:01 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-27 11:53 . 2008-06-27 11:53 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-27 11:53 . 2008-06-27 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-27 11:51 . 2008-06-27 11:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-23 00:58 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-06-17 23:10 . 2008-06-17 23:10 <DIR> d-------- C:\Program Files\Second Sight Software
2008-06-15 18:46 . 2008-06-15 18:46 <DIR> d-------- C:\Documents and Settings\George\Application Data\iWin
2008-06-11 14:15 . 2008-06-11 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-06-11 14:06 . 2008-06-11 14:06 <DIR> d-------- C:\Program Files\TradewindsLegends_at
2008-06-10 15:35 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 15:35 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-05-21 04:49 61,024 ----a-w C:\Documents and Settings\George\Application Data\GDIPFONTCACHEV1.DAT
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-15 05:35 --------- d-----w C:\Program Files\THQ
2008-05-15 04:52 --------- d-----w C:\Documents and Settings\George\Application Data\LimeWire
2008-05-15 04:51 --------- d-----w C:\Program Files\LimeWire
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 04:16 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-23 04:16 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-23 04:16 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-23 04:16 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-23 04:16 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-23 04:16 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2008-04-21 07:04 615,936 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2008-04-21 07:04 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2008-04-21 07:04 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-04-21 07:04 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2008-04-21 07:04 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-04-21 07:04 3,059,712 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-21 07:04 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2008-04-21 07:04 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-04-21 07:03 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2008-04-21 07:03 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2008-04-21 07:03 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2008-04-21 07:03 251,392 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2008-04-21 07:03 205,312 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2008-04-21 07:03 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2008-04-21 07:03 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-04-21 07:03 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2008-04-21 07:03 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2008-04-17 10:52 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2008-04-16 05:20 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
.

((((((((((((((((((((((((((((( snapshot_2008-07-01_ 0.47.48.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-01 07:32:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-10 10:45:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-02-20 05:32:44 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2008-07-01 07:37:48 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-10 10:51:30 53,838 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-01 07:37:48 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-10 10:51:30 382,260 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 14:21 53248]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-08 07:17 102491]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-08 07:16 692315]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 17:15 45056]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 13:55 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 13:52 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 13:55 118784]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-03-30 13:56 471040]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 16:43 401408]
"ImageItEncrypt"="C:\WINDOWS\system32\ImageItEncrypt.exe" [2005-12-30 14:02 40960]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 00:11 771704]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04 40960]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe" [2004-05-25 09:16 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34 851968]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 04:15 75520]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-16 17:24 88204 C:\WINDOWS\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-27 17:28 16005120 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-10 20:42:57 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\Thrones.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2005-04-22 16:57]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-22 16:57]
R3 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys []
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys []
S2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe []
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 13:12]
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2003-03-14 00:04]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 13:12]
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 13:12]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-01 03:21:50 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - George.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-10 12:23:00
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-10 12:23:25
ComboFix-quarantined-files.txt 2008-07-10 19:23:22
ComboFix5.txt 2008-07-01 07:47:56
ComboFix4.txt 2008-07-01 07:58:50
ComboFix3.txt 2008-07-10 10:36:22
ComboFix2.txt 2008-07-10 10:49:06

Pre-Run: 8,130,920,448 bytes free
Post-Run: 8,114,896,896 bytes free

228 --- E O F --- 2008-07-10 10:03:45


MBAM Log:

Malwarebytes' Anti-Malware 1.20
Database version: 937
Windows 5.1.2600 Service Pack 2

12:59:02 2008-07-10
mbam-log-7-10-2008 (12-59-02).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 108561
Time elapsed: 31 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearc...com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{7FCE823D-1651-485D-A73E-665487398EF3}\RP158\A0036248.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7FCE823D-1651-485D-A73E-665487398EF3}\RP158\A0036249.dll (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7FCE823D-1651-485D-A73E-665487398EF3}\RP158\A0036258.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7FCE823D-1651-485D-A73E-665487398EF3}\RP163\A0037315.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7FCE823D-1651-485D-A73E-665487398EF3}\RP165\A0037606.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7FCE823D-1651-485D-A73E-665487398EF3}\RP166\A0039552.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7FCE823D-1651-485D-A73E-665487398EF3}\RP166\A0039564.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7FCE823D-1651-485D-A73E-665487398EF3}\RP166\A0039565.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7FCE823D-1651-485D-A73E-665487398EF3}\RP170\A0040986.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\khfFXqQk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ivpkxaxv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fccCRlKE.dll.vir.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMf8f4cfa0.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\George\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.


HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:08, on 2008-07-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/gs.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zon...mjolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCamSvc - Unknown owner - C:\Program Files\Microsoft LifeCam\MSCamS32.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9717 bytes


Computer Status Report:
My computer seems to be functioning normally. The browser/internet seems to be working fine. I am no longer receiving popups or other forms of spam. I am still uncertain, however, about whether or not Vundo was completely removed. This trojan has been a constant pest so I'm not sure if it's completely wiped out. I hope you can tell me something from my current log reports. Thanks for your time and help, I truly appreciate it!

#10
fenzodahl512


  • Malware Removal
  • 9,863 posts
Good news.. Your logs look clean to my eyes...


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between x and / is needed




NEXT


Please Install/Update Sun Java

Updating Java:
  • Go to Start --> Control Panel --> Add or Remove Programs.
  • Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
  • It should have this icon next to it: Posted Image
  • Select it and click Remove. This will uninstall the previous (outdated) version of Java.
  • Then download and install the newest version from here: Java Runtime Environment (JRE) 6 Update 7




NEXT


I noticed you already have..

1. Symantec as antivirus
2. Malwarebytes' as antispyware..



However, I haven't seen any third-party firewall in your logs.. Do you have any? If you don't, please install ONLY ONE of these free and excellent firewalls below:
After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall and choose Off (not recommended) option. Then please click Apply and Ok.





Lastly, to keep your operating system up to date please visit the link below monthly

To learn more about how to protect yourself while on the internet read this excellent article by Tony Klein: So how did I get infected in the first place?

Please also read an excellent article by miekiemoes: Help! My computer is slow!

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512

#11
dziggy


    New Member

  • Topic Starter
  • Member
  • 7 posts
My computer behavior is excellent and I have not encountered any faults or lags. Thank you for your help and I suppose you can close this thread now. But before you close this thread I have one final question. Could you suggest any good antivirus programs that are free? My Norton antivirus only has 60 days left so I was just wondering if there are any other options out there. (I'm not particularly pleased with the effectiveness of Norton).

Thanks for everything!

"Mischief Managed"

Edited by dziggy, 11 July 2008 - 01:54 PM.


#12
fenzodahl512


  • Malware Removal
  • 9,863 posts

My computer behavior is excellent and I have not encountered any faults or lags. Thank you for your help and I suppose you can close this thread now. But before you close this thread I have one final question. Could you suggest any good antivirus programs that are free? My Norton antivirus only has 60 days left so I was just wondering if there are any other options out there. (I'm not particularly pleased with the effectiveness of Norton).

Thanks for everything!

"Mischief Managed"



Sure.. Please choose ONLY ONE of the following list.. It's up to you to use which one...



Any more questions?


Regards
fenzodahl512

#13
dziggy


    New Member

  • Topic Starter
  • Member
  • 7 posts
Nope. That's all my questions. Thanks for everything! You can close this thread now.


Dziggy

#14
fenzodahl512


  • Malware Removal
  • 9,863 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.