Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

FOLLOWED INSTRUCTIONS ON clickbeforepostingahijackthislog [RESOLVED]


  • This topic is locked This topic is locked

#1
Chad Oneal

Chad Oneal

    Member

  • Member
  • PipPip
  • 45 posts
Heres what happened, downloaded a file... BAN! My background changed to something about my computer being infected and use a anti virus, which was so halariously sitting on my desktop(which i didnt have before) ready for me to launch. Internet went out, device manager empty, 10 extra procceses. After malware, virus removal Ive got it almost back to normall. But even after updating drivers, my computer still cant recognize my router, and I cant do ANY updates. Microsoft, anti virus, spybot, anythign. WHen you click on update it gets some kind of connection error. So i have to run them as installed. Hope that helps. THANKS SO MUCH IN ADVANCE
OKay, using Windows XP here is my loggs.

HIJACK THIS LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:25 PM, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cy...mallsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uace] "C:\WINDOWS\system32\SMBOLS~1\iexplore.exe" -vt yazb
O4 - HKCU\..\Run: [Mxmez] "C:\Program Files\?dobe\r?ndll.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Galaxy P2P Plus\Ares.exe" -h
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-21-1417001333-261478967-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1417001333-261478967-725345543-1003\..\Run: [Uace] "C:\WINDOWS\system32\SMBOLS~1\iexplore.exe" -vt yazb (User '?')
O4 - HKUS\S-1-5-21-1417001333-261478967-725345543-1003\..\Run: [Mxmez] "C:\Program Files\?dobe\r?ndll.exe" (User '?')
O4 - HKUS\S-1-5-21-1417001333-261478967-725345543-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1417001333-261478967-725345543-1003\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe "/Trigger RunAtLogon" (User '?')
O4 - HKUS\S-1-5-21-1417001333-261478967-725345543-1003\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-1417001333-261478967-725345543-1003\..\Run: [ares] "C:\Program Files\Ares Galaxy P2P Plus\Ares.exe" -h (User '?')
O4 - HKUS\S-1-5-21-1417001333-261478967-725345543-1003\..\Run: [Aim6] (User '?')
O4 - HKUS\S-1-5-21-1417001333-261478967-725345543-1003\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-21-1417001333-261478967-725345543-1003 Startup: PowerReg Scheduler.exe (User '?')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: DNS4Me Tray.lnk = C:\Program Files\RhinoSoft.com\DNS4Me\DNS4MeClient.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\WEB2~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comca..... Controls.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189461425046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203305127015
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://demos.webex....bex/ieatgpc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll,avgrsstx.dll,
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 9669 bytes
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#3
Chad Oneal

Chad Oneal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Thank you for your help. I gave it a try in cronological order. But the same symptom applies here, so I ceased to run the Combofix. When I isntall Windows Recovery from the WinXp Cd, It goes into its Dynamic Update with Microsoft (Connecting to Microsoft). And even though internet access is working fine, it fails to update. The wizard was unable to downloaded the updated windows setupfile. So I downloaded it as another options suggest, but when i drag the icon over ther combo fix icon, it does not install it. It only starts running the combofix program and goes through is scans procedures . THANKS

omboFix 08-07-25.7 - admin 2008-07-26 9:34:42.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.274 [GMT -5:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\admin\Application Data\macromedia\Flash Player\#SharedObjects\X8TMAWPW\interclick.com
C:\Documents and Settings\admin\Application Data\macromedia\Flash Player\#SharedObjects\X8TMAWPW\interclick.com\ud.sol
C:\Documents and Settings\admin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\admin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\admin\g2mdlhlpx.exe
C:\Program Files\dobe~1
C:\WINDOWS\system32\_000003_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-25 22:38 . 2008-07-25 22:38 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Malwarebytes
2008-07-25 22:37 . 2008-07-25 22:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-25 22:37 . 2008-07-25 22:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-25 22:37 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-25 22:37 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-25 22:29 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2008-07-25 22:28 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-07-25 22:27 . 2004-08-03 22:41 404,990 --a--c--- C:\WINDOWS\system32\dllcache\slntamr.sys
2008-07-25 22:26 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-07-25 22:25 . 2004-08-04 00:56 4,274,816 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-07-25 22:24 . 2004-08-04 00:56 1,737,856 --a--c--- C:\WINDOWS\system32\dllcache\mtxparhd.dll
2008-07-25 22:23 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-07-25 22:22 . 2001-08-17 22:36 372,824 --a--c--- C:\WINDOWS\system32\dllcache\iconf32.dll
2008-07-25 22:21 . 2004-08-03 22:41 1,041,536 --a--c--- C:\WINDOWS\system32\dllcache\hsfdpsp2.sys
2008-07-25 22:20 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-07-25 22:19 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-07-25 22:18 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-07-25 22:17 . 2004-08-04 00:56 1,888,992 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-07-25 22:16 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-07-25 22:15 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-07-25 22:06 . 2008-07-25 22:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-25 20:45 . 2008-07-25 22:43 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-25 20:16 . 2008-07-25 20:16 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-25 20:16 . 2008-07-25 20:16 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-25 20:15 . 2008-07-25 20:15 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-25 20:15 . 2008-07-25 20:15 <DIR> d-------- C:\Program Files\AVG
2008-07-25 20:15 . 2008-07-25 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-25 20:15 . 2008-07-25 20:17 <DIR> d-------- C:\Documents and Settings\admin\Application Data\AVGTOOLBAR
2008-07-25 18:57 . 2008-07-25 18:57 <DIR> d-------- C:\Program Files\Acoolsoft
2008-07-24 20:28 . 2008-07-25 19:16 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-07-24 19:16 . 2008-07-24 19:16 <DIR> d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-07-24 19:16 . 2008-07-24 19:16 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-07-24 19:16 . 2008-07-24 19:16 <DIR> d-------- C:\Documents and Settings\admin\Application Data\SmartFTP
2008-07-24 18:58 . 2008-07-24 19:14 <DIR> d-------- C:\Documents and Settings\admin\Application Data\CoreFTP
2008-07-24 18:57 . 2008-07-24 18:57 <DIR> d-------- C:\Program Files\CoreFTP
2008-07-24 16:04 . 2008-07-25 19:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-24 16:04 . 2008-07-24 16:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-23 22:03 . 2008-07-23 22:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-23 21:57 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-07-23 21:57 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-07-23 21:56 . 2008-07-23 21:56 <DIR> d-------- C:\Program Files\Bonjour
2008-07-23 21:46 . 2008-07-23 21:46 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-23 00:53 . 2008-07-23 00:53 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-07-23 00:51 . 2008-07-23 00:51 <DIR> d-------- C:\Program Files\Microsoft Expression
2008-07-23 00:39 . 2008-07-23 00:39 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-07-23 00:39 . 2008-07-23 00:39 <DIR> d-------- C:\Program Files\MSBuild
2008-07-23 00:38 . 2008-07-23 00:38 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-07-23 00:38 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-07-21 20:31 . 2008-07-22 20:10 <DIR> d-------- C:\Program Files\Conference
2008-07-20 11:59 . 2008-07-20 11:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-20 11:59 . 2008-07-20 12:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-20 11:56 . 2008-07-20 11:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-20 11:54 . 2008-07-20 11:54 73 --a------ C:\WINDOWS\st_affiliate.ini
2008-07-20 11:08 . 2008-07-20 11:38 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-20 11:08 . 2008-07-20 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ludia
2008-07-20 11:08 . 2008-07-20 11:08 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Ludia
2008-07-20 11:07 . 2008-07-20 11:07 <DIR> d-------- C:\Program Files\Common Files\Oberon Media
2008-07-20 11:07 . 2008-07-20 12:24 <DIR> d-------- C:\Program Files\Chill
2008-07-18 16:52 . 2008-07-20 12:23 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Uniblue
2008-07-16 20:13 . 2008-07-16 20:15 <DIR> d-------- C:\Program Files\Linksys EasyLink Advisor
2008-07-16 20:05 . 2008-07-16 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comcast
2008-07-14 03:07 . 2008-07-14 03:07 <DIR> d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-07-13 18:41 . 2008-07-13 18:46 <DIR> d-------- C:\Program Files\LimeWire
2008-07-13 18:41 . 2008-07-13 18:45 <DIR> d-------- C:\Documents and Settings\admin\Application Data\LimeWire
2008-07-13 18:32 . 2008-07-13 20:04 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Apple Computer
2008-07-13 18:31 . 2008-07-13 18:32 <DIR> d-------- C:\Program Files\QuickTime
2008-07-13 18:30 . 2008-07-13 18:30 <DIR> d-------- C:\Program Files\iTunes
2008-07-13 18:29 . 2008-07-13 18:29 <DIR> d-------- C:\Program Files\iPod
2008-07-13 18:29 . 2008-07-13 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-13 18:29 . 2004-12-18 20:32 38,229 --------- C:\WINDOWS\system32\drivers\StMp3Rec.sys
2008-07-13 17:29 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-13 17:29 . 2008-06-13 08:10 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 12:48 --------- d-----w C:\Documents and Settings\admin\Application Data\Move Networks
2008-07-26 02:10 --------- d-----w C:\Program Files\32Vegas Casino
2008-07-26 00:17 --------- d-----w C:\Program Files\Java
2008-07-24 18:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-23 06:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-20 17:26 --------- d-----w C:\Program Files\MorpheusBar
2008-07-20 17:24 --------- d-----w C:\Program Files\Citrix
2008-07-20 17:23 --------- d-----w C:\Program Files\Vstep
2008-07-20 17:22 --------- d-----w C:\Program Files\VstPlugins
2008-07-20 17:22 --------- d-----w C:\Program Files\Image-Line
2008-07-20 17:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-07-20 17:19 --------- d-----w C:\Program Files\PCFriendly
2008-07-20 16:56 --------- d-----w C:\Program Files\Prima Games
2008-07-14 08:08 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-13 23:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-16 16:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 00:56 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 20:47 8720384]

[HKLM\~\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\admin\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DNS4Me Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DNS4Me Tray.lnk
backup=C:\WINDOWS\pss\DNS4Me Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=C:\WINDOWS\pss\Monitor Apache Servers.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mxmez]
C:\Program Files\?dobe\r?ndll.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-02-28 23:06 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-07-25 20:15 1232152 C:\PROGRA~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro]
--a------ 2008-01-30 21:24 1481472 C:\Program Files\COMODO\Firewall\cfp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2007-03-15 18:16 454784 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 09:35 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-12-20 20:54 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-07-13 18:31 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\Conference\\Conference.dll"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-25 20:16]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-01-30 21:24]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-01-30 21:24]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-25 20:15]
S4 DynDNS_Updater_Service;DynDNS Updater Service;C:\Program Files\DynDNS Updater\DynDNS.exe []
S4 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 22:08]
S4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 16:38]
.
Contents of the 'Scheduled Tasks' folder
2008-07-20 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job - s !7C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe-sadmin0' []
2008-07-18 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
MSConfigStartUp-ares - C:\Program Files\Ares Galaxy P2P Plus\Ares.exe
MSConfigStartUp-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-ddoctorv2 - C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
MSConfigStartUp-GoToMeeting - C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
MSConfigStartUp-Uace - C:\WINDOWS\system32\SMBOLS~1\iexplore.exe
MSConfigStartUp-vptray - C:\PROGRA~1\SYMANT~1\VPTray.exe
MSConfigStartUp-WinVNC - C:\Program Files\TightVNC\WinVNC.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Window Title = Windows Internet Explorer provided by Comcast
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O18 -: Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - C:\Program Files\CoreFTP\pftpns.dll

O16 -: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab
C:\WINDOWS\Downloaded Program Files\sprtexternal.inf
C:\WINDOWS\Downloaded Program Files\tgctlsi.dll
C:\WINDOWS\Downloaded Program Files\sprtexternal.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 09:38:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-26 9:42:27
ComboFix-quarantined-files.txt 2008-07-26 14:41:23

Pre-Run: 9,187,618,816 bytes free
Post-Run: 9,176,440,832 bytes free

228 --- E O F --- 2008-07-25 23:52:49



HIJACK THIS:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:55 AM, on 7/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\WEB2~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comca..... Controls.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189461425046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203305127015
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://demos.webex....bex/ieatgpc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5894 bytes

Edited by Chad Oneal, 26 July 2008 - 08:45 AM.

  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::
C:\Program Files\?dobe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mxmez]

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall





Please do an online scan with Kaspersky WebScanner

Make sure you are using Internet Explorer for this. Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#5
Chad Oneal

Chad Oneal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
ASPERSKY ONLINE SCANNER REPORT
Sunday, July 27, 2008 2:34:43 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/07/2008
Kaspersky Anti-Virus database records: 1014904
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 91047
Number of viruses found: 6
Number of infected objects: 47
Number of suspicious objects: 0
Duration of the scan process: 01:59:58

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\History\History.IE5\MSHist012008072720080728\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\temp\~DFC0FD.tmp Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\666.zip/Chad/music/KazaaUpdate132.exe/data0003/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\666.zip/Chad/music/KazaaUpdate132.exe/data0003/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor.c skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\666.zip/Chad/music/KazaaUpdate132.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cydoor.c skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\666.zip/Chad/music/KazaaUpdate132.exe/data0005/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.aa skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\666.zip/Chad/music/KazaaUpdate132.exe/data0005/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\666.zip/Chad/music/KazaaUpdate132.exe/data0005 Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\666.zip/Chad/music/KazaaUpdate132.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\666.zip/Chad/music/KazaaUpdate133.exe/data0003/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\666.zip/Chad/music/KazaaUpdate133.exe/data0003/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor.c skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\666.zip/Chad/music/KazaaUpdate133.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cydoor.c skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\666.zip/Chad/music/KazaaUpdate133.exe/data0006/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.aa skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\666.zip/Chad/music/KazaaUpdate133.exe/data0006/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\666.zip/Chad/music/KazaaUpdate133.exe/data0006 Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\666.zip/Chad/music/KazaaUpdate133.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\666.zip ZIP: infected - 14 skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\music.zip/music/KazaaUpdate132.exe/data0003/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\music.zip/music/KazaaUpdate132.exe/data0003/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor.c skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\music.zip/music/KazaaUpdate132.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cydoor.c skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\music.zip/music/KazaaUpdate132.exe/data0005/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.aa skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\music.zip/music/KazaaUpdate132.exe/data0005/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\music.zip/music/KazaaUpdate132.exe/data0005 Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\music.zip/music/KazaaUpdate132.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\music.zip/music/KazaaUpdate133.exe/data0003/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\music.zip/music/KazaaUpdate133.exe/data0003/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor.c skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\music.zip/music/KazaaUpdate133.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cydoor.c skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\music.zip/music/KazaaUpdate133.exe/data0006/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.aa skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\music.zip/music/KazaaUpdate133.exe/data0006/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\music.zip/music/KazaaUpdate133.exe/data0006 Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\music.zip/music/KazaaUpdate133.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\music.zip ZIP: infected - 14 skipped
C:\Documents and Settings\admin\My Documents\pxsx2\music\KazaaUpdate132.exe/data0003/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Documents and Settings\admin\My Documents\pxsx2\music\KazaaUpdate132.exe/data0003/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor.c skipped
C:\Documents and Settings\admin\My Documents\pxsx2\music\KazaaUpdate132.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cydoor.c skipped
C:\Documents and Settings\admin\My Documents\pxsx2\music\KazaaUpdate132.exe/data0005/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.aa skipped
C:\Documents and Settings\admin\My Documents\pxsx2\music\KazaaUpdate132.exe/data0005/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\admin\My Documents\pxsx2\music\KazaaUpdate132.exe/data0005 Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\admin\My Documents\pxsx2\music\KazaaUpdate132.exe Inno: infected - 6 skipped
C:\Documents and Settings\admin\My Documents\pxsx2\music\KazaaUpdate133.exe/data0003/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Documents and Settings\admin\My Documents\pxsx2\music\KazaaUpdate133.exe/data0003/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor.c skipped
C:\Documents and Settings\admin\My Documents\pxsx2\music\KazaaUpdate133.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cydoor.c skipped
C:\Documents and Settings\admin\My Documents\pxsx2\music\KazaaUpdate133.exe/data0006/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.aa skipped
C:\Documents and Settings\admin\My Documents\pxsx2\music\KazaaUpdate133.exe/data0006/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\admin\My Documents\pxsx2\music\KazaaUpdate133.exe/data0006 Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\admin\My Documents\pxsx2\music\KazaaUpdate133.exe Inno: infected - 6 skipped
C:\Documents and Settings\admin\ntuser.dat Object is locked skipped
C:\Documents and Settings\admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpriv.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Morpheus\morpheustoolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7679A7AB-FD07-4317-A9FE-47FC813E9D66}\RP13\change.log Object is locked skipped
C:\System Volume Information\_restore{7679A7AB-FD07-4317-A9FE-47FC813E9D66}\RP2\A0001152.exe Object is locked skipped
C:\System Volume Information\_restore{7679A7AB-FD07-4317-A9FE-47FC813E9D66}\RP2\A0001153.exe Object is locked skipped
C:\System Volume Information\_restore{7679A7AB-FD07-4317-A9FE-47FC813E9D66}\RP2\A0003721.exe Object is locked skipped
C:\System Volume Information\_restore{7679A7AB-FD07-4317-A9FE-47FC813E9D66}\RP2\A0003746.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 skipped
C:\System Volume Information\_restore{7679A7AB-FD07-4317-A9FE-47FC813E9D66}\RP2\A0003746.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{7679A7AB-FD07-4317-A9FE-47FC813E9D66}\RP2\A0003768.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SLEvtLog.evt Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

Scan process completed.
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\666.zip
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\music.zip/music/KazaaUpdate132.exe
C:\Documents and Settings\admin\My Documents\pxsx2\Chad\music.zip/music/KazaaUpdate133.exe
C:\Documents and Settings\admin\My Documents\pxsx2\music\KazaaUpdate132.exe
C:\Documents and Settings\admin\My Documents\pxsx2\music\KazaaUpdate133.exe
C:\Program Files\Morpheus\morpheustoolbar.exe

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall






Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    purity 
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Also post a new HijackThis log
  • 0

#7
Chad Oneal

Chad Oneal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Explorer killed successfully
< purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\admin\LOCALS~1\Temp\lilo2 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\admin\LOCALS~1\Temp\lilo3 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\admin\LOCALS~1\Temp\lilo4 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\admin\LOCALS~1\Temp\~DF4514.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07272008_210149

Files moved on Reboot...
File C:\DOCUME~1\admin\LOCALS~1\Temp\lilo2 not found!
File C:\DOCUME~1\admin\LOCALS~1\Temp\lilo3 not found!
File C:\DOCUME~1\admin\LOCALS~1\Temp\lilo4 not found!
C:\DOCUME~1\admin\LOCALS~1\Temp\~DF4514.tmp moved successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:40 AM, on 7/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mxmez] "C:\Program Files\?dobe\r?ndll.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\WEB2~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comca..... Controls.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189461425046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203305127015
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://demos.webex....bex/ieatgpc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 7367 bytes

Edited by Chad Oneal, 28 July 2008 - 01:43 AM.

  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
  • 0

#9
Chad Oneal

Chad Oneal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
For a side note, computer is running much slower. I have done the following.
In the beggining before posting I was told to update through Microsoft. I thought I had through Automatic update, but when I actually went to the Microsoft site it found ALOT more i needed. So I updated to SP3. Rid more usless programs through UNinstall, and did a disk defrag which I hadnt in some time. Another thing i noticed when I did the defrag. You know how in you start-> programs the menus select will usually only show the programs you ran recently and the rest are hidden behind a drop down arrow. Well right next to System Resotore this morning, Remote Desktop Connection is there and I never selected that progam EVER. unless that was a SP3 addon i dont know. Also, after the reboot from defrag I went to sleep and AVG Anti Virus was running. It always take an hour to an hour and half, this morning I come in and Its still scanning 2 hours 45 minutes later via the elapsed time menu..... Slooooooooooooowww... On another note, the svchost that controlls AUDIO almost everyday gets into the 150000 to 200000 memory usage range, and I wont even be using any audio software at all. Internet, and programs will be running and freeze up, as soon as i stop that process it runs smooth again(obviously no more audio after that)

Heres my log, no malitious found...


Malwarebytes' Anti-Malware 1.23
Database version: 994
Windows 5.1.2600 Service Pack 3

3:04:46 PM 7/28/2008
mbam-log-7-28-2008 (15-04-46).txt

Scan type: Quick Scan
Objects scanned: 42769
Time elapsed: 8 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image



  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#11
Chad Oneal

Chad Oneal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Well first and for most thank you extremely for your help. I am a Geek In Training myself so your help was more then usefull and I am gratefull.
My computer is kind of running slow but I think its time for a memory upgrade non the less. Hope to work along side of you in the near future!!

edit bump...

I remembered the importance of updating everyone on how things went. After all the fixes my computer was running obnoziously slow. But clean non the less. So I did a PCPitStop scan to get a general Idea of what may be slowing it down. Besides the fact that now I have anti-virus, and anti spyware programs running now which use up a lot of ram that wasnt being used before, I felt it was slower then neccisary. The svchost bug is one that annoys me alot, so many services being ran under one file. But really a super cache clean(including starting in safe mode and doing a del index.dat /s what I did and maybe recommend to fellow users is a goooooooood defrag.. Not a windows defrag either. Get a good after market defrag program.
Its the only time Ive actually seen performance results from degraging. Night and Day. Havnt used enough to make any suggestions so youll have to look on your own. THANKS AGAIN.

Edited by Chad Oneal, 29 July 2008 - 01:31 AM.

  • 0

#12
Chad Oneal

Chad Oneal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
edit bump
  • 0

#13
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP