My computer is out of wack, too many viruses I think. [CLOSED]


  • This topic is locked

#16
handmedown

handmedown

    Member

  • Topic Starter
  • Member
  • 14 posts
So far it seems like a false alarm. But it might be catching up later in the day. Have you found any new info on my comp's condition?

#17
Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey handmedown,

There are still some infected files and registry keys in there, let's run some scripts and tools to remove them.

1) Upload files for analysis

There is a file we need to submit for analysis by experts. Please follow the instructions below carefully.

Please ensure you can view hidden files and folders by doing the following:

  • Go to Start>Control Panel and go under Appearances and Themes
  • Click on Folder Options and go under View tab
  • Ensure that "Show hidden files and folders" is selected and click Apply

Next

Please go here and read the instructions carefully.

After you have read and understood the instructions, proceed here to start a new topic and upload the file.

Under "Subject:", please fill in New renos for S!Ri from Geekstogo, then fill in the relevant details and upload the following file by using the "Browse" button and navigating to the correct directory.

C:\Documents and Settings\Convict 4Lif3\Application Data\DivX\arscore.dll

Important! Don't forget to give a link to THIS thread.

After you are done, click on "Post".

2) Run a registry script

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERUNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
Next

Please open notepad, and copy/paste the following text (including REGEDIT4) into the notepad window:

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"="avgrsstx.dll"

  • Save the file above as fixit.reg on the desktop.
  • Double click on it. A window will open and prompt you if you want to merge it with the registry, click "Yes".
  • Another window will pop up informing you the merge was successful.

3) Run HijackThis

Please re-open HijackThis and Do a System Scan Only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {3753B44D-E02F-48B7-81B1-19A377BCCB63} - C:\Documents and Settings\Convict 4Lif3\Application Data\DivX\arscore.dll
O20 - Winlogon Notify: arscore - C:\Documents and Settings\Convict 4Lif3\Application Data\DivX\arscore.dll

Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.

4) Run OTMoveIt2

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Documents and Settings\Convict 4Lif3\Application Data\DivX\arscore.dll
    purity
    emptytemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

5) Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

6) Run DSS

Please double-click on dss.exe.
DSS will now run again.
Please post back both logs that open in notepad.
Main txt and extra txt

Next reply (please include):

Fresh HijackThis log
OTMoveIt2 log
MBAM scan log
DSS logs

Edited by Ltangelic, 18 August 2008 - 07:39 AM.

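As an added example (not code from the thread, from HijackThis or from OTMoveIt2), the Python below does by script what steps 2 and 3 above do by eye: it decodes the REGEDIT4 hex(7) value in the LSA fix to show that it resets Authentication Packages to msv1_0 alone, and it flags the HijackThis O2/O20 entries that merit a closer look (DLLs loaded from a user's Application Data, orphaned "(file missing)" entries, AppInit_DLLs names not on an allow-list). The sample log lines are constructed from the ones quoted in this thread, and the KNOWN_APPINIT allow-list is an assumption taken from the fix script's own value.

```python
import re

# Constructed sample: a handful of HijackThis lines modelled on those quoted in
# this thread (single backslashes in the real log; doubled here for Python).
SAMPLE_HJT_LOG = """\
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn0\\yt.dll
O2 - BHO: (no name) - {3753B44D-E02F-48B7-81B1-19A377BCCB63} - C:\\Documents and Settings\\Convict 4Lif3\\Application Data\\DivX\\arscore.dll
O2 - BHO: (no name) - {E6062720-CD57-415F-8D36-9DD576FCB56D} - C:\\WINDOWS\\system32\\nnnnNHaA.dll (file missing)
O20 - Winlogon Notify: arscore - C:\\Documents and Settings\\Convict 4Lif3\\Application Data\\DivX\\arscore.dll
O20 - AppInit_DLLs: avgrsstx.dll zpdevp.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\\PROGRA~1\\AVG\\AVG8\\avgwdsvc.exe
"""

# The registry fix from the thread, in REGEDIT4 form.
FIX_REG = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"appinit_dlls"="avgrsstx.dll"
"""

# Assumption: the only AppInit DLL the fix keeps is AVG's, so anything else is unexpected.
KNOWN_APPINIT = {"avgrsstx.dll"}


def decode_hex7(data: str) -> list[str]:
    """Decode a REGEDIT4 hex(7) (REG_MULTI_SZ, narrow chars) payload into its strings.

    Commas, whitespace and line-continuation backslashes separate the hex bytes.
    Each string is NUL-terminated and the list ends with an extra NUL, so the
    trailing empty pieces are dropped (embedded empty strings are dropped too,
    which is fine for this check)."""
    raw = bytes(int(b, 16) for b in re.split(r"[,\s\\]+", data.strip()) if b)
    return [piece.decode("latin-1") for piece in raw.split(b"\x00") if piece]


def parse_reg(text: str) -> dict[tuple[str, str], object]:
    """Minimal REGEDIT4 parser: {(key, value_name): data} for quoted-string and hex(7) data."""
    entries: dict[tuple[str, str], object] = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and "=" in line and key is not None:
            name, _, value = line.partition("=")
            name = name.strip('"')
            if value.startswith("hex(7):"):
                entries[(key, name)] = decode_hex7(value[len("hex(7):"):])
            elif value.startswith('"'):
                entries[(key, name)] = value.strip('"')
    return entries


HJT_LINE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# A DLL under a user's roaming/local profile is unusual for a BHO or Winlogon Notify package.
USER_PROFILE = re.compile(r"\\Documents and Settings\\[^\\]+\\(Application Data|Local Settings)\\", re.I)


def triage_hjt(log: str) -> list[tuple[str, str]]:
    """Return (reason, log line) pairs for O2/O20 entries worth checking."""
    findings: list[tuple[str, str]] = []
    for line in log.splitlines():
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, kind, rest = m.groups()
        if section == "O20" and kind == "AppInit_DLLs":
            for dll in rest.split():
                if dll.lower() not in KNOWN_APPINIT:
                    findings.append(("unexpected AppInit_DLLs entry: " + dll, line))
        elif section in ("O2", "O20"):
            if rest.endswith("(file missing)"):
                findings.append(("orphaned entry, file missing", line))
            elif USER_PROFILE.search(rest):
                findings.append(("loads a DLL from a user profile directory", line))
            elif section == "O2" and rest.startswith("(no name)"):
                findings.append(("unnamed BHO", line))
    return findings


def appinit_removed_by_fix(log: str, reg_text: str) -> set[str]:
    """Which AppInit_DLLs names in the log the fix script's value would drop."""
    fix = parse_reg(reg_text)
    kept = {str(v).lower() for (_, name), v in fix.items() if name.lower() == "appinit_dlls"}
    current: set[str] = set()
    for line in log.splitlines():
        m = HJT_LINE.match(line)
        if m and m.group(1) == "O20" and m.group(2) == "AppInit_DLLs":
            current.update(d.lower() for d in m.group(3).split())
    return current - kept


if __name__ == "__main__":
    for reason, line in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{reason}] {line}")
    print("LSA Authentication Packages after fix:", decode_hex7("6d,73,76,31,5f,30,00,00"))
    print("AppInit DLLs the fix removes:", appinit_removed_by_fix(SAMPLE_HJT_LOG, FIX_REG))
```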

#18
handmedown

handmedown

    Member

  • Topic Starter
  • Member
  • 14 posts
The computer won't allow me to view hidden files.

#19
Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Are you able to find that file though?

#20
handmedown

handmedown

    Member

  • Topic Starter
  • Member
  • 14 posts
Link to upload:

http://thespykiller....97.new.html#new.

#21
Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Thanks for alerting me, please continue with the rest of the instructions. :)

#22
handmedown

handmedown

    Member

  • Topic Starter
  • Member
  • 14 posts
I do not see a
O2 - BHO: (no name) - {3753B44D-E02F-48B7-81B1-19A377BCCB63} - C:\Documents and Settings\Convict 4Lif3\Application Data\DivX\arscore.dll
O20 - Winlogon Notify: arscore - C:\Documents and Settings\Convict 4Lif3\Application Data\DivX\arscore.dll

in hijack

#23
Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Carry on with the rest, don't worry about HijackThis, we'll deal with it later. :)

#24
handmedown

handmedown

    Member

  • Topic Starter
  • Member
  • 14 posts
HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:05 AM, on 8/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E6062720-CD57-415F-8D36-9DD576FCB56D} - C:\WINDOWS\system32\nnnnNHaA.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [OTScanIt] C:\Documents and Settings\Compaq_Administrator.JESTASIA\Desktop\OTMoveIt2.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinn...rabblecubes.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...jattack/bja.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll zpdevp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 7948 bytes




OTMOVEIT2

Explorer killed successfully
C:\Documents and Settings\Convict 4Lif3\Application Data\DivX\arscore.dll unregistered successfully.
File move failed. C:\Documents and Settings\Convict 4Lif3\Application Data\DivX\arscore.dll scheduled to be moved on reboot.
< purity >
< emptytemp >
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08182008_100527

DSS
Main.txt

Deckard's System Scanner v20071014.68
Run by Compaq_Administrator on 2008-08-18 10:56:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Compaq_Administrator.exe) --------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:32 AM, on 8/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Administrator.JESTASIA\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\COMPAQ~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3753B44D-E02F-48B7-81B1-19A377BCCB63} - C:\Documents and Settings\Convict 4Lif3\Application Data\DivX\arscore.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E6062720-CD57-415F-8D36-9DD576FCB56D} - C:\WINDOWS\system32\nnnnNHaA.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [OTScanIt] C:\Documents and Settings\Compaq_Administrator.JESTASIA\Desktop\OTMoveIt2.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinn...rabblecubes.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...jattack/bja.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll zpdevp.dll
O20 - Winlogon Notify: arscore - C:\Documents and Settings\Convict 4Lif3\Application Data\DivX\arscore.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 8231 bytes

-- Files created between 2008-07-18 and 2008-08-18 -----------------------------

2008-08-18 10:10:41 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-17 10:34:04 0 d--h----- C:\WINDOWS\example
2008-08-16 12:27:53 0 d-------- C:\VundoFix Backups
2008-08-14 13:03:01 0 d-------- C:\Program Files\Trend Micro
2008-08-13 21:23:17 0 d-------- C:\!KillBox
2008-08-13 21:04:39 0 d--h----- C:\$AVG8.VAULT$
2008-08-13 20:22:26 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-13 20:22:10 0 d-------- C:\Program Files\AVG
2008-08-10 10:39:01 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-08-10 10:13:58 0 d-------- C:\Program Files\Common Files\DAZ
2008-08-07 21:28:41 59264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-08-07 16:54:15 0 d-------- C:\WINDOWS\SHELLNEW
2008-08-07 16:52:07 0 dr-h----- C:\MSOCache
2008-08-06 20:50:54 0 d--h----- C:\WINDOWS\PIF
2008-08-04 11:02:17 0 d-------- C:\Program Files\DNA
2008-08-04 11:02:16 0 d-------- C:\Program Files\BitTorrent
2008-07-26 08:53:35 0 d-------- C:\Program Files\Windows Live Toolbar
2008-07-26 08:51:51 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-07-26 08:40:40 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-26 08:40:22 0 d-------- C:\Program Files\Windows Live
2008-07-21 22:45:54 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-07-21 22:45:53 60273 --a------ C:\WINDOWS\system32\pthreadGC2.dll <Not Verified; Open Source Software community project; >
2008-07-21 22:45:52 0 d-------- C:\Program Files\ffdshow


-- Find3M Report ---------------------------------------------------------------

2008-08-17 10:59:39 0 d-------- C:\Program Files\Java
2008-08-16 16:30:33 0 d-------- C:\Program Files\MP4Tool
2008-08-14 07:33:36 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-13 20:30:07 0 d-------- C:\Program Files\Common Files
2008-08-13 20:14:21 0 d---s---- C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft
2008-08-12 13:09:17 0 d-------- C:\Program Files\Sonic the Hedgehog Adventure 2
2008-08-12 13:09:16 0 d-------- C:\Program Files\Quicken
2008-08-12 13:09:15 0 d-------- C:\Program Files\MSN Encarta Standard
2008-08-12 13:09:14 0 d-------- C:\Program Files\Microsoft Works
2008-08-12 13:09:13 0 d-------- C:\Program Files\Messenger
2008-08-12 13:09:13 0 d-------- C:\Program Files\Lexmark X125
2008-08-12 13:09:12 0 d-------- C:\Program Files\Easy Internet signup
2008-08-12 13:09:12 0 d-------- C:\Program Files\EA GAMES
2008-08-12 13:09:12 0 d-------- C:\Program Files\DivX
2008-08-12 11:21:23 0 dr------- C:\Program Files\TypingMaster
2008-08-09 19:13:43 0 d-------- C:\Program Files\Prima Games
2008-08-07 16:56:19 0 d-------- C:\Program Files\Microsoft.NET
2008-08-06 20:14:27 0 d-------- C:\Program Files\MSBuild
2008-08-04 10:45:05 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-07-17 08:43:33 0 d-------- C:\Program Files\Common Files\eSellerate
2008-07-13 14:31:02 0 d-------- C:\Program Files\Unity
2008-07-02 07:20:59 0 d-------- C:\Program Files\ArcSoft
2008-07-02 07:20:53 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-25 20:24:53 0 d-------- C:\Program Files\IVCsoft
2008-06-22 20:01:54 0 d-------- C:\Program Files\A-Z
2008-06-20 16:09:52 0 d-------- C:\Program Files\GIMPshop
2008-06-13 01:00:08 225280 --a------ C:\WINDOWS\system32\TubeFinder.exe <Not Verified; Koyote Soft; Tube Finder>
2008-06-10 20:07:20 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-06-10 20:03:26 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-06-10 20:03:26 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-06-10 20:03:20 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-06-10 20:03:20 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-06-10 20:03:20 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-06-10 20:03:20 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-06-10 20:03:18 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-06-04 18:42:54 101888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-06-04 18:42:54 119568 --a------ C:\WINDOWS\system32\VB6FR.DLL <Not Verified; Microsoft Corporation; Environnement Visual Basic>
2008-06-04 18:42:54 9728 --a------ C:\WINDOWS\system32\PCCLPFR.DLL <Not Verified; Microsoft Corporation; PicClip>
2008-06-04 18:42:54 141312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL <Not Verified; Microsoft Corporation; COMCTL>
2008-06-04 18:42:54 32768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL <Not Verified; Microsoft Corporation; CMDIALOG>
2008-05-22 18:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3753B44D-E02F-48B7-81B1-19A377BCCB63}]
C:\Documents and Settings\Convict 4Lif3\Application Data\DivX\arscore.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6062720-CD57-415F-8D36-9DD576FCB56D}]
C:\WINDOWS\system32\nnnnNHaA.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 10:04 PM]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/26/2005 01:34 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [02/17/2005 09:11 AM]
"LMPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE" [09/05/2002 10:05 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50 AM]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [05/16/2008 11:52 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/16/2008 11:52 PM]
"KBD"="C:\HP\KBD\KBD.EXE" [02/02/2005 04:44 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [08/13/2008 08:22 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [08/17/2008 03:01 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"OTScanIt"=C:\Documents and Settings\Compaq_Administrator.JESTASIA\Desktop\OTMoveIt2.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\arscore]
C:\Documents and Settings\Convict 4Lif3\Application Data\DivX\arscore.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll zpdevp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll




-- End of Deckard's System Scanner: finished at 2008-08-18 10:57:14 ------------

DSS
extra.txt
There was no extra produced for 08/18/2008

MBAM LOG

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

10:52:15 AM 8/18/2008
mbam-log-08-18-2008 (10-52-15).txt

Scan type: Quick Scan
Objects scanned: 82741
Time elapsed: 29 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 18
Files Infected: 51

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d68133a-716b-4d88-8c59-24a636f2ac77} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d68133a-716b-4d88-8c59-24a636f2ac77} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3753b44d-e02f-48b7-81b1-19a377bccb63} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3753b44d-e02f-48b7-81b1-19a377bccb63} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\bhonew.bho (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gtool.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2bc9a3bd-9ff9-4c52-b8b8-8051adaa7ff6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7a8c49cb-a790-4024-b1fb-0c01094f379d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{15c7d7ad-a87a-4c0d-9d8b-637fcd3488ef} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57df73c0-833c-48b7-9146-1e18930d57ff} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53322b35-2c26-4fac-a713-c31bbaa1c636} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\configurator (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\postInstallLayout (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\products (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_0 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_1 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_2 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_3 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_4 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_5 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_6 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Resources (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Resources\Images (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\TimerManager (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\ToolbarSearch (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Updater (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\alot (Adware.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\zpdevp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Convict 4Lif3\Application Data\DivX\arscore.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Documents and Settings\Compaq_Administrator.JESTASIA\Local Settings\Temp\AntivirusSetup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Administrator.JESTASIA\Local Settings\Temporary Internet Files\Content.IE5\4SIUX435\ico[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\Thumbs.db (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\toolbar.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\configurator\configurator.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\configurator\configurator.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\postInstallLayout\postInstallLayout.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\products\products.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\products\products.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_0\Product_0.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_0\Product_0.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_1\Product_1.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_1\Product_1.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_2\Product_2.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_2\Product_2.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_3\Product_3.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_3\Product_3.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_4\Product_4.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_4\Product_4.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_5\Product_5.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_5\Product_5.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_6\Product_6.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Product_6\Product_6.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Resources\Images\alot_brand.png (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Resources\Images\alot_icon_35x16.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Resources\Images\alot_search_24x16.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Resources\Images\default_205_alot_recipe_mrkt_chefhat2.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Resources\Images\default_216_alot_recipe_recipesearch.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Resources\Images\default_217_alot_recipe_reciperssfeed.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Resources\Images\default_218_alot_recipe_cupboard.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Resources\Images\default_219_alot_recipe_recipevideos.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\TimerManager\TimerManager.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\TimerManager\TimerManager.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\ToolbarSearch\ToolbarSearch.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\ToolbarSearch\ToolbarSearch.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Updater\Updater.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\OutKast Endangerment\Application Data\alot\Updater\Updater.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM33c39bdf.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM33c39bdf.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SysNotifier.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\index.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Administrator.JESTASIA\Local Settings\Temp\atmadm2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
So far the pop-ups have not come up, but I still can't make changes to computer settings.

I uploaded a pic of my desktop so that you can get a better idea of what I am talking about.
Desktop pic

Edited by handmedown, 18 August 2008 - 09:36 AM.

  • 0

#25
Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey handmedown,

Seems like some hidden malware is on your computer; time to run a stronger tool.

Please visit this web page for instructions on downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0


#26
handmedown

    Member

  • Topic Starter
  • Member
  • 14 posts
Combofix

ComboFix 08-08-18.05 - Compaq_Administrator 08/19/2008 15:09:01.1 - NTFSx86
Running from: C:\Documents and Settings\Compaq_Administrator.JESTASIA\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\macromedia\Flash Player\#SharedObjects\YLZRRCSV\interclick.com
C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\macromedia\Flash Player\#SharedObjects\YLZRRCSV\interclick.com\ud.sol
C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Compaq_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\GRG9P7SP\interclick.com
C:\Documents and Settings\Compaq_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\GRG9P7SP\interclick.com\ud.sol
C:\Documents and Settings\Compaq_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Compaq_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Uninstall.lnk
C:\Documents and Settings\Compaq_Administrator\UserData
C:\Documents and Settings\Compaq_Administrator\UserData\2F6NELAZ\oWindowsUpdate[1].xml
C:\Documents and Settings\Compaq_Administrator\UserData\4T412ROH\dmtstore[1].xml
C:\Documents and Settings\Compaq_Administrator\UserData\index.dat
C:\Documents and Settings\Convict 4Lif3\Application Data\macromedia\Flash Player\#SharedObjects\3H5LDRHS\interclick.com
C:\Documents and Settings\Convict 4Lif3\Application Data\macromedia\Flash Player\#SharedObjects\3H5LDRHS\interclick.com\ud.sol
C:\Documents and Settings\Convict 4Lif3\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Convict 4Lif3\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Convict 4Lif3\Cookies\[email protected][2].txt
C:\Documents and Settings\Convict 4Lif3\Cookies\[email protected][1].txt
C:\Documents and Settings\Convict 4Lif3\Cookies\[email protected][2].txt
C:\Documents and Settings\Convict 4Lif3\Cookies\[email protected][2].txt
C:\Documents and Settings\Convict 4Lif3\Cookies\[email protected][2].txt
C:\Documents and Settings\Convict 4Lif3\Cookies\[email protected][2].txt
C:\Documents and Settings\Convict 4Lif3\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\OutKast Endangerment\Application Data\macromedia\Flash Player\#SharedObjects\8KAZG3K5\interclick.com
C:\Documents and Settings\OutKast Endangerment\Application Data\macromedia\Flash Player\#SharedObjects\8KAZG3K5\interclick.com\ud.sol
C:\Documents and Settings\OutKast Endangerment\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\OutKast Endangerment\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\OutKast Endangerment\Cookies\[email protected][1].txt
C:\Documents and Settings\OutKast Endangerment\Cookies\[email protected][1].txt
C:\Documents and Settings\OutKast Endangerment\Cookies\[email protected][2].txt
C:\Documents and Settings\OutKast Endangerment\Cookies\[email protected][2].txt
C:\Documents and Settings\OutKast Endangerment\Cookies\[email protected][2].txt
C:\Documents and Settings\OutKast Endangerment\Cookies\[email protected][2].txt
C:\Documents and Settings\OutKast Endangerment\Cookies\[email protected][2].txt
C:\Documents and Settings\OutKast Endangerment\Cookies\[email protected][2].txt
C:\Documents and Settings\OutKast Endangerment\Cookies\[email protected][1].txt
C:\Documents and Settings\OutKast Endangerment\Cookies\[email protected][1].txt
C:\Documents and Settings\OutKast Endangerment\Cookies\[email protected][1].txt
C:\Documents and Settings\OutKast Endangerment\Cookies\[email protected][2].txt
C:\Documents and Settings\OutKast Endangerment\Cookies\[email protected][1].txt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\dMVGMnpo.ini
C:\WINDOWS\system32\IiSsBcfe.ini

----- BITS: Possible infected sites -----

http://pornotube8.net
.
((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 02:39 --------- d-----w C:\Documents and Settings\Convict 4Lif3\Application Data\Malwarebytes
2008-08-18 14:54 --------- d-----w C:\Documents and Settings\Convict 4Lif3\Application Data\DivX
2008-08-18 14:11 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 14:11 --------- d-----w C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\Malwarebytes
2008-08-18 14:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 13:53 --------- d-----w C:\Program Files\ERUNT
2008-08-17 19:01 38,472 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 19:01 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-08-17 14:59 --------- d-----w C:\Program Files\Java
2008-08-16 20:30 --------- d-----w C:\Program Files\MP4Tool
2008-08-15 14:44 --------- d-----w C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\BitTorrent
2008-08-14 17:03 --------- d-----w C:\Program Files\Trend Micro
2008-08-14 15:59 --------- d-----w C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\DNA
2008-08-14 11:33 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-14 01:37 --------- d-----w C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\LimeWire
2008-08-14 00:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-14 00:22 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-14 00:22 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-14 00:22 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-08-14 00:22 --------- d-----w C:\Program Files\AVG
2008-08-14 00:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-08-12 17:09 --------- d-----w C:\Program Files\Sonic the Hedgehog Adventure 2
2008-08-12 17:09 --------- d-----w C:\Program Files\Quicken
2008-08-12 17:09 --------- d-----w C:\Program Files\MSN Encarta Standard
2008-08-12 17:09 --------- d-----w C:\Program Files\Microsoft Works
2008-08-12 17:09 --------- d-----w C:\Program Files\Lexmark X125
2008-08-12 17:09 --------- d-----w C:\Program Files\Easy Internet signup
2008-08-12 17:09 --------- d-----w C:\Program Files\EA GAMES
2008-08-12 17:09 --------- d-----w C:\Program Files\DivX
2008-08-12 16:55 --------- d-----w C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\Apple Computer
2008-08-12 15:29 --------- d-----w C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\Symantec
2008-08-12 15:21 --------- d-----r C:\Program Files\TypingMaster
2008-08-10 14:39 --------- d-----w C:\Program Files\Common Files\DAZ
2008-08-10 13:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-09 23:22 --------- d-----w C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\InterVideo
2008-08-09 23:13 --------- d-----w C:\Program Files\Prima Games
2008-08-08 01:32 3,932 ----a-w C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\LMLayout.dat
2008-08-08 01:32 268 ----a-w C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\LMCPaper.dat
2008-08-07 23:14 --------- d-----w C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\HPQ
2008-08-07 20:56 --------- d-----w C:\Program Files\Microsoft.NET
2008-08-07 13:06 --------- d-----w C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\OpenOffice.org2
2008-08-07 00:14 --------- d-----w C:\Program Files\MSBuild
2008-08-06 21:46 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-08-04 15:02 --------- d-----w C:\Program Files\DNA
2008-08-04 15:02 --------- d-----w C:\Program Files\BitTorrent
2008-08-04 14:45 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-26 12:51 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-26 12:51 --------- d-----w C:\Program Files\Windows Live
2008-07-26 12:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-24 03:30 --------- d-----w C:\Documents and Settings\Convict 4Lif3\Application Data\LimeWire
2008-07-22 02:45 --------- d-----w C:\Program Files\ffdshow
2008-07-17 15:11 0 ----a-w C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\wklnhst.dat
2008-07-17 15:11 --------- d-----w C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\Template
2008-07-17 14:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\NMEPHNDBYG
2008-07-17 13:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\WIEPHNDBYG
2008-07-17 13:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\AZEPHNDBYG
2008-07-17 12:56 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-17 12:43 --------- d-----w C:\Program Files\Common Files\eSellerate
2008-07-15 13:46 --------- d-----w C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\WinBatch
2008-07-13 18:31 --------- d-----w C:\Program Files\Unity
2008-07-08 21:21 --------- d--h--r C:\Documents and Settings\Convict 4Lif3\Application Data\SecuROM
2008-07-02 11:23 --------- d-----w C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\ArcSoft
2008-07-02 11:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-02 11:20 --------- d-----w C:\Program Files\ArcSoft
2008-06-26 00:24 --------- d-----w C:\Program Files\IVCsoft
2008-06-23 21:35 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-23 21:35 --------- d--h--r C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\SecuROM
2008-06-23 15:37 --------- d-----w C:\Documents and Settings\Convict 4Lif3\Application Data\Search Settings
2008-06-23 15:37 --------- d-----w C:\Documents and Settings\Convict 4Lif3\Application Data\Dealio
2008-06-23 15:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-23 00:02 --------- d-----w C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\DivX
2008-06-23 00:01 --------- d-----w C:\Program Files\A-Z
2008-06-20 20:09 --------- d-----w C:\Program Files\GIMPshop
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock(2).dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dnsapi(2).dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-18 17:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 05:00 225,280 ----a-w C:\WINDOWS\system32\TubeFinder.exe
2008-06-13 00:36 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-06-11 00:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-06-11 00:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-06-09 03:58 60,273 ----a-w C:\WINDOWS\system32\pthreadGC2.dll
2008-06-04 22:42 9,728 ----a-w C:\WINDOWS\system32\PCCLPFR.DLL
2008-06-04 22:42 32,768 ----a-w C:\WINDOWS\system32\CMDLGFR.DLL
2008-06-04 22:42 141,312 ----a-w C:\WINDOWS\system32\MSCMCFR.DLL
2008-06-04 22:42 119,568 ----a-w C:\WINDOWS\system32\VB6FR.DLL
2008-06-04 22:42 101,888 ----a-w C:\WINDOWS\system32\VB6STKIT.DLL
2008-06-04 22:42 1,386,496 ------w C:\WINDOWS\system32\msvbvm60.dll
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 10:04 PM 59392]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/26/2005 01:34 AM 245760]
"LMPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE" [09/05/2002 10:05 AM 45056]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50 AM 413696]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [05/16/2008 11:52 PM 69632]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/16/2008 11:52 PM 185896]
"KBD"="C:\HP\KBD\KBD.EXE" [02/02/2005 04:44 PM 61440]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [08/13/2008 08:22 PM 1232152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [04/17/2008 07:27 PM 9117696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll zpdevp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\LMpdpsrv.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

S1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\System32\Drivers\avgldx86.sys [08/13/2008 08:22 PM]
S2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [08/13/2008 08:22 PM]
S2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [08/13/2008 08:22 PM]
S2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\System32\Drivers\avgtdix.sys [08/13/2008 08:22 PM]


*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [04/11/2008 05:57 PM]

2008-08-19 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{E6062720-CD57-415F-8D36-9DD576FCB56D} - C:\WINDOWS\system32\nnnnNHaA.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\DOCUME~1\COMPAQ~1.JES\APPLIC~1\Mozilla\Firefox\Profiles\s8etz0fc.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
.
.
------- File Associations (Beta) -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 15:18:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 08/19/2008 15:24:09
ComboFix-quarantined-files.txt 2008-08-19 19:24:05

Pre-Run: 124,656,287,744 bytes free
Post-Run: 131,038,638,080 bytes free

257 --- E O F --- 2008-07-29 11:30:49

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:24 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinn...rabblecubes.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...jattack/bja.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll zpdevp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 7564 bytes
  • 0

#27
Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Sorry for the long delay, I'll be posting a fix to you soon. Please stay with me. :)
  • 0

#28
Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey handmedown,

1) Run ComboFix

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Dirlook::
C:\Documents and Settings\All Users\Application Data\NMEPHNDBYG
C:\Documents and Settings\All Users\Application Data\WIEPHNDBYG
C:\Documents and Settings\All Users\Application Data\AZEPHNDBYG

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

2) Run Kaspersky

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Next reply (please include):

Fresh HijackThis log
ComboFix.txt
Kaspersky scan log

  • 0
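As an added example (not part of the thread, not the helper's or any tool's code), a small triage script that does in code what the CFScript above does by hand: it reads HijackThis lines of the kind posted earlier in the thread, flags any AppInit_DLLs entry not on a known-good list, and flags BHO entries whose file is missing. The embedded log lines are a constructed sample and the allowlist of known AppInit DLLs is an assumption.

```python
import re

# Constructed sample in HijackThis format (same entry kinds as the thread's log).
SAMPLE_LOG = """\
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn0\\yt.dll
O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll zpdevp.dll
"""

# Assumed allowlist: DLLs a known AV product (AVG 8 here) legitimately registers.
KNOWN_APPINIT = {"avgrsstx.dll"}

O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\S+) - (.*)$")


def triage(log_text, known_appinit=KNOWN_APPINIT):
    """Return a list of (section, reason, detail) findings, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = O20_RE.match(line)
        if m:
            # AppInit_DLLs may be space- or comma-separated; every DLL listed
            # here is loaded into each user-mode process that links user32.dll.
            for dll in re.split(r"[\s,]+", m.group(1)):
                if dll and dll.lower() not in known_appinit:
                    findings.append(("O20", "unknown AppInit_DLL", dll))
            continue
        m = O2_RE.match(line)
        if m:
            name, clsid, path = m.groups()
            # A BHO with no CLSID or no backing file is an orphaned entry.
            if path.strip() == "(no file)" or not clsid.startswith("{"):
                findings.append(("O2", "orphaned BHO entry", line))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```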

#29
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
