1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

IE keeps popping up with unwanted sites

Discussion in 'Malware and Virus Removal Archive' started by ptsyu, 2008/03/30.

  1. 2008/03/30
    ptsyu

    ptsyu Inactive Thread Starter

    Joined:
    2008/03/29
    Messages:
    16
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:36:18 AM, on 3/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\WINDOWS\Fonts\svchost.exe
    C:\Documents and Settings\Ty Reiber\lsass.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\mrofinu1188.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\nvcoi\nvcoi.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\SCMain.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\JavaCore\JavaCore.exe
    C:\Documents and Settings\Ty Reiber\Application Data\Microsoft\Windows\rayiou.exe
    C:\WINDOWS\system32\DOBE~1\wuauboot.exe
    C:\Documents and Settings\Ty Reiber\Application Data\??pPatch\w?nspool.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\WINDOWS\VHkgUmVpYmVy\command.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\Rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Ty Reiber\Application Data\WinTouch\WinTouch.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/outlook/driv...Weather36HourInterstateCommand&from=whatwhere
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe "
    O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
    O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Ty Reiber\lsass.exe
    O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\atgban.dll" DllStart
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
    O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
    O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Ty Reiber\Application Data\WinTouch\WinTouch.exe
    O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Ty Reiber\Application Data\Microsoft\Windows\rayiou.exe
    O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\system32\DOBE~1\wuauboot.exe" -vt yazb
    O4 - HKCU\..\Run: [Dtgam] "C:\Documents and Settings\Ty Reiber\Application Data\??pPatch\w?nspool.exe "
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Stardust Screen Saver Control 2003.lnk = C:\WINDOWS\SCMain.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BCMLogon - Broadcom Corporation - C:\WINDOWS\System32\BCMLogon.dll
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VHkgUmVpYmVy\command.exe
    O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 9866 bytes
     
    ptsyu,
    #1
  2. 2008/03/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS ptsyu :)

    Download ComboFix by sUBs from here, saving the file to your desktop.

    Please disable realtime protection applications as they sometime interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall
     
    noahdfear,
    #2


  3. to hide this advert.

  4. 2008/03/30
    ptsyu

    ptsyu Inactive Thread Starter

    Joined:
    2008/03/29
    Messages:
    16
    Likes Received:
    0
    ComboFix 08-03-30.2 - Ty Reiber 2008-03-30 12:04:20.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.407 [GMT -4:00]Running from: C:\Documents and Settings\Ty Reiber\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\LocalService\Application Data\NetMon
    C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
    C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
    C:\Documents and Settings\Ty Reiber\Application Data\PPATCH~1
    C:\Documents and Settings\Ty Reiber\Application Data\PPATCH~1\w?nspool.exe
    C:\Documents and Settings\Ty Reiber\Application Data\WinTouch
    C:\Documents and Settings\Ty Reiber\Application Data\WinTouch\wintouch.cfg
    C:\Documents and Settings\Ty Reiber\Application Data\WinTouch\WinTouch.exe
    C:\Documents and Settings\Ty Reiber\Application Data\WinTouch\WTUninstaller.exe
    C:\Documents and Settings\Ty Reiber\lsass.exe
    C:\Documents and Settings\Ty Reiber\Start Menu\Programs\Outerinfo
    C:\Documents and Settings\Ty Reiber\Start Menu\Programs\Outerinfo\Terms.lnk
    C:\Documents and Settings\Ty Reiber\Start Menu\Programs\Outerinfo\Uninstall.lnk
    C:\Program Files\Common Files\Yazzle1560OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe
    C:\Program Files\inetget2
    C:\Program Files\JavaCore
    C:\Program Files\JavaCore\JavaCore.exe
    C:\Program Files\JavaCore\UnInstall.exe
    C:\Program Files\network monitor
    C:\Program Files\network monitor\netmon.exe
    C:\Program Files\Online Services\vibajuvu89104.dll
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\FF\chrome.manifest
    C:\Program Files\outerinfo\FF\components\FF.dll
    C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
    C:\Program Files\outerinfo\FF\install.rdf
    C:\Program Files\outerinfo\Terms.rtf
    C:\Program Files\Temporary
    C:\Program Files\Temporary\InsiDERInst.exe
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\gbRve12
    C:\Temp\gbRve12\csLioes.log
    C:\temp\tn3
    C:\WINDOWS\b104.exe
    C:\WINDOWS\b116.exe
    C:\WINDOWS\b138.exe
    C:\WINDOWS\b152.exe
    C:\WINDOWS\b153.exe
    C:\WINDOWS\b155.exe
    C:\WINDOWS\Fonts\'
    C:\WINDOWS\Fonts\a.zip
    C:\WINDOWS\Fonts\Setup.exe
    C:\WINDOWS\Fonts\svchost.exe
    C:\WINDOWS\mrofinu1188.exe
    C:\WINDOWS\mrofinu1188.exe.tmp
    C:\WINDOWS\system32\aqVreo18
    C:\WINDOWS\system32\aqVreo18\aqVreo182328.exe
    C:\WINDOWS\system32\atgban.dll
    C:\WINDOWS\system32\atmtd.dll
    C:\WINDOWS\system32\atmtd.dll._
    C:\WINDOWS\system32\awtsTJax.dll
    C:\WINDOWS\system32\dobe~1
    C:\WINDOWS\system32\dobe~1\?dobe\
    C:\WINDOWS\system32\dobe~1\wuauboot.exe
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\GEARAspiWDMM.sys
    C:\WINDOWS\system32\efcYQHXo.dll
    C:\WINDOWS\system32\mkbuuj.dll
    C:\WINDOWS\system32\nnnmLcCt.dll
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\xaJTstwa.ini
    C:\WINDOWS\system32\xaJTstwa.ini2
    C:\WINDOWS\uninstall_nmon.vbs
    C:\WINDOWS\VHkgUmVpYmVy\
    C:\WINDOWS\VHkgUmVpYmVy\\asappsrv.dll
    C:\WINDOWS\VHkgUmVpYmVy\\command.exe
    C:\WINDOWS\VHkgUmVpYmVy\\pJ40oApDsApV.vbs
    C:\WINDOWS\VHkgUmVpYmVy\command.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CMDSERVICE
    -------\Legacy_GEARASPIWDMM
    -------\Legacy_NETWORK_MONITOR
    -------\Legacy_TNIDRIVER
    -------\Service_cmdService
    -------\Service_GEARAspiWDMM
    -------\Service_Network Monitor
    -------\Service_TnIDriver


    ((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
    .

    2008-03-30 12:22 . 2008-03-30 12:22 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-03-30 12:22 . 2008-03-30 12:22 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-03-30 10:38 . 2008-03-30 10:38 <DIR> d-------- C:\Deckard
    2008-03-30 00:18 . 2008-03-30 00:18 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
    2008-03-29 18:38 . 2008-03-29 18:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2008-03-29 18:36 . 2008-03-29 18:36 <DIR> d-------- C:\Program Files\nvcoi
    2008-03-29 18:31 . 2008-03-29 18:31 <DIR> d-------- C:\Program Files\CPV
    2008-03-27 22:05 . 2008-03-27 22:05 <DIR> d-------- C:\Documents and Settings\Ty Reiber\DoctorWeb
    2008-03-27 21:22 . 2008-03-27 21:53 <DIR> d-------- C:\VundoFix Backups
    2008-03-27 21:01 . 2005-11-10 13:03 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
    2008-03-27 20:30 . 2008-03-27 20:30 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
    2008-03-27 20:27 . 2008-03-27 20:27 <DIR> d-------- C:\WINDOWS\system32\xTmp
    2008-03-27 20:27 . 2008-03-27 20:27 <DIR> d-------- C:\WINDOWS\system32\winz1
    2008-03-27 20:27 . 2008-03-27 20:27 <DIR> d-------- C:\WINDOWS\system32\usnv
    2008-03-27 20:27 . 2008-03-27 20:27 <DIR> d-------- C:\WINDOWS\system32\IDME
    2008-03-27 20:27 . 2008-03-30 12:07 <DIR> d-------- C:\Temp
    2008-03-27 20:27 . 2008-03-27 20:27 39,883 --a------ C:\WINDOWS\system32\targetedbanner-uninst.exe
    2008-03-27 16:41 . 2008-03-27 16:52 <DIR> d-------- C:\Program Files\REFPROP
    2008-03-27 16:41 . 2008-03-27 16:41 286,720 --------- C:\WINDOWS\Setup1.exe
    2008-03-27 16:41 . 2008-03-27 16:41 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
    2008-03-26 21:41 . 2008-03-26 21:41 <DIR> d-------- C:\Program Files\iPowerHour
    2008-03-24 22:13 . 2008-03-24 22:13 0 --a------ C:\WINDOWS\iPlayer.INI
    2008-03-04 22:15 . 2008-03-04 22:15 <DIR> d-------- C:\Program Files\iPod
    2008-02-01 00:13 . 2008-02-01 00:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2008-02-01 00:13 . 2008-02-01 00:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-30 14:35 --------- d-----w C:\Program Files\Trend Micro
    2008-03-29 22:47 10 ----a-w C:\Program Files\.autoreg
    2008-03-29 22:45 --------- d-----w C:\Documents and Settings\Ty Reiber\Application Data\LimeWire
    2008-03-28 00:56 --------- d-----w C:\Program Files\Azureus
    2008-03-28 00:16 --------- d-----w C:\Documents and Settings\Ty Reiber\Application Data\U3
    2008-03-24 19:15 --------- d-----w C:\Program Files\Dl_cats
    2008-03-05 02:15 --------- d-----w C:\Program Files\iTunes
    2008-03-05 02:13 --------- d-----w C:\Program Files\QuickTime
    2008-02-21 02:25 --------- d-----w C:\Program Files\Google
    2008-02-02 20:33 --------- d-----w C:\Program Files\Java
    2008-02-02 00:25 --------- d-----w C:\Documents and Settings\Ty Reiber\Application Data\Azureus
    2008-01-30 19:02 --------- d-----w C:\Program Files\A9Tech
    2007-02-08 06:37 251 ----a-w C:\Program Files\wt3d.ini
    2006-10-24 02:17 88 --sh--r C:\WINDOWS\system32\AB5937B8DB.sys
    2006-10-24 02:17 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}]
    2008-03-29 18:31 51200 --a------ C:\Program Files\CPV\CPV7.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
    "AIM "= "C:\Program Files\AIM\aim.exe" [2006-08-01 16:35 67112]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-20 22:25 171448]
    "nvcoi "= "C:\Program Files\nvcoi\nvcoi.exe" [2008-03-29 18:36 57344]
    "Uaol "= "C:\WINDOWS\system32\DOBE~1\wuauboot.exe" [ ]
    "Dtgam "= "C:\Documents and Settings\Ty Reiber\Application Data\??pPatch\w?nspool.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01 67584]
    "SigmatelSysTrayApp "= "stsystra.exe" [2006-02-10 18:17 282624 C:\WINDOWS\stsystra.exe]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
    "DMXLauncher "= "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
    "ISUSPM Startup "= "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
    "Google Desktop Search "= "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-22 15:10 169984]
    "BuildBU "= "c:\dell\bldbubg.exe" [2006-08-22 14:38 61440]
    "pccguide.exe "= "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [ ]
    "DLCFCATS "= "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 06:55 73728]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
    "MSConfig "= "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-26 20:34 169984]
    "NeroFilterCheck "= "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]
    "NapsterShell "= "C:\Program Files\Napster\napster.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]

    C:\Documents and Settings\Ty Reiber\Start Menu\Programs\Startup\
    PowerReg Scheduler.exe [2006-09-11 15:26:17 256000]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Stardust Screen Saver Control 2003.lnk - C:\WINDOWS\SCMain.exe [2004-01-02 22:15:19 355328]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcYQHXo]
    efcYQHXo.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WZCSVC "=2 (0x2)
    "WMPNetworkSvc "=3 (0x3)
    "wltrysvc "=2 (0x2)
    "iPod Service "=3 (0x3)
    "gusvc "=3 (0x3)
    "Apple Mobile Device "=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\dfbhd.exe "=
    "C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe "=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\WINDOWS\\system32\\dpvsetup.exe "=
    "C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD "=
    "C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD "=
    "C:\\Program Files\\AIM\\aim.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    R2 Viewpoint Manager Service;Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
    S2 BCMLogon;BCMLogon;C:\WINDOWS\System32\BCMLogon.dll [2007-06-14 16:53]
    S3 NdisWDM;Dynex Wireless G USB Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ndiswdm.sys [2007-08-31 16:20]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - F:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
    \Shell\AutoRun\command - I:\loader.exe
    \Shell\langenglish\command - I:\setup\i386\msetup.exe lang:english

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8f4871e-3e92-11db-8b8a-001372e2cf99}]
    \Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-28 13:46:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-30 12:22:04
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-30 12:25:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-03-30 16:25:45
    Pre-Run: 91,744,272,384 bytes free
    Post-Run: 95,343,747,072 bytes free
    .
    2008-03-17 07:01:49 --- E O F ---

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:28:33 PM, on 3/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\nvcoi\nvcoi.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\SCMain.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/outlook/driv...Weather36HourInterstateCommand&from=whatwhere
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe "
    O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
    O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\system32\DOBE~1\wuauboot.exe" -vt yazb
    O4 - HKCU\..\Run: [Dtgam] "C:\Documents and Settings\Ty Reiber\Application Data\??pPatch\w?nspool.exe "
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Stardust Screen Saver Control 2003.lnk = C:\WINDOWS\SCMain.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: efcYQHXo - efcYQHXo.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BCMLogon - Broadcom Corporation - C:\WINDOWS\System32\BCMLogon.dll
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 8463 bytes
     
    ptsyu,
    #3
  5. 2008/03/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
C:\WINDOWS\system32\vbzip10.dll
C:\Documents and Settings\Ty Reiber\Start Menu\Programs\Startup\PowerReg Scheduler.exe
Folder::
C:\Program Files\nvcoi
C:\Program Files\CPV
C:\WINDOWS\system32\xTmp
C:\WINDOWS\system32\winz1
C:\WINDOWS\system32\usnv
C:\WINDOWS\system32\IDME
C:\WINDOWS\system32\targetedbanner-uninst.exe
Registry::
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CPV] 
[-HKEY_CURRENT_USER\Software\Classes\CLSID\{F0CD1A40-0C77-1033-0410-0710070001}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "nvcoi "=-
 "Uaol "=-
 "Dtgam "=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "MSConfig "=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcYQHXo]
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
    noahdfear,
    #4
  6. 2008/03/30
    ptsyu

    ptsyu Inactive Thread Starter

    Joined:
    2008/03/29
    Messages:
    16
    Likes Received:
    0
    ComboFix 08-03-30.2 - Ty Reiber 2008-03-30 14:46:55.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.584 [GMT -4:00]
    Running from: C:\Documents and Settings\Ty Reiber\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Ty Reiber\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Documents and Settings\Ty Reiber\Start Menu\Programs\Startup\PowerReg Scheduler.exe
    C:\WINDOWS\system32\vbzip10.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Ty Reiber\Start Menu\Programs\Startup\PowerReg Scheduler.exe
    C:\Program Files\CPV
    C:\Program Files\CPV\CPV7.dll
    C:\Program Files\nvcoi
    C:\Program Files\nvcoi\mst.stt
    C:\Program Files\nvcoi\nvcoi.exe
    C:\WINDOWS\system32\IDME
    C:\WINDOWS\system32\IDME\dimnet201.exe
    C:\WINDOWS\system32\IDME\TGbn1dll.exe
    C:\WINDOWS\system32\targetedbanner-uninst.exe\
    C:\WINDOWS\system32\usnv
    C:\WINDOWS\system32\usnv\pax89104.exe
    C:\WINDOWS\system32\vbzip10.dll
    C:\WINDOWS\system32\winz1
    C:\WINDOWS\system32\xTmp

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
    .

    2008-03-30 10:38 . 2008-03-30 10:38 <DIR> d-------- C:\Deckard
    2008-03-30 00:18 . 2008-03-30 00:18 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
    2008-03-29 18:38 . 2008-03-29 18:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2008-03-27 22:05 . 2008-03-27 22:05 <DIR> d-------- C:\Documents and Settings\Ty Reiber\DoctorWeb
    2008-03-27 21:22 . 2008-03-27 21:53 <DIR> d-------- C:\VundoFix Backups
    2008-03-27 21:01 . 2005-11-10 13:03 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
    2008-03-27 20:27 . 2008-03-30 12:07 <DIR> d-------- C:\Temp
    2008-03-27 20:27 . 2008-03-27 20:27 39,883 --a------ C:\WINDOWS\system32\targetedbanner-uninst.exe
    2008-03-27 16:41 . 2008-03-27 16:52 <DIR> d-------- C:\Program Files\REFPROP
    2008-03-27 16:41 . 2008-03-27 16:41 286,720 --------- C:\WINDOWS\Setup1.exe
    2008-03-27 16:41 . 2008-03-27 16:41 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
    2008-03-26 21:41 . 2008-03-26 21:41 <DIR> d-------- C:\Program Files\iPowerHour
    2008-03-24 22:13 . 2008-03-24 22:13 0 --a------ C:\WINDOWS\iPlayer.INI
    2008-03-04 22:15 . 2008-03-04 22:15 <DIR> d-------- C:\Program Files\iPod
    2008-02-01 00:13 . 2008-02-01 00:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2008-02-01 00:13 . 2008-02-01 00:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-30 18:01 --------- d-----w C:\Program Files\Dl_cats
    2008-03-30 14:35 --------- d-----w C:\Program Files\Trend Micro
    2008-03-29 22:47 10 ----a-w C:\Program Files\.autoreg
    2008-03-29 22:45 --------- d-----w C:\Documents and Settings\Ty Reiber\Application Data\LimeWire
    2008-03-28 00:56 --------- d-----w C:\Program Files\Azureus
    2008-03-28 00:16 --------- d-----w C:\Documents and Settings\Ty Reiber\Application Data\U3
    2008-03-05 02:15 --------- d-----w C:\Program Files\iTunes
    2008-03-05 02:13 --------- d-----w C:\Program Files\QuickTime
    2008-02-21 02:25 --------- d-----w C:\Program Files\Google
    2008-02-02 20:33 --------- d-----w C:\Program Files\Java
    2008-02-02 00:25 --------- d-----w C:\Documents and Settings\Ty Reiber\Application Data\Azureus
    2008-01-30 19:02 --------- d-----w C:\Program Files\A9Tech
    2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
    2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-12-06 11:01 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-12-06 11:00 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-12-06 04:59 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
    2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
    2007-02-08 06:37 251 ----a-w C:\Program Files\wt3d.ini
    2006-10-24 02:17 88 --sh--r C:\WINDOWS\system32\AB5937B8DB.sys
    2006-10-24 02:17 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
    "AIM "= "C:\Program Files\AIM\aim.exe" [2006-08-01 16:35 67112]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-20 22:25 171448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01 67584]
    "SigmatelSysTrayApp "= "stsystra.exe" [2006-02-10 18:17 282624 C:\WINDOWS\stsystra.exe]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
    "DMXLauncher "= "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
    "ISUSPM Startup "= "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
    "Google Desktop Search "= "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-22 15:10 169984]
    "BuildBU "= "c:\dell\bldbubg.exe" [2006-08-22 14:38 61440]
    "pccguide.exe "= "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [ ]
    "DLCFCATS "= "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 06:55 73728]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
    "NeroFilterCheck "= "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]
    "NapsterShell "= "C:\Program Files\Napster\napster.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Stardust Screen Saver Control 2003.lnk - C:\WINDOWS\SCMain.exe [2004-01-02 22:15:19 355328]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WZCSVC "=2 (0x2)
    "WMPNetworkSvc "=3 (0x3)
    "wltrysvc "=2 (0x2)
    "iPod Service "=3 (0x3)
    "gusvc "=3 (0x3)
    "Apple Mobile Device "=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\dfbhd.exe "=
    "C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe "=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\WINDOWS\\system32\\dpvsetup.exe "=
    "C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD "=
    "C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD "=
    "C:\\Program Files\\AIM\\aim.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    R2 Viewpoint Manager Service;Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
    S2 BCMLogon;BCMLogon;C:\WINDOWS\System32\BCMLogon.dll [2007-06-14 16:53]
    S3 NdisWDM;Dynex Wireless G USB Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ndiswdm.sys [2007-08-31 16:20]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - F:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
    \Shell\AutoRun\command - I:\loader.exe
    \Shell\langenglish\command - I:\setup\i386\msetup.exe lang:english

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8f4871e-3e92-11db-8b8a-001372e2cf99}]
    \Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-28 13:46:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-30 14:47:52
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-03-30 14:48:26
    ComboFix-quarantined-files.txt 2008-03-30 18:48:09
    ComboFix2.txt 2008-03-30 16:25:49
    Pre-Run: 95,303,507,968 bytes free
    Post-Run: 95,290,052,608 bytes free
    .
    2008-03-17 07:01:49 --- E O F ---

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:49:02 PM, on 3/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\SCMain.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\dlcfcoms.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/outlook/driv...Weather36HourInterstateCommand&from=whatwhere
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe "
    O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Stardust Screen Saver Control 2003.lnk = C:\WINDOWS\SCMain.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BCMLogon - Broadcom Corporation - C:\WINDOWS\System32\BCMLogon.dll
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7868 bytes
     
    ptsyu,
    #5
  7. 2008/03/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks pretty good. Scan with HijackThis and place a check next to the following entries.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local


    Close all other windows then click Fix Checked. Close HijackThis.

    Delete the file C:\WINDOWS\system32\targetedbanner-uninst.exe

    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All ".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
    Reboot


    Now, do an online scan with Kaspersky WebScanner

    Click Scan Now and accept the agreement. You will be promted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This will program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
     
    noahdfear,
    #6
  8. 2008/03/30
    ptsyu

    ptsyu Inactive Thread Starter

    Joined:
    2008/03/29
    Messages:
    16
    Likes Received:
    0
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, March 30, 2008 6:11:02 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 30/03/2008
    Kaspersky Anti-Virus database records: 673501
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 51991
    Number of viruses found: 26
    Number of infected objects: 88
    Number of suspicious objects: 0
    Duration of the scan process: 00:50:47

    Infected Object Name / Virus Name / Last Action
    C:\Deckard\System Scanner\backup\DOCUME~1\TYREIB~1\LOCALS~1\Temp\cmdinst.exe/file1 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\TYREIB~1\LOCALS~1\Temp\cmdinst.exe/file2 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\TYREIB~1\LOCALS~1\Temp\cmdinst.exe/file4 Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\TYREIB~1\LOCALS~1\Temp\cmdinst.exe Inno: infected - 3 skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_335910836_1126891520_17074 Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{BEC884A1-8705-4999-BCD2-BAFB71CE7495}.TmpSBE Object is locked skipped
    C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp Object is locked skipped
    C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Application Data\Microsoft\Windows\rayiou.exe Infected: Trojan-Downloader.Win32.Agent.lhu skipped
    C:\Documents and Settings\Ty Reiber\Application Data\Mozilla\Firefox\Profiles\ikwedq45.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Application Data\Mozilla\Firefox\Profiles\ikwedq45.default\history.dat Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Application Data\Mozilla\Firefox\Profiles\ikwedq45.default\key3.db Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Application Data\Mozilla\Firefox\Profiles\ikwedq45.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Application Data\Mozilla\Firefox\Profiles\ikwedq45.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Application Data\Mozilla\Firefox\Profiles\ikwedq45.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-5d801d97/vmain.class Infected: Exploit.Java.Gimsh.b skipped
    C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-5d801d97 ZIP: infected - 1 skipped
    C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\40\3cda1268-77c47bfe/vmain.class Infected: Exploit.Java.Gimsh.b skipped
    C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\40\3cda1268-77c47bfe ZIP: infected - 1 skipped
    C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-454aa69d/vmain.class Infected: Exploit.Java.Gimsh.b skipped
    C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-454aa69d ZIP: infected - 1 skipped
    C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-7ca29d85/vmain.class Infected: Exploit.Java.Gimsh.b skipped
    C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-7ca29d85 ZIP: infected - 1 skipped
    C:\Documents and Settings\Ty Reiber\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Local Settings\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Local Settings\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Local Settings\Application Data\Mozilla\Firefox\Profiles\ikwedq45.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Local Settings\Application Data\Mozilla\Firefox\Profiles\ikwedq45.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Local Settings\Application Data\Mozilla\Firefox\Profiles\ikwedq45.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Local Settings\Application Data\Mozilla\Firefox\Profiles\ikwedq45.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Local Settings\Temp\~DFADCB.tmp Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Local Settings\Temp\~DFAEB8.tmp Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Ty Reiber\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Ty Reiber\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Ty Reiber\Shared\Adobe Photoshop CS4.zip/Setup.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
    C:\Documents and Settings\Ty Reiber\Shared\Adobe Photoshop CS4.zip ZIP: infected - 1 skipped
    C:\QooBox\Quarantine\C\Documents and Settings\Ty Reiber\Application Data\PPATCH~1\wіnspool.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
    C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1560OinAdmin.exe.vir Infected: Trojan.Win32.Scapur.k skipped
    C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1560OinUninstaller.exe.vir/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
    C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1560OinUninstaller.exe.vir NSIS: infected - 1 skipped
    C:\QooBox\Quarantine\C\Program Files\JavaCore\JavaCore.exe.vir Infected: not-a-virus:AdWare.Win32.Insider.c skipped
    C:\QooBox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
    C:\QooBox\Quarantine\C\Program Files\nvcoi\nvcoi.exe.vir Infected: Trojan-Downloader.Win32.Agent.ltf skipped
    C:\QooBox\Quarantine\C\Program Files\Online Services\vibajuvu89104.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.d skipped
    C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
    C:\QooBox\Quarantine\C\Program Files\Temporary\InsiDERInst.exe.vir Infected: not-a-virus:AdWare.Win32.Insider.d skipped
    C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
    C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
    C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir NSIS: infected - 3 skipped
    C:\QooBox\Quarantine\C\WINDOWS\b116.exe.vir Infected: Trojan-Downloader.Win32.Agent.ezc skipped
    C:\QooBox\Quarantine\C\WINDOWS\b138.exe.vir Infected: Trojan-Downloader.Win32.Agent.cbx skipped
    C:\QooBox\Quarantine\C\WINDOWS\b152.exe.vir Infected: not-a-virus:AdWare.Win32.Insider.c skipped
    C:\QooBox\Quarantine\C\WINDOWS\b153.exe.vir Infected: not-a-virus:AdWare.Win32.Insider.d skipped
    C:\QooBox\Quarantine\C\WINDOWS\b155.exe.vir Infected: Trojan.Win32.BHO.bfl skipped
    C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir/Setup.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
    C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir ZIP: infected - 1 skipped
    C:\QooBox\Quarantine\C\WINDOWS\Fonts\Setup.exe.vir Infected: Trojan-Downloader.Win32.VB.dck skipped
    C:\QooBox\Quarantine\C\WINDOWS\Fonts\svchost.exe.vir Infected: Trojan-Downloader.Win32.VB.dck skipped
    C:\QooBox\Quarantine\C\WINDOWS\mrofinu1188.exe.tmp.vir Infected: Trojan-Downloader.Win32.Homles.at skipped
    C:\QooBox\Quarantine\C\WINDOWS\mrofinu1188.exe.vir Infected: Trojan-Downloader.Win32.Homles.at skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\aqVreo18\aqVreo182328.exe.vir Infected: Trojan-Downloader.Win32.VB.dht skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\DOBE~1\wuauboot.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\mkbuuj.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\nnnmLcCt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\usnv\pax89104.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\usnv\pax89104.exe.vir NSIS: infected - 1 skipped
    C:\QooBox\Quarantine\C\WINDOWS\VHkgUmVpYmVy\asappsrv.dll.vir Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\QooBox\Quarantine\C\WINDOWS\VHkgUmVpYmVy\command.exe.vir Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\QooBox\Quarantine\catchme2008-03-30_122156.12.zip/GEARAspiWDMM.sys Infected: Rootkit.Win32.Agent.to skipped
    C:\QooBox\Quarantine\catchme2008-03-30_122156.12.zip/awtsTJax.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\catchme2008-03-30_122156.12.zip/efcYQHXo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\catchme2008-03-30_122156.12.zip/WinTouch.exe Infected: Trojan-Downloader.Win32.Agent.ktb skipped
    C:\QooBox\Quarantine\catchme2008-03-30_122156.12.zip ZIP: infected - 4 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP471\A0053322.dll Infected: not-a-virus:AdWare.Win32.Comet.ac skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP558\A0057818.exe Infected: Trojan-Downloader.Win32.Homles.at skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP563\A0058069.exe Infected: Trojan-Downloader.Win32.VB.dht skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP563\A0058070.exe Infected: Trojan-Downloader.Win32.Homles.at skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058190.exe Infected: Trojan-Downloader.Win32.VB.dht skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058191.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058193.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058195.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058196.exe Infected: not-a-virus:AdWare.Win32.Insider.d skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058197.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058198.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058200.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058201.exe Infected: Trojan.Win32.Scapur.k skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058202.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058202.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058205.exe Infected: Trojan-Downloader.Win32.Homles.at skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058207.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058207.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058207.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058207.exe NSIS: infected - 3 skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058208.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058209.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058210.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058211.exe Infected: not-a-virus:AdWare.Win32.Insider.d skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058212.exe Infected: Trojan.Win32.BHO.bfl skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058213.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058214.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058215.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058216.dll Infected: not-a-virus:AdWare.Win32.TTC.d skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058219.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP567\A0058222.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP568\A0058298.exe Infected: Trojan-Downloader.Win32.Agent.ltf skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP568\A0058301.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP568\A0058301.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP568\change.log Object is locked skipped
    C:\VundoFix Backups\nnnmLcCt.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4FDFDB0E-816D-4D8E-92AB-8FA6BBB16AFB}.crmlog Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{1449B721-3450-4435-848F-7DC6D47DDFF5}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:12:14 PM, on 3/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\SCMain.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/outlook/driv...Weather36HourInterstateCommand&from=whatwhere
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe "
    O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Stardust Screen Saver Control 2003.lnk = C:\WINDOWS\SCMain.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BCMLogon - Broadcom Corporation - C:\WINDOWS\System32\BCMLogon.dll
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 8016 bytes
     
    ptsyu,
    #7
  9. 2008/03/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Since you still have ComboFix, lets just use another script to clean up the infected items. Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
C:\Documents and Settings\Ty Reiber\Application Data\Microsoft\Windows\rayiou.exe
C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-5d801d97
C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\40\3cda1268-77c47bfe
C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-454aa69d
C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-7ca29d85
C:\Documents and Settings\Ty Reiber\Shared\Adobe Photoshop CS4.zip
Folder::
C:\VundoFix Backups
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and let me know how your computer is behaving.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
    noahdfear,
    #8
  10. 2008/03/31
    ptsyu

    ptsyu Inactive Thread Starter

    Joined:
    2008/03/29
    Messages:
    16
    Likes Received:
    0
    Thanks for you help. My computer is running a lot better. No pop ups or anything. It is also running a lot faster.

    Thanks again.
    ptsyu




    ComboFix 08-03-30.3 - Ty Reiber 2008-03-31 13:18:57.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.482 [GMT -4:00]
    Running from: C:\Documents and Settings\Ty Reiber\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Ty Reiber\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Documents and Settings\Ty Reiber\Application Data\Microsoft\Windows\rayiou.exe
    C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-5d801d97
    C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\40\3cda1268-77c47bfe
    C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-454aa69d
    C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-7ca29d85
    C:\Documents and Settings\Ty Reiber\Shared\Adobe Photoshop CS4.zip
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Ty Reiber\Application Data\Microsoft\Windows\rayiou.exe
    C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-5d801d97
    C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\40\3cda1268-77c47bfe
    C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-454aa69d
    C:\Documents and Settings\Ty Reiber\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-7ca29d85
    C:\Documents and Settings\Ty Reiber\Shared\Adobe Photoshop CS4.zip
    C:\VundoFix Backups
    C:\VundoFix Backups\addmorefiles.txt
    C:\VundoFix Backups\nnnmLcCt.dll.bad

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
    .

    2008-03-30 16:32 . 2008-03-30 16:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-03-30 16:32 . 2008-03-30 16:32 <DIR> d-------- C:\WINDOWS\LastGood
    2008-03-30 16:32 . 2008-03-30 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-03-30 16:28 . 2008-03-30 16:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-03-30 16:28 . 2008-03-30 16:28 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-03-30 10:38 . 2008-03-30 10:38 <DIR> d-------- C:\Deckard
    2008-03-30 00:18 . 2008-03-30 00:18 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
    2008-03-29 18:38 . 2008-03-29 18:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2008-03-27 22:05 . 2008-03-27 22:05 <DIR> d-------- C:\Documents and Settings\Ty Reiber\DoctorWeb
    2008-03-27 21:01 . 2005-11-10 13:03 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
    2008-03-27 20:27 . 2008-03-30 12:07 <DIR> d-------- C:\Temp
    2008-03-27 16:41 . 2008-03-27 16:52 <DIR> d-------- C:\Program Files\REFPROP
    2008-03-27 16:41 . 2008-03-27 16:41 286,720 --------- C:\WINDOWS\Setup1.exe
    2008-03-27 16:41 . 2008-03-27 16:41 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
    2008-03-26 21:41 . 2008-03-26 21:41 <DIR> d-------- C:\Program Files\iPowerHour
    2008-03-24 22:13 . 2008-03-24 22:13 0 --a------ C:\WINDOWS\iPlayer.INI
    2008-03-04 22:15 . 2008-03-04 22:15 <DIR> d-------- C:\Program Files\iPod
    2008-02-01 00:13 . 2008-02-01 00:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2008-02-01 00:13 . 2008-02-01 00:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-31 17:12 --------- d-----w C:\Program Files\Dl_cats
    2008-03-30 14:35 --------- d-----w C:\Program Files\Trend Micro
    2008-03-29 22:47 10 ----a-w C:\Program Files\.autoreg
    2008-03-29 22:45 --------- d-----w C:\Documents and Settings\Ty Reiber\Application Data\LimeWire
    2008-03-28 00:56 --------- d-----w C:\Program Files\Azureus
    2008-03-28 00:16 --------- d-----w C:\Documents and Settings\Ty Reiber\Application Data\U3
    2008-03-05 02:15 --------- d-----w C:\Program Files\iTunes
    2008-03-05 02:13 --------- d-----w C:\Program Files\QuickTime
    2008-02-21 02:25 --------- d-----w C:\Program Files\Google
    2008-02-02 20:33 --------- d-----w C:\Program Files\Java
    2008-02-02 00:25 --------- d-----w C:\Documents and Settings\Ty Reiber\Application Data\Azureus
    2008-01-30 19:02 --------- d-----w C:\Program Files\A9Tech
    2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
    2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-12-06 11:01 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-12-06 11:00 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-12-06 04:59 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
    2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
    2007-02-08 06:37 251 ----a-w C:\Program Files\wt3d.ini
    2006-10-24 02:17 88 --sh--r C:\WINDOWS\system32\AB5937B8DB.sys
    2006-10-24 02:17 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-03-30_12.25.34.87 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    + 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    + 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
    "AIM "= "C:\Program Files\AIM\aim.exe" [2006-08-01 16:35 67112]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-20 22:25 171448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01 67584]
    "SigmatelSysTrayApp "= "stsystra.exe" [2006-02-10 18:17 282624 C:\WINDOWS\stsystra.exe]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
    "DMXLauncher "= "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
    "ISUSPM Startup "= "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
    "Google Desktop Search "= "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-22 15:10 169984]
    "BuildBU "= "c:\dell\bldbubg.exe" [2006-08-22 14:38 61440]
    "pccguide.exe "= "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [ ]
    "DLCFCATS "= "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 06:55 73728]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
    "NeroFilterCheck "= "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]
    "NapsterShell "= "C:\Program Files\Napster\napster.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Stardust Screen Saver Control 2003.lnk - C:\WINDOWS\SCMain.exe [2004-01-02 22:15:19 355328]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WZCSVC "=2 (0x2)
    "WMPNetworkSvc "=3 (0x3)
    "wltrysvc "=2 (0x2)
    "iPod Service "=3 (0x3)
    "gusvc "=3 (0x3)
    "Apple Mobile Device "=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe "=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\WINDOWS\\system32\\dpvsetup.exe "=
    "C:\\Program Files\\AIM\\aim.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    R2 Viewpoint Manager Service;Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
    S2 BCMLogon;BCMLogon;C:\WINDOWS\System32\BCMLogon.dll [2007-06-14 16:53]
    S3 NdisWDM;Dynex Wireless G USB Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ndiswdm.sys [2007-08-31 16:20]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - F:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
    \Shell\AutoRun\command - I:\loader.exe
    \Shell\langenglish\command - I:\setup\i386\msetup.exe lang:english

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80ad45c6-07db-11dc-8bc0-001372e2cf99}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8f4871e-3e92-11db-8b8a-001372e2cf99}]
    \Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-28 13:46:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-31 13:20:32
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-03-31 13:21:01
    ComboFix-quarantined-files.txt 2008-03-31 17:20:59
    ComboFix2.txt 2008-03-30 18:48:26
    ComboFix3.txt 2008-03-30 16:25:49
    Pre-Run: 96,063,946,752 bytes free
    Post-Run: 96,052,555,776 bytes free
    .
    2008-03-17 07:01:49 --- E O F ---
     
    ptsyu,
    #9
  11. 2008/03/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good. Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.


    That should wrap things up. Your computer is now clean! Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showthread.php?t=67958

    Surf safe!
     
    noahdfear,
    #10

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...