
[blue screen notification of spyware]

Discussion in 'Malware and Virus Removal Archive' started by bgfoot, 2008/06/01.

  1. 2008/06/01
    bgfoot

    bgfoot Inactive Thread Starter

    Hi, I'm having a problem with spyware, it seems. AVG Anti-Virus popped up and said I had a couple of different trojans, I healed them and then scanned my whole computer. It came up clean.

    I tried to run Spybot, but it won't open (Firefox also won't open). I ran AdAware, got rid of all the problems, then ran it again and there were still problems. My desktop has turned to a blue screen that tells me I have a problem with spyware.

    Here is my HijackThis log; can someone please help? Thanks in advance.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:13:25 PM, on 6/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\WINDOWS\runservice.exe
    C:\WINDOWS\444.471
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\vbpdtvdp.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\TFNF5.exe
    C:\WINDOWS\system32\TPWRTRAY.EXE
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
    C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Ant\Desktop\HijackThis.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vbpdtvdp.exe,
    O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
    O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
    O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
    O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
    O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
    O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
    O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
    O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
    O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
    O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
    O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
    O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
    O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
    O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
    O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
    O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
    O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
    O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
    O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
    O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
    O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
    O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
    O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
    O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
    O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
    O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
    O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe "
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Swarmcast for MLB-TV-Mosaic.lnk = C:\Program Files\Swarmcast\SwarmcastLauncher.exe
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132341596170
    O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.471.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     
  2. 2008/06/01
    PeteC

    PeteC SuperGeek Staff

    Please observe Posting Rules #3 - Meaningful Subject - I have adjusted your title.
     


  4. 2008/06/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi bgfoot
    Welcome to Windowsbbs. :)

    You are using an old version of HJT. Please delete it and follow the instructions here.

    Please download and install HijackThis and run a scan, then close HJT, then run Deckard's System Scanner and post the main.txt log here. Links and instructions are here.

    Thanks
    Geri
     
    Geri,
    #3
  5. 2008/06/08
    bgfoot

    bgfoot Inactive Thread Starter


    Done.

    Deckard's System Scanner v20071014.68
    Run by Ant on 2008-06-08 20:33:46
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    53: 2008-06-09 00:34:41 UTC - RP375 - Deckard's System Scanner Restore Point
    52: 2008-06-08 15:40:22 UTC - RP374 - Restore Operation
    51: 2008-06-08 15:34:23 UTC - RP373 - Restore Operation
    50: 2008-06-08 15:23:27 UTC - RP372 - Restore Operation
    49: 2008-06-02 11:02:33 UTC - RP371 - Restore Operation


    -- First Restore Point --
    1: 2008-03-01 23:30:10 UTC - RP323 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Percentage of Memory in Use: 84% (more than 75%).
    Total Physical Memory: 256 MiB (512 MiB recommended).


    -- HijackThis (run as Ant.exe) -------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:39:39 PM, on 6/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\WINDOWS\runservice.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\TFNF5.exe
    C:\WINDOWS\system32\TPWRTRAY.EXE
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Common Files\AOL\1132959732\ee\AOLSoftware.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
    C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\Ant\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Ant.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=...hEB6j9saIFIWw0mrUMsz0EbgEYqYYNqQ5MO5Zv2OW65E=
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - (no file)
    O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
    O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
    O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132959732\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
    O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe "
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Swarmcast for MLB-TV-Mosaic.lnk = C:\Program Files\Swarmcast\SwarmcastLauncher.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132341596170
    O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
    O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
    O23 - Service: RoxMediaDB - Unknown owner - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe (file missing)

    --
    End of file - 7987 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 TVALD (Toshiba ACPI-Based Value Added Logical Device Driver) - c:\windows\system32\drivers\tvald.sys <Not Verified; Toshiba Corporation; Toshiba ACPI-Compliant Value Added Logical Device>
    R0 TVALG (Toshiba Value Added Logical and General Purpose Device Driver) - c:\windows\system32\drivers\tvalg.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Value Added Logical and General Purpose Device Driver>

    S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
    S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
    S3 RimUsb (BlackBerry Device) - c:\windows\system32\drivers\rimusb.sys (file missing)
    S3 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 LicCtrlService (LicCtrl Service) - c:\windows\runservice.exe

    S2 PlugPlayRPC (Plug and Play (RPC)) - c:\windows\portsv.exe service
    S3 RoxMediaDB - "c:\program files\common files\roxio shared\sharedcom8\roxmediadb.exe" (file missing)


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2008-06-08 20:36:01 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


    -- Files created between 2008-05-08 and 2008-06-08 -----------------------------

    2008-06-08 20:30:53 0 d-------- C:\Program Files\Trend Micro
    2008-06-08 11:38:08 0 dr-h----- C:\Documents and Settings\Joanne\Recent
    2008-06-08 11:38:07 0 d-------- C:\WINDOWS\system32\vntiho06
    2008-06-08 11:38:07 0 d-------- C:\WINDOWS\system32\5336
    2008-06-08 11:37:49 0 d-------- C:\Program Files\alot
    2008-06-08 11:37:49 0 d-------- C:\Documents and Settings\Ant\Application Data\alot
    2008-06-08 11:01:27 0 d-a------ C:\Program Files\webHancer
    2008-06-08 11:01:11 32768 --a------ C:\WINDOWS\system32\sockins32.dll <Not Verified; ThinkPad; ThinkPad repl>
    2008-06-08 11:00:28 41984 --a------ C:\WINDOWS\mrofinu72.exe
    2008-06-08 10:59:49 55808 --a------ C:\WINDOWS\portsv.exe
    2008-06-06 20:01:46 70144 --a------ C:\WINDOWS\system32\000090.exe
    2008-06-04 22:14:30 0 d-------- C:\Documents and Settings\Joanne\Application Data\alot
    2008-06-01 10:10:09 0 dr------- C:\Documents and Settings\LocalService\Favorites
    2008-06-01 10:05:33 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
    2008-05-30 13:16:43 2359296 --a------ C:\Documents and Settings\Joanne\ntuser.dat
    2008-05-30 13:16:41 4718592 --a------ C:\Documents and Settings\Ant\ntuser.dat
    2008-05-13 21:34:44 841 --ahs---- C:\WINDOWS\system32\mmf.sys
    2008-05-13 21:34:40 2560 --a------ C:\WINDOWS\Runservice.exe
    2008-05-13 21:34:40 48640 --a------ C:\WINDOWS\mmfs.dll
    2008-05-13 21:26:18 0 d-------- C:\Documents and Settings\Ant\Application Data\Out of the Park Developments
    2008-05-13 21:25:39 0 d-------- C:\WINDOWS\Out of the Park Baseball
    2008-05-13 21:25:38 0 d-------- C:\Program Files\Out of the Park Developments


    -- Find3M Report ---------------------------------------------------------------

    2008-06-08 11:48:35 0 d-------- C:\Documents and Settings\Ant\Application Data\uTorrent
    2008-06-08 11:37:24 0 d-------- C:\Program Files\BearShare
    2008-06-06 20:01:46 70144 --a------ C:\WINDOWS\system32\userinit.exe
    2008-06-01 15:18:41 0 d-------- C:\Documents and Settings\Ant\Application Data\AVG7
    2008-05-31 00:14:16 0 d-------- C:\Program Files\LimeWire
    2008-05-23 21:02:51 0 d-------- C:\Documents and Settings\Ant\Application Data\LimeWire
    2008-05-16 18:33:08 364 --a------ C:\drmHeader.bin
    2008-04-16 14:01:35 0 d-------- C:\Program Files\NetRatingsNetSight
    2008-04-09 22:54:20 0 d-------- C:\Program Files\PokerStars


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}]
    05/20/2008 11:52 AM 672040 --a------ C:\Program Files\alot\bin\alot.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "000StTHK "= "000StTHK.exe" [06/23/2001 11:28 PM C:\WINDOWS\system32\000StTHK.exe]
    "nwiz "= "nwiz.exe" [04/19/2002 05:13 PM C:\WINDOWS\system32\nwiz.exe]
    "TFNF5 "= "TFNF5.exe" [08/03/2001 08:08 PM C:\WINDOWS\system32\TFNF5.exe]
    "Tpwrtray "= "TPWRTRAY.EXE" [03/19/2002 11:38 PM C:\WINDOWS\system32\TPWRTRAY.EXE]
    "ezShieldProtector for Px "= "C:\WINDOWS\System32\ezSP_Px.exe" [07/03/2002 08:17 PM]
    "Pinger "= "c:\toshiba\ivp\ism\pinger.exe" [11/14/2001 05:37 AM]
    "TSysSMon "= "c:\toshiba\sysstability\tsyssmon.exe" [04/05/2002 05:44 PM]
    "BJCFD "= "C:\Program Files\BroadJump\Client Foundation\CFD.exe" [05/18/2002 01:09 AM]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [11/19/2005 02:24 AM]
    "HostManager "= "C:\Program Files\Common Files\AOL\1132959732\ee\AOLSoftware.exe" [05/09/2006 08:24 PM]
    "IVPServiceMgr "= "C:\toshiba\ivp\ism\ivpsvmgr.exe" [07/15/2002 05:27 PM]
    "IPHSend "= "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [02/17/2006 12:59 PM]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/24/2008 05:37 PM]
    "HelpCenter4.1 "= "C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [06/28/2007 07:02 PM]
    "basicsmssmenu "= "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [10/09/2007 05:21 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
    "FlashPlayerUpdate "=C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr "=1 (0x1)
    "DisableRegistryTools "=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "wininet.dll "=

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoActiveDesktop "=0 (0x0)
    "ForceActiveDesktopOn "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "WebProxy "= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
    rundll32 sockins32.dll,InitModule



    -- End of Deckard's System Scanner: finished at 2008-06-08 20:41:07 ------------
     
  6. 2008/06/08
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi bgfoot

    mrofinu72.exe

    Is a backdoor trojan
    Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, collect confidential data and information from the computer, log activity on the computer and more.

    I would suggest you change all passwords using a non-infected computer (not this one) and refrain from any credit card or financial dealings until clean. If you do any financial dealings with this computer, contact any credit card companies or banks about possible fraud on your account.


    I see you have P2P software (Limewire, BearShare, BitTorrent, uTorrent etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, here and here.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at Windowsbbs Virus and Spyware removal.


    Please do the following.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the combofix log.

    Thanks
    Geri
     
    Geri,
    #5
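As an added example (my own code, not anything from the thread, HijackThis or Deckard's scanner), here is a triage pass in Python over lines in the HijackThis format posted above. It flags the kinds of entries the helper acted on: the extra program chained into UserInit, BHOs and services whose file is missing or sits in the Windows root, the O21 SSODL loader, the policy that locks regedit, and the Run entry launching mrofinu72.exe with an opaque argument. The sample log is constructed from lines of the posted logs plus one benign line per section; the rules are review heuristics, not a verdict.

```python
import re

# Constructed sample: lines in the shape of the HijackThis logs posted in this thread,
# mixing the entries the helper called out with one ordinary line per section so the
# filter has something to let through.
SAMPLE_HJT_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vbpdtvdp.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.471.exe (file missing)
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# A file sitting directly in the Windows folder (C:\WINDOWS\name.exe) rather than in
# System32 or Program Files; legitimate software seldom installs there, and the droppers
# in the posted logs (mrofinu72.exe, portsv.exe, 444.471) all did.
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)
HEX_BLOB = re.compile(r"[0-9A-Fa-f]{32,}")


def section_of(line):
    """The HijackThis section tag (F2, O2, O4, ...) that starts the line."""
    return line.split(" - ", 1)[0]


def path_of(line):
    """Last ' - ' separated field of an O2/O3/O21/O23 line, minus the status suffix."""
    return line.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()


def classify(line):
    """Return (severity, reason) for one log line, or None when it looks ordinary."""
    section = section_of(line)
    if section == "F2" and "UserInit=" in line:
        # Winlogon runs everything in this comma list; only userinit.exe belongs there.
        values = line.split("UserInit=", 1)[1].split(",")
        extras = [v for v in values if v.strip() and not v.lower().endswith("\\userinit.exe")]
        if extras:
            return "high", "extra program chained after userinit.exe: " + ", ".join(extras)
    if section in ("O2", "O3"):
        if line.endswith("(no file)"):
            return "low", "orphaned BHO/toolbar registration, nothing on disk to run"
        path = path_of(line)
        if line.endswith("(file missing)") or "\\" not in path:
            # A bare DLL name is resolved through the search path, not a fixed location.
            return "high", "BHO loads " + path + " by bare name or from a missing file"
    if section == "O4":
        target = line.split("] ", 1)[1] if "] " in line else ""
        m = re.match(r'"([^"]*)"|(\S+)', target)
        exe = (m.group(1) or m.group(2)).strip() if m else ""
        args = target[m.end():].strip() if m else ""
        if WINDOWS_ROOT.match(exe) or HEX_BLOB.fullmatch(args):
            return "high", "autorun of " + exe + " from the Windows root or with an opaque argument"
    if section == "O7":
        return "medium", "policy that disables an admin tool: " + line.rsplit(", ", 1)[-1]
    if section == "O21":
        return "high", "ShellServiceObjectDelayLoad entry " + path_of(line) + " runs at every Explorer start"
    if section == "O23" and "Unknown owner" in line:
        path = path_of(line)
        if WINDOWS_ROOT.match(path) or line.endswith("(file missing)"):
            return "high", "service of unknown owner " + path + " in the Windows root or missing"
    return None


def triage(log_text):
    """Run classify over every line and collect the hits, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hit = classify(line)
        if hit:
            findings.append({"section": section_of(line), "severity": hit[0],
                             "reason": hit[1], "line": line})
    findings.sort(key=lambda f: order[f["severity"]])  # stable: keeps log order within a level
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f['severity']:6}] {f['section']:>3}  {f['reason']}")
```

On the sample it reports eight findings (six high, one medium, one low) and lets the Java BHO, the AVG autorun and the NVIDIA service through.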
  7. 2008/06/09
    bgfoot

    bgfoot Inactive Thread Starter

    ComboFix 08-06-08.7 - Ant 2008-06-09 7:06:04.1 - NTFSx86
    Running from: C:\Documents and Settings\Ant\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Documents and Settings\Ant\Application Data\Microsoft\dtsc
    C:\Documents and Settings\Ant\Application Data\Microsoft\dtsc\13486.exe
    C:\Documents and Settings\Ant\Application Data\Microsoft\dtsc\16987.exe
    C:\Documents and Settings\Ant\Application Data\Microsoft\dtsc\4240.exe~
    C:\Documents and Settings\Ant\Application Data\Microsoft\dtsc\7442.exe
    C:\Documents and Settings\Ant\Application Data\Microsoft\dtsc\id
    C:\Documents and Settings\Ant\Application Data\Microsoft\dtsc\s
    C:\Documents and Settings\Ant\Application Data\Microsoft\dtsc\SlySoft AnyDVD v3.6.2.1.torrent
    C:\Documents and Settings\Ant\Application Data\Microsoft\dtsc\SlySoft AnyDVD v3.6.2.1.zip
    C:\Temp\vtmp2
    C:\WINDOWS\homepage.html
    C:\WINDOWS\index.html
    C:\WINDOWS\mainms.vpi
    C:\WINDOWS\megavid.cdt
    C:\WINDOWS\mrofinu72.exe
    C:\WINDOWS\muotr.so
    C:\WINDOWS\promo1.html
    C:\WINDOWS\promo2.html
    C:\WINDOWS\promo3.html
    C:\WINDOWS\promo4.html
    C:\WINDOWS\promo5.html
    C:\WINDOWS\promo6.html
    C:\WINDOWS\promogif1.gif
    C:\WINDOWS\promogif2.gif
    C:\WINDOWS\promogif3.gif
    C:\WINDOWS\rundll32.vbe
    C:\WINDOWS\system32\000090.exe
    C:\WINDOWS\system32\adult.txt
    C:\WINDOWS\system32\finance.txt
    C:\WINDOWS\system32\hljwugsf.bin
    C:\WINDOWS\system32\lt.res
    C:\WINDOWS\system32\MSINET.oca
    C:\WINDOWS\system32\other.txt
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\pharma.txt
    C:\WINDOWS\system32\sft.res
    C:\WINDOWS\system32\sn.txt
    C:\WINDOWS\system32\sockins32.dll
    C:\WINDOWS\system32\spywarewarning2.mht

    ----- BITS: Possible infected sites -----

    hxxp://80.93.48.89
    hxxp://dna65.fastaccess.com
    .
    ((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
    .

    2008-06-08 20:33 . 2008-06-08 20:33 <DIR> d-------- C:\Deckard
    2008-06-08 20:30 . 2008-06-08 20:30 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-08 11:38 . 2008-06-08 11:38 <DIR> d-------- C:\WINDOWS\system32\vntiho06
    2008-06-08 11:38 . 2008-06-09 06:46 <DIR> d-------- C:\WINDOWS\system32\5336
    2008-06-08 11:37 . 2008-06-08 11:37 <DIR> d-------- C:\Program Files\alot
    2008-06-08 11:37 . 2008-06-08 11:37 <DIR> d-------- C:\Documents and Settings\Ant\Application Data\alot
    2008-06-08 10:59 . 2008-06-08 10:59 55,808 --a------ C:\WINDOWS\portsv.exe
    2008-06-08 10:59 . 2008-06-08 10:58 49,158 --a------ C:\WINDOWS\444.0
    2008-06-04 22:14 . 2008-06-04 22:14 <DIR> d-------- C:\Documents and Settings\Joanne\Application Data\alot
    2008-06-01 10:04 . 2008-06-01 10:04 30,728 --a------ C:\WINDOWS\444.471
    2008-05-13 21:34 . 2008-05-13 21:34 126,976 --a------ C:\WINDOWS\lcmmfu.cpl
    2008-05-13 21:34 . 2008-05-13 21:34 48,640 --a------ C:\WINDOWS\mmfs.dll
    2008-05-13 21:34 . 2008-05-13 21:34 2,560 --a------ C:\WINDOWS\Runservice.exe
    2008-05-13 21:34 . 2008-06-09 06:46 841 --ahs---- C:\WINDOWS\system32\mmf.sys
    2008-05-13 21:26 . 2008-05-13 21:26 <DIR> d-------- C:\Documents and Settings\Ant\Application Data\Out of the Park Developments
    2008-05-13 21:25 . 2008-05-13 21:25 <DIR> d-------- C:\WINDOWS\Out of the Park Baseball
    2008-05-13 21:25 . 2008-05-13 21:25 <DIR> d-------- C:\Program Files\Out of the Park Developments

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-09 03:02 --------- d-----w C:\Documents and Settings\chris\Application Data\LimeWire
    2008-06-08 19:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-08 15:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-06-08 15:37 --------- d-----w C:\Program Files\BearShare
    2008-06-01 19:18 --------- d-----w C:\Documents and Settings\Ant\Application Data\AVG7
    2008-06-01 14:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2008-05-31 04:14 --------- d-----w C:\Program Files\LimeWire
    2008-05-24 01:02 --------- d-----w C:\Documents and Settings\Ant\Application Data\LimeWire
    2008-05-16 22:33 364 ----a-w C:\drmHeader.bin
    2008-04-17 05:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-16 18:01 --------- d-----w C:\Program Files\NetRatingsNetSight
    2008-04-10 02:54 --------- d-----w C:\Program Files\PokerStars
    2006-06-15 19:32 28,880 -c--a-w C:\Documents and Settings\Ant\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}]
    2008-05-20 11:52 672040 --a------ C:\Program Files\alot\bin\alot.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7} "= "C:\Program Files\alot\bin\alot.dll" [2008-05-20 11:52 672040]

    [HKEY_CLASSES_ROOT\clsid\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate "= "C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-20 20:04 218496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "000StTHK "= "000StTHK.exe" [2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe]
    "nwiz "= "nwiz.exe" [2002-04-19 17:13 364544 C:\WINDOWS\system32\nwiz.exe]
    "TFNF5 "= "TFNF5.exe" [2001-08-03 20:08 73728 C:\WINDOWS\system32\TFNF5.exe]
    "Tpwrtray "= "TPWRTRAY.EXE" [2002-03-19 23:38 217088 C:\WINDOWS\system32\TPWRTRAY.EXE]
    "ezShieldProtector for Px "= "C:\WINDOWS\System32\ezSP_Px.exe" [2002-07-03 20:17 40960]
    "Pinger "= "c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 05:37 147456]
    "TSysSMon "= "c:\toshiba\sysstability\tsyssmon.exe" [2002-04-05 17:44 49152]
    "BJCFD "= "C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-05-18 01:09 368706]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2005-11-19 02:24 155648]
    "HostManager "= "C:\Program Files\Common Files\AOL\1132959732\ee\AOLSoftware.exe" [2006-05-09 20:24 50760]
    "IVPServiceMgr "= "C:\toshiba\ivp\ism\ivpsvmgr.exe" [2002-07-15 17:27 475136]
    "IPHSend "= "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59 124520]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-24 17:37 579072]
    "HelpCenter4.1 "= "C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-06-28 19:02 198184]
    "basicsmssmenu "= "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 17:21 169328]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-24 17:37 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "C:\\Program Files\\Common Files\\AOL\\1132959732\\ee\\aolsoftware.exe "=
    "C:\\Program Files\\Common Files\\AOL\\1132959732\\ee\\aim6.exe "=
    "C:\\Program Files\\mIRC\\mirc.exe "=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe "=
    "C:\\Program Files\\LimeWire\\LimeWire.exe "=
    "C:\\Program Files\\DAP\\DAP.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=

    R2 Basics Service;Basics Service; "C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe" [2007-10-09 17:21]
    R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2008-05-13 21:34]
    S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 02:04]

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-09 11:20:59 C:\WINDOWS\Tasks\Symantec NetDetect.job "
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-09 07:16:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-06-09 7:23:30
    ComboFix-quarantined-files.txt 2008-06-09 11:23:09

    Pre-Run: 4,195,262,464 bytes free
    Post-Run: 4,597,305,344 bytes free

    160 --- E O F --- 2008-05-29 11:22:46



    Also, here is a new Hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:39:20 AM, on 6/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\WINDOWS\runservice.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\portsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\TFNF5.exe
    C:\WINDOWS\system32\TPWRTRAY.EXE
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Common Files\AOL\1132959732\ee\AOLSoftware.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
    C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - (no file)
    O2 - BHO: (no name) - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - (no file)
    O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
    O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132959732\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
    O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe "
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Swarmcast for MLB-TV-Mosaic.lnk = C:\Program Files\Swarmcast\SwarmcastLauncher.exe
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132341596170
    O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
    O23 - Service: RoxMediaDB - Unknown owner - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe (file missing)

    --
    End of file - 7679 bytes
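The helpers in this thread read the O2 (Browser Helper Object) and O23 (service) lines of a HijackThis log by eye, looking for exactly the patterns visible above: a service with "Unknown owner", a service binary sitting directly under C:\WINDOWS rather than System32, a display name borrowed from a built-in Windows component, and stale registrations that point at "(no file)" or "(file missing)". The following Python script is an added example, not code from this thread or from the HijackThis or ComboFix authors; it applies those same checks mechanically to a constructed sample made of O2/O23 lines copied from the log above. The heuristics, the `LOOKALIKE_NAMES` list and all function names are assumptions for illustration, and a hit means "look closer", not "malicious".

```python
"""Mechanical triage of HijackThis O2/O23 lines (added example, hypothetical helper).

Flags the same things a forum helper would notice by eye:
  * O2  BHO CLSIDs registered with no DLL on disk
  * O23 services with no vendor ("Unknown owner")
  * O23 service binaries living directly under the Windows root
  * O23 display names that imitate a built-in service but run from elsewhere
  * O23 services whose binary is missing entirely
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of O2/O23 lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: RoxMediaDB - Unknown owner - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe (file missing)
"""

# An .exe directly in the Windows root (C:\WINDOWS\foo.exe), not in a subfolder.
WINDOWS_ROOT_EXE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed, deliberately short list of built-in service names that get imitated.
# The genuine services run from System32 (as svchost.exe service groups).
LOOKALIKE_NAMES = ("plug and play", "remote procedure call")


@dataclass
class Finding:
    kind: str                 # "BHO" or "Service"
    name: str                 # display name as printed by HijackThis
    path: str                 # image path, "(no file)" or "... (file missing)"
    owner: str = ""           # vendor string for services, empty for BHOs
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Turn one O2 or O23 line into a Finding; other line types return None."""
    line = line.strip()
    if line.startswith("O2 - BHO: "):
        parts = line[len("O2 - BHO: "):].rsplit(" - ", 2)   # name, CLSID, path
        if len(parts) != 3:
            return None
        return Finding("BHO", parts[0], parts[2])
    if line.startswith("O23 - Service: "):
        parts = line[len("O23 - Service: "):].rsplit(" - ", 2)  # name, owner, path
        if len(parts) != 3:
            return None
        return Finding("Service", parts[0], parts[2], owner=parts[1])
    return None


def assess(f):
    """Attach human-readable reasons; an empty list means nothing stood out."""
    if f.kind == "BHO":
        if f.path == "(no file)":
            f.reasons.append("BHO CLSID registered but no DLL on disk (orphaned entry)")
        return f
    if f.owner == "Unknown owner":
        f.reasons.append("service binary carries no vendor/version information")
    if f.path.endswith("(file missing)"):
        f.reasons.append("service registered but its binary is missing")
    elif WINDOWS_ROOT_EXE.match(f.path):
        f.reasons.append("binary sits directly under the Windows root, not System32")
    if any(n in f.name.lower() for n in LOOKALIKE_NAMES) and "system32" not in f.path.lower():
        f.reasons.append("display name imitates a built-in service that runs from System32")
    return f


def triage(log_text):
    """Return the flagged entries, most reasons first, then by name."""
    findings = [assess(f) for f in map(parse_line, log_text.splitlines()) if f]
    flagged = [f for f in findings if f.reasons]
    return sorted(flagged, key=lambda f: (-len(f.reasons), f.name))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}\n    {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample the script puts the `PlugPlayRPC` entry at the top (no vendor, binary in the Windows root, and a name imitating Plug and Play), followed by `LicCtrlService`, the missing `RoxMediaDB` binary and the orphaned BHO. Entries it does not flag, such as the ALOT toolbar, still need a human decision; this is a first pass over the log, not a verdict.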
     
  8. 2008/06/09
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi bgfoot
    OK please do the following.

    Please go to Start > Control Panel > Add/Remove Programs (Windows Vista it’s Programs and Features) and remove the following (if present):


    ALOT Toolbar


    Please note any other programs that you don't recognize in that list and post them in your next response.


    Highlight and copy the contents of the code box below and paste it into a blank Notepad window, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINDOWS\portsv.exe
    
    Folder::
    C:\WINDOWS\system32\vntiho06
    C:\WINDOWS\system32\5336
    C:\Program Files\alot
    C:\Documents and Settings\Ant\Application Data\alot
    C:\WINDOWS\444.0
    C:\Documents and Settings\Joanne\Application Data\alot
    C:\WINDOWS\444.471
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
     "{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7} "= -
    [-HKEY_CLASSES_ROOT\clsid\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7}]
    Please post the combofix log and a new HJT log.

    Thanks
    Geri
     
    Geri,
    #7
  9. 2008/06/09
    bgfoot

    bgfoot Inactive Thread Starter

    Joined:
    2008/06/01
    Messages:
    8
    Likes Received:
    0
    I removed the ALOT toolbar.

    ComboFix 08-06-08.7 - Ant 2008-06-09 14:00:44.2 - NTFSx86
    Running from: C:\Documents and Settings\Ant\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Ant\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\portsv.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Ant\Application Data\alot
    C:\Documents and Settings\Joanne\Application Data\alot
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Button_0\images\alot_icon_35x16.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Button_1\images\alot_search_24x16.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Button_2\images\default_216_alot_recipe_recipesearch.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Button_3\images\default_281_alot_weather_widget.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Button_4\images\default_338_alot_recipe_reciperssfeed.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Button_5\images\default_218_alot_recipe_cupboard.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Button_6\images\default_219_alot_recipe_recipevideos.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Button_7\images\default_205_alot_mrkt_harry_david.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Button_8\images\default_441_alot_mrkt_tv.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Shared\domains.dat
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Shared\images\alot_brand.png
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Shared\images\spinner.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Shared\images\widget_btnmin0.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Shared\images\widget_btnmin1.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Shared\images\widget_caption.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
    C:\Documents and Settings\Joanne\Application Data\alot\toolbar.xml
    C:\WINDOWS\444.0\
    C:\WINDOWS\444.471\
    C:\WINDOWS\portsv.exe
    C:\WINDOWS\system32\5336
    C:\WINDOWS\system32\5336\~!15279p.spt
    C:\WINDOWS\system32\vntiho06

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_PlugPlayRPC
    -------\Service_PlugPlayRPC


    ((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
    .

    2008-06-09 13:49 . 2008-06-09 13:49 <DIR> d-------- C:\WINDOWS\system32\1023
    2008-06-08 20:33 . 2008-06-08 20:33 <DIR> d-------- C:\Deckard
    2008-06-08 20:30 . 2008-06-08 20:30 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-08 10:59 . 2008-06-08 10:58 49,158 --a------ C:\WINDOWS\444.0
    2008-06-01 10:04 . 2008-06-01 10:04 30,728 --a------ C:\WINDOWS\444.471
    2008-05-13 21:34 . 2008-05-13 21:34 126,976 --a------ C:\WINDOWS\lcmmfu.cpl
    2008-05-13 21:34 . 2008-05-13 21:34 48,640 --a------ C:\WINDOWS\mmfs.dll
    2008-05-13 21:34 . 2008-05-13 21:34 2,560 --a------ C:\WINDOWS\Runservice.exe
    2008-05-13 21:34 . 2008-06-09 14:13 841 --ahs---- C:\WINDOWS\system32\mmf.sys
    2008-05-13 21:26 . 2008-05-13 21:26 <DIR> d-------- C:\Documents and Settings\Ant\Application Data\Out of the Park Developments
    2008-05-13 21:25 . 2008-05-13 21:25 <DIR> d-------- C:\WINDOWS\Out of the Park Baseball
    2008-05-13 21:25 . 2008-05-13 21:25 <DIR> d-------- C:\Program Files\Out of the Park Developments

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-09 03:02 --------- d-----w C:\Documents and Settings\chris\Application Data\LimeWire
    2008-06-08 19:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-08 15:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-06-08 15:37 --------- d-----w C:\Program Files\BearShare
    2008-06-01 19:18 --------- d-----w C:\Documents and Settings\Ant\Application Data\AVG7
    2008-06-01 14:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2008-05-31 04:14 --------- d-----w C:\Program Files\LimeWire
    2008-05-24 01:02 --------- d-----w C:\Documents and Settings\Ant\Application Data\LimeWire
    2008-05-16 22:33 364 ----a-w C:\drmHeader.bin
    2008-04-17 05:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-16 18:01 --------- d-----w C:\Program Files\NetRatingsNetSight
    2008-04-10 02:54 --------- d-----w C:\Program Files\PokerStars
    2006-06-15 19:32 28,880 -c--a-w C:\Documents and Settings\Ant\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-09_ 7.22.45.49 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-09 10:45:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-09 18:12:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate "= "C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-20 20:04 218496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "000StTHK "= "000StTHK.exe" [2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe]
    "nwiz "= "nwiz.exe" [2002-04-19 17:13 364544 C:\WINDOWS\system32\nwiz.exe]
    "TFNF5 "= "TFNF5.exe" [2001-08-03 20:08 73728 C:\WINDOWS\system32\TFNF5.exe]
    "Tpwrtray "= "TPWRTRAY.EXE" [2002-03-19 23:38 217088 C:\WINDOWS\system32\TPWRTRAY.EXE]
    "ezShieldProtector for Px "= "C:\WINDOWS\System32\ezSP_Px.exe" [2002-07-03 20:17 40960]
    "Pinger "= "c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 05:37 147456]
    "TSysSMon "= "c:\toshiba\sysstability\tsyssmon.exe" [2002-04-05 17:44 49152]
    "BJCFD "= "C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-05-18 01:09 368706]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2005-11-19 02:24 155648]
    "HostManager "= "C:\Program Files\Common Files\AOL\1132959732\ee\AOLSoftware.exe" [2006-05-09 20:24 50760]
    "IVPServiceMgr "= "C:\toshiba\ivp\ism\ivpsvmgr.exe" [2002-07-15 17:27 475136]
    "IPHSend "= "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59 124520]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-24 17:37 579072]
    "HelpCenter4.1 "= "C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-06-28 19:02 198184]
    "basicsmssmenu "= "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 17:21 169328]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-24 17:37 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "C:\\Program Files\\Common Files\\AOL\\1132959732\\ee\\aolsoftware.exe "=
    "C:\\Program Files\\Common Files\\AOL\\1132959732\\ee\\aim6.exe "=
    "C:\\Program Files\\mIRC\\mirc.exe "=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe "=
    "C:\\Program Files\\LimeWire\\LimeWire.exe "=
    "C:\\Program Files\\DAP\\DAP.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=

    R2 Basics Service;Basics Service; "C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe" [2007-10-09 17:21]
    R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2008-05-13 21:34]
    S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 02:04]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-09 18:26:01 C:\WINDOWS\Tasks\Symantec NetDetect.job "
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-09 14:13:43
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    C:\WINDOWS\explorer.exe [1904] 0x81702B28

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-09 14:26:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-09 18:26:37
    ComboFix2.txt 2008-06-09 11:23:31

    Pre-Run: 4,790,796,288 bytes free
    Post-Run: 4,823,240,704 bytes free

    163 --- E O F --- 2008-05-29 11:22:46



    New Hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:29:07 PM, on 6/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\WINDOWS\runservice.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\WINDOWS\system32\TPWRTRAY.EXE
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Common Files\AOL\1132959732\ee\AOLSoftware.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
    C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132959732\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
    O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe "
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Swarmcast for MLB-TV-Mosaic.lnk = C:\Program Files\Swarmcast\SwarmcastLauncher.exe
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132341596170
    O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: RoxMediaDB - Unknown owner - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe (file missing)

    --
    End of file - 7045 bytes
     
  10. 2008/06/09
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, let's try this again.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Code:
    File::
    C:\WINDOWS\444.0
    C:\WINDOWS\444.471
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]
    
    Thanks
    maranatha
     
  11. 2008/06/09
    bgfoot

    bgfoot Inactive Thread Starter

    Joined:
    2008/06/01
    Messages:
    8
    Likes Received:
    0
    ComboFix 08-06-08.7 - Ant 2008-06-09 15:40:26.3 - NTFSx86
    Running from: C:\Documents and Settings\Ant\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Ant\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\444.0
    C:\WINDOWS\444.471
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\444.0
    C:\WINDOWS\444.471

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
    .

    2008-06-09 13:49 . 2008-06-09 13:49 <DIR> d-------- C:\WINDOWS\system32\1023
    2008-06-08 20:33 . 2008-06-08 20:33 <DIR> d-------- C:\Deckard
    2008-06-08 20:30 . 2008-06-08 20:30 <DIR> d-------- C:\Program Files\Trend Micro
    2008-05-13 21:34 . 2008-05-13 21:34 126,976 --a------ C:\WINDOWS\lcmmfu.cpl
    2008-05-13 21:34 . 2008-05-13 21:34 48,640 --a------ C:\WINDOWS\mmfs.dll
    2008-05-13 21:34 . 2008-05-13 21:34 2,560 --a------ C:\WINDOWS\Runservice.exe
    2008-05-13 21:34 . 2008-06-09 14:13 841 --ahs---- C:\WINDOWS\system32\mmf.sys
    2008-05-13 21:26 . 2008-05-13 21:26 <DIR> d-------- C:\Documents and Settings\Ant\Application Data\Out of the Park Developments
    2008-05-13 21:25 . 2008-05-13 21:25 <DIR> d-------- C:\WINDOWS\Out of the Park Baseball
    2008-05-13 21:25 . 2008-05-13 21:25 <DIR> d-------- C:\Program Files\Out of the Park Developments

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-09 03:02 --------- d-----w C:\Documents and Settings\chris\Application Data\LimeWire
    2008-06-08 19:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-08 15:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-06-08 15:37 --------- d-----w C:\Program Files\BearShare
    2008-06-07 00:01 70,144 ----a-w C:\WINDOWS\system32\userinit.exe
    2008-06-01 19:18 --------- d-----w C:\Documents and Settings\Ant\Application Data\AVG7
    2008-06-01 14:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2008-05-31 04:14 --------- d-----w C:\Program Files\LimeWire
    2008-05-24 01:02 --------- d-----w C:\Documents and Settings\Ant\Application Data\LimeWire
    2008-05-16 22:33 364 ----a-w C:\drmHeader.bin
    2008-04-17 05:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-16 18:01 --------- d-----w C:\Program Files\NetRatingsNetSight
    2008-04-10 02:54 --------- d-----w C:\Program Files\PokerStars
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2006-06-15 19:32 28,880 -c--a-w C:\Documents and Settings\Ant\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-09_ 7.22.45.49 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-09 10:45:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-09 18:12:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate "= "C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-20 20:04 218496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "000StTHK "= "000StTHK.exe" [2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe]
    "nwiz "= "nwiz.exe" [2002-04-19 17:13 364544 C:\WINDOWS\system32\nwiz.exe]
    "TFNF5 "= "TFNF5.exe" [2001-08-03 20:08 73728 C:\WINDOWS\system32\TFNF5.exe]
    "Tpwrtray "= "TPWRTRAY.EXE" [2002-03-19 23:38 217088 C:\WINDOWS\system32\TPWRTRAY.EXE]
    "ezShieldProtector for Px "= "C:\WINDOWS\System32\ezSP_Px.exe" [2002-07-03 20:17 40960]
    "Pinger "= "c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 05:37 147456]
    "TSysSMon "= "c:\toshiba\sysstability\tsyssmon.exe" [2002-04-05 17:44 49152]
    "BJCFD "= "C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-05-18 01:09 368706]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2005-11-19 02:24 155648]
    "HostManager "= "C:\Program Files\Common Files\AOL\1132959732\ee\AOLSoftware.exe" [2006-05-09 20:24 50760]
    "IVPServiceMgr "= "C:\toshiba\ivp\ism\ivpsvmgr.exe" [2002-07-15 17:27 475136]
    "IPHSend "= "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59 124520]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-24 17:37 579072]
    "HelpCenter4.1 "= "C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-06-28 19:02 198184]
    "basicsmssmenu "= "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 17:21 169328]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-24 17:37 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "C:\\Program Files\\Common Files\\AOL\\1132959732\\ee\\aolsoftware.exe "=
    "C:\\Program Files\\Common Files\\AOL\\1132959732\\ee\\aim6.exe "=
    "C:\\Program Files\\mIRC\\mirc.exe "=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe "=
    "C:\\Program Files\\LimeWire\\LimeWire.exe "=
    "C:\\Program Files\\DAP\\DAP.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=

    R2 Basics Service;Basics Service; "C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe" [2007-10-09 17:21]
    R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2008-05-13 21:34]
    S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 02:04]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-09 19:51:00 C:\WINDOWS\Tasks\Symantec NetDetect.job "
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-09 15:47:25
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-06-09 15:53:32
    ComboFix-quarantined-files.txt 2008-06-09 19:53:16
    ComboFix2.txt 2008-06-09 18:26:46
    ComboFix3.txt 2008-06-09 11:23:31

    Pre-Run: 4,799,561,728 bytes free
    Post-Run: 4,807,725,056 bytes free

    121 --- E O F --- 2008-05-29 11:22:46





    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:56:18 PM, on 6/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\WINDOWS\runservice.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\WINDOWS\system32\TPWRTRAY.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Common Files\AOL\1132959732\ee\AOLSoftware.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132959732\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
    O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe "
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Swarmcast for MLB-TV-Mosaic.lnk = C:\Program Files\Swarmcast\SwarmcastLauncher.exe
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132341596170
    O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: RoxMediaDB - Unknown owner - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe (file missing)

    --
    End of file - 6919 bytes
     
  12. 2008/06/09
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Ok Good.

    Please do this.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.


    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.


    Please do an online scan with Kaspersky WebScanner

    Click on "Accept". If your pop-up blocker blocks the ActiveX download, allow it, then click on "Accept" again.

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes or Install.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This will start the program and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
  13. 2008/06/10
    bgfoot

    bgfoot Inactive Thread Starter

    Joined:
    2008/06/01
    Messages:
    8
    Likes Received:
    0
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Tuesday, June 10, 2008
    Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Tuesday, June 10, 2008 11:04:55
    Records in database: 845635
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan statistics:
    Files scanned: 69263
    Threat name: 16
    Infected objects: 23
    Suspicious objects: 0
    Duration of the scan: 02:36:58


    File name / Threat name / Threats count
    C:\Deckard\System Scanner\backup\DOCUME~1\Ant\LOCALS~1\Temp\bbti.exe Infected: Trojan.Win32.DNSChanger.ebg 1
    C:\Deckard\System Scanner\backup\DOCUME~1\Ant\LOCALS~1\Temp\bti.exe Infected: Trojan.Win32.DNSChanger.ebg 1
    C:\Deckard\System Scanner\backup\DOCUME~1\Ant\LOCALS~1\Temp\mmonHJ.exe Infected: Trojan-Downloader.Win32.VB.epp 1
    C:\Deckard\System Scanner\backup\DOCUME~1\Ant\LOCALS~1\Temp\msiexec.exe Infected: Trojan-Clicker.Win32.Agent.tg 1
    C:\Deckard\System Scanner\backup\DOCUME~1\Ant\LOCALS~1\Temp\syswcc32.exe Infected: not-a-virus:AdWare.Win32.WebHancer.423 1
    C:\Deckard\System Scanner\backup\DOCUME~1\Ant\LOCALS~1\Temp\syswcc32.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 3
    C:\Documents and Settings\Ant\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-4de083c4 Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\Ant\Application Data\Sun\Java\Deployment\cache\6.0\39\4ae1eea7-1b47f390 Infected: Trojan.Java.ClassLoader.k 1
    C:\Documents and Settings\Ant\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-4514b527 Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\Ant\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-58a70f5a Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\Joanne\Desktop\recipes(2).exe Infected: not-a-virus:AdWare.Win32.Comet.ba 1
    C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt Infected: not-virus:Hoax.HTML.Secureinvites.b 1
    C:\Program Files\BearShare\Installer\BSInstall5.2.5.1.exe Infected: not-a-virus:AdWare.Win32.180Solutions.ao 1
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
    C:\QooBox\Quarantine\C\Documents and Settings\Ant\Application Data\Microsoft\dtsc\13486.exe.vir Infected: Trojan-Downloader.Win32.Agent.shg 1
    C:\QooBox\Quarantine\C\Documents and Settings\Ant\Application Data\Microsoft\dtsc\16987.exe.vir Infected: Trojan-Downloader.Win32.Agent.shg 1
    C:\QooBox\Quarantine\C\Documents and Settings\Ant\Application Data\Microsoft\dtsc\4240.exe~.vir Infected: Trojan-Dropper.Win32.Agent.seh 1
    C:\QooBox\Quarantine\C\Documents and Settings\Ant\Application Data\Microsoft\dtsc\7442.exe.vir Infected: Trojan-Downloader.Win32.Agent.shg 1
    C:\QooBox\Quarantine\C\WINDOWS\444.471.vir Infected: Trojan.Win32.DNSChanger.dxy 1
    C:\QooBox\Quarantine\C\WINDOWS\mrofinu72.exe.vir Infected: Trojan-Downloader.Win32.Homles.br 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\sockins32.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.awz 1

    The selected area was scanned.
     
  14. 2008/06/10
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi bgfoot

    We need to clear your Java Cache
    • Go into the Control Panel and double-click the Java Icon.
    • On the general tab, at the bottom it has "temporary internet files"
    • Click the settings button. Then the Delete files button.
    • There are two options in the window to clear the cache - Leave both Checked

      • Applications and Applets
        Trace and Log files
    • Click OK
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Java Control Panel.

    Please delete these files.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\Documents and Settings\Joanne\Desktop\recipes(2).exe
    C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt
    C:\Program Files\BearShare\Installer\BSInstall5.2.5.1.exe


    Now do this.

    Click Start > Run. In the run box, copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created.

    Delete these.
    dss.exe and this folder C:\Deckard

    Now please run Kaspersky again and post the log.

    Thanks
    Geri
     
  15. 2008/06/10
    bgfoot

    bgfoot Inactive Thread Starter

    Joined:
    2008/06/01
    Messages:
    8
    Likes Received:
    0
    Thank you for being so helpful.

    Here is the new log.



    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Tuesday, June 10, 2008
    Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Tuesday, June 10, 2008 15:24:20
    Records in database: 845734
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan statistics:
    Files scanned: 68278
    Threat name: 4
    Infected objects: 4
    Suspicious objects: 0
    Duration of the scan: 02:51:55


    File name / Threat name / Threats count
    C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt Infected: not-virus:Hoax.HTML.Secureinvites.b 1
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
    C:\RECYCLER\S-1-5-21-2304659736-4264649163-3499916212-1006\Dc1.exe Infected: not-a-virus:AdWare.Win32.Comet.ba 1
    C:\RECYCLER\S-1-5-21-2304659736-4264649163-3499916212-1006\Dc2.exe Infected: not-a-virus:AdWare.Win32.180Solutions.ao 1

    The selected area was scanned.
     
  16. 2008/06/10
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi bgfoot
    Ok from the Kaspersky log.

    2 are in your recycle bin, so please empty your recycle bin.
    1 is IRC so if you use that then there is no problem there.
    1 is this, Desktop.htt - Secureinvites.b, not-virus:Hoax. Either you could not find it to delete it or you wanted to keep it;
    either way it's not a threat.

    So how are things running?

    let me know.

    Geri
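The triage the helper does on the Kaspersky log above (quarantine copies, Recycle Bin contents, Java cache hits and not-a-virus flags are not live infections) can be automated over the "File name / Threat name / Threats count" lines of a Kaspersky Online Scanner 7 report. This is an added example, not code from the thread or from Kaspersky; the sample report is assembled from lines posted above plus one constructed path, and the quarantine folder prefixes are assumed from those logs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# One report line looks like:
#   <path> Infected: <threat name> <count>
# The path may contain spaces, so the "Infected:" token is what splits it.
LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")

# Folders holding copies already pulled out of the running system
# (assumed from the ComboFix and Deckard paths seen in the thread's logs).
QUARANTINE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",                # ComboFix quarantine
    "c:\\deckard\\system scanner\\backup\\",   # Deckard's System Scanner backup
)
RECYCLER_PREFIX = "c:\\recycler\\"
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"

CATEGORIES = ("quarantined", "recycle_bin", "java_cache", "not_a_virus", "live")

# What the helper in the thread asks for in each case.
ACTIONS = {
    "quarantined": "already removed; uninstall the tool (ComboFix /u) or delete its backup folder",
    "recycle_bin": "empty the Recycle Bin",
    "java_cache": "clear the Java cache from the Java Control Panel",
    "not_a_virus": "adware/hoax/riskware flag; keep or delete depending on whether you use it",
    "live": "still on the live system; delete or investigate",
}


@dataclass
class Hit:
    path: str
    threat: str
    count: int
    category: str


def classify(path: str, threat: str) -> str:
    """Bucket one hit; location is checked before the threat name so a
    not-a-virus copy sitting in quarantine still counts as quarantined."""
    low = path.lower()
    if low.startswith(QUARANTINE_PREFIXES):
        return "quarantined"
    if low.startswith(RECYCLER_PREFIX):
        return "recycle_bin"
    if JAVA_CACHE_MARKER in low:
        return "java_cache"
    if threat.lower().startswith(("not-a-virus:", "not-virus:")):
        return "not_a_virus"
    return "live"


def parse_report(text: str) -> List[Hit]:
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank and footer lines
        path, threat, count = m.group("path"), m.group("threat"), int(m.group("count"))
        hits.append(Hit(path, threat, count, classify(path, threat)))
    return hits


def triage(text: str) -> Dict[str, List[Hit]]:
    buckets: Dict[str, List[Hit]] = {c: [] for c in CATEGORIES}
    for hit in parse_report(text):
        buckets[hit.category].append(hit)
    return buckets


def summary(text: str) -> str:
    lines = []
    for category, hits in triage(text).items():
        if hits:
            lines.append(f"{category} ({len(hits)}): {ACTIONS[category]}")
            lines.extend(f"    {h.threat}  {h.path}" for h in hits)
    return "\n".join(lines)


# Sample report: lines taken from the reports posted in this thread, plus one
# constructed path (constructed-sample.dll) to show a hit on the live system.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Deckard\System Scanner\backup\DOCUME~1\Ant\LOCALS~1\Temp\bbti.exe Infected: Trojan.Win32.DNSChanger.ebg 1
C:\Documents and Settings\Ant\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-4de083c4 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Joanne\Desktop\recipes(2).exe Infected: not-a-virus:AdWare.Win32.Comet.ba 1
C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt Infected: not-virus:Hoax.HTML.Secureinvites.b 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
C:\QooBox\Quarantine\C\WINDOWS\444.471.vir Infected: Trojan.Win32.DNSChanger.dxy 1
C:\RECYCLER\S-1-5-21-2304659736-4264649163-3499916212-1006\Dc1.exe Infected: not-a-virus:AdWare.Win32.Comet.ba 1
C:\WINDOWS\system32\constructed-sample.dll Infected: Trojan-Downloader.Win32.Agent.shg 1

The selected area was scanned.
"""

if __name__ == "__main__":
    print(summary(SAMPLE_REPORT))
```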
     
  17. 2008/06/10
    bgfoot

    bgfoot Inactive Thread Starter

    Joined:
    2008/06/01
    Messages:
    8
    Likes Received:
    0
    Yeah, I couldn't find the desktop.htt file to delete it. Everything seems to be running smoothly.

    Thanks again for all your help!
     
  18. 2008/06/10
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi bgfoot
    Glad I could help out. :)

    Please look at this link for some preventive recommendations. It could keep you from ending up back here in the Spyware and Virus Removal Forums.
    http://www.windowsbbs.com/showthread.php?t=67958

    I'll mark this one resolved.

    Surf Safely
    Geri
     
  19. 2008/07/02
    iLKke

    iLKke Inactive

    Joined:
    2008/07/02
    Messages:
    15
    Likes Received:
    0
    Pretty Much The Same Problem

    Hi.
    I have pretty much the same problem, with having to rename firefox (and others) in order to start it, and in that I'm prevented from visiting certain security-related URLs.

    I got infected after installing Daemon Tools Lite I downloaded from bittorrent.
    I don't know if it's OK to post a link to the torrent file here. If allowed, I'll do it in hope that it will help in pinpointing and thus solving the problem.

    I use Zone Alarm but I accidentally allowed one or several malicious programs access while installing Daemon Tools Lite. Suddenly I had false security pop-ups and later found and got rid of a huge bunch of malware like 444.471, Cyberlog-X and WebHancer. They were logging keystrokes, registering randomly named dlls to be loaded on Windows startup and whatnot.
    I used SpyBot SnD, CCleaner, AdAware and ZoneAlarm Security Suite for detection and removal. I also had to manually remove some DLLs by booting from an MS-DOS floppy.

    One thing that I DIDN'T manage to fix is the aforementioned program/URL blacklist issue. I read the whole thread but I was unable to DL ATFCleaner or access Kaspersky Webscan because of the browser block. I found a mirror for ATF but it just saved a zero-byte file to my drive.

    I understand that this is a fairly new virus, and it apparently blocks more content than it did when this thread was started.

    Please help!
     
  20. 2008/07/02
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi iLKke
    Welcome to windowsbbs. :)

    Please start a topic of your own and do the following.

    Please download and install HijackThis (let it install to the default location) and run a scan, then close HJT, then run Deckard's System Scanner and post the main.txt log
    in the topic that you start, and someone will help you out.
    Links and instructions here.

    Thanks
    Geri
     
  21. 2008/07/02
    iLKke

    iLKke Inactive

    Joined:
    2008/07/02
    Messages:
    15
    Likes Received:
    0
    Ok, thanks
     
