Downloaded.obfuskated help please [Archive]

View Full Version : Downloaded.obfuskated help please

drewclifford

2007-11-10, 18:54

Can you please help me fix this problem? I followed the instructions for Before You Post and here are my logs. I am getting tons of pop ups from "CID" and AVG keeps warning me that I have a threat even after I have moved the virus to the vault. Any help would be greatly appreciated so I am not required to format my whole computer for the 2nd time in like 3 months!Thanks Again!
Drew

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, November 10, 2007 12:52:12 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/11/2007
Kaspersky Anti-Virus database records: 456063
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 63933
Number of viruses found: 5
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 00:31:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\Drew\Application Data\Mozilla\Firefox\Profiles\qv1cmc10.default\cert8.db Object is locked skipped
C:\Documents and Settings\Drew\Application Data\Mozilla\Firefox\Profiles\qv1cmc10.default\history.dat Object is locked skipped
C:\Documents and Settings\Drew\Application Data\Mozilla\Firefox\Profiles\qv1cmc10.default\key3.db Object is locked skipped
C:\Documents and Settings\Drew\Application Data\Mozilla\Firefox\Profiles\qv1cmc10.default\parent.lock Object is locked skipped
C:\Documents and Settings\Drew\Application Data\Mozilla\Firefox\Profiles\qv1cmc10.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Drew\Application Data\Mozilla\Firefox\Profiles\qv1cmc10.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Drew\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Drew\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Drew\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped
C:\Documents and Settings\Drew\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Drew\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Drew\Local Settings\Application Data\Mozilla\Firefox\Profiles\qv1cmc10.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Drew\Local Settings\Application Data\Mozilla\Firefox\Profiles\qv1cmc10.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Drew\Local Settings\Application Data\Mozilla\Firefox\Profiles\qv1cmc10.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Drew\Local Settings\Application Data\Mozilla\Firefox\Profiles\qv1cmc10.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Drew\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Drew\Local Settings\History\History.IE5\MSHist012007111020071111\index.dat Object is locked skipped
C:\Documents and Settings\Drew\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Drew\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Drew\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Drew\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Morpheus\morpheustoolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Program Files\Morpheus\mymorpheusToolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP119\A0016146.exe/file11 Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP119\A0016146.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP119\A0016147.exe/file6 Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP119\A0016147.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP120\A0016192.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP121\A0016399.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP122\A0016442.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP123\A0016535.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP124\A0016544.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP126\A0016583.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP126\A0016587.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP127\A0016627.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP127\A0016628.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP127\A0016629.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP127\A0016635.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP128\A0016728.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP129\A0016745.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP130\A0016746.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP131\A0016769.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP132\A0016788.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP132\A0016818.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP133\A0016842.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP133\A0016853.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP133\A0016854.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP134\A0016860.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP134\A0016895.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP134\A0016902.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP134\A0016908.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP134\A0016909.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP134\A0016910.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP134\A0016911.exe Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP137\change.log Object is locked skipped
C:\System Volume Information\_restore{A35C0AB7-4BFC-4274-991E-6DECBB43EA6B}\RP56\A0006412.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{26639895-4A59-476C-ADC2-21BB10D420A4}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:55 PM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Morpheus\Morpheus.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: IE 4.x-6.x BHO - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\PROGRA~1\BEGONE~1\IEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [shim spam] C:\DOCUME~1\Drew\APPLIC~1\PROXYF~1\Bolt Open.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185353558984
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4448 bytes

steamwiz

2007-11-10, 19:59

Hi

This is what you get from p2p programs ...

C:\Program Files\Morpheus\morpheustoolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Program Files\Morpheus\mymorpheusToolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

the other infected files are in system restore ...

We can clean your KASPERSKY by uninstalling Morpheus & purging your restore points ...

Hijackthis shows a LOP infection ...

Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-

O4 - HKCU\..\Run: [shim spam] C:\DOCUME~1\Drew\APPLIC~1\PROXYF~1\Bolt Open.exe

REBOOT... find and delete :-

C:\documents and settings\Drew\Application Data\PROXYF~1 ... folder (These are just the first 6 letters of this folder - I have no way of knowing it's full name )

THEN ...

Run hijackthis ...

Click Open the Misc tools section

Click open uninstall manager

Click save list

save the uninstall_list.txt to your desktop

Copy & past the list in your next post here ...

THEN ...

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!

* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

THEN ...

Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Please remember to post :-

1. uninstall list
2. SUPERAntiSpyware Scan Log
3. C:\ComboFix.txt
4. a new hijackthis log.( run after everything else)

steam

drewclifford

2007-11-11, 18:11

Here it all is, hope this can be fixed! I have some questions in regards to avoiding this happening again once we can get this all fixed! Thanks so Much for all the help!
Drew

Adobe Flash Player ActiveX
ArcSoft PhotoImpression 5
AVG 7.5
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Ease Audio Converter 4.50
Enemy Territory - QUAKE Wars(TM) Demo
EPSON CX5000 Series User's Guide
EPSON Printer Software
EPSON Scan
EPSON Stylus CX5000 Scanner Driver Update
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Intel Audio Studio 2.0
Intel(R) Active Client Manager 2.0 HECI Driver
Intel(R) PRO Network Connections
IrfanView (remove only)
Kaspersky Online Scanner
Logitech Gaming Software
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 Redistributable
Morpheus 5.3 (remove only)
Mozilla Firefox (2.0.0.9)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
NBA LIVE 07
Nero 7 Ultra Edition
NVIDIA Drivers
OpenOffice.org 2.0
POPUP BEGONE TRIAL V2.0
RollerCoaster Tycoon 3 Platinum
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
SigmaTel Audio
Spybot - Search & Destroy
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VideoLAN VLC media player 0.8.6c
Vodei Multimedia Processor 2.10
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Player Firefox Plugin
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/11/2007 at 11:49 AM

Application Version : 3.9.1008

Core Rules Database Version : 3342
Trace Rules Database Version: 1343

Scan type : Complete Scan
Total Scan Time : 01:05:29

Memory items scanned : 468
Memory threats detected : 0
Registry items scanned : 4798
Registry threats detected : 7
File items scanned : 62904
File threats detected : 37

Trojan.Downloader/Dialer-LiveCall
HKLM\Software\Classes\CLSID\{49E0E0F0-5C30-11D4-945D-000000000000}
HKCR\CLSID\{49E0E0F0-5C30-11D4-945D-000000000000}
HKCR\CLSID\{49E0E0F0-5C30-11D4-945D-000000000000}
HKCR\CLSID\{49E0E0F0-5C30-11D4-945D-000000000000}\InprocServer32
HKCR\CLSID\{49E0E0F0-5C30-11D4-945D-000000000000}\InprocServer32#ThreadingModel
HKCR\CLSID\{49E0E0F0-5C30-11D4-945D-000000000000}\ProgID
C:\PROGRA~1\BEGONE~1\IEHELPER.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49E0E0F0-5C30-11D4-945D-000000000000}

Adware.Tracking Cookie
C:\Documents and Settings\Drew\Cookies\drew@edge.ru4[2].txt
C:\Documents and Settings\Drew\Cookies\drew@adopt.specificclick[2].txt
C:\Documents and Settings\Drew\Cookies\drew@realmedia[2].txt
C:\Documents and Settings\Drew\Cookies\drew@azjmp[1].txt
C:\Documents and Settings\Drew\Cookies\drew@ads.realtechnetwork[2].txt
C:\Documents and Settings\Drew\Cookies\drew@ads.revsci[1].txt
C:\Documents and Settings\Drew\Cookies\drew@publishers.clickbooth[2].txt
C:\Documents and Settings\Drew\Cookies\drew@adserver5.teracent[1].txt
C:\Documents and Settings\Drew\Cookies\drew@www.incentaclick[1].txt
C:\Documents and Settings\Drew\Cookies\drew@login.tracking101[2].txt
C:\Documents and Settings\Drew\Cookies\drew@interclick[2].txt
C:\Documents and Settings\Drew\Cookies\drew@ilead.itrack[2].txt
C:\Documents and Settings\Drew\Cookies\drew@revsci[1].txt
C:\Documents and Settings\Drew\Cookies\drew@msnportal.112.2o7[1].txt
C:\Documents and Settings\Drew\Cookies\drew@omahasteaks.122.2o7[1].txt
C:\Documents and Settings\Drew\Cookies\drew@precisionclick[1].txt
C:\Documents and Settings\Drew\Cookies\drew@ads.morpheus[1].txt
C:\Documents and Settings\Drew\Cookies\drew@adopt.euroclick[1].txt
C:\Documents and Settings\Drew\Cookies\drew@adserver6.teracent[1].txt
C:\Documents and Settings\Drew\Cookies\drew@tremor.adbureau[1].txt
C:\Documents and Settings\Drew\Cookies\drew@adultfriendfinder[1].txt
C:\Documents and Settings\Drew\Cookies\drew@ads.adbrite[1].txt
C:\Documents and Settings\Drew\Cookies\drew@ads.glispa[2].txt
C:\Documents and Settings\Drew\Cookies\drew@tribalfusion[2].txt
C:\Documents and Settings\Drew\Cookies\drew@ads.realtechnetwork[3].txt
C:\Documents and Settings\Drew\Cookies\drew@questionmarket[2].txt
C:\Documents and Settings\Drew\Cookies\drew@advertising[1].txt
C:\Documents and Settings\Drew\Cookies\drew@adserver.easyad[1].txt
C:\Documents and Settings\Drew\Cookies\drew@ads.diet[1].txt
C:\Documents and Settings\Drew\Cookies\drew@atdmt[2].txt
C:\Documents and Settings\Drew\Cookies\drew@adbrite[1].txt
C:\Documents and Settings\Drew\Cookies\drew@2o7[1].txt
C:\Documents and Settings\Drew\Cookies\drew@server.iad.liveperson[2].txt
C:\Documents and Settings\Drew\Cookies\drew@adtech[1].txt
C:\Documents and Settings\Drew\Cookies\drew@www.adserver5[2].txt
C:\Documents and Settings\Mom\Cookies\mom@msnportal.112.2o7[1].txt

ComboFix 07-11-01.1 - Drew 2007-11-11 11:56:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.638 [GMT -5:00]
Running from: C:\Documents and Settings\Drew\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-11 10:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-11 10:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-11 10:36 <DIR> d-------- C:\Documents and Settings\Drew\Application Data\SUPERAntiSpyware.com
2007-11-11 10:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 12:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-09 00:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-09 00:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-09 00:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-08 18:13 <DIR> d-------- C:\Documents and Settings\Drew\Deck.The.Halls.DVDRip.XviD-DMT
2007-11-08 18:11 <DIR> d-------- C:\Documents and Settings\Drew\-= American Gangster =-
2007-11-08 18:10 <DIR> d-------- C:\Documents and Settings\Drew\Blow[2001][Eng][Dvdrip]-freakzilla
2007-11-07 20:31 <DIR> d-------- C:\Program Files\proxy find
2007-11-04 16:11 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\proxy find
2007-11-01 00:11 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-31 23:34 <DIR> d-------- C:\Program Files\BegoneTrial
2007-10-31 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-31 23:30 724,992 --a------ C:\WINDOWS\iun6002.exe
2007-10-27 14:03 <DIR> d-------- C:\Program Files\DivX
2007-10-25 21:55 <DIR> d-------- C:\Program Files\DivoCodec
2007-10-25 21:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Long slow road itch
2007-10-25 00:24 <DIR> d-------- C:\Documents and Settings\Drew\Application Data\vlc
2007-10-25 00:11 <DIR> d-------- C:\Program Files\VideoLAN
2007-10-21 23:42 <DIR> d-------- C:\Documents and Settings\Drew\Dexter Season 2
2007-10-21 18:11 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-10-20 15:56 <DIR> d-------- C:\Program Files\id Software
2007-10-15 17:46 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-10-15 17:46 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-10-15 14:27 <DIR> d-------- C:\Documents and Settings\Drew\Application Data\Atari
2007-10-15 14:27 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-10-15 14:14 <DIR> d-------- C:\Program Files\Atari
2007-10-13 20:34 <DIR> d-------- C:\Documents and Settings\Wayne\Application Data\Talkback
2007-10-13 20:34 <DIR> d-------- C:\Documents and Settings\Wayne\Application Data\AVG7
2007-10-13 20:23 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\PC Suite
2007-10-13 15:43 <DIR> d-------- C:\Documents and Settings\Drew\Grey's Anatomy Season 3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 15:26 --------- d-----w C:\Documents and Settings\Drew\Application Data\uTorrent
2007-11-11 13:00 --------- d-----w C:\Documents and Settings\Drew\Application Data\AVG7
2007-11-10 17:58 --------- d-----w C:\Program Files\Morpheus
2007-11-09 05:53 --------- d-----w C:\Program Files\EA SPORTS
2007-11-06 13:00 --------- d-----w C:\Documents and Settings\Mom\Application Data\AVG7
2007-11-05 05:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-01 05:24 --------- d-----w C:\Program Files\MorpheusBar
2007-10-29 05:04 --------- d-----w C:\Documents and Settings\Drew\Application Data\RipIt4Me
2007-10-27 16:29 --------- d-----w C:\Program Files\GameSpy Arcade
2007-10-25 05:14 --------- d-----w C:\Program Files\Vodei
2007-10-21 23:20 --------- d-----w C:\Program Files\Intel Audio Studio
2007-10-20 20:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-08 04:39 --------- d-----w C:\Program Files\DAEMON Tools
2007-10-08 04:11 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-10-05 03:48 --------- d-----w C:\Documents and Settings\Drew\Application Data\OpenOffice.org2
2007-10-05 03:38 --------- d-----w C:\Program Files\Ascentive
2007-10-04 11:45 --------- d-----w C:\Documents and Settings\Drew\Application Data\DVD Flick
2007-10-04 04:19 --------- d-----w C:\Program Files\Common Files\Real
2007-10-03 22:19 --------- d-----w C:\Program Files\easetech
2007-10-03 22:18 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-10-03 22:15 --------- d-----w C:\Documents and Settings\Drew\Application Data\Nokia
2007-10-03 22:08 --------- d-----w C:\Documents and Settings\Drew\Application Data\PC Suite
2007-10-03 22:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2007-10-03 22:07 --------- d-----w C:\Program Files\DIFX
2007-10-03 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2007-09-12 11:50 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Ahead
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-01_ 1.33.54.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 22:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-11 15:36:49 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-11-11 15:36:49 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-11-11 15:36:49 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-07-25 20:55:52 45,612 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-06 23:10:43 45,612 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-07-25 20:55:52 364,064 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-06 23:10:43 364,064 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-07-22 22:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 03:04]
"SigmatelSysTrayApp"="sttray.exe" []
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-06-07 16:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-25 07:20]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 12:26]
"nwiz"="nwiz.exe" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 12:26]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys
S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-11 16:00:14 C:\WINDOWS\Tasks\B5B17958942AEBD4.job"
- c:\docume~1\drew\applic~1\proxyf~1\Meal Mess Trans.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 11:57:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\WindowsShell.Manifest 749 bytes
C:\WINDOWS\WindowsUpdate.log 1331994 bytes
C:\WINDOWS\winhelp.exe 256192 bytes
C:\WINDOWS\winhlp32.exe 283648 bytes executable
C:\WINDOWS\winnt.bmp 48680 bytes
C:\WINDOWS\winnt256.bmp 48680 bytes
C:\WINDOWS\WinSxS
C:\WINDOWS\wmsetup.log 20762 bytes
C:\WINDOWS\wmsetup10.log 1290 bytes
C:\WINDOWS\WMSysPr9.prx 316640 bytes
C:\WINDOWS\Zapotec.bmp 9522 bytes
C:\WINDOWS\_default.pif 707 bytes

scan completed successfully
hidden files: 12

**************************************************************************
.
Completion time: 2007-11-11 11:58:06
C:\ComboFix2.txt ... 2007-11-01 00:34
.
--- E O F ---

drewclifford

2007-11-11, 18:12

The Hijack This log wouldn't fit on the other post so here it is....Thanks
Drew

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:20 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe
C:\Program Files\Nero\Nero 7\Core\nero.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185353558984
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4572 bytes

steamwiz

2007-11-11, 22:45

Hi

Did you delete the "PROXYF~1" folder ?

Are you still getting the pop-ups & AVG warnings ?

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)

File::
C:\WINDOWS\Tasks\B5B17958942AEBD4.job
c:\docume~1\drew\applic~1\proxyf~1\Meal Mess Trans.exe

Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam

drewclifford

2007-11-12, 06:32

Yes I did delete the folder. So far, I am not having any problems with the popups, the AVG scan did not find any threats. It did find some changes in several dll files. I dont know if that is anything to worry about. My computer seems to be freezing up a little bit still, I have defragged and all that good stuff. Also, a folder that I keep deleting on my desktop, will reappear after I empty it out of the recycle bin. This kind of worries me. What do you suggest?

ComboFix 07-11-08.3 - Drew 2007-11-11 21:28:12.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.454 [GMT -5:00]
Running from: C:\Documents and Settings\Drew\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Drew\Desktop\CFScript.txt
* Created a new restore point

FILE
c:\docume~1\drew\applic~1\proxyf~1\Meal Mess Trans.exe
C:\WINDOWS\Tasks\B5B17958942AEBD4.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Tasks\B5B17958942AEBD4.job

.
((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.

2007-11-11 10:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-11 10:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-11 10:36 <DIR> d-------- C:\Documents and Settings\Drew\Application Data\SUPERAntiSpyware.com
2007-11-11 10:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 12:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-09 00:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-09 00:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-09 00:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-08 18:13 <DIR> d-------- C:\Documents and Settings\Drew\Deck.The.Halls.DVDRip.XviD-DMT
2007-11-08 18:11 <DIR> d-------- C:\Documents and Settings\Drew\-= American Gangster =-
2007-11-08 18:10 <DIR> d-------- C:\Documents and Settings\Drew\Blow[2001][Eng][Dvdrip]-freakzilla
2007-11-07 20:31 <DIR> d-------- C:\Program Files\proxy find
2007-11-04 16:11 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\proxy find
2007-11-01 00:11 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-31 23:34 <DIR> d-------- C:\Program Files\BegoneTrial
2007-10-31 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-31 23:30 724,992 --a------ C:\WINDOWS\iun6002.exe
2007-10-27 14:03 <DIR> d-------- C:\Program Files\DivX
2007-10-25 21:55 <DIR> d-------- C:\Program Files\DivoCodec
2007-10-25 21:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Long slow road itch
2007-10-25 00:24 <DIR> d-------- C:\Documents and Settings\Drew\Application Data\vlc
2007-10-25 00:11 <DIR> d-------- C:\Program Files\VideoLAN
2007-10-21 23:42 <DIR> d-------- C:\Documents and Settings\Drew\Dexter Season 2
2007-10-21 18:11 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-10-20 15:56 <DIR> d-------- C:\Program Files\id Software
2007-10-15 17:46 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-10-15 17:46 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-10-15 14:27 <DIR> d-------- C:\Documents and Settings\Drew\Application Data\Atari
2007-10-15 14:27 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-10-15 14:14 <DIR> d-------- C:\Program Files\Atari
2007-10-13 20:34 <DIR> d-------- C:\Documents and Settings\Wayne\Application Data\Talkback
2007-10-13 20:34 <DIR> d-------- C:\Documents and Settings\Wayne\Application Data\AVG7
2007-10-13 20:23 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\PC Suite
2007-10-13 15:43 <DIR> d-------- C:\Documents and Settings\Drew\Grey's Anatomy Season 3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 02:01 --------- d-----w C:\Documents and Settings\Drew\Application Data\AVG7
2007-11-11 15:26 --------- d-----w C:\Documents and Settings\Drew\Application Data\uTorrent
2007-11-10 17:58 --------- d-----w C:\Program Files\Morpheus
2007-11-09 05:53 --------- d-----w C:\Program Files\EA SPORTS
2007-11-06 13:00 --------- d-----w C:\Documents and Settings\Mom\Application Data\AVG7
2007-11-05 05:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-01 05:24 --------- d-----w C:\Program Files\MorpheusBar
2007-10-29 05:04 --------- d-----w C:\Documents and Settings\Drew\Application Data\RipIt4Me
2007-10-27 16:29 --------- d-----w C:\Program Files\GameSpy Arcade
2007-10-25 05:14 --------- d-----w C:\Program Files\Vodei
2007-10-21 23:20 --------- d-----w C:\Program Files\Intel Audio Studio
2007-10-20 20:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-08 04:39 --------- d-----w C:\Program Files\DAEMON Tools
2007-10-08 04:11 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-10-05 03:48 --------- d-----w C:\Documents and Settings\Drew\Application Data\OpenOffice.org2
2007-10-05 03:38 --------- d-----w C:\Program Files\Ascentive
2007-10-04 11:45 --------- d-----w C:\Documents and Settings\Drew\Application Data\DVD Flick
2007-10-04 04:19 --------- d-----w C:\Program Files\Common Files\Real
2007-10-03 22:19 --------- d-----w C:\Program Files\easetech
2007-10-03 22:18 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-10-03 22:15 --------- d-----w C:\Documents and Settings\Drew\Application Data\Nokia
2007-10-03 22:08 --------- d-----w C:\Documents and Settings\Drew\Application Data\PC Suite
2007-10-03 22:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2007-10-03 22:07 --------- d-----w C:\Program Files\DIFX
2007-10-03 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2007-09-12 11:50 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Ahead
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 03:04]
"SigmatelSysTrayApp"="sttray.exe" []
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-06-07 16:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-25 07:20]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 12:26]
"nwiz"="nwiz.exe" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 12:26]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys
S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 21:30:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\WindowsShell.Manifest 749 bytes
C:\WINDOWS\WindowsUpdate.log 1331994 bytes
C:\WINDOWS\winhelp.exe 256192 bytes
C:\WINDOWS\winhlp32.exe 283648 bytes executable
C:\WINDOWS\winnt.bmp 48680 bytes
C:\WINDOWS\winnt256.bmp 48680 bytes
C:\WINDOWS\WinSxS
C:\WINDOWS\wmsetup.log 20762 bytes
C:\WINDOWS\wmsetup10.log 1290 bytes
C:\WINDOWS\WMSysPr9.prx 316640 bytes
C:\WINDOWS\Zapotec.bmp 9522 bytes
C:\WINDOWS\_default.pif 707 bytes
**************************************************************************
.
Completion time: 2007-11-11 21:31:01
C:\ComboFix2.txt ... 2007-11-11 21:26
C:\ComboFix3.txt ... 2007-11-11 11:58
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:09 AM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Nero\Nero 7\Nero Vision\NeroVision.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185353558984
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4460 bytes

Thanks
Drew

steamwiz

2007-11-12, 22:10

Hi

Your logs are clean now ...

Two of the most common causes of computer freezes are ...

Too full a hard-drive
Bad RAM

Do you get any BSOD's ?

What is the name of this folder on your desktop ?

What's in it ?

steam

drewclifford

2007-11-13, 04:53

Thank you for all the help, i really appreciate it...so since the logs are clean, I should be good to go? Is there anything you recommend to avoid this kinda stuff from happening again? I thought I was careful but obviously not. I have a 298 GB hard Drive and 177 of it is free so I should be fine I think...

What is a BSOD?

The name of the folder on my desktop is Brenda...it was a folder I made to put songs that I ripped from cds to make a mix cd for someone..There is nothing at all in the folder, but it will NOT delete and its driving me crazy.not really a big deal but I have never had this happen before...anyways,thanks again!

Drew

drewclifford

2007-11-13, 04:55

Also, when AVG moves threats to the virus vault, are they safe? Do you just empty the virus vault and they are gone for good or what are u supposed to do with them? I never removed Morpheus, should I?

Thanks
Drew

steamwiz

2007-11-13, 21:24

Hi

1. BSOD = Blue Screen of Death ...

http://exception-fault.de/

2. Can you post the FULL path to the folder on your desktop ? we'll use a very good program to delete it ...

3. Once in the virus vault they are safe & can do no harm ... if you are sure there is nothing in there accidentally, then yes, empty the vault 7 they are gone for good.

4. Morpheus:-

Description - P2P file sharing program that installs a number of adware programs. Morpheus also displays its own popup advertising.

http://research.sunbelt-software.com/threatdisplay.aspx?name=Morpheus&threatid=8646

Your decision ...

5. Have a look here for ways to help protect yourself on-line :-

http://forums.spybot.info/showthread.php?t=279

steam

drewclifford

2007-11-20, 23:50

Hey, the full path for the folder i cant delete is C:\Documents and Settings\Drew\Desktop\brenda cd...there is nothing in the cd...but it will not go away no matter how many times i delete it. i know its not a virus because all it had in it was music that i ripped from a cd i bought from a store...thanks for all the info about protecting my computer. it is working so much better now! i havent had any problems at all. do u recommend firefox or ie explorer for my browser? i prefer firefox but as far as security is concerned, which do you like? thanks again!

Drew

drewclifford

2007-11-21, 07:08

Hi again, I also was wondering if you could help me get the Vodie MP codec off my computer. I made the mistake of downloading it a while ago, before you helped me fix everything, and I thought it was gone, but it is still prompting me to upgrade even when I play movies that dont need it. Thanks again

Drew

steamwiz

2007-11-21, 23:22

Hi

First ... the folder ...

1. Download and unzip Avenger (by Swandog46) to your desktop. > http://swandog46.geekstogo.com/avenger.zip
2. Double click the Avenger.exe file
3. Click OK
4. Select Input script manually
5. Click the Magnifying Glass icon
6. Highlight the text in the code box below, & copy and paste it into the View/edit script box

Folders to delete:
C:\Documents and Settings\Drew\Desktop\brenda cd

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

7. Click Done
8. Click the Traffic Light icon to start the program.
9. click Yes to execute the script and click Yes when asked to reboot your computer
10. Post the contents of the file C:\Avenger.txt

Don't forget to Post the contents of the file C:\Avenger.txt

---
There's no denying firefox is a more secure browser than IE, but if you take all the neccessary precautions then there is nothing wrong with IE ... I prefer IE myself, but everyone should make there own decision ... if you prefer firefox, then stick with it, my daughter prefers firefox & keeps telling me I should use it.

---
I don't know anything about the Vodie MP codec

According to their website :-

http://www.vodei.com/faq.html#18

Follow these steps to properly uninstall and then reinstall Vodei MP:

1. Uninstall by going to Start --> All Programs --> Vodei MP --> Uninstall
2. Restart your computer
3. Delete C:\Program Files\Vodei if it hasn't been automatically deleted
4. Install Vodei MP

Obviously you don't want to reinstall ....

You also have an entry in your add\remove programs which should uninstall the program :-

Vodei Multimedia Processor 2.10

steam

drewclifford

2007-11-23, 01:21

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\nmfddgif

*******************

Script file located at: \??\C:\dcdwqdla.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder C:\Documents and Settings\Drew\Desktop\brenda cd deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Does it look right?

Thanks!

Drew

steamwiz

2007-11-23, 19:53

Hi

That looks fine :bigthumb:

Is everything resolved now ?

steam

drewclifford

2007-11-25, 07:53

well, i thought so at first but i noticed tonight that the folder is back....i guess its not that big of a deal but it is just kinda annoying that it wont go away. worries me that maybe its a virus or something hiding, you know? what else could we possibly try to get rid of it? Thanks

Drew

steamwiz

2007-11-25, 21:41

Are you running a program which protects/locks files/folders ... have you inadvertently protected this folder ?

There isn't a more powerful program than Avenger to delete stubborn files/folders ... & it did delete it didn't it ...

I've really no idea why an empty folder which you originally created wont stay deleted ... it certainly doesn't sound viral.

steam

drewclifford

2007-11-28, 02:47

no i havent protected it that im aware of....when i delete it, it goes to the recycle bin, but then sometime it comes back to my desktop...there is nothing in the folder, but it will not go away and is driving me crazy! oh well i guess i will have to deal with it.Thanks anyways

Drew

steamwiz

2007-11-28, 19:04

Sorry, Occasionally you come across something which betrays reason, & this is one of them ...

As you've seen, we can delete it, but why it come back is a mystery...

Still ... I wouldn't worry about an empty folder ;)

steam