
My computer has something



indiancexi
2007-12-31, 17:08
From false internet warnings to AVG saying Trojan Horse Dropper.Generic.thc, Generic9.AHRD and Adware Generic2.xwp. I ran the Kaspersky scan but could never get the computer to go into safe mode. I have tried for three days and have done this dozens of times, and ran Spybot and ran HijackThis, listed as hijackthislog1.
Thanks in advance for your help.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 30, 2007 8:52:37 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/12/2007
Kaspersky Anti-Virus database records: 500388
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 99343
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 05:35:33

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12302007-130009.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{AA3F1F9C-035F-4099-9FC4-D0E44D0DEB3C} Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\D3389.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\user\Local Settings\Temp\D3389.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\user\Local Settings\Temp\D338E.tmp/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\Documents and Settings\user\Local Settings\Temp\D338E.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\Documents and Settings\user\Local Settings\Temp\D338E.tmp NSIS: infected - 2 skipped
C:\Documents and Settings\user\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\hsperfdata_user\3136 Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF7D6F.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF7DC4.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DFF181.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\ntuser.dat Object is locked skipped
C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Windows Defender\MSASCui.exe Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DE8EA6E1-509B-4F6A-9F86-CE15892ADC67}\RP514\A0075369.EXE Object is locked skipped
C:\System Volume Information\_restore{DE8EA6E1-509B-4F6A-9F86-CE15892ADC67}\RP514\A0075370.exe Object is locked skipped
C:\System Volume Information\_restore{DE8EA6E1-509B-4F6A-9F86-CE15892ADC67}\RP522\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F6F4B736-479A-4E69-979B-191705285207}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\mljif.exe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
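Most lines in the report above read "Object is locked skipped": those are files the scanner could not open (registry hives, event logs, files held by running programs), not detections, and only the "Infected:" lines and their container summaries are verdicts. As an added example that is not part of the thread or of any tool mentioned in it, the Python helper below parses result lines in this report format, groups detections by the on-disk file that holds them (Kaspersky appends "/entry" for objects inside installers and archives), separates its "not-a-virus:" riskware from malware, and lists locked executables the scan never inspected; the sample report is constructed from lines of the same format, and treating the "NSIS:" summary as one of several possible container tags is an assumption.

```python
"""Triage helper for Kaspersky Online Scanner 5 text reports (added example)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample that copies the line format of the report pasted above.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\D3389.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\user\Local Settings\Temp\D3389.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\user\Local Settings\Temp\D338E.tmp/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\Documents and Settings\user\Local Settings\Temp\D338E.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\Documents and Settings\user\Local Settings\Temp\D338E.tmp NSIS: infected - 2 skipped
C:\WINDOWS\system32\mljif.exe Object is locked skipped

Scan process completed.
"""

# Each result line is "<object path> <verdict> <last action>".  Paths contain
# spaces, so the verdict phrase is what anchors the split.  Inside installers and
# archives the scanner appends "/entry" with forward slashes; the on-disk file is
# the part before the first "/".
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\w+)$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
# Container summary such as "NSIS: infected - 2 skipped".  Assumed to generalise
# to other container tags; only NSIS appears in the report above.
CONTAINER_RE = re.compile(
    r"^(?P<path>.+?) (?P<fmt>[A-Za-z0-9]+): infected - (?P<count>\d+) (?P<action>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    path: str    # object path as printed, may carry a /archive-entry suffix
    kind: str    # "infected", "container" or "locked"
    detail: str  # detection name, container format, or "" for locked objects
    action: str  # last action the scanner took (always "skipped" in the report)

    @property
    def host_file(self) -> str:
        """On-disk file holding this object (strips any archive-entry suffix)."""
        return self.path.split("/", 1)[0]

    @property
    def is_riskware(self) -> bool:
        """Kaspersky marks adware/riskware with a 'not-a-virus:' prefix."""
        return self.detail.startswith("not-a-virus:")


def parse_report(text: str) -> list[Finding]:
    """Parse result lines; the header, blank lines and the footer are ignored."""
    findings = []
    for line in text.splitlines():
        line = line.rstrip()
        if m := INFECTED_RE.match(line):
            findings.append(Finding(m["path"], "infected", m["name"], m["action"]))
        elif m := CONTAINER_RE.match(line):
            findings.append(Finding(m["path"], "container", m["fmt"], m["action"]))
        elif m := LOCKED_RE.match(line):
            findings.append(Finding(m["path"], "locked", "", m["action"]))
    return findings


def triage(findings: list[Finding]) -> dict:
    """Group detections by on-disk file so each file is actioned once."""
    by_file: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        if f.kind == "infected":
            by_file[f.host_file].add(f.detail)
    counts = Counter(f.kind for f in findings)
    infected = [f for f in findings if f.kind == "infected"]
    return {
        "files_to_action": {path: sorted(names) for path, names in by_file.items()},
        "malware_count": sum(1 for f in infected if not f.is_riskware),
        "riskware_count": sum(1 for f in infected if f.is_riskware),
        "locked_count": counts["locked"],
    }


EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".scr", ".ocx")


def locked_executables(findings: list[Finding]) -> list[str]:
    """Locked objects were never inspected.  Locked hives and logs are normal on
    a live system; a locked executable deserves a second look because the scan
    says nothing about it either way (a triage heuristic, not a verdict)."""
    return sorted(f.path for f in findings
                  if f.kind == "locked" and f.path.lower().endswith(EXECUTABLE_EXTS))


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    result = triage(found)
    for path, names in result["files_to_action"].items():
        print(f"{path}\n    {', '.join(names)}")
    print(f"malware={result['malware_count']} riskware={result['riskware_count']} "
          f"locked={result['locked_count']}")
    for p in locked_executables(found):
        print("locked executable, never inspected:", p)
```

Run against the full report pasted above, the same functions reduce the long list to the two temp-folder installers that actually carry detections plus the handful of locked executables.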

indiancexi
2007-12-31, 17:14
Here is the hijackthislog1 file copy

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:33 AM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\HP\PRODUC~1\bin\hprblog.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\MsiExec.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.roanoke.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [XPRepairPro2007] C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r
O4 - HKCU\..\Run: [QdrModule11] "C:\Program Files\QdrModule\QdrModule11.exe"
O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} (CPlayFirstmsiControl Object) - http://games.bigfishgames.com/en_mysteryofsharkisla/online/MysteryOfSharkIslandWeb.1.0.0.8.cab
O16 - DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl5.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://games.bigfishgames.com/en_ricochetlostworlds/online/ReflexiveWebGameLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152448988654
O16 - DPF: {6FE79ACA-A498-45E5-8BC4-1B9F380CE468} (Abx(gh) Control) - http://aolsvc.aol.com/onlinegames/ghadventureball/abxgh.cab
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://games.bigfishgames.com/en_dream-chronicles/online/dreamweb.1.0.0.9.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://aolsvc.aol.com/onlinegames/free-trial-mystery-solitaire-secret-island/SpinTopGamesLauncher.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - http://games.bigfishgames.com/en_mysterysolitairese/online/SpinTopGamesLauncher.cab
O16 - DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} (Jolly Bear Games Player) - http://games.bigfishgames.com/en_bigcityadventuresa/online/JBGamePlayer.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://aolsvc.aol.com/onlinegames/sonybewitched/main.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-trial-delicious-2-deluxe/zylomplayer.cab
O16 - DPF: {CA11EB7C-1C85-4577-8A49-9E28EFB30184} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/dinerdash/DinerDash.1.0.0.72.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup163.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 11218 bytes

Please let me know what to do next.

shelf life
2008-01-07, 00:15
hi,

log looks ok as far as malware goes.
looking at the online scan i would do this:

rather than do it all manually, download and run ATF-Cleaner, much easier.

http://www.atribune.org/content/view/19/2/

shelf life

indiancexi
2008-01-10, 18:19
First, I am so sorry it took me so long to respond. I ran this, but I was having trouble getting my computer into safe mode to run a good scan, and AVG is telling me I have trojan horses Dropper.Generic.THT in C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe and also in C:\WINDOWS\system32\mljif.exe. I ran this scan in safe mode and it deleted both these files. But I had it put msconfig back because I didn't know if I could switch my computer without this file, so of course I am back where I started. So if you could please help me rid my computer of this.

shelf life
2008-01-11, 00:29
hi,

try running vundofix;
you are doing it like this??

restart your computer, tap the f8 key to bring up the menu. choose the first option on the list: safe mode.

vundo:
download and run vundofix.exe:

http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
----------------------------------------------
also download and run:
Download combofix from one of these links and save it to your Desktop:

http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

as a precaution, before using combofix:
Close any open windows
Close/disable anti virus and any anti malware programs you might have running so they do not interfere with the running of ComboFix.


Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

post the vundo log, a new hjt log and the combofix log please.

shelf life

indiancexi
2008-01-13, 05:52
OK, the different viruses and trojans that are on my computer have deleted msconfig. For some reason I can not start my computer in safe mode. I can not start it by start\run\msconfig\boot.ini\safe boot, because msconfig has been deleted because it had a virus. So I need a little more help. AVG says I have
object name A0000129.exe
path C:\system volume information\_restore(DE8E6E1-509B-4F6A-9F86-CE15892ADc67)\RP3\
virus identified Win32/Prepender.C

object name A0000138.exe
path C:\system volume information\_restore(DE8E6E1-509B-4F6A-9F86-CE15892ADc67)\RP3\
virus identified Win32/Prepender.C

object name mljif.exe
path C:\WINDOWS\system32\
virus identified Win32/Prepender.C

So now what do I do without msconfig

shelf life
2008-01-13, 06:19
hi indiancexi,

this:
C:\system volume information\_restore
is your system restore points, which we can clean out later.
---------------------------------

Download combofix from one of these links and save it to Desktop:

http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

as a precaution, before using combofix:
Close any open windows
Close/disable anti virus and any antimalware programs that might have real time protection running. Usually this can be done by clicking on the icons by the clock and selecting exit etc. This is done to prevent any possible interference while Combofix is running. After combofix is done you can restart them.


Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply


Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

indiancexi
2008-01-13, 18:02
here is the file you requested

ComboFix 08-01-13.1 - user 2008-01-13 10:09:40.1 - NTFSx86
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\user\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\user\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\user\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1196045357.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\fijlm.ini
C:\WINDOWS\system32\fijlm.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljif.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 10:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 22:54 . 2008-01-13 09:48 <DIR> d-------- C:\VundoFix Backups
2008-01-12 22:00 . 2008-01-12 22:00 3,584 --a------ C:\WINDOWS\system32\mljif.exe
2008-01-12 12:00 . 2008-01-12 12:28 <DIR> d-------- C:\Documents and Settings\user\Application Data\AVG7
2008-01-12 11:58 . 2008-01-12 11:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-12 11:57 . 2008-01-12 11:57 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll
2008-01-12 11:56 . 2008-01-12 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-12 11:56 . 2008-01-12 14:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-10 09:27 . 2008-01-10 09:38 196,608 -ra------ C:\icei5_12_05use this.QBW.TLG
2008-01-09 16:50 . 2008-01-09 16:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-06 14:18 . 2007-01-18 07:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-03 08:37 . 2008-01-07 07:01 <DIR> d-------- C:\Program Files\SpywareGuard
2008-01-03 08:27 . 2008-01-03 08:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-30 20:58 . 2007-12-30 20:58 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-30 15:03 . 2007-12-30 15:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-30 15:03 . 2007-12-30 15:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-30 12:59 . 2008-01-02 13:48 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-30 12:13 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-30 12:13 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-30 12:13 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-30 12:13 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-30 12:13 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-30 12:13 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-30 12:13 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-30 12:13 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-30 12:13 . 2007-10-10 05:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-29 20:49 . 2007-12-30 01:08 <DIR> d-------- C:\Program Files\AOL 9.1c
2007-12-27 09:53 . 2007-12-28 12:01 <DIR> d-------- C:\Program Files\AOL 9.1b
2007-12-26 09:35 . 2007-12-30 01:08 <DIR> d-------- C:\Program Files\AOL 9.1a
2007-12-25 09:57 . 2007-12-25 09:57 <DIR> d-------- C:\WINDOWS\aolshare
2007-12-25 09:56 . 2007-12-30 01:08 <DIR> d-------- C:\Program Files\AOL 9.1
2007-12-24 23:25 . 2008-01-12 22:13 33,053 --a------ C:\logfile
2007-12-24 23:00 . 2007-12-24 23:00 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-24 22:59 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-24 22:59 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-12-24 22:58 . 2007-12-24 22:58 <DIR> d-------- C:\Program Files\Common Files\Kodak
2007-12-24 22:41 . 2007-12-24 23:00 <DIR> d-------- C:\Program Files\Kodak
2007-12-24 22:38 . 2007-12-24 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2007-12-24 15:51 . 2007-12-24 15:51 <DIR> d-------- C:\Program Files\Legacy Interactive
2007-12-19 16:07 . 2007-12-19 16:07 <DIR> d-------- C:\Documents and Settings\user\Application Data\Snapfish
2007-12-16 21:14 . 2007-12-16 21:14 <DIR> d-------- C:\Program Files\Disney
2007-12-15 15:40 . 2007-12-15 15:40 <DIR> d-------- C:\Program Files\Simple Star

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 22:11 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
2008-01-05 08:01 --------- d-----w C:\Program Files\LimeWire
2007-12-31 14:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-30 02:05 --------- d-----w C:\Documents and Settings\user\Application Data\AOL
2007-12-30 01:55 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-30 01:51 --------- d-----w C:\Program Files\Common Files\aolshare
2007-12-30 01:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-30 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-12-29 16:37 --------- d-----w C:\Program Files\AOL Games
2007-12-26 14:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 05:59 --------- d-----w C:\Program Files\AOL 9.0a
2007-12-25 08:29 --------- d-----w C:\Program Files\QuickTime
2007-12-24 04:54 --------- d-----w C:\Program Files\John Deere American Farmer
2007-12-15 21:05 --------- d-----w C:\Documents and Settings\user\Application Data\Simple Star
2007-12-15 20:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Simple Star
2007-12-15 20:53 --------- d-----w C:\Program Files\Common Files\Simple Star Shared
2007-12-14 14:14 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2007-11-30 08:54 --------- d-----w C:\Program Files\iTunes
2007-11-18 00:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Simple Star Shared
2007-11-16 14:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-13 03:27 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-03-26 00:47 45,240 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
.

----a-w 50,736 2007-12-23 04:52:03 C:\Program Files\AOL 9.0a\AOL .EXE
----a-w 50,736 2007-12-23 04:20:15 C:\Program Files\Common Files\AOL\1137963347\EE\AOLSoftware .exe
----a-w 579,072 2007-12-23 04:19:45 C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w 1,694,208 2007-12-23 04:20:07 C:\Program Files\Messenger\msmsgs .exe


((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 313,472 2006-03-30 20:45:08 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

----a-w 335,872 2003-07-29 18:30:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 42,032 2007-04-12 21:23:31 C:\Program Files\Common Files\AOL\1137963347\EE\bak\AOLSoftware.exe

----a-r 71,216 2006-10-23 12:50:37 C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe
----a-r 71,216 2006-10-23 12:50:37 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

----a-w 180,269 2006-02-25 21:34:28 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 421,888 2007-09-21 11:31:42 C:\Program Files\Grisoft\AVG7\bak\avgcc.exe

----a-w 49,152 2005-02-17 04:11:42 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 278,528 2006-06-14 20:24:14 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 132,496 2007-07-12 08:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe

----a-w 290,816 2005-04-18 20:35:10 C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\bak\LYRAHD2TrayApp.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"XPRepairPro2007"="C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-12 11:56 219136]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-07-26 15:59:44]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2006-06-05 20:35:54]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-01-22 14:21:00]
Wireless-G Notebook Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe [2006-01-20 14:28:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-12 11:57 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuspon]
vtuspon.dll

R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 22:28]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2003-05-14 16:01]
S3 DCamUSBSTK016;STK016 Camera;C:\WINDOWS\system32\DRIVERS\STK016W2.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-08 03:39:19 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.20.2.sxt _RegistrationOffer@16
"2008-01-13 15:32:09 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 10:29:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 10:47:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 15:47:09
.
2008-01-13 08:02:41 --- E O F ---

shelf life
2008-01-13, 19:03
hi,

thanks for the info. two things:


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

I have never seen this before in a ComboFix log.
It's possible that, due to malware or other problems, the Recovery Console might have to be used. Let me find out the significance of it in relation to ComboFix before we continue.

Next: you have the new Vundo infection making the rounds. Normally I like to get these trojans on my own machine first before I help somebody else. I haven't "gotten" this one yet, so you will be my first. We can stumble through it together.

To start:
Download RenV.exe by sUBs:

http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe

Save it to your Desktop
Double click it to run it
When it has finished, it will produce a log for you
Copy and paste that log (Log.txt) in your next reply.

shelf life

indiancexi
2008-01-13, 21:26
Here is the RenV log you requested.



Ran on Sun 01/13/2008 - 14:14:15.84

----a-w 50,736 2007-12-23 04:52:03 C:\Program Files\AOL 9.0a\AOL .EXE
----a-w 50,736 2007-12-23 04:20:15 C:\Program Files\Common Files\AOL\1137963347\EE\AOLSoftware .exe
----a-w 579,072 2007-12-23 04:19:45 C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w 1,694,208 2007-12-23 04:20:07 C:\Program Files\Messenger\msmsgs .exe

Entries: 4 (4)
Directories: 0 Files: 4
Bytes: 2,374,752 Blocks: 4,640


I keep seeing AOL come up in these tests. Whatever this is, it messes up AOL and I have to go through Internet Explorer to get to AOL without downloading it again. I have also removed AVG and reinstalled it just to make sure it was working properly. I did this yesterday.

indiancexi
2008-01-14, 00:58
The mess on my computer started with what I listed in the first post. Then later scans with AVG showed this:

C:\Documents and Settings\user\Local Settings\Temp\npftmhow.exe Deleted
Trojan horse backdoor.Agent.PTA
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4SEPU7FR\hctp[1] Moved to Vault
Virus found LOP
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4SEPU7FR\ptch[1] Moved to Vault
Virus found LOP
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\G2HP8B9G\ptch[1] Moved to Vault
Virus found LOP
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\IWSCQPKL\gamadril20071203[1] Deleted
Trojan horse backdoor.Agent.PTA
C:\Program Files\Grisoft\AVG7\avgcc.exe Moved to Vault
Virus identified WIN32/Prepender.C
C:\System Volume Information\_restore{DE8EA6E1-509B-4F6A-9F86-CE15892ADC67}\RP3\A0000129.exe Moved to Vault
Virus identified WIN32/Prepender.C
C:\System Volume Information\_restore{DE8EA6E1-509B-4F6A-9F86-CE15892ADC67}\RP3\A0000138.exe Moved to Vault
Virus identified WIN32/Prepender.C
C:\WINDOWS\system32\mljif.exe Moved to Vault
Virus identified WIN32/Prepender.C
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe Deleted
Virus identified WIN32/Prepender.C

Every scan I run, whether it be Spybot or AVG or Ad-Aware, comes up with these files:

TrackingCookie.2o7 Family TrackingCookie.2o7 Spyware Family
TrackingCookie.Advertising Family TrackingCookie.Advertising Spyware Family
TrackingCookie.Tacoda Family TrackingCookie.Tacoda Spyware Family
TrackingCookie.Ru4 Family TrackingCookie.Ru4 Spyware Family
TrackingCookie.Revsci Family TrackingCookie.Revsci Spyware Family
C:\Documents and Settings\user\Local Settings\Temp\TMP33A0.tmp Potentially Unwanted Program, Moved to Vault
C:\Documents and Settings\user\Local Settings\Temp\TMP33A3.tmp Potentially Unwanted Program, Moved to Vault
C:\Documents and Settings\user\Cookies\user@2o7[2].txt Potentially Unwanted Program, Moved to Vault
C:\Documents and Settings\user\Cookies\user@advertising[2].txt Potentially Unwanted Program, Moved to Vault
C:\Documents and Settings\user\Cookies\user@anad.tacoda[1].txt Potentially Unwanted Program, Moved to Vault
C:\Documents and Settings\user\Cookies\user@edge.ru4[2].txt Potentially Unwanted Program, Moved to Vault
C:\Documents and Settings\user\Cookies\user@revsci[1].txt Potentially Unwanted Program, Moved to Vault
C:\Documents and Settings\user\Cookies\user@tacoda[1].txt

I even had it set so every cookie prompted me to accept it or not, and told all first- and third-party cookies NO, and these still appeared.

shelf life
2008-01-14, 04:08
hi,

OK, thanks for the info. We can continue on.

Copy the entire contents of the Code Box below to Notepad.

Name the file as Log.txt (overwrite the existing one)
Change the Save as Type to: All Files
and Save it on your desktop



C:\Program Files\AOL 9.0a\AOL .EXE
C:\Program Files\Common Files\AOL\1137963347\EE\AOLSoftware .exe
C:\Program Files\Grisoft\AVG7\avgcc .exe
C:\Program Files\Messenger\msmsgs .exe


Drag the Log.txt you just saved right onto the RenV.exe icon.
RenV will run:
it will produce another log; post the new RenV log in your next reply.
Next, rerun ComboFix and post that log as well as a new HJT log, please.

shelf life
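Added example, not part of the thread and not RenV's or ComboFix's own code: a small triage script for the two listings exchanged above. It parses the RenV log format (attributes, size, timestamp, path), flags executables whose name has whitespace immediately before the extension, derives the name without that space, builds the one-path-per-line Log.txt that the helper asked for, and cross-checks the ComboFix "Reg Loading Points" Run values: a Run value whose target is the space-less name while the file on disk carries the space (MSMSGS and msmsgs .exe above) is a pair worth looking at, and ComboFix printing empty brackets "[ ]" for that target is recorded as "no file details". The sample input is copied from the logs posted in the thread; the function names and the interpretation of the empty brackets are this example's own assumptions.

```python
"""Triage of RenV / ComboFix listings (added example, assumptions noted inline)."""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the four lines from the RenV log posted in the thread.
RENV_LOG = r"""
----a-w 50,736 2007-12-23 04:52:03 C:\Program Files\AOL 9.0a\AOL .EXE
----a-w 50,736 2007-12-23 04:20:15 C:\Program Files\Common Files\AOL\1137963347\EE\AOLSoftware .exe
----a-w 579,072 2007-12-23 04:19:45 C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w 1,694,208 2007-12-23 04:20:07 C:\Program Files\Messenger\msmsgs .exe
"""

# Constructed sample: Run values from the ComboFix "Reg Loading Points" section in the thread.
RUN_KEYS = r"""
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"XPRepairPro2007"="C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe" [ ]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-12 11:56 219136]
"""

# One RenV line: attribute flags, comma-grouped size, timestamp, then the path.
RENV_LINE = re.compile(
    r"^(?P<attrs>[-a-zA-Z]+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)
# One ComboFix Run value: "name"="target" [file details, or empty].
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<info>[^\]]*)\]\s*$')
# Whitespace between the stem and the final extension, e.g. "avgcc .exe".
SPACE_BEFORE_EXT = re.compile(r"^(?P<stem>.*\S)\s+\.(?P<ext>[A-Za-z0-9]+)$")


def parse_renv(text: str) -> List[Dict[str, object]]:
    """Parse RenV listing lines into records; lines that do not match are skipped."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = RENV_LINE.match(line.strip())
        if not m:
            continue
        records.append({
            "attrs": m["attrs"],
            "size": int(m["size"].replace(",", "")),
            "stamp": m["stamp"],
            "path": m["path"],
        })
    return records


def restored_name(path: str) -> Optional[str]:
    """Return the path with the space before the extension removed, or None
    when the file name does not show that pattern (ntpath so it works off-Windows)."""
    directory, base = ntpath.split(path)
    m = SPACE_BEFORE_EXT.match(base)
    if not m:
        return None
    return ntpath.join(directory, f"{m['stem']}.{m['ext']}")


def parse_run_entries(text: str) -> Dict[str, Dict[str, object]]:
    """Parse ComboFix Run values. Assumption: empty brackets mean ComboFix printed
    no file details for the target, recorded here as verified=False."""
    entries: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries[m["name"]] = {"target": m["target"], "verified": bool(m["info"].strip())}
    return entries


def suspicious_pairs(renv_text: str, run_text: str) -> List[Tuple[str, str, str]]:
    """Match each space-before-extension file to an autostart whose target is the
    space-less name. Returns (Run value name, target path, path as found on disk)."""
    runs = parse_run_entries(run_text)
    by_target = {str(e["target"]).lower(): name for name, e in runs.items()}
    hits: List[Tuple[str, str, str]] = []
    for rec in parse_renv(renv_text):
        clean = restored_name(str(rec["path"]))
        if clean and clean.lower() in by_target:
            hits.append((by_target[clean.lower()], clean, str(rec["path"])))
    return hits


def renv_input(renv_text: str) -> str:
    """Build the Log.txt contents the helper asked for: one flagged path per line."""
    flagged = [str(r["path"]) for r in parse_renv(renv_text) if restored_name(str(r["path"]))]
    return "\n".join(flagged) + "\n"


if __name__ == "__main__":
    for rec in parse_renv(RENV_LOG):
        print(rec["path"], "->", restored_name(str(rec["path"])))
    for name, clean, on_disk in suspicious_pairs(RENV_LOG, RUN_KEYS):
        print(f"Run value {name} points at {clean}; disk has {on_disk}")
    runs = parse_run_entries(RUN_KEYS)
    print("Run values without file details:", [n for n, e in runs.items() if not e["verified"]])
    print("Log.txt for RenV:\n" + renv_input(RENV_LOG), end="")
```

Run it as-is to print the four restored names, the single MSMSGS pair, the Run values ComboFix showed with empty brackets, and the Log.txt body; to triage a different log, paste its RenV and Run lines into the two sample strings.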

indiancexi
2008-01-14, 15:58
RenV log



Ran on Mon 01/14/2008 - 8:34:09.24

Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0



ComboFix 08-01-13.1 - user 2008-01-14 8:40:04.2 - NTFSx86
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bszip.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-13 10:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 22:54 . 2008-01-13 09:48 <DIR> d-------- C:\VundoFix Backups
2008-01-12 22:00 . 2008-01-12 22:00 3,584 --a------ C:\WINDOWS\system32\mljif.exe
2008-01-12 12:00 . 2008-01-12 12:28 <DIR> d-------- C:\Documents and Settings\user\Application Data\AVG7
2008-01-12 11:58 . 2008-01-12 11:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-12 11:57 . 2008-01-12 11:57 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll
2008-01-12 11:56 . 2008-01-12 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-12 11:56 . 2008-01-12 14:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-10 09:27 . 2008-01-10 09:38 196,608 -ra------ C:\icei5_12_05use this.QBW.TLG
2008-01-09 16:50 . 2008-01-09 16:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-06 14:18 . 2007-01-18 07:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-03 08:37 . 2008-01-07 07:01 <DIR> d-------- C:\Program Files\SpywareGuard
2008-01-03 08:27 . 2008-01-03 08:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-30 20:58 . 2007-12-30 20:58 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-30 15:03 . 2007-12-30 15:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-30 15:03 . 2007-12-30 15:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-30 12:59 . 2008-01-02 13:48 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-30 12:13 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-30 12:13 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-30 12:13 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-30 12:13 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-30 12:13 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-30 12:13 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-30 12:13 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-30 12:13 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-30 12:13 . 2007-10-10 05:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-29 20:49 . 2007-12-30 01:08 <DIR> d-------- C:\Program Files\AOL 9.1c
2007-12-27 09:53 . 2007-12-28 12:01 <DIR> d-------- C:\Program Files\AOL 9.1b
2007-12-26 09:35 . 2007-12-30 01:08 <DIR> d-------- C:\Program Files\AOL 9.1a
2007-12-25 09:57 . 2007-12-25 09:57 <DIR> d-------- C:\WINDOWS\aolshare
2007-12-25 09:56 . 2007-12-30 01:08 <DIR> d-------- C:\Program Files\AOL 9.1
2007-12-24 23:25 . 2008-01-13 10:39 33,205 --a------ C:\logfile
2007-12-24 23:00 . 2007-12-24 23:00 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-24 22:59 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-24 22:59 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-12-24 22:58 . 2007-12-24 22:58 <DIR> d-------- C:\Program Files\Common Files\Kodak
2007-12-24 22:41 . 2007-12-24 23:00 <DIR> d-------- C:\Program Files\Kodak
2007-12-24 22:38 . 2007-12-24 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2007-12-24 15:51 . 2007-12-24 15:51 <DIR> d-------- C:\Program Files\Legacy Interactive
2007-12-19 16:07 . 2007-12-19 16:07 <DIR> d-------- C:\Documents and Settings\user\Application Data\Snapfish
2007-12-16 21:14 . 2007-12-16 21:14 <DIR> d-------- C:\Program Files\Disney
2007-12-15 15:40 . 2007-12-15 15:40 <DIR> d-------- C:\Program Files\Simple Star

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 13:34 --------- d-----w C:\Program Files\AOL 9.0a
2008-01-11 22:11 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
2008-01-05 08:01 --------- d-----w C:\Program Files\LimeWire
2007-12-31 14:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-30 02:05 --------- d-----w C:\Documents and Settings\user\Application Data\AOL
2007-12-30 01:55 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-30 01:51 --------- d-----w C:\Program Files\Common Files\aolshare
2007-12-30 01:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-30 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-12-29 16:37 --------- d-----w C:\Program Files\AOL Games
2007-12-26 14:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-25 08:29 --------- d-----w C:\Program Files\QuickTime
2007-12-24 04:54 --------- d-----w C:\Program Files\John Deere American Farmer
2007-12-15 21:05 --------- d-----w C:\Documents and Settings\user\Application Data\Simple Star
2007-12-15 20:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Simple Star
2007-12-15 20:53 --------- d-----w C:\Program Files\Common Files\Simple Star Shared
2007-12-14 14:14 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2007-11-30 08:54 --------- d-----w C:\Program Files\iTunes
2007-11-18 00:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Simple Star Shared
2007-11-16 14:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 17:45 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-10-27 17:45 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-07-13 03:27 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-03-26 00:47 45,240 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-01-13_10.45.21.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-26 15:15:10 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut1_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:39:47 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut1_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:10 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut10_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:39:47 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut10_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:17 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut101_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:01 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut101_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:10 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut11_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:39:48 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut11_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:18 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut111_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:02 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut111_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:11 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut12_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:39:48 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut12_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:18 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut121_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:03 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut121_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:11 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut13_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:39:49 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut13_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:18 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut131_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:03 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut131_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:19 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut14_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:04 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut14_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:11 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut15_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:39:50 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut15_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:19 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut151_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:04 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut151_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:12 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut16_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:39:51 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut16_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:20 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut161_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:05 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut161_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:12 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut17_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:39:51 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut17_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:20 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut171_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:05 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut171_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:12 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut18_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:39:52 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut18_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:20 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut181_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:06 49,152 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut181_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:21 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut19_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:06 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut19_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:13 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut2_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:39:52 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut2_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:13 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut20_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:39:54 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut20_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:21 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut21_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:07 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut21_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:13 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut24_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:39:54 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut24_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:14 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut25_6C2287199EDD4CAA8285D3095F51E522.exe
+ 2008-01-13 15:39:56 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut25_6C2287199EDD4CAA8285D3095F51E522.exe
- 2007-03-26 15:15:21 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut26_6C2287199EDD4CAA8285D3095F51E522.exe
+ 2008-01-13 15:40:08 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut26_6C2287199EDD4CAA8285D3095F51E522.exe
- 2007-03-26 15:15:15 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut27_6C2287199EDD4CAA8285D3095F51E522.exe
+ 2008-01-13 15:39:57 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut27_6C2287199EDD4CAA8285D3095F51E522.exe
- 2007-03-26 15:15:22 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut28_6C2287199EDD4CAA8285D3095F51E522.exe
+ 2008-01-13 15:40:08 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut28_6C2287199EDD4CAA8285D3095F51E522.exe
- 2007-03-26 15:15:15 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut3_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:39:57 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut3_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:22 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut31_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:09 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut31_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:16 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut4_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:39:58 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut4_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:22 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut41_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:09 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut41_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:16 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut5_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:39:58 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut5_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:23 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut51_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:09 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut51_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:23 40,960 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut6_1B72F66FEC97454396CC50F63093FE70_1.exe
+ 2008-01-13 15:40:10 40,960 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut6_1B72F66FEC97454396CC50F63093FE70_1.exe
- 2007-03-26 15:15:16 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut7_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:39:59 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut7_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:23 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut71_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:10 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut71_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:17 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut8_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:00 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut8_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:24 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut81_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:11 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut81_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:17 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut9_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:01 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut9_1B72F66FEC97454396CC50F63093FE70.exe
- 2007-03-26 15:15:24 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut91_1B72F66FEC97454396CC50F63093FE70.exe
+ 2008-01-13 15:40:12 65,536 ----a-r C:\WINDOWS\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut91_1B72F66FEC97454396CC50F63093FE70.exe
.

indiancexi
2008-01-14, 15:59
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"XPRepairPro2007"="C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-12 11:56 219136]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-07-26 15:59:44]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2006-06-05 20:35:54]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-01-22 14:21:00]
Wireless-G Notebook Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe [2006-01-20 14:28:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-12 11:57 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuspon]
vtuspon.dll

R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 22:28]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2003-05-14 16:01]
S3 DCamUSBSTK016;STK016 Camera;C:\WINDOWS\system32\DRIVERS\STK016W2.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-08 03:39:19 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exe
"2008-01-14 06:37:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 08:45:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-14 8:46:55
ComboFix-quarantined-files.txt 2008-01-14 13:46:27
ComboFix2.txt 2008-01-13 15:47:17
.
2008-01-14 08:02:26 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:42 AM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.roanoke.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [XPRepairPro2007] C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} (CPlayFirstmsiControl Object) - http://games.bigfishgames.com/en_mysteryofsharkisla/online/MysteryOfSharkIslandWeb.1.0.0.8.cab
O16 - DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl5.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://games.bigfishgames.com/en_ricochetlostworlds/online/ReflexiveWebGameLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152448988654
O16 - DPF: {6FE79ACA-A498-45E5-8BC4-1B9F380CE468} (Abx(gh) Control) - http://aolsvc.aol.com/onlinegames/ghadventureball/abxgh.cab
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://games.bigfishgames.com/en_dream-chronicles/online/dreamweb.1.0.0.9.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://aolsvc.aol.com/onlinegames/free-trial-mystery-solitaire-secret-island/SpinTopGamesLauncher.cab
O16 - DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} (Jolly Bear Games Player) - http://games.bigfishgames.com/en_bigcityadventuresa/online/JBGamePlayer.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://aolsvc.aol.com/onlinegames/sonybewitched/main.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-trial-delicious-2-deluxe/zylomplayer.cab
O16 - DPF: {CA11EB7C-1C85-4577-8A49-9E28EFB30184} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/dinerdash/DinerDash.1.0.0.72.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: vtuspon - vtuspon.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10445 bytes

shelf life
2008-01-15, 00:44
hi,

thanks for the info. please refrain from using limewire for now; disable it from running at start up.

we will use combofix now.

Click Start > Run and type Notepad and click OK.
Open notepad
Copy/paste the text in the code box below into notepad:



File::
C:\WINDOWS\system32\mljif.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuspon]
vtuspon.dll



Name the Notepad file CFScript.txt and Save it to your desktop.

locate both the file you just saved and the combofix icon. using your mouse drag the txt file right on top of the combofix icon and release. combofix will run (and may reboot your machine)
and produce a new log. please post the new log and a new hjt log also.

last do a online scan here:

ESET online scanner:

http://www.eset.com/onlinescan/
uses Internet Explorer only

check "YES" to accept terms

click start button

allow the ActiveX component to install

click the start button. the Scanner will update.

Do not check either of: "Remove found threats" and "Scan unwanted applications"

click scan

when done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt

please copy/paste that log in next reply. along with the new combofix and the new hjt log.

shelf life
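Added example (my own, not code from the thread, from ComboFix or from HijackThis): a Python triage pass over HijackThis log lines that flags orphan entries of the kind the reply above targets (a Winlogon Notify DLL that is registered but has no file on disk, browser hooks with no backing file, services with no publisher string) and emits the matching `Registry::` deletion line in the `[-KEY]` form the CFScript in the post uses. The sample lines are constructed from the log posted earlier in this thread; the flag rules are common analyst heuristics and the `parse_hjt`/`triage`/`cfscript_for_orphan_notify` names are mine.

```python
import re
from dataclasses import dataclass

# Registry key under which Winlogon Notify packages are registered (as shown in the post above).
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

# Constructed sample: a handful of lines in HijackThis v2.0.2 format, copied from
# the log posted earlier in this thread (vtuspon is the entry the CFScript removes).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKCU\..\Run: [XPRepairPro2007] C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: vtuspon - vtuspon.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""


@dataclass
class Entry:
    section: str  # HijackThis section code, e.g. "O20"
    detail: str   # everything after "O20 - "
    raw: str      # the original line


# A HijackThis entry line starts with a section code (R0, R1, R3, F0, O1..O24) and " - ".
HJT_LINE = re.compile(r"^(?P<section>[RFOU]\d+) - (?P<detail>.+)$")


def parse_hjt(text):
    """Return the entry lines of a HijackThis log; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["detail"], line.strip()))
    return entries


def triage(entries):
    """Flag entries worth a closer look, as (entry, reason) pairs in log order."""
    findings = []
    for e in entries:
        d = e.detail
        if e.section == "O20" and "(file missing)" in d:
            findings.append((e, "Winlogon Notify DLL registered but absent on disk (orphan entry)"))
        elif e.section in ("R3", "O2", "O3") and ("(no file)" in d or "(file missing)" in d):
            findings.append((e, "browser hook/BHO/toolbar with no backing file (orphan entry)"))
        elif e.section == "O23" and "Unknown owner" in d:
            findings.append((e, "service binary carries no publisher string; verify before trusting"))
    return findings


def orphan_notify_entries(entries):
    """(subkey name, DLL name) for every Winlogon Notify entry whose DLL is missing."""
    found = []
    for e in entries:
        if e.section == "O20" and "(file missing)" in e.detail:
            m = re.match(r"Winlogon Notify: (\S+) - (\S+)", e.detail)
            if m:
                found.append((m.group(1), m.group(2)))
    return found


def cfscript_for_orphan_notify(entries):
    """Build the Registry:: block that deletes each orphan Notify subkey ([-KEY] syntax)."""
    lines = ["Registry::"]
    for name, _dll in orphan_notify_entries(entries):
        lines.append(f"[-{NOTIFY_KEY}\\{name}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for entry, reason in triage(parsed):
        print(f"{entry.section}: {reason}\n    {entry.raw}")
    print(cfscript_for_orphan_notify(parsed))
```

Note that a Run entry such as the XPRepairPro line is deliberately not flagged by the missing-file rules: a program that is present on disk needs a reputation check, not a parser, which is why the helper in the thread asks for the online scan as well.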

indiancexi
2008-01-15, 01:40
Here is the new combofix log. Will post the hijackthis log and results of the scan in next log.

ComboFix 08-01-13.1 - user 2008-01-14 18:23:18.3 - NTFSx86
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\mljif.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mljif.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-13 10:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 22:54 . 2008-01-13 09:48 <DIR> d-------- C:\VundoFix Backups
2008-01-12 12:00 . 2008-01-12 12:28 <DIR> d-------- C:\Documents and Settings\user\Application Data\AVG7
2008-01-12 11:58 . 2008-01-12 11:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-12 11:57 . 2008-01-12 11:57 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll
2008-01-12 11:56 . 2008-01-12 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-12 11:56 . 2008-01-12 14:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-10 09:27 . 2008-01-10 09:38 196,608 -ra------ C:\icei5_12_05use this.QBW.TLG
2008-01-09 16:50 . 2008-01-09 16:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-06 14:18 . 2007-01-18 07:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-03 08:37 . 2008-01-07 07:01 <DIR> d-------- C:\Program Files\SpywareGuard
2008-01-03 08:27 . 2008-01-03 08:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-30 20:58 . 2007-12-30 20:58 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-30 15:03 . 2007-12-30 15:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-30 15:03 . 2007-12-30 15:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-30 12:59 . 2008-01-02 13:48 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-30 12:13 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-30 12:13 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-30 12:13 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-30 12:13 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-30 12:13 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-30 12:13 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-30 12:13 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-30 12:13 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-30 12:13 . 2007-10-10 05:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-29 20:49 . 2007-12-30 01:08 <DIR> d-------- C:\Program Files\AOL 9.1c
2007-12-27 09:53 . 2007-12-28 12:01 <DIR> d-------- C:\Program Files\AOL 9.1b
2007-12-26 09:35 . 2007-12-30 01:08 <DIR> d-------- C:\Program Files\AOL 9.1a
2007-12-25 09:57 . 2007-12-25 09:57 <DIR> d-------- C:\WINDOWS\aolshare
2007-12-25 09:56 . 2007-12-30 01:08 <DIR> d-------- C:\Program Files\AOL 9.1
2007-12-24 23:25 . 2008-01-14 17:49 34,794 --a------ C:\logfile
2007-12-24 23:00 . 2007-12-24 23:00 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-24 22:59 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-24 22:59 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-12-24 22:58 . 2007-12-24 22:58 <DIR> d-------- C:\Program Files\Common Files\Kodak
2007-12-24 22:41 . 2007-12-24 23:00 <DIR> d-------- C:\Program Files\Kodak
2007-12-24 22:38 . 2007-12-24 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2007-12-24 15:51 . 2007-12-24 15:51 <DIR> d-------- C:\Program Files\Legacy Interactive
2007-12-19 16:07 . 2007-12-19 16:07 <DIR> d-------- C:\Documents and Settings\user\Application Data\Snapfish
2007-12-16 21:14 . 2007-12-16 21:14 <DIR> d-------- C:\Program Files\Disney
2007-12-15 15:40 . 2007-12-15 15:40 <DIR> d-------- C:\Program Files\Simple Star

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 23:16 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
2008-01-14 13:34 --------- d-----w C:\Program Files\AOL 9.0a
2008-01-05 08:01 --------- d-----w C:\Program Files\LimeWire
2007-12-31 14:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-30 02:05 --------- d-----w C:\Documents and Settings\user\Application Data\AOL
2007-12-30 01:55 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-30 01:51 --------- d-----w C:\Program Files\Common Files\aolshare
2007-12-30 01:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-30 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-12-29 16:37 --------- d-----w C:\Program Files\AOL Games
2007-12-26 14:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-25 08:29 --------- d-----w C:\Program Files\QuickTime
2007-12-24 04:54 --------- d-----w C:\Program Files\John Deere American Farmer
2007-12-15 21:05 --------- d-----w C:\Documents and Settings\user\Application Data\Simple Star
2007-12-15 20:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Simple Star
2007-12-15 20:53 --------- d-----w C:\Program Files\Common Files\Simple Star Shared
2007-12-14 14:14 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2007-11-30 08:54 --------- d-----w C:\Program Files\iTunes
2007-11-18 00:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Simple Star Shared
2007-11-16 14:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 17:45 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-10-27 17:45 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-07-13 03:27 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-03-26 00:47 45,240 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot_2008-01-14_ 8.45.47.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-13 15:04:59 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-14 23:23:06 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 15:04:59 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-14 23:23:06 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 15:05:01 5,861,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-14 23:23:06 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-13 15:05:01 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-14 23:23:06 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 15:05:01 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-14 23:23:07 5,873,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-13 15:05:01 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-14 23:23:07 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"XPRepairPro2007"="C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-12 11:56 219136]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-07-26 15:59:44]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2006-06-05 20:35:54]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-01-22 14:21:00]
Wireless-G Notebook Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe [2006-01-20 14:28:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-12 11:57 9216 C:\WINDOWS\system32\avgwlntf.dll

R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 22:28]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2003-05-14 16:01]
S2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [2003-11-13 13:29]
S3 DCamUSBSTK016;STK016 Camera;C:\WINDOWS\system32\DRIVERS\STK016W2.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-08 03:39:19 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exe
"2008-01-14 06:37:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 18:33:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-14 18:34:34
ComboFix-quarantined-files.txt 2008-01-14 23:34:00
ComboFix2.txt 2008-01-14 13:46:55
ComboFix3.txt 2008-01-13 15:47:17
.
2008-01-14 08:02:26 --- E O F ---

shelf life
2008-01-15, 03:09
hi,

ok thanks, you forgot the online scan log?

shelf life

indiancexi
2008-01-15, 04:17
here is the hjt log and the ESET online scan log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:48 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.roanoke.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [XPRepairPro2007] C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} (CPlayFirstmsiControl Object) - http://games.bigfishgames.com/en_mysteryofsharkisla/online/MysteryOfSharkIslandWeb.1.0.0.8.cab
O16 - DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl5.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://games.bigfishgames.com/en_ricochetlostworlds/online/ReflexiveWebGameLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152448988654
O16 - DPF: {6FE79ACA-A498-45E5-8BC4-1B9F380CE468} (Abx(gh) Control) - http://aolsvc.aol.com/onlinegames/ghadventureball/abxgh.cab
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://games.bigfishgames.com/en_dream-chronicles/online/dreamweb.1.0.0.9.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://aolsvc.aol.com/onlinegames/free-trial-mystery-solitaire-secret-island/SpinTopGamesLauncher.cab
O16 - DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} (Jolly Bear Games Player) - http://games.bigfishgames.com/en_bigcityadventuresa/online/JBGamePlayer.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://aolsvc.aol.com/onlinegames/sonybewitched/main.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-trial-delicious-2-deluxe/zylomplayer.cab
O16 - DPF: {CA11EB7C-1C85-4577-8A49-9E28EFB30184} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/dinerdash/DinerDash.1.0.0.72.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10311 bytes


# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2791 (20080114)
# vers_arch_module=1.061 (20080110)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=3137351cdc8f6f4586fd05247c380f69
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2008-01-15 02:12:17
# local_time=2008-01-14 09:12:17 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=306215
# found=1
# scan_time=8306
C:\QooBox\Quarantine\C\WINDOWS\system32\mljif.exe.vir Win32/Adware.Virtumonde.CLI application 15E6D8768CD05D6F6160648ACEC29FF0

shelf life
2008-01-16, 00:42
hi,

ok thanks, how's it looking on your end now?

indiancexi
2008-01-16, 04:21
There doesn't seem to be any pop ups. What scans do you want me to run? Do I need to reinstall AVG, or is it fine?

indiancexi
2008-01-16, 18:56
When I run ad-aware I got 30 cookies the first time and when I ran it a second time I got 15. I am still getting the 207.net and tacoda and zedo and several others but they are not the same. Also when I run Spybot I got 5 problems all of which are cookies. AVG has

mljif.exe.vir
C:\QooBox\Quarantine\C\WINDOWS\system\32
virus identified Win32\Prepender.C

A0000523.exe
C:\System Volume Information\_restore{DE8EA6EA6E1-509B-46FA-9F86-CE15892ADC67}\RP10\
virus identified Win32\Prepender.C

A0000156.exe
C:\System Volume Information\_restore{DE8EA61-509B-46FA-9F86-CE15892ADC67}\RP5\
virus identified Win32\Prepender.C

Plus 15 of the same cookies even after the three scans.

shelf life
2008-01-17, 01:42
hi,

cookies aren't too much to be concerned about.
you don't have to uninstall AVG.

here's a good tool to use every few days or so that will take care of cookies, temp files etc:

http://www.atribune.org/content/view/19/2/

this:
C:\QooBox\Quarantine
is combofix's quarantine folder, you're safe. we will clean later

this:
C:\System Volume Information\_restore
is your machine's restore points which we will also clean out.

please do this to see what java runtime you are using:
1. Open HijackThis.
2. Click once on the Config... button.
3. Go to the Misc Tools section by clicking on the Misc Tools button on top of the screen.
4. Click on the Open Uninstall Manager... button. You'll see a list of currently installed programs.
5. Click on the Save list... button and specify where you would like to save the uninstall list.
6. Click Save.
Notepad will open up with the contents of that file.
7. Copy and paste the contents of that Notepad file (uninstall_list.txt) as a reply to this topic.

shelf life
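
The triage shelf life describes above (ComboFix's quarantine folder versus the System Restore folder versus everything else), written out as an added Python example; it is not code from this thread or from any of the tools mentioned in it. The sample detections are constructed from the paths posted above, and the third path is a hypothetical one so the "live" case is exercised.

```python
import re
from collections import Counter

# Constructed sample, modelled on the AVG and ESET hits posted in this thread.
# The third entry is a hypothetical path added so the "live" case is exercised.
SAMPLE_DETECTIONS = [
    (r"C:\QooBox\Quarantine\C\WINDOWS\system32\mljif.exe.vir", "Win32/Prepender.C"),
    (r"C:\System Volume Information\_restore{DE8EA61-509B-46FA-9F86-CE15892ADC67}\RP5\A0000156.exe",
     "Win32/Prepender.C"),
    (r"C:\WINDOWS\system32\hypothetical.dll", "Win32/Adware.Virtumonde.CLI"),
]

# Folders whose contents are already neutralised copies, not running code.
QUARANTINE_PREFIXES = (
    r"c:\qoobox\quarantine",   # ComboFix quarantine (files renamed to *.vir)
)

# System Restore keeps copies of files under _restore{GUID}\RPnn\ ; the RP
# number identifies the restore point the copy belongs to.
RESTORE_RE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp(\d+)\\", re.I)


def triage(path, detection):
    """Classify one scanner hit by where the flagged file lives."""
    lowered = path.lower().replace("/", "\\")
    if lowered.startswith(QUARANTINE_PREFIXES):
        return {"path": path, "detection": detection, "category": "quarantine",
                "action": "inert copy; goes away when the tool that quarantined it is uninstalled"}
    m = RESTORE_RE.search(path)
    if m:
        return {"path": path, "detection": detection, "category": "restore_point",
                "restore_point": int(m.group(1)),
                "action": "cleared by turning System Restore off, rebooting, and turning it back on"}
    return {"path": path, "detection": detection, "category": "live",
            "action": "file in a live location; needs removal and a follow-up scan"}


def summarize(detections):
    """Count hits per category so any live ones stand out from the leftovers."""
    return Counter(triage(p, d)["category"] for p, d in detections)


if __name__ == "__main__":
    for p, d in SAMPLE_DETECTIONS:
        r = triage(p, d)
        print(f"{r['category']:<14} {d:<28} {r['action']}")
    print(dict(summarize(SAMPLE_DETECTIONS)))
```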

indiancexi
2008-01-17, 01:53
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.8
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Deskbar
AOL Toolbar 5.0
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Auction Client
AVG 7.5
AVG Anti-Rootkit Free
Broadcom 440x 10/100 Integrated Controller
Carnival Cruise Lines Tycoon 2005 - Island Hopping
CCScore
C-Major Audio
Conexant D480 MDC V.9x Modem
Dell ResourceCD
DVCam 3 DRIVER
ESET Online Scanner
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
fflink
GdiplusUpgrade
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
HP Update
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 2
John Deere American Farmer TM v1.0
Kaspersky Online Scanner
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
LimeWire 4.14.0
Lyra Jukebox Applications
Macromedia Flash Player
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Standard
Microsoft Picture It! 2000
Microsoft Streets and Trips 2004
Microsoft User-Mode Driver Framework Feature Pack 1.0
Movie Converter
Mozilla Firefox (2.0.0.11)
MSN Music Assistant
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
netbrdg
Nikon View 6
Odyssey Client
OfotoXMI
PhoTags Express
PhotoShow 5
Pure Networks Port Magic
QuickBooks Pro 2006
QuickTime
Rand McNally TripMaker 2000
RealPlayer
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
SFR
SHASTA
skin0001
SKINXSDK
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
staticcr
tooltips
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Viewpoint Media Player
Virtual Earth 3D (Beta)
VPRINTOL
Windows Defender
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WIRELESS
Wireless-G Notebook Adapter
Yahoo! Install Manager
Yahoo! Toolbar
Zoo Vet

shelf life
2008-01-18, 00:07
hi,

looks like your version of Java is out of date. please see this sticky topic:

http://forums.spybot.info/showthread.php?t=17204

i see you use Limewire. there is much malware that is distributed on p2p networks that an unsuspecting user can download. i have some p2p info on my website. it's not a how to guide, just presents some information.

speaking of cookies if you use firefox there are some options for cookie handling to automate the handling of cookies. probably also in IE but i don't use IE so couldn't help.
--------------------
if all is good on your end we can make new restore points. the how and why:

One of the features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (forces a new restore point on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/default.aspx?scid=kb;en-us;310405

shelf life

indiancexi
2008-01-18, 00:45
I have done steps 1, 2 and 3. What next?

indiancexi
2008-01-18, 18:43
it will not let me read this

http://forums.spybot.info/showthread.php?t=17204

shelf life
2008-01-19, 01:26
hi,

sorry i provided the wrong link. heres the information about java:

It is very important not only to keep Sun Java up to date, but also to remove older versions which have security holes and can be exploited by malware.

In preparation first download the latest version:

Java Runtime Environment (JRE) 6 Update 4

The Java SE Runtime Environment (JRE) allows end-users to run Java applications.

Download from http://java.sun.com/javase/downloads/index.jsp and save, do not install yet.

Release notes: http://java.sun.com/javase/6/webnote...es.html#160_04

* 1. Uninstall old versions of Sun Java via Add/Remove Programs.

* 2. Click the Remove or Change/Remove button.

* 3. Reboot your PC if prompted.

* 4. Install the latest version which you previously downloaded.
-------------------------
you can remove combofix like this:
start>run type in combofix /u click ok
note: there is a space after the x and before the /
that should take care of everything.

shelf life
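
The check behind the Java advice above (every older JRE left in Add/Remove Programs is its own exploitable runtime, so all of them have to go, not just the one below the newest), as an added Python example that is not from this thread or from HijackThis. It assumes the Add/Remove Programs naming shown in the uninstall list posted earlier, uses 6 Update 4 as "latest" because that is the release the post names, and the sample list is constructed from a few lines of that uninstall list plus one older-style entry.

```python
import re

# Constructed sample: a few lines in the shape of the HijackThis uninstall list
# posted above, including its two Java entries and one older-style JRE name.
SAMPLE_UNINSTALL_LIST = """\
Adobe Reader 7.0.8
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 2
Java 2 Runtime Environment, SE v1.4.2_03
Kaspersky Online Scanner
Mozilla Firefox (2.0.0.11)
"""

# Latest release named in the thread: JRE 6 Update 4.
LATEST_JRE = (6, 4)

# Add/Remove Programs names for Sun JREs of that era (assumed naming patterns).
_PATTERNS = [
    # "J2SE Runtime Environment 5.0 Update 6", "Java(TM) 6 Update 2",
    # "Java(TM) SE Runtime Environment 6 Update 1"
    re.compile(r"^(?:J2SE Runtime Environment|Java\(TM\)(?: SE Runtime Environment)?)"
               r"\s+(\d+)(?:\.\d+)?(?:\s+Update\s+(\d+))?$"),
    # "Java 2 Runtime Environment, SE v1.4.2_03" -> major 4, update 3
    re.compile(r"^Java 2 Runtime Environment, SE v1\.(\d+)\.\d+(?:_(\d+))?$"),
]


def parse_jre(name):
    """Return (major, update) for a JRE entry, or None if the line is not one."""
    for pat in _PATTERNS:
        m = pat.match(name.strip())
        if m:
            return int(m.group(1)), int(m.group(2) or 0)
    return None


def outdated_jres(uninstall_list, latest=LATEST_JRE):
    """List every installed JRE older than `latest`, oldest first.

    Each old JRE is a separately reachable runtime, so all of them are
    reported rather than only the newest one installed.
    """
    found = []
    for line in uninstall_list.splitlines():
        ver = parse_jre(line)
        if ver is not None and ver < latest:
            found.append((line.strip(), ver))
    return sorted(found, key=lambda item: item[1])


if __name__ == "__main__":
    for name, (major, update) in outdated_jres(SAMPLE_UNINSTALL_LIST):
        print(f"remove: {name}  (JRE {major} Update {update})")
```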

indiancexi
2008-01-19, 02:21
It is telling me the installation package is not supported by this processor type. Contact your product vendor. It also won't let me download the second thing. What am I doing wrong.

shelf life
2008-01-19, 05:01
hi,

I am not sure. you have selected the windows version to download?

you clicked to download this:

Java Runtime Environment (JRE) 6 Update 4

indiancexi
2008-01-19, 22:28
OK I got it downloaded now

shelf life
2008-01-19, 23:54
hi,

ok good. logs look ok, you've made a new restore point and have updated java.

see first link below for some prevention tips

happy safe surfing out there.

shelf life

indiancexi
2008-01-20, 23:36
So all viruses are cleaned up. So what do I do with AVG virus vault where it has C:\QooBox\Quarantine\C\WINDOWS\system32\mljif.exe.vir
Do I delete this out of the virus vault or what

shelf life
2008-01-21, 01:00
hi,


Do I delete this out of the virus vault or what

it's harmless in there, but you can delete it out of the virus vault.

also have a look here:
C:\QooBox -- you can delete the QooBox folder if present but I think uninstalling combofix removes it.

shelf life

tashi
2008-01-26, 06:06
Thank you shelf life. :)