PC Possessed by Virtumonde



tcharmon
2008-07-28, 18:40
Hello everyone.

I desperately need some help. My other computer is infected by Virtumonde and I am not quite sure what to do. Any help would be greatly appreciated. I currently use WinXP with AVG AntiVirus. I have included in my post a HijackThis log for viewing.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:11 PM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Documents and Settings\ToddnLaurie\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {0FFF2DA8-4A77-4ED4-8EB9-063988AE73A4} - (no file)
O2 - BHO: (no name) - {1891AB2B-9AED-42F5-A7FE-361F77C0FC19} - C:\WINDOWS\system32\ljJYSllJ.dll (file missing)
O2 - BHO: (no name) - {2A096A44-69ED-4016-9512-5691A7656221} - (no file)
O2 - BHO: (no name) - {313907D9-4A98-43BD-BDD6-020BC0B5FB0C} - C:\WINDOWS\system32\awtutqQI.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {041eec71-2b1c-8c59-e0d4-0070a4829b47} - {74b9284a-0700-4d0e-95c8-c1b217cee140} - C:\WINDOWS\system32\bqwuwh.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {B54D4C7F-5511-4554-B614-1E87124B5D9E} - C:\WINDOWS\system32\rqRJDwvu.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [08194ebb] rundll32.exe "C:\WINDOWS\system32\rsjwwgmh.dll",b
O4 - HKLM\..\Run: [BM0b2a7d27] Rundll32.exe "C:\WINDOWS\system32\wuktdxno.dll",s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [LOTRO Launcher] C:\Program Files\Turbine\The Lord of the Rings Online\TurbineLauncher.exe -Boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} (CVALAXObj Class) - https://autoins1.progressivedirect.com/ptt/cv/CVALAX.CAB
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://webcam.atomicmods.com//activex/AMC.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8ACDC08B-DC64-4613-97F2-299B65F66E1D} (DigiMeldOcx Control) - http://www.digimeld.com/download/digimeldOcx.CAB
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://webcam.atomicmods.com/activex/AMC.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup163.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: awtutqQI - awtutqQI.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

ken545
2008-07-29, 13:32
Hello tcharmon

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Click on My Computer > C: drive and go into Program Files and create a new folder and name it Hijackthis, cut HJT from where you have it on the desktop and paste it into the new folder; HJT needs to be in its own folder for backup purposes.


Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O2 - BHO: (no name) - {0FFF2DA8-4A77-4ED4-8EB9-063988AE73A4} - (no file)
O2 - BHO: (no name) - {1891AB2B-9AED-42F5-A7FE-361F77C0FC19} - C:\WINDOWS\system32\ljJYSllJ.dll (file missing)
O2 - BHO: (no name) - {2A096A44-69ED-4016-9512-5691A7656221} - (no file)
O2 - BHO: (no name) - {313907D9-4A98-43BD-BDD6-020BC0B5FB0C} - C:\WINDOWS\system32\awtutqQI.dll (file missing)
O2 - BHO: {041eec71-2b1c-8c59-e0d4-0070a4829b47} - {74b9284a-0700-4d0e-95c8-c1b217cee140} - C:\WINDOWS\system32\bqwuwh.dll
O2 - BHO: (no name) - {B54D4C7F-5511-4554-B614-1E87124B5D9E} - C:\WINDOWS\system32\rqRJDwvu.dll


O4 - HKLM\..\Run: [08194ebb] rundll32.exe "C:\WINDOWS\system32\rsjwwgmh.dll",b
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\wuktdxno.dll",s

O20 - Winlogon Notify: awtutqQI - awtutqQI.dll (file missing)

You also have a ton of games installed; the sites that host them sometimes include malware, so look over your Hijackthis log and you can remove any of the O16 entries that are game related.


Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- Don't forget to do this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.
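The entries the helper singles out above share a few recognisable traits: BHOs with "(no name)" or a GUID where a name should be and a DLL that is missing or sits unnamed in system32, Run values whose name is a hex blob and which launch rundll32 against a DLL with a one-letter export, and a Winlogon Notify hook whose DLL is gone. The script below is an added example, not code from this thread or from the HijackThis project; it encodes those traits as explicit signals and runs them over a constructed sample made of lines copied from the log posted above (plus two benign lines so there is something to leave alone). The signal names and the heuristics themselves are my own choices, not HijackThis conventions.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted in this
# thread, with two benign entries (SnagIt BHO, NvCplDaemon) included as controls.
SAMPLE_LOG = r"""
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {0FFF2DA8-4A77-4ED4-8EB9-063988AE73A4} - (no file)
O2 - BHO: (no name) - {1891AB2B-9AED-42F5-A7FE-361F77C0FC19} - C:\WINDOWS\system32\ljJYSllJ.dll (file missing)
O2 - BHO: {041eec71-2b1c-8c59-e0d4-0070a4829b47} - {74b9284a-0700-4d0e-95c8-c1b217cee140} - C:\WINDOWS\system32\bqwuwh.dll
O2 - BHO: (no name) - {B54D4C7F-5511-4554-B614-1E87124B5D9E} - C:\WINDOWS\system32\rqRJDwvu.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [08194ebb] rundll32.exe "C:\WINDOWS\system32\rsjwwgmh.dll",b
O4 - HKLM\..\Run: [BM0b2a7d27] Rundll32.exe "C:\WINDOWS\system32\wuktdxno.dll",s
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: awtutqQI - awtutqQI.dll (file missing)
"""

# A bare {GUID} used where a human-readable BHO name belongs.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# Run-value names like 08194ebb or BM0b2a7d27: optional 2-letter prefix + 8 hex digits.
HEX_RUN_NAME_RE = re.compile(r"^[A-Za-z]{0,2}[0-9a-fA-F]{8}$")
# rundll32[.exe] "<dll>",<export>  (quotes optional); we look at the export name.
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)', re.IGNORECASE)
# O4 body: HKxx\..\Run[Once]: [value name] command   (value name may be absent)
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*):\s*(?:\[([^\]]*)\])?\s*(.*)$")


def parse_entry(line):
    """Split a HijackThis line into (section, body), or None for non-entry lines."""
    m = re.match(r"^(O\d+|R\d)\s+-\s+(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def file_missing(text):
    """HijackThis marks dangling references with '(no file)' or '(file missing)'."""
    return text.endswith("(no file)") or text.endswith("(file missing)")


def signals_for(line):
    """Return the list of heuristic signals that fire for one log line (empty if none)."""
    parsed = parse_entry(line)
    if not parsed:
        return []
    section, body = parsed
    found = []
    if section == "O2" and body.startswith("BHO: "):
        parts = body[len("BHO: "):].split(" - ")      # name, {CLSID}, path
        if len(parts) >= 3:
            name, path = parts[0], " - ".join(parts[2:])
            if name == "(no name)" or GUID_RE.match(name):
                found.append("anonymous_bho")
            if file_missing(path):
                found.append("orphan_entry")
    elif section == "O4":
        m = O4_RE.match(body)
        if m:
            value_name, command = m.group(3) or "", m.group(4)
            if HEX_RUN_NAME_RE.match(value_name):
                found.append("hex_run_name")
            rm = RUNDLL32_RE.search(command)
            if rm and len(rm.group(2)) == 1:          # export like ",b" or ",s"
                found.append("rundll32_single_export")
    elif section == "O20" and body.startswith("Winlogon Notify: "):
        if file_missing(body):
            found.append("winlogon_notify_missing")
    return found


def triage(log_text):
    """Return [(entry_line, [signals...])] for every entry that fires at least one signal."""
    hits = []
    for line in log_text.splitlines():
        sigs = signals_for(line)
        if sigs:
            hits.append((line.strip(), sigs))
    return hits


if __name__ == "__main__":
    for entry, sigs in triage(SAMPLE_LOG):
        print(", ".join(sigs).ljust(40), entry)
```

Run on the sample, it flags the same seven entries the helper asked to have fixed and leaves the SnagIt BHO and the NVIDIA Run value alone. These signals are a triage aid, not a verdict: a flagged entry still needs a human (or a file-hash lookup) before it is removed, and an orphaned "(no file)" BHO is cleanup rather than an active infection.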

tcharmon
2008-07-29, 17:43
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:18 AM, on 7/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HIJACKTHIS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM0b2a7d27] Rundll32.exe "C:\WINDOWS\system32\wuktdxno.dll",s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [LOTRO Launcher] C:\Program Files\Turbine\The Lord of the Rings Online\TurbineLauncher.exe -Boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

Malwarebytes' Anti-Malware 1.23
Database version: 1007
Windows 5.1.2600 Service Pack 3

11:37:32 AM 7/29/2008
mbam-log-7-29-2008 (11-37-32).txt

Scan type: Quick Scan
Objects scanned: 37686
Time elapsed: 5 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

ken545
2008-07-29, 18:20
Hello,

Those O16s will come back next time you visit the site, just be real careful where you go to download games.

Remove this with HJT
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\wuktdxno.dll",s


You need to enable windows to show all files and folders, instructions Here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

C:\WINDOWS\system32\wuktdxno.dll <-- Delete this file




Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.



There may be more hiding, let's run this tool.


Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards, before connecting to the net.

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

tcharmon
2008-07-31, 06:34
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:55 AM, on 7/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\HIJACKTHIS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [LOTRO Launcher] C:\Program Files\Turbine\The Lord of the Rings Online\TurbineLauncher.exe -Boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 9469 bytes




ComboFix 08-07-29.1 - ToddnLaurie 2008-07-30 10:07:22.1 - NTFSx86
Running from: C:\Documents and Settings\ToddnLaurie\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\ToddnLaurie\Application Data\macromedia\Flash Player\#SharedObjects\PM34C9NH\interclick.com
C:\Documents and Settings\ToddnLaurie\Application Data\macromedia\Flash Player\#SharedObjects\PM34C9NH\interclick.com\ud.sol
C:\Documents and Settings\ToddnLaurie\Application Data\macromedia\Flash Player\#SharedObjects\PM34C9NH\www.broadcaster.com
C:\Documents and Settings\ToddnLaurie\Application Data\macromedia\Flash Player\#SharedObjects\PM34C9NH\www.broadcaster.com\played_list.sol
C:\Documents and Settings\ToddnLaurie\Application Data\macromedia\Flash Player\#SharedObjects\PM34C9NH\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\ToddnLaurie\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\ToddnLaurie\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\ToddnLaurie\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\ToddnLaurie\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\ToddnLaurie\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\dycxjtjr.ini
C:\WINDOWS\system32\JllSYJjl.ini
C:\WINDOWS\system32\JllSYJjl.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\sklghkxj.ini
C:\WINDOWS\system32\uvwDJRqr.ini
C:\WINDOWS\system32\uvwDJRqr.ini2
C:\WINDOWS\system32\vfbxffmc.ini
C:\WINDOWS\system32\xebtqove.ini
C:\WINDOWS\system32\xopylpmj.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 )))))))))))))))))))))))))))))))
.

2008-08-01 00:50 . 2008-08-01 00:50 <DIR> d-------- C:\Documents and Settings\ToddnLaurie\Application Data\FarmerJane
2008-07-30 10:33 . 2008-07-22 12:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-30 10:33 . 2008-07-30 10:33 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-29 11:09 . 2008-07-29 11:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-29 11:09 . 2008-07-29 11:09 <DIR> d-------- C:\Documents and Settings\ToddnLaurie\Application Data\Malwarebytes
2008-07-29 11:09 . 2008-07-29 11:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-29 11:09 . 2008-07-23 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-29 11:09 . 2008-07-23 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-29 00:28 . 2008-07-29 00:28 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-29 00:28 . 2008-07-29 00:28 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-29 00:28 . 2008-07-29 00:28 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-29 00:28 . 2008-07-29 00:28 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-29 00:25 . 2008-07-29 00:29 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-29 00:17 . 2008-07-29 00:17 <DIR> d-------- C:\WINDOWS\EHome
2008-07-29 00:08 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-07-29 00:07 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-07-23 00:28 . 2008-07-23 10:20 <DIR> d-------- C:\Program Files\Build in Time
2008-07-22 12:08 . 2008-07-23 10:14 43,941 ---hs---- C:\WINDOWS\system32\khqnnyah.ini
2008-07-22 10:17 . 2008-07-22 11:57 43,581 ---hs---- C:\WINDOWS\system32\cckgigqe.ini
2008-07-21 12:41 . 2008-07-23 14:15 311 --a------ C:\WINDOWS\wininit.ini
2008-07-21 10:23 . 2008-07-21 10:23 <DIR> d-------- C:\Program Files\WizardWorks
2008-07-20 10:14 . 2008-07-21 14:04 <DIR> d-------- C:\Program Files\John Deere North American Farmer
2008-07-19 22:17 . 2008-07-19 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-19 22:03 . 2008-07-19 22:03 0 --a------ C:\WINDOWS\DXT73.tmp
2008-07-19 22:03 . 2008-07-19 22:03 0 --a------ C:\WINDOWS\DXT72.tmp
2008-07-19 22:03 . 2008-07-19 22:03 0 --a------ C:\WINDOWS\DXT71.tmp
2008-07-19 22:03 . 2008-07-19 22:03 0 --a------ C:\WINDOWS\DXT70.tmp
2008-07-19 22:03 . 2008-07-19 22:03 0 --a------ C:\WINDOWS\DXT6F.tmp
2008-07-19 22:03 . 2008-07-19 22:03 0 --a------ C:\WINDOWS\DXT6E.tmp
2008-07-19 22:02 . 2008-07-20 10:17 9 --a------ C:\WINDOWS\sierra.ini
2008-07-19 22:01 . 2008-07-19 22:01 <DIR> d-------- C:\Program Files\Sierra On-Line
2008-07-19 21:48 . 2008-07-19 21:48 <DIR> d-------- C:\Sierra
2008-07-19 00:26 . 2008-07-29 10:35 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-19 00:11 . 2008-07-30 09:51 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-19 00:11 . 2008-07-19 00:11 <DIR> d-------- C:\Program Files\AVG
2008-07-19 00:11 . 2008-07-19 01:46 <DIR> d-------- C:\Documents and Settings\ToddnLaurie\Application Data\AVGTOOLBAR
2008-07-19 00:11 . 2008-07-19 00:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-19 00:11 . 2008-07-19 00:11 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-19 00:11 . 2008-07-19 00:11 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-19 00:11 . 2008-07-19 00:11 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-13 00:02 . 2008-07-13 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FreshGames
2008-07-03 10:45 . 2008-07-11 10:40 1,077 --a------ C:\WINDOWS\GTA-SA_Trn_Settings.ini
2008-06-26 11:45 . 2008-06-26 11:45 <DIR> d-------- C:\Documents and Settings\ToddnLaurie\Application Data\Atari
2008-06-26 11:10 . 2008-06-26 11:10 <DIR> d-------- C:\Program Files\Atari
2008-06-22 23:07 . 2008-06-22 23:07 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-20 13:46 . 2008-06-20 13:46 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 13:46 . 2008-06-20 13:46 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 07:51 . 2008-06-20 07:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 07:40 . 2008-06-20 07:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 07:08 . 2008-06-20 07:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-15 22:45 . 2008-06-15 22:45 <DIR> d-------- C:\Program Files\CrystalVoice
2008-06-15 01:12 . 2008-06-15 01:17 <DIR> d-------- C:\Documents and Settings\ToddnLaurie\Application Data\Hoyle FaceCreator
2008-06-15 01:12 . 2008-06-20 23:44 <DIR> d-------- C:\Documents and Settings\ToddnLaurie\Application Data\Hoyle Casino
2008-06-12 23:37 . 2008-06-13 01:18 <DIR> d-------- C:\Program Files\Airport Mania
2008-06-11 13:36 . 2008-07-21 23:49 <DIR> d-------- C:\Program Files\PlayFirst
2008-06-10 17:14 . 2008-06-13 07:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 17:14 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 17:14 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-01 17:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-23 05:13 --------- d-----w C:\Documents and Settings\ToddnLaurie\Application Data\LimeWire
2008-07-22 03:49 --------- d-----w C:\Documents and Settings\ToddnLaurie\Application Data\PlayFirst
2008-07-21 14:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-21 13:59 --------- d-----w C:\Documents and Settings\ToddnLaurie\Application Data\BitTorrent
2008-07-20 14:23 --------- d-----w C:\Documents and Settings\ToddnLaurie\Application Data\GetRightToGo
2008-07-20 02:17 --------- d-----w C:\Program Files\Lavasoft
2008-07-20 02:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-19 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-19 15:51 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-19 06:58 --------- d-----w C:\Program Files\GameSpy Arcade
2008-07-19 03:51 --------- d-----w C:\Documents and Settings\ToddnLaurie\Application Data\DNA
2008-07-18 17:57 --------- d-----w C:\Program Files\Coupons
2008-07-11 14:57 --------- d-----w C:\Program Files\Shockwave.com
2008-07-05 17:21 --------- d-----w C:\Documents and Settings\ToddnLaurie\Application Data\Move Networks
2008-06-21 14:34 --------- d-----w C:\Program Files\EA GAMES
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-30 23:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Frozen Codebase LLC
2008-04-26 02:30 68,608 ----a-w C:\WINDOWS\ScEdUnin.exe
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 376,832 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msinfo.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2008-04-03 02:50 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2008-03-11 15:49 0 ----a-w C:\Program Files\temp01
2008-03-11 03:50 251 ----a-w C:\Documents and Settings\ToddnLaurie\WINREMRU.SYS
2007-12-21 21:32 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-08-31 23:17 389,120 ----a-w C:\Documents and Settings\ToddnLaurie\GoToAssist_phone__268_en.exe
2007-07-25 22:31 476,752 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2006-11-10 00:25 389,120 ----a-w C:\Documents and Settings\ToddnLaurie\remote.exe
2007-05-07 03:04 61 --sh--w C:\WINDOWS\cnerolf.dat
2007-10-02 00:53 88 --sh--r C:\WINDOWS\system32\B214D05F76.sys
2007-10-02 00:53 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-10-30 18:05 4662776]
"LOTRO Launcher"="C:\Program Files\Turbine\The Lord of the Rings Online\TurbineLauncher.exe" [2008-06-12 11:58 2413840]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43 7630848]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-01 13:52 196608]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-03-27 02:35 36352]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 21:43 86016]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
"Zboard"="C:\Program Files\Ideazon\ZEngine\Zboard.exe" [2008-05-21 14:59 57344]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-19 00:11 1232152]
"nwiz"="nwiz.exe" [2006-08-11 21:43 1519616 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv32"= C:\WINDOWS\system32\ir32_32.dll
"vidc.iv31"= C:\WINDOWS\system32\ir32_32.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^ToddnLaurie^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\ToddnLaurie\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ToddnLaurie^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\ToddnLaurie\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A Verizon App]
--a------ 2005-05-23 14:20 50744 C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-03-20 12:46 217544 C:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
--a------ 2008-02-21 10:24 91432 C:\Program Files\CyberLink\Shared files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2008-04-08 14:52 587568 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-05-08 15:49 289088 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
--a------ 2005-07-26 17:52 184408 C:\Program Files\Executive Software\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2007-03-05 13:57 1103480 C:\Program Files\IGN\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Itiva Media Accelerator]
--a------ 2008-06-04 19:09 4994288 C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--------- 2007-10-11 12:06 62760 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayNC Launcher]
--a------ 2007-08-21 10:00 38128 C:\Program Files\NCSoft\Launcher\NCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2008-01-22 14:23 81920 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-07-07 09:42 2156368 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-12-06 21:31 36975 C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-26 20:07 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
--a------ 2005-03-28 21:24 28616 C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XDc]
--a------ 2006-10-03 00:09 1383478 C:\Program Files\Xtreme Desktop\xdc\startxdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"dmadmin"=3 (0x3)
"Diskeeper"=2 (0x2)
"C-DillaCdaC11BA"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"mnmsrvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Itiva\\Itiva Media Accelerator\\ItivaMediaAccelerator.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-19 00:11]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2008-01-18 23:01]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-19 00:11]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-19 00:11]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-19 00:11]
S3 Alpham1;Ideazon ZBoard USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-07-23 10:56]
S3 Alpham2;Ideazon ZBoard MM USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham2.sys [2007-03-20 12:49]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;C:\WINDOWS\system32\DRIVERS\SWUSBFLT.sys [2001-08-17 15:02]
S3 XDva020;XDva020;C:\WINDOWS\system32\XDva020.sys []
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
MSConfigStartUp-08194ebb - C:\WINDOWS\system32\rjtjxcyd.dll
MSConfigStartUp-Antivirus - C:\Program Files\VAV\vav.exe
MSConfigStartUp-AVG7_CC - C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
MSConfigStartUp-PC Connection Agent - C:\PROGRA~1\MICROS~3\wcescomm.exe
MSConfigStartUp-NeroFilterCheck - C:\WINDOWS\system32\NeroCheck.exe
MSConfigStartUp-PWRISOVM - C:\Program Files\PowerISO\PWRISOVM.EXE
MSConfigStartUp-Sys2 - C:\Windows\Sys2.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/ig?hl=en
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://home.sweetim.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 -: {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe

O16 -: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://webcam.atomicmods.com//activex/AMC.cab
C:\WINDOWS\Downloaded Program Files\setup.inf

O16 -: {8ACDC08B-DC64-4613-97F2-299B65F66E1D} - hxxp://www.digimeld.com/download/digimeldOcx.CAB
C:\WINDOWS\Downloaded Program Files\install.inf
C:\WINDOWS\Downloaded Program Files\Core.dll
C:\WINDOWS\Downloaded Program Files\DigiMeldOcx.ocx

O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://webcam.atomicmods.com/activex/AMC.cab
C:\WINDOWS\Downloaded Program Files\setup.inf


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-30 10:16:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-07-30 10:32:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-30 14:30:53

Pre-Run: 11,708,444,672 bytes free
Post-Run: 11,767,881,728 bytes free

308 --- E O F --- 2008-07-10 14:15:37

tcharmon
2008-07-31, 06:38
Thanks for all of your help on this..

Do you suggest a good program to help me clean up my hard drive after we finish up this virus stuff.. Kinda like registry cleaners and such.. I am gonna delete a bunch of programs on my hard drive to make some room.. Please let me know..

Todd

ken545
2008-07-31, 10:46
Hello Todd,

A couple of things to go over.

1. Registry Cleaners: unless you're a Windows expert, these are not recommended. There are some floating around the net that are trojans, and even the legit ones can bork your system if the wrong entry is removed (and they have been known to remove wrong entries). I have seen some where the only recourse was to reformat and do a clean install of Windows. I have been in computing since Windows 3.1 and have never had any use for any registry cleaners, so I would stay away from them.

2. I don't see it on your HJT log, but there is an entry in your Combofix log for BitTorrent. I would like you to read this about P2P programs; these are also programs to stay away from. I would never have any of these types of programs on my system either.


P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realize. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

The best thing to do to clean up your drive and gain more space is to look over all the programs you may have downloaded and installed and uninstall any that you do not use and have no intention of using in the future.


You need to enable Windows to show all files and folders, instructions Here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Delete the files in red:
C:\WINDOWS\system32\khqnnyah.ini
C:\WINDOWS\system32\cckgigqe.ini

If you uninstalled BitTorrent let me know and we can remove the reg entry for it.


The rest of your logs look fine :bigthumb: How is your system behaving now??
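
As an added illustration of the triage in the reply above (example code, not from this thread or from ComboFix): a small Python parser for ComboFix "Files Created" lines that flags hidden+system .ini files with random-looking names sitting directly in system32, which is the pattern behind the two files named above. The sample lines are constructed from the log in this thread, and the name-length heuristic is an assumption of this example, not a ComboFix rule.

```python
import re

# Constructed sample in the shape of a ComboFix "Files Created" section,
# copied from the log posted in this thread. The two ---hs---- .ini entries
# are the ones the helper told the poster to delete.
SAMPLE_LINES = """\
2008-07-30 10:33 . 2008-07-22 12:45 54,156 --ah----- C:\\WINDOWS\\QTFont.qfn
2008-07-29 11:09 . 2008-07-29 11:09 <DIR> d-------- C:\\Program Files\\Malwarebytes' Anti-Malware
2008-07-29 11:09 . 2008-07-23 20:21 38,472 --a------ C:\\WINDOWS\\system32\\drivers\\mbamswissarmy.sys
2008-07-22 12:08 . 2008-07-23 10:14 43,941 ---hs---- C:\\WINDOWS\\system32\\khqnnyah.ini
2008-07-22 10:17 . 2008-07-22 11:57 43,581 ---hs---- C:\\WINDOWS\\system32\\cckgigqe.ini
2008-07-21 12:41 . 2008-07-23 14:15 311 --a------ C:\\WINDOWS\\wininit.ini
2008-07-19 00:11 . 2008-07-19 00:11 10,520 --a------ C:\\WINDOWS\\system32\\avgrsstx.dll
"""

# One "Files Created" line: created-time . modified-time size attrs path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) "
    r"(?P<attrs>[-a-z]{9}) "
    r"(?P<path>.+)$",
    re.IGNORECASE,
)

SYSTEM32 = "c:\\windows\\system32\\"
# Heuristic (an assumption of this example): a bare run of 6..10 letters
# with no recognisable word, like the two names above, counts as random-looking.
RANDOM_STEM_RE = re.compile(r"^[a-z]{6,10}$", re.IGNORECASE)


def parse_combofix_created(text):
    """Parse 'Files Created' lines of a ComboFix log into dicts; skip the rest."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section banners, '.' separators, other sections
        e = m.groupdict()
        e["is_dir"] = e["size"] == "<DIR>"
        e["size"] = None if e["is_dir"] else int(e["size"].replace(",", ""))
        attrs = e["attrs"].lower()
        e["hidden"] = "h" in attrs
        e["system"] = "s" in attrs
        entries.append(e)
    return entries


def flag_suspicious_system32_ini(entries):
    """Return paths of hidden+system .ini files with random-looking names
    that sit directly in system32 (not in a subfolder such as drivers)."""
    flagged = []
    for e in entries:
        if e["is_dir"] or not (e["hidden"] and e["system"]):
            continue
        path = e["path"]
        if not path.lower().startswith(SYSTEM32):
            continue
        name = path[len(SYSTEM32):]
        if "\\" in name:  # lives in a subdirectory, not system32 itself
            continue
        stem, _, ext = name.rpartition(".")
        if ext.lower() != "ini" or not RANDOM_STEM_RE.match(stem):
            continue
        flagged.append(path)
    return flagged


if __name__ == "__main__":
    for p in flag_suspicious_system32_ini(parse_combofix_created(SAMPLE_LINES)):
        print("suspicious:", p)
```

Run over a full log, the parser only picks up lines in the "Files Created" format; the "Find3M Report" section uses a different layout and is ignored.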

tcharmon
2008-07-31, 17:37
What is the entry for bittorrent?

ken545
2008-07-31, 18:33
Uninstall these via Add/Remove Programs, then run Combofix again and let's see if the registry entries are gone.

C:\Program Files\LimeWire
C:\Program Files\BitTorrent
C:\Program Files\DNA


FYI <--- Our forum policy has just changed, and we require anyone with P2P (file sharing) programs to uninstall them before we can offer any help. Since we are done and you're clean, you squeaked in under the wire. What will happen now is that if you get infected again and you still have P2P programs installed, this forum (along with many of the other major malware removal forums) will not offer any help until the programs are uninstalled.