View Full Version : Another Virtumonde victim



guitarhawg
2008-08-18, 23:00
Yep...another one. Me. Please help. Here is my log from HJT. I have Mozilla Firefox...I deleted IE 7



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:36 PM, on 8/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Maxtor\OneTouch\Utils\MaxSync.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\dlcdcoms.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://help.bellsouth.net/fastaccess/launch.asp
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [BM474e1b2b] Rundll32.exe "C:\WINDOWS\system32\cxrnwrsk.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151162249406
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://www.fastaccess.drivers.bellsouth.net/software/DSLspeedtool/bls_speedop.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - AppInit_DLLs: evmvlc.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Nero BackItUp Scheduler 3 (nero backitup scheduler 3) - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService (nmindexingservice) - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7082 bytes

I ran Malwarebytes' Anti-Malware, and this is the log from that:


Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 3

12:10:50 AM 8/19/2008
mbam-log-08-19-2008 (00-10-50).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 221496
Time elapsed: 3 hour(s), 57 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 14
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\awtUnmmK.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ddcDtRIA.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\evmvlc.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{514979a5-ffd4-4f83-b104-64c468b9d0b0} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcdtria (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{514979a5-ffd4-4f83-b104-64c468b9d0b0} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{784204c8-0418-4b8d-8fd2-20be1f9d1ca0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{784204c8-0418-4b8d-8fd2-20be1f9d1ca0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e07469e8-c98b-4d0d-82d9-3a57f3dfa919} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e07469e8-c98b-4d0d-82d9-3a57f3dfa919} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{514979a5-ffd4-4f83-b104-64c468b9d0b0} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm474e1b2b (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\awtunmmk -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\awtunmmk -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\Jason and Cherie\Application Data\ErrorKiller (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jason and Cherie\Application Data\ErrorKiller\Log (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jason and Cherie\Application Data\ErrorKiller\Registry Backups (Rogue.ErrorKiller) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ddcDtRIA.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\evmvlc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\awtUnmmK.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\KmmnUtwa.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\KmmnUtwa.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mkkispiw.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wipsikkm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qexfxxqw.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wqxxfxeq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ujqicxcx.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lsdusejd.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qmjbyowh.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ftrxolmq.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vlxfnyms.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pqyauxjp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\b6af86a3.sys (Backdoor.Rustock) -> Delete on reboot.
C:\Documents and Settings\Jason and Cherie\Application Data\ErrorKiller\Errors.stg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jason and Cherie\Application Data\ErrorKiller\Results.stg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jason and Cherie\Application Data\ErrorKiller\Registry Backups\2007-07-01_00-55-34.reg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jason and Cherie\Application Data\ErrorKiller\Registry Backups\2007-07-01_01-04-23.reg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jason and Cherie\Application Data\ErrorKiller\Registry Backups\2007-07-01_01-04-38.reg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\k86.bin (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\BM474e1b2b.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM474e1b2b.txt (Trojan.Vundo) -> Quarantined and deleted successfully.




I then re-ran HijackThis, and here is that log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:37 AM, on 8/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://help.bellsouth.net/fastaccess/launch.asp
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1d4ff333-b03c-404f-b99a-020b1c4e044d} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {aa58ed58-01dd-4d91-8333-cf10577473f7} - (no file)
O2 - BHO: (no name) - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151162249406
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://www.fastaccess.drivers.bellsouth.net/software/DSLspeedtool/bls_speedop.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - AppInit_DLLs: evmvlc.dll
O20 - Winlogon Notify: cryptmd5 - C:\WINDOWS\SYSTEM32\cryptmd5.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Nero BackItUp Scheduler 3 (nero backitup scheduler 3) - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService (nmindexingservice) - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7484 bytes


Please let me know if I need to do anything else. Your help is greatly appreciated.

guitarhawg

ken545
2008-08-21, 02:51
Hello guitarhawg

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.



Open HijackThis and choose Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {1d4ff333-b03c-404f-b99a-020b1c4e044d} - (no file)

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O20 - AppInit_DLLs: evmvlc.dll
O20 - Winlogon Notify: cryptmd5 - C:\WINDOWS\SYSTEM32\cryptmd5.dll





Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected and will be back to normal after the first or second boot.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.



Malwarebytes got rid of some nasty stuff, there may be more.


Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards, before connecting to the net.



2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
If there is no Internet connection when ComboFix has completely finished, restart your computer to restore the connection.


3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.
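The four entries ken545 asks to have fixed above (an orphaned BHO, the O6 Internet Explorer policy restriction, and the two O20 loading points) are exactly the categories a triager scans a HijackThis log for, because AppInit_DLLs and Winlogon Notify are persistence mechanisms that load a DLL into every process or into winlogon.exe at logon. The script below is an added example for readers of this thread; it is not part of the thread, of HijackThis, or of any tool mentioned here. It parses lines in the HJT log format and flags those categories, plus Run entries that launch a DLL through rundll32 (the BM474e1b2b entry from the first log, which Malwarebytes later removed). The sample input is constructed from lines in the logs posted above; the severity labels and the decision to treat every shown Winlogon Notify entry as high are assumptions of this example, not HijackThis behaviour.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not affiliated with HijackThis or this forum. The rules below
mirror the entry types the helper asked to have fixed in this thread; the
severity labels are this example's own assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis logs posted in the
# thread, with two benign Symantec entries included for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
O2 - BHO: (no name) - {1d4ff333-b03c-404f-b99a-020b1c4e044d} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BM474e1b2b] Rundll32.exe "C:\WINDOWS\system32\cxrnwrsk.dll",s
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - AppInit_DLLs: evmvlc.dll
O20 - Winlogon Notify: cryptmd5 - C:\WINDOWS\SYSTEM32\cryptmd5.dll
""".strip()

# Every HJT entry starts with a section tag (R0, O2, O20, ...) and " - ".
LINE_RE = re.compile(r"^(?P<sec>[OR]\d{1,2}) - (?P<body>.*)$")
RUNDLL_RE = re.compile(r"rundll32(\.exe)?\s", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    severity: str  # "high" or "review" (assumed labels, see module docstring)
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a line that needs attention, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, process list, blank line, etc.
    sec, body = m.group("sec"), m.group("body")

    if sec in ("O2", "O3") and body.endswith("(no file)"):
        # Registration survives but the DLL is gone: leftover to clean up.
        return Finding(sec, "review", "orphaned BHO/toolbar registration (file missing)", line)
    if sec == "O4" and RUNDLL_RE.search(body):
        # Legit products use rundll32 too, so verify the DLL rather than assume.
        return Finding(sec, "review", "Run entry loads a DLL via rundll32; verify the DLL's publisher", line)
    if sec == "O6":
        return Finding(sec, "review", "IE policy restriction present; confirm it was set deliberately", line)
    if sec == "O20" and body.startswith("AppInit_DLLs:"):
        # Listed DLLs are mapped into every process that loads user32.dll.
        return Finding(sec, "high", "AppInit_DLLs entry injects a DLL into every GUI process", line)
    if sec == "O20" and body.startswith("Winlogon Notify:"):
        # Notify packages run inside winlogon.exe at logon (Windows XP).
        return Finding(sec, "high", "Winlogon Notify package runs inside winlogon.exe at logon", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan a whole HJT log and return all findings in log order."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


def high_severity(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}\n         {f.line}")
```

Running it against the sample prints six findings, two of them high (the AppInit_DLLs and Winlogon Notify lines), and leaves the Symantec BHO and the ccApp Run entry alone. Anything flagged "review" still needs a human or a scanner verdict; the script only narrows a log down to the loading points worth looking at.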

guitarhawg
2008-08-21, 17:55
I followed your instructions; ComboFix restarted my system and then generated a log.

Here is the combofix log:



ComboFix 08-08-19.06 - Jason and Cherie 2008-08-21 10:35:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1467 [GMT -5:00]
Running from: C:\Documents and Settings\Jason and Cherie\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jason and Cherie\Application Data\macromedia\Flash Player\#SharedObjects\MMK2VJZ3\interclick.com
C:\Documents and Settings\Jason and Cherie\Application Data\macromedia\Flash Player\#SharedObjects\MMK2VJZ3\interclick.com\ud.sol
C:\Documents and Settings\Jason and Cherie\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Jason and Cherie\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\cryptmd5.dll
C:\WINDOWS\system32\eWebControl.dll
C:\WINDOWS\system32\guqaiv.dll
C:\WINDOWS\system32\jxhrfkxy.dll
C:\WINDOWS\system32\lsfipsov.ini
C:\WINDOWS\system32\nhmtiwma.dll
C:\WINDOWS\system32\okjtkdxw.dll
C:\WINDOWS\system32\tsdvstxl.dll
C:\WINDOWS\system32\ybkgdr.dll
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.

2008-08-19 01:38 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-19 00:59 . 2008-08-19 00:59 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-19 00:59 . 2008-08-19 01:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-18 15:49 . 2008-08-18 15:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-18 15:19 . 2008-08-18 15:19 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 15:19 . 2008-08-18 15:19 <DIR> d-------- C:\Documents and Settings\Jason and Cherie\Application Data\Malwarebytes
2008-08-18 15:19 . 2008-08-18 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 15:19 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 15:19 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-16 01:11 . 2008-08-16 01:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-16 01:07 . 2008-08-16 01:07 <DIR> d-------- C:\WINDOWS\AdWare Pro
2008-08-16 01:06 . 2008-08-16 01:08 <DIR> d-------- C:\Program Files\AdWare Pro
2008-08-15 15:43 . 2008-08-15 15:43 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-15 15:28 . 2008-08-15 15:28 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-08-14 15:57 . 2008-08-14 15:57 4 --a------ C:\WINDOWS\msoffice.ini
2008-08-12 18:26 . 2008-05-01 09:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 18:25 . 2008-04-11 14:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-10 10:00 . 2008-08-13 00:16 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-08-09 17:18 . 2008-08-09 17:18 <DIR> d-------- C:\Documents and Settings\Jason and Cherie\Application Data\Nero
2008-08-09 17:14 . 2008-08-09 17:14 <DIR> d-------- C:\Program Files\Nero
2008-08-09 17:14 . 2008-08-09 17:16 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-08-09 17:14 . 2008-08-09 17:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-08-08 22:25 . 2008-08-08 22:25 <DIR> d-------- C:\Program Files\Ahead
2008-08-08 21:55 . 2008-08-08 21:55 7 --a------ C:\WINDOWS\system32\ngxt.bin
2008-08-08 21:39 . 2008-08-08 21:39 2 --a------ C:\1149052952
2008-08-08 21:38 . 2008-08-08 21:38 153,581 --a------ C:\pxbuecnp.exe
2008-08-02 20:31 . 2008-08-02 20:31 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-02 20:31 . 2008-08-02 20:31 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-02 20:31 . 2008-08-02 20:31 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-02 20:31 . 2008-08-02 20:31 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-02 20:28 . 2008-08-02 20:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-01 16:30 . 2008-04-13 19:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 15:41 --------- d-----w C:\Program Files\Dl_cats
2008-08-21 15:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-20 18:54 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-08-19 06:38 --------- d-----w C:\Program Files\Java
2008-08-19 06:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-18 14:13 38,364 ----a-w C:\Documents and Settings\Jason and Cherie\Application Data\wklnhst.dat
2008-08-14 21:10 --------- d-----w C:\Program Files\Google
2008-08-14 20:57 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-14 20:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-08-14 19:45 --------- d-----w C:\Documents and Settings\Jason and Cherie\Application Data\Move Networks
2008-08-06 21:51 --------- d-----w C:\Program Files\Apple Software Update
2008-08-06 21:06 --------- d-----w C:\Program Files\iTunes
2008-08-06 21:05 --------- d-----w C:\Program Files\iPod
2008-08-04 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-30 22:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 22:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 22:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-27 21:34 --------- d-----w C:\Program Files\Guitar Pro 5
2008-07-26 22:33 --------- d-----w C:\Documents and Settings\Jason and Cherie\Application Data\ErrorSmart
2008-07-21 22:14 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-07-14 21:14 --------- d-----w C:\Program Files\QuickTime
2008-07-10 14:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-09 06:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-02 05:30 --------- d-----w C:\Program Files\Norton 360
2008-06-28 23:09 --------- d-----w C:\Program Files\Electronic Arts
2008-06-28 22:32 --------- d-----w C:\Program Files\GameSpy Arcade
2008-06-24 21:06 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2008-06-06 19:54 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-11-12 03:51 22,328 ----a-w C:\Documents and Settings\Jason and Cherie\Application Data\PnkBstrK.sys
2007-09-12 22:02 2,018 ----a-w C:\Program Files\config.cfg
2007-05-20 23:49 11,175 ----a-w C:\Program Files\uninstal.log
2007-05-20 23:49 10,714 ----a-w C:\Program Files\setuplog.txt
2007-04-14 20:06 92,064 ----a-w C:\Documents and Settings\Jason and Cherie\mqdmmdm.sys
2007-04-14 20:06 9,232 ----a-w C:\Documents and Settings\Jason and Cherie\mqdmmdfl.sys
2007-04-14 20:06 79,328 ----a-w C:\Documents and Settings\Jason and Cherie\mqdmserd.sys
2007-04-14 20:06 66,656 ----a-w C:\Documents and Settings\Jason and Cherie\mqdmbus.sys
2007-04-14 20:06 6,208 ----a-w C:\Documents and Settings\Jason and Cherie\mqdmcmnt.sys
2007-04-14 20:06 5,936 ----a-w C:\Documents and Settings\Jason and Cherie\mqdmwhnt.sys
2007-04-14 20:06 4,048 ----a-w C:\Documents and Settings\Jason and Cherie\mqdmcr.sys
2007-04-14 20:06 25,600 ----a-w C:\Documents and Settings\Jason and Cherie\usbsermptxp.sys
2007-04-14 20:06 22,768 ----a-w C:\Documents and Settings\Jason and Cherie\usbsermpt.sys
2004-10-19 21:38 11,052,037 ----a-w C:\Documents and Settings\Jason and Cherie\Application Data\HCSetup2.0_IW.5.1.exe
2006-08-05 22:21 88 --sh--r C:\WINDOWS\system32\8711F919CA.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


Here is the new HJT log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:00 AM, on 8/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Maxtor\OneTouch\Utils\MaxSync.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\dlcdcoms.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://help.bellsouth.net/fastaccess/launch.asp
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {aa58ed58-01dd-4d91-8333-cf10577473f7} - (no file)
O2 - BHO: (no name) - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151162249406
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://www.fastaccess.drivers.bellsouth.net/software/DSLspeedtool/bls_speedop.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Nero BackItUp Scheduler 3 (nero backitup scheduler 3) - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService (nmindexingservice) - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8033 bytes


Thanks for the help so far....let me know what's next.

Jason
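The helper's first pass over a HijackThis log like the one above is to pick out the O2/O3 entries whose CLSID resolves to "(no file)" (a registration left behind after its DLL was removed), the O4 autoruns, and the O16 ActiveX downloads. The script below is an added example, not part of this thread, of HijackThis, or of any Spybot tool; it parses the plain-text HJT v2 line format and returns those groups so an analyst can review them. The sample log is constructed from a handful of lines on this page, and the helper names (`parse_hjt`, `orphaned_clsids`, `autoruns`, `activex_downloads`) are the example's own.

```python
"""Triage helper for a HijackThis (HJT) v2 log.

Added example, not part of the thread or of HijackThis itself. It parses the
"Oxx - ..." lines of an HJT log and groups the ones a helper looks at first.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HJT log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:00 AM, on 8/21/2008
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {aa58ed58-01dd-4d91-8333-cf10577473f7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Every HJT finding is "<section code> - <text>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<text>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# O4 lines: "HKLM\..\Run: [name] command"
O4_RE = re.compile(r"(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)")
# O16 lines: "DPF: {CLSID} (friendly name) - URL"
O16_RE = re.compile(r"DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]+)\) - (?P<url>\S+)")


@dataclass
class Entry:
    kind: str   # HJT section code such as "O2" or "O23"
    text: str   # everything after "<code> - "


def parse_hjt(log: str) -> list[Entry]:
    """Return the HJT findings in the log; header and blank lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("text")))
    return entries


def orphaned_clsids(entries: list[Entry]) -> list[str]:
    """CLSIDs of O2 BHOs / O3 toolbars that HJT reports as '(no file)'.

    HJT prints '(no file)' when the registered DLL is missing on disk; the
    registration is dead weight and is what a helper usually has HJT fix.
    """
    found = []
    for e in entries:
        if e.kind in ("O2", "O3") and e.text.endswith("(no file)"):
            m = CLSID_RE.search(e.text)
            found.append(m.group(0) if m else e.text)
    return found


def autoruns(entries: list[Entry]) -> list[dict]:
    """O4 Run-key entries as {hive, key, name, cmd} for review."""
    out = []
    for e in entries:
        if e.kind == "O4":
            m = O4_RE.match(e.text)
            if m:
                out.append(m.groupdict())
    return out


def activex_downloads(entries: list[Entry]) -> list[dict]:
    """O16 DPF entries: ActiveX controls the browser was told to fetch from a URL."""
    out = []
    for e in entries:
        if e.kind == "O16":
            m = O16_RE.match(e.text)
            if m:
                out.append(m.groupdict())
    return out


def triage(log: str) -> dict:
    """One-call summary used by the demo below and by the tests."""
    entries = parse_hjt(log)
    return {
        "entries": len(entries),
        "orphaned": orphaned_clsids(entries),
        "autoruns": autoruns(entries),
        "activex": activex_downloads(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['entries']} HJT entries parsed")
    print("orphaned CLSIDs:", *report["orphaned"], sep="\n  ")
    for a in report["autoruns"]:
        print(f"autorun {a['hive']}\\{a['key']} [{a['name']}] -> {a['cmd']}")
    for x in report["activex"]:
        print(f"ActiveX {x['name']} from {x['url']}")
```

The output is only a sorted view of what the log already says; whether an orphaned CLSID or an autorun is benign leftover or something to act on remains the analyst's call, as in the thread.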

ken545
2008-08-21, 18:44
Hi,

Want to point this out to you, you may want to uninstall it via Add/Remove Programs in the Control Panel

C:\Program Files\GameSpy Arcade <---Adware
http://vil.nai.com/vil/content/v_131038.htm

This program also; it's listed on the site for Rogue Anti-Spyware Programs. This is not the legitimate Ad-Aware program.
C:\Program Files\AdWare Pro



You need to enable windows to show all files and folders, instructions Here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis. Just use the Browse feature and then Submit; you will get a report back. Post the report into this thread for me to see.

C:\pxbuecnp.exe <---This file



You did not post the entire ComboFix log. I need to see the entire log along with the VirusTotal report, please.

guitarhawg
2008-08-21, 20:17
Here is the combofix log


ComboFix 08-08-19.06 - Jason and Cherie 2008-08-21 10:35:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1467 [GMT -5:00]
Running from: C:\Documents and Settings\Jason and Cherie\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jason and Cherie\Application Data\macromedia\Flash Player\#SharedObjects\MMK2VJZ3\interclick.com
C:\Documents and Settings\Jason and Cherie\Application Data\macromedia\Flash Player\#SharedObjects\MMK2VJZ3\interclick.com\ud.sol
C:\Documents and Settings\Jason and Cherie\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Jason and Cherie\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\cryptmd5.dll
C:\WINDOWS\system32\eWebControl.dll
C:\WINDOWS\system32\guqaiv.dll
C:\WINDOWS\system32\jxhrfkxy.dll
C:\WINDOWS\system32\lsfipsov.ini
C:\WINDOWS\system32\nhmtiwma.dll
C:\WINDOWS\system32\okjtkdxw.dll
C:\WINDOWS\system32\tsdvstxl.dll
C:\WINDOWS\system32\ybkgdr.dll
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.

2008-08-19 01:38 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-19 00:59 . 2008-08-19 00:59 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-19 00:59 . 2008-08-19 01:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-18 15:49 . 2008-08-18 15:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-18 15:19 . 2008-08-18 15:19 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 15:19 . 2008-08-18 15:19 <DIR> d-------- C:\Documents and Settings\Jason and Cherie\Application Data\Malwarebytes
2008-08-18 15:19 . 2008-08-18 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 15:19 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 15:19 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-16 01:11 . 2008-08-16 01:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-16 01:07 . 2008-08-16 01:07 <DIR> d-------- C:\WINDOWS\AdWare Pro
2008-08-16 01:06 . 2008-08-16 01:08 <DIR> d-------- C:\Program Files\AdWare Pro
2008-08-15 15:43 . 2008-08-15 15:43 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-15 15:28 . 2008-08-15 15:28 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-08-14 15:57 . 2008-08-14 15:57 4 --a------ C:\WINDOWS\msoffice.ini
2008-08-12 18:26 . 2008-05-01 09:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 18:25 . 2008-04-11 14:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-10 10:00 . 2008-08-13 00:16 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-08-09 17:18 . 2008-08-09 17:18 <DIR> d-------- C:\Documents and Settings\Jason and Cherie\Application Data\Nero
2008-08-09 17:14 . 2008-08-09 17:14 <DIR> d-------- C:\Program Files\Nero
2008-08-09 17:14 . 2008-08-09 17:16 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-08-09 17:14 . 2008-08-09 17:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-08-08 22:25 . 2008-08-08 22:25 <DIR> d-------- C:\Program Files\Ahead
2008-08-08 21:55 . 2008-08-08 21:55 7 --a------ C:\WINDOWS\system32\ngxt.bin
2008-08-08 21:39 . 2008-08-08 21:39 2 --a------ C:\1149052952
2008-08-08 21:38 . 2008-08-08 21:38 153,581 --a------ C:\pxbuecnp.exe
2008-08-02 20:31 . 2008-08-02 20:31 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-02 20:31 . 2008-08-02 20:31 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-02 20:31 . 2008-08-02 20:31 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-02 20:31 . 2008-08-02 20:31 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-02 20:28 . 2008-08-02 20:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-01 16:30 . 2008-04-13 19:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 15:41 --------- d-----w C:\Program Files\Dl_cats
2008-08-21 15:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-20 18:54 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-08-19 06:38 --------- d-----w C:\Program Files\Java
2008-08-19 06:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-18 14:13 38,364 ----a-w C:\Documents and Settings\Jason and Cherie\Application Data\wklnhst.dat
2008-08-14 21:10 --------- d-----w C:\Program Files\Google
2008-08-14 20:57 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-14 20:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-08-14 19:45 --------- d-----w C:\Documents and Settings\Jason and Cherie\Application Data\Move Networks
2008-08-06 21:51 --------- d-----w C:\Program Files\Apple Software Update
2008-08-06 21:06 --------- d-----w C:\Program Files\iTunes
2008-08-06 21:05 --------- d-----w C:\Program Files\iPod
2008-08-04 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-30 22:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 22:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 22:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-27 21:34 --------- d-----w C:\Program Files\Guitar Pro 5
2008-07-26 22:33 --------- d-----w C:\Documents and Settings\Jason and Cherie\Application Data\ErrorSmart
2008-07-21 22:14 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-07-14 21:14 --------- d-----w C:\Program Files\QuickTime
2008-07-10 14:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-09 06:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-02 05:30 --------- d-----w C:\Program Files\Norton 360
2008-06-28 23:09 --------- d-----w C:\Program Files\Electronic Arts
2008-06-28 22:32 --------- d-----w C:\Program Files\GameSpy Arcade
2008-06-24 21:06 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2008-06-06 19:54 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-11-12 03:51 22,328 ----a-w C:\Documents and Settings\Jason and Cherie\Application Data\PnkBstrK.sys
2007-09-12 22:02 2,018 ----a-w C:\Program Files\config.cfg
2007-05-20 23:49 11,175 ----a-w C:\Program Files\uninstal.log
2007-05-20 23:49 10,714 ----a-w C:\Program Files\setuplog.txt
2007-04-14 20:06 92,064 ----a-w C:\Documents and Settings\Jason and Cherie\mqdmmdm.sys
2007-04-14 20:06 9,232 ----a-w C:\Documents and Settings\Jason and Cherie\mqdmmdfl.sys
2007-04-14 20:06 79,328 ----a-w C:\Documents and Settings\Jason and Cherie\mqdmserd.sys
2007-04-14 20:06 66,656 ----a-w C:\Documents and Settings\Jason and Cherie\mqdmbus.sys
2007-04-14 20:06 6,208 ----a-w C:\Documents and Settings\Jason and Cherie\mqdmcmnt.sys
2007-04-14 20:06 5,936 ----a-w C:\Documents and Settings\Jason and Cherie\mqdmwhnt.sys
2007-04-14 20:06 4,048 ----a-w C:\Documents and Settings\Jason and Cherie\mqdmcr.sys
2007-04-14 20:06 25,600 ----a-w C:\Documents and Settings\Jason and Cherie\usbsermptxp.sys
2007-04-14 20:06 22,768 ----a-w C:\Documents and Settings\Jason and Cherie\usbsermpt.sys
2004-10-19 21:38 11,052,037 ----a-w C:\Documents and Settings\Jason and Cherie\Application Data\HCSetup2.0_IW.5.1.exe
2006-08-05 22:21 88 --sh--r C:\WINDOWS\system32\8711F919CA.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 03:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 03:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 03:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 16:42 401491]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 16:04 712704]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 17:24 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 14:37 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 09:50 988512]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-09-13 17:51 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"msacm.avis"= ff_acm.acm
"vidc.i263"= C:\WINDOWS\system32\i263_32.drv
"msacm.imc"= C:\WINDOWS\system32\imc32.acm
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"C:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe"=
"C:\\Program Files\\Yahoo! Games\\Cubis Gold 2\\cubis2.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Westwood\\RA2\\game.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 14:37]
R3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2005-10-27 16:41]
R3 USB28xxBGA;easycap video grabber;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2007-01-16 15:58]
R3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2007-02-06 17:38]
S1 b6af86a3;b6af86a3;C:\WINDOWS\system32\drivers\b6af86a3.sys []
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 14:36]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 19:03]
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-06-18 14:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-08-16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Jason and Cherie\Application Data\Mozilla\Firefox\Profiles\xom58juv.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://home.bellsouth.net/
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 10:40:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\COMRes.dll
-> ?:\WINDOWS\system32\COMRes.dll
-> ?:\WINDOWS\system32\ACTXPRXY.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Maxtor\OneTouch\Utils\MaxSync.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-08-21 10:46:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-21 15:45:59

Pre-Run: 62,075,097,088 bytes free
Post-Run: 62,187,085,824 bytes free

260 --- E O F --- 2008-08-13 15:03:54




Here are the results of the scan of the file you requested:


File pxbuecnp.exe received on 08.21.2008 20:13:41 (CET)
Result: 9/36 (25%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.21.0 2008.08.21 -
AntiVir 7.8.1.23 2008.08.21 -
Authentium 5.1.0.4 2008.08.21 -
Avast 4.8.1195.0 2008.08.21 -
AVG 8.0.0.161 2008.08.21 FakeAlert.BI
BitDefender 7.2 2008.08.21 Trojan.Crypt.EQ
CAT-QuickHeal 9.50 2008.08.21 -
ClamAV 0.93.1 2008.08.21 -
DrWeb 4.44.0.09170 2008.08.21 Trojan.Packed.612
eSafe 7.0.17.0 2008.08.21 Suspicious File
eTrust-Vet 31.6.6039 2008.08.21 -
Ewido 4.0 2008.08.21 -
F-Prot 4.4.4.56 2008.08.20 -
F-Secure 7.60.13501.0 2008.08.21 -
Fortinet 3.14.0.0 2008.08.21 -
GData 2.0.7306.1023 2008.08.20 -
Ikarus T3.1.1.34.0 2008.08.21 -
K7AntiVirus 7.10.423 2008.08.21 -
Kaspersky 7.0.0.125 2008.08.21 -
McAfee 5366 2008.08.21 -
Microsoft 1.3807 2008.08.21 -
NOD32v2 3375 2008.08.21 a variant of Win32/TrojanDownloader.FakeAlert.GU
Norman 5.80.02 2008.08.21 -
Panda 9.0.0.4 2008.08.21 -
PCTools 4.4.2.0 2008.08.21 -
Prevx1 V2 2008.08.21 -
Rising 20.58.32.00 2008.08.21 -
Sophos 4.32.0 2008.08.21 Mal/EncPk-EQ
Sunbelt 3.1.1564.1 2008.08.21 Trojan.Unidentified.Gen.FN
Symantec 10 2008.08.21 -
TheHacker 6.3.0.6.057 2008.08.21 -
TrendMicro 8.700.0.1004 2008.08.21 -
VBA32 3.12.8.4 2008.08.21 Hoax.Win32.Bravia.hf
ViRobot 2008.8.21.1344 2008.08.21 -
VirusBuster 4.5.11.0 2008.08.21 -
Webwasher-Gateway 6.6.2 2008.08.21 Win32.Malware.dam (suspicious)
Additional information
File size: 153581 bytes
MD5...: 77a8488620a6bbbc5bc70665c7b0aac8
SHA1..: 1b8dcbda793d036bb286648ab167a54a4f2b3abe
SHA256: c73365a8d197138fd8b2452318f658a86469c3c0e7c180953494c0be3e188339
SHA512: 4db884d75f9cafe86fde2ac8492d80336d029f1b838e079725a337d2430c7e08
0603b20119f68c15b34e95f073c31fea28ab175485bba339e8e3a1344dffb25a
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401003
timedatestamp.....: 0x489c8d14 (Fri Aug 08 18:14:44 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3000 0x1000 0.19 97a82197042f4ac95c03aed7332f8eeb
.data 0x4000 0x2f000 0x2c000 8.00 6875390df8e7b0be78538b7fada5365e
.idata 0x33000 0x1000 0x1000 0.00 d41d8cd98f00b204e9800998ecf8427e

( 4 imports )
> KERNEL32.DLL: EnumResourceLanguagesW, ExitProcess, GetEnvironmentVariableW, GetFullPathNameW, GetVolumeInformationA, GlobalGetAtomNameA, LockFile, QueueUserAPC, SetConsoleScreenBufferSize, SystemTimeToTzSpecificLocalTime, WaitForMultipleObjectsEx, lstrcpyW
> ADVAPI32.DLL: BuildImpersonateExplicitAccessWithNameA, CryptDestroyKey, LookupSecurityDescriptorPartsW, MapGenericMask, ObjectCloseAuditAlarmW, ReadEventLogW, RegDeleteKeyA, RegEnumKeyA
> USER32.DLL: CreateIcon, DefWindowProcA, EndMenu, GetAltTabInfo, GetClipboardSequenceNumber, GetGUIThreadInfo, GetWindowTextW, IsClipboardFormatAvailable, ModifyMenuA, PostQuitMessage, SetActiveWindow, SetUserObjectInformationA, SetWindowsHookA
> GDI32.DLL: CreateHatchBrush, EnumFontFamiliesExA, GetCharWidthW, GetEnhMetaFileDescriptionA, RemoveFontResourceA, SaveDC, SetBrushOrgEx, SetGraphicsMode, SetTextJustification

( 0 exports )
packers (Kaspersky): PE_Patch


I removed GameSpy Arcade as you suggested...I remember that came with my Star Wars Battlefront game....

If I need to do more, please let me know...thank you again for all your time.

Jason

ken545
2008-08-22, 00:05
Hello Jason,

Want to give you another heads up on this, you may or may not still have it.

C:\\Program Files\\LimeWire


P2P (File Sharing) programs form a direct conduit onto your computer; their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html (http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html)

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.


Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



C:\pxbuecnp.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" Yellow Window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Post the OTMoveIt log and a new HJT log and let's take one more look. How are things running now?

guitarhawg
2008-08-22, 00:09
Things are running much much better now....thanks a lot. I will follow these latest instructions when I get home from work tonight, or if I go home for dinner. Thanks again. Will post back.

Jason

guitarhawg
2008-08-22, 04:23
Here is the move it results:


C:\pxbuecnp.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08212008_212009




Here is the new HJT log:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:02 PM, on 8/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Maxtor\OneTouch\Utils\MaxSync.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Nero Web\SetupX.exe
C:\Program Files\Common Files\Nero\Nero Web\SetupX.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://help.bellsouth.net/fastaccess/launch.asp
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {aa58ed58-01dd-4d91-8333-cf10577473f7} - (no file)
O2 - BHO: (no name) - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151162249406
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://www.fastaccess.drivers.bellsouth.net/software/DSLspeedtool/bls_speedop.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Nero BackItUp Scheduler 3 (nero backitup scheduler 3) - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService (nmindexingservice) - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8327 bytes


thanks again for your help.

Jason

ken545
2008-08-22, 14:17
Looking Good Jason :bigthumb:

These are optional as the file is missing. You can fix them with HJT.

Yahoo Companion
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

Google Toolbar
O2 - BHO: (no name) - {aa58ed58-01dd-4d91-8333-cf10577473f7} - (no file)
O2 - BHO: (no name) - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - (no file)

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)



ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <--- Is not a general cleaning tool, just run it with supervision or you can bork your system.


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.



How is your system behaving now??
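
The entries Ken flags above are O2 (Browser Helper Object) and O3 (Toolbar) registrations whose CLSID still sits in the registry but whose DLL is gone, which HijackThis reports as "(no file)". Picking those out of a long log by eye is tedious, so here is a small parser that does it automatically. This is an added example for this thread, not code from HijackThis or from anyone in the discussion; it assumes only the line layout visible in the logs posted above, and the sample lines are copied from Jason's second log.

```python
import re

# Constructed sample input: a handful of lines taken from the HijackThis
# log posted earlier in this thread (O2/O3 entries plus one O4 line that
# the parser must ignore).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {aa58ed58-01dd-4d91-8333-cf10577473f7} - (no file)
O2 - BHO: (no name) - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"""

# HijackThis O2/O3 lines look like:
#   O2 - BHO: <name> - {CLSID} - <path or "(no file)">
#   O3 - Toolbar: <name> - {CLSID} - <path or "(no file)">
# A CLSID is 32 hex digits plus 4 hyphens, 36 characters inside the braces.
BHO_TOOLBAR_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)


def parse_entries(log_text):
    """Return a dict per O2/O3 line in the log; all other sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = BHO_TOOLBAR_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def orphaned_entries(log_text):
    """Return the O2/O3 entries whose registration points at a file that no
    longer exists, i.e. the ones HijackThis prints as "(no file)"."""
    return [e for e in parse_entries(log_text) if e["path"] == "(no file)"]


def report(log_text):
    """Format the orphaned entries the way a helper would list them in a reply."""
    lines = []
    for e in orphaned_entries(log_text):
        lines.append(f"{e['section']} - {e['kind']}: {e['name']} - {e['clsid']} - (no file)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The script only lists candidates; a missing-file entry is a harmless leftover from an uninstalled add-on rather than an active threat, and whether to fix it in HijackThis is still a reviewer's call, which is why the example keeps the full CLSID in its output so the entry can be matched against the log.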

guitarhawg
2008-08-22, 16:34
Thanks, Ken for your persistent and patient help. My system is running well now. The only issue(s) I have, I believe are Norton related...the old "ccSvcHst" hangup at shutdown, and an occasional "page fault in non-paged area" BSD. (this one may be related to my Maxtor backup)


Overall, the improvement is stunning. I have followed all your advice, including ditching the P2P program. I think I am much more aware now of the problems I could cause for myself, and am better protected. Thank you again. Your time is valuable, and it's wonderful that you dedicate so much of it to idiots like me who muck up the works of their systems.

Thanks,

Jason

ken545
2008-08-22, 16:47
Jason,

Don't go too hard on yourself, you're not an idiot, you were just not aware of some of the dangers out there, but it appears you are a little more aware now :bigthumb:




How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Keep in mind if you install some of these programs: only ONE Anti-Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken

guitarhawg
2008-08-23, 16:23
Ken,

Thank you for your help. I have followed the rest of your instructions and installed the new programs....I will be much more cautious in the future.

Come to the New Orleans area...I owe you a drink.




Jason

ken545
2008-08-23, 16:47
Hello Jason,

Thanks for the offer but don't know when I will ever be down that way.

Glad things are running well for you.

Take Care,
Ken:)