virtumonde problem



realady
2009-03-28, 21:56
Hello, I hope you can help me. First, I have the problem of the Virtumonde virus and I cannot update Spybot. I have had to restore my PC twice now, as the problems seem to be getting worse. I have downloaded ERUNT, but when it came up I can't find "system registry" on the list, which your instructions stated to click on. I have included a copy of the HijackThis log here. Please help. I am a single mom of 4 and use this PC to take classes online in hopes of someday finding a way to support my family. I truly appreciate any help you can give me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:04 PM, on 3/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {462246dd-27be-4ab4-8191-bec9ea7cbb07} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Gamevance Text - {7370F91F-6994-4595-9949-601FA2261C8D} - C:\Program Files\Gamevance\gvtl.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: iWin Toolbar - {ce0c2586-da36-452b-acdb-320d9bcb19bf} - C:\Program Files\iWin\tbiWin.dll
O2 - BHO: (no name) - {defbb6db-76e2-47b9-a157-13ed49f4bbb0} - C:\WINDOWS\system32\pebopimi.dll (file missing)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zudirufawo] Rundll32.exe "C:\WINDOWS\system32\hewumoso.dll",s
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\Antivirus2008\Antvrs.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [zudirufawo] Rundll32.exe "C:\WINDOWS\system32\hewumoso.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Startup: StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188062979771
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188063037414
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab75406.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\tejuviyo.dll cjgioo.dll c:\windows\system32\tojewote.dll
O22 - SharedTaskScheduler: chaplin - {257f6f44-2c64-46bb-acb4-55f9b9e0ae08} - C:\WINDOWS\system32\psqnuvo.dll (file missing)
O22 - SharedTaskScheduler: cypselomorphae - {6b9a461b-893f-45ee-8c59-06d3a2223b24} - C:\WINDOWS\system32\ebmkdz.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tojewote.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iWinTrusted - iWin Inc. - C:\Program Files\iWin Games\iWinTrusted.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10582 bytes
Thank you again!

Hi, I see you moved my post and stated no HJT log? OK, I am blonde, so what else do I need, and how do I do it? Thank you so much.

Edit:
No HJT logs in the Spybot-S&D forum, only in this forum, which is why the thread was moved. ;)

Forum FAQ: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288). If necessary, please post in the Waiting Room after 4 days have passed. Cheers. :)
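The HijackThis log in the post above shows the persistence layout typical of a Virtumonde/Vundo infection of that era: an O4 Run entry that launches a system32 DLL through Rundll32, an O20 AppInit_DLLs value naming more random-looking DLLs, O22 SharedTaskScheduler entries, unnamed or dangling BHOs, and a rogue "Antivirus" autostart. The Python script below is an added example for this page, not code from the thread, from HijackThis or from Safer Networking: it parses lines in the HijackThis v2 format and flags exactly those patterns. The sample lines are constructed from entries in the log above, the consonant/vowel name heuristic in looks_generated() and the ROGUE_PRODUCT_HINTS list are assumptions made for the example, and a real triage would still look each flagged entry up rather than trust the heuristic.

```python
import re
from collections import Counter

# Constructed sample in HijackThis v2 line format, assembled from the kinds of
# entries visible in the log above (O2/O4/O20/O22/O23 sections). Not a real scan.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {defbb6db-76e2-47b9-a157-13ed49f4bbb0} - C:\WINDOWS\system32\pebopimi.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zudirufawo] Rundll32.exe "C:\WINDOWS\system32\hewumoso.dll",s
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\Antivirus2008\Antvrs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\tejuviyo.dll cjgioo.dll c:\windows\system32\tojewote.dll
O22 - SharedTaskScheduler: chaplin - {257f6f44-2c64-46bb-acb4-55f9b9e0ae08} - C:\WINDOWS\system32\psqnuvo.dll (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O22_RE = re.compile(r"^O22 - SharedTaskScheduler: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
RUNDLL_RE = re.compile(r"\brundll32(\.exe)?\b", re.IGNORECASE)

# Assumed for this example: directory names of rogue "antivirus" products, seeded
# from the one in the log above. A real triage would use a maintained list.
ROGUE_PRODUCT_HINTS = ("antivirus2008",)

VOWELS = set("aeiou")


def looks_generated(stem: str) -> bool:
    """Heuristic for Vundo-style names: 6-10 lowercase letters that strictly
    alternate consonant/vowel (hewumoso, tejuviyo, pebopimi). 'y' counts as a
    consonant. Expect some false positives on short real words."""
    if not re.fullmatch(r"[a-z]{6,10}", stem):
        return False
    is_vowel = [ch in VOWELS for ch in stem]
    return all(a != b for a, b in zip(is_vowel, is_vowel[1:]))


def stem_of(path: str) -> str:
    """Filename without directory, extension or the '(file missing)' suffix."""
    name = path.replace("(file missing)", "").strip().rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def triage_hjt(log_text: str) -> list:
    """Return (section, detail) findings for Virtumonde-style persistence."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            cmd = m["cmd"]
            if RUNDLL_RE.search(cmd):
                # A DLL launched through rundll32 at logon is the classic Vundo loader.
                findings.append(("O4", f"rundll32-loaded DLL at logon: {cmd}"))
            elif looks_generated(m["name"]):
                findings.append(("O4", f"random-looking Run value [{m['name']}]: {cmd}"))
            elif any(hint in cmd.lower() for hint in ROGUE_PRODUCT_HINTS):
                findings.append(("O4", f"rogue security product autostart: {cmd}"))
        elif m := O20_RE.match(line):
            # AppInit_DLLs is loaded into every process that loads user32.dll;
            # it is almost never legitimately populated on a home XP machine.
            for dll in m["dlls"].split():
                findings.append(("O20", f"AppInit_DLLs injection: {dll}"))
        elif m := O22_RE.match(line):
            # SharedTaskScheduler entries run inside Explorer at logon.
            findings.append(("O22", f"SharedTaskScheduler '{m['name']}' -> {m['path']}"))
        elif m := O2_RE.match(line):
            path = m["path"]
            if m["name"] == "(no name)" or "(file missing)" in path or looks_generated(stem_of(path)):
                findings.append(("O2", f"unnamed/dangling BHO {{{m['clsid']}}} -> {path}"))
    return findings


def summarize(findings) -> Counter:
    """Count findings per HijackThis section."""
    return Counter(section for section, _ in findings)


if __name__ == "__main__":
    hits = triage_hjt(SAMPLE_HJT_LOG)
    for section, detail in hits:
        print(f"{section:4} {detail}")
    print(dict(summarize(hits)))
```

Run against the constructed sample it reports seven findings: the Rundll32-loaded hewumoso.dll and the Antivirus2008 autostart under O4, the three AppInit_DLLs entries under O20, the dangling SharedTaskScheduler DLL under O22 and the unnamed, missing BHO under O2, while the Adobe BHO, the QuickTime Run entry and the Java service pass. The O20 rule is deliberately unconditional: the split on whitespace is the one real ambiguity, because AppInit_DLLs may be space- or comma-separated and a quoted path containing spaces would be split into fragments, so treat each fragment as a lead rather than a verdict.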

peku006
2009-03-31, 19:53
Hello and welcome to Safer Networking.

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please continue to respond until I give you the "All Clear"

If you follow these instructions, everything should go smoothly.

1 - Scan With ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable Anti-virus (http://www.bleepingcomputer.com/forums/topic114351.html)

Please include the C:\ComboFix.txt in your next reply for further review.

2 - Run Hijackthis
Click on the "Do a system scan and save a logfile" button. It will scan, and the log should open in Notepad.

3 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks, peku006

realady
2009-04-01, 05:23
Here are the scan results from ComboFix that came up. It did state I had AVG 7.5 running, but this had been deleted over a week ago when I tried to update to AVG 8; it would not run, so I deleted that also. I will run the HJT scan next and post that next. Thank you for all your help.
ComboFix 09-03-31.01 - Owner 2009-03-31 22:03:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.206 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG 7.5.557 *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\My Documents\My Documents.url
c:\documents and settings\Owner\My Documents\My Music\My Music.url
c:\documents and settings\Owner\My Documents\My Pictures\My Pictures.url
c:\documents and settings\Owner\My Documents\My Videos\My Video.url
c:\windows\system32\ahtn.htm
c:\windows\system32\e2ttBL1K.exe.a_a

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_TDIDRV32.SYS


((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 )))))))))))))))))))))))))))))))
.

2009-03-28 15:05 . 2009-03-29 09:41 <DIR> d-------- c:\program files\RegCure
2009-03-25 17:14 . 2009-03-25 17:39 <DIR> d-------- c:\program files\Groove Games
2009-03-25 13:06 . 2009-03-25 13:06 10,520 --a------ c:\windows\system32\avgrsstx(3).dll
2009-03-25 13:05 . 2009-03-25 13:09 <DIR> d-------- c:\windows\system32\drivers\Avg(3)
2009-03-25 12:06 . 2009-03-25 12:06 <DIR> d-------- c:\documents and settings\Owner\Application Data\Grisoft
2009-03-23 17:28 . 2009-03-23 17:28 244 --ah----- C:\sqmnoopt19.sqm
2009-03-23 17:28 . 2009-03-23 17:28 232 --ah----- C:\sqmdata19.sqm
2009-03-21 14:37 . 2009-03-21 16:23 <DIR> d-------- c:\windows\system32\drivers\Avg(2)
2009-03-21 14:37 . 2009-03-25 13:48 <DIR> d-------- c:\program files\AVG
2009-03-18 10:25 . 2009-03-20 22:54 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-18 10:18 . 2009-03-25 13:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-17 19:59 . 2009-03-17 20:00 <DIR> d-------- c:\program files\Haunted Hotel II - Believe the Lies
2009-03-12 07:13 . 2009-03-12 07:13 2,713 ---hs---- c:\windows\system32\halukozo.exe
2009-03-03 00:29 . 2009-03-03 00:29 <DIR> d-------- c:\documents and settings\Owner\C
2009-03-03 00:05 . 2009-03-03 00:05 <DIR> d-------- c:\documents and settings\Owner\Application Data\Sony
2009-03-03 00:05 . 2009-03-03 00:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony
2009-03-02 23:47 . 2009-03-02 23:47 <DIR> d-------- c:\program files\Sony
2009-03-02 23:43 . 2009-03-02 23:49 <DIR> d-------- c:\program files\QuickTime
2009-03-02 23:43 . 2009-03-02 23:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-02 23:18 . 2009-03-02 23:18 <DIR> d-------- c:\documents and settings\Owner\Application Data\Apple Computer
2009-03-02 23:11 . 2009-03-02 23:11 <DIR> d-------- c:\program files\Apple Software Update
2009-03-02 23:11 . 2009-03-02 23:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-01 02:07 --------- d-----w c:\documents and settings\Owner\Application Data\StarOffice8
2009-04-01 01:19 --------- d-----w c:\program files\Norton Security Scan
2009-04-01 01:14 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-28 18:06 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-28 16:02 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2009-03-27 19:02 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-18 00:01 --------- d-----w c:\documents and settings\Owner\Application Data\Gamelab
2009-03-13 02:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-13 02:09 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-07 18:28 --------- d-----w c:\program files\iWin.com
2009-03-02 00:40 --------- d-----w c:\program files\Lexmark 1200 Series
2009-02-19 23:13 --------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-02-18 02:27 --------- d-----w c:\program files\Shockwave.com
2008-10-25 17:40 774,144 ----a-w c:\program files\RngInterstitial.dll
2008-08-22 16:46 0 ----a-w c:\program files\temp01
2003-06-04 23:19 279,133 ----a-w c:\program files\half-life_2_01_1024.jpg
2008-08-28 02:48 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082720080828\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 17:20 279944 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-02-11 801904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2009-01-26 5365592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-07 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PI Monitor.lnk - c:\program files\ArcSoft\PhotoImpression 5\PI Monitor.exe [2008-05-28 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\aol\\1198445152\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Sony\\Media Manager for PSP 2.5\\MediaManager.exe"=

R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [2008-12-17 78104]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-06-04 24652]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2007-08-25 26488]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00941bf3-6625-11dd-aaa7-00038a000015}]
\Shell\AutoRun\command - F:\Autorun.exe /run
\Shell\Shell00\Command - F:\Autorun.exe /run
\Shell\Shell01\Command - F:\Autorun.exe /action
\Shell\Shell02\Command - F:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d14d642-d9a8-11dc-a955-00038a000015}]
\Shell\AutoRun\command - "Install FreeAgent Tools.exe" /run
.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 14:42]

2009-03-31 c:\windows\Tasks\At1.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At10.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At100.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At101.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At102.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At103.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At104.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At105.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At106.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At107.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At108.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At109.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At11.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At110.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At111.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At112.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At113.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At114.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At115.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At116.job
- c:\windows\system32\e2ttBL1K.exe []

2009-04-01 c:\windows\Tasks\At117.job
- c:\windows\system32\e2ttBL1K.exe []

2009-04-01 c:\windows\Tasks\At118.job
- c:\windows\system32\e2ttBL1K.exe []

2009-04-01 c:\windows\Tasks\At119.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At12.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At120.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At13.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At14.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At15.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At16.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At17.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At18.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At19.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At2.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At20.job
- c:\windows\system32\e2ttBL1K.exe []

2009-04-01 c:\windows\Tasks\At21.job
- c:\windows\system32\e2ttBL1K.exe []

2009-04-01 c:\windows\Tasks\At22.job
- c:\windows\system32\e2ttBL1K.exe []

2009-04-01 c:\windows\Tasks\At23.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At24.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At25.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At26.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At27.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At28.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At29.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At3.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At30.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At31.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At32.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At33.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At34.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At35.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At36.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At37.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At38.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At39.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At4.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At40.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At41.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At42.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At43.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At44.job
- c:\windows\system32\e2ttBL1K.exe []

2009-04-01 c:\windows\Tasks\At45.job
- c:\windows\system32\e2ttBL1K.exe []

2009-04-01 c:\windows\Tasks\At46.job
- c:\windows\system32\e2ttBL1K.exe []

2009-04-01 c:\windows\Tasks\At47.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At48.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At49.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At5.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At50.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At51.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At52.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At53.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At54.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At55.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At56.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At57.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At58.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At59.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At6.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At60.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At61.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At62.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At63.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At64.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At65.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At66.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At67.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At68.job
- c:\windows\system32\e2ttBL1K.exe []

2009-04-01 c:\windows\Tasks\At69.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At7.job
- c:\windows\system32\e2ttBL1K.exe []

2009-04-01 c:\windows\Tasks\At70.job
- c:\windows\system32\e2ttBL1K.exe []

2009-04-01 c:\windows\Tasks\At71.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At72.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At73.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At74.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At75.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At76.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At77.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At78.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At79.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At8.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At80.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At81.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At82.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At83.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At84.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At85.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At86.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At87.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At88.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At89.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At9.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At90.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At91.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At92.job
- c:\windows\system32\e2ttBL1K.exe []

2009-04-01 c:\windows\Tasks\At93.job
- c:\windows\system32\e2ttBL1K.exe []

2009-04-01 c:\windows\Tasks\At94.job
- c:\windows\system32\e2ttBL1K.exe []

2009-04-01 c:\windows\Tasks\At95.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At96.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At97.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At98.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At99.job
- c:\windows\system32\e2ttBL1K.exe []

2009-04-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 14:06]

2009-04-01 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 13:58]

2009-03-29 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 13:58]

2009-03-26 c:\windows\Tasks\rpc.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []

2009-04-01 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 15:31]

2009-03-31 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-01-26 15:31]

2009-03-31 c:\windows\Tasks\SpyHunter Scanner.job
- c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{462246dd-27be-4ab4-8191-bec9ea7cbb07} - (no file)
BHO-{defbb6db-76e2-47b9-a157-13ed49f4bbb0} - c:\windows\system32\pebopimi.dll
HKCU-Run-Aim6 - c:\program files\AIM6\aim6.exe
HKLM-Run-Gamevance - c:\program files\Gamevance\gamevance32.exe
HKLM-Run-zudirufawo - c:\windows\system32\hewumoso.dll
SafeBoot-tdidrv32.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
mSearch Bar = about:blank
mSearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearchURL = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 22:07:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Gamevance = c:\program files\Gamevance\gamevance32.exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-436374069-854245398-1003\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\2.5]
"FRT"="jVn5laZwOtggkjXk6HAvoBjWBIJVAtu6q+4BOxt7vuDPxkJNYiGzOw=="
"PLCK"="AINVoZPtVtMl1Q/PuYn53zluCfhA2Rvw"
"Percents"="0.0004 0.0616 0.2092 0.4623 0.6782 0.7899 0.7921 "
"Increment"=".002558"
"PHSH"=""
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
c:\windows\SoftwareDistribution\Download\Install\windows-kb890830-v2.8.exe
c:\c8ded139ea81276719\mrtstub.exe
c:\windows\system32\MRT.exe
.
**************************************************************************
.
Completion time: 2009-03-31 22:15:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-01 02:15:04

Pre-Run: 48,101,765,120 bytes free
Post-Run: 48,167,579,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

457 --- E O F --- 2009-03-08 16:40:45

realady
2009-04-01, 05:31
I have done the HJT scan and here are the results:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:13 PM, on 3/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Startup: StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188062979771
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188063037414
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab75406.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iWinTrusted - iWin Inc. - C:\Program Files\iWin Games\iWinTrusted.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8930 bytes
Also, Windows is wanting to update now; should I allow this update?

peku006
2009-04-01, 14:49
Hi realady

Also, Windows is wanting to update now; should I allow this update?
Yes, you can update now.

1 - Run CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

AtJob::

File::
c:\windows\system32\halukozo.exe
c:\program files\temp01
c:\windows\system32\e2ttBL1K.exe

Save this as "CFScript.txt", and as Type: All Files (*.*), in the same location as ComboFix.exe.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to a convenient location.
Double click on mbam-setup.exe to install it.
Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
  Update Malwarebytes' Anti-Malware
  Launch Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
Select the Scanner tab. Click on Perform full scan, then click on Scan.
Leave the default options as they are and click on Start Scan.
When done, you will be prompted. Click OK, then click on Show Results.
Check (tick) all items except items in the System Volume Information folder and click on Remove Selected.

http://i35.photobucket.com/albums/d165/ndmmxiaomayi/mayi/mbam1.png

After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottommost log is the latest.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

4 - Status Check
Please reply with

1. the ComboFix log (C:\ComboFix.txt)
2. the Malwarebytes' Anti-Malware log
3. a fresh HijackThis log
4. a description of any problems you are having with your PC

Thanks peku006
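
The ComboFix log earlier in this thread shows dozens of At*.job tasks (At9.job through At99.job) all pointing at the same file in system32 with no timestamp recorded, which is the pattern the CFScript above targets with its AtJob:: directive. The following Python script is an added example, not code from the thread or from any of the tools mentioned: it parses the two-line task entries in the format ComboFix prints (date and job path, then "- target [timestamp]"), groups them by target, and flags a target that is reached by many at.exe-style jobs or whose file has no timestamp. The sample log is constructed from entries seen above; the threshold (3 jobs) and the severity labels are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample in ComboFix's scheduled-task format; the paths mirror
# entries from the log posted earlier in this thread.
SAMPLE_LOG = r"""
2009-03-31 c:\windows\Tasks\At90.job
- c:\windows\system32\e2ttBL1K.exe []

2009-03-31 c:\windows\Tasks\At91.job
- c:\windows\system32\e2ttBL1K.exe []

2009-04-01 c:\windows\Tasks\At93.job
- c:\windows\system32\e2ttBL1K.exe []

2009-04-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 14:06]

2009-03-26 c:\windows\Tasks\rpc.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []
"""

# "2009-03-31 c:\windows\Tasks\At90.job"
JOB_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(.+?\.job)\s*$", re.IGNORECASE)
# "- c:\path\target.exe [2009-03-25 14:06]"  or  "- c:\path\target.exe []"
TARGET_RE = re.compile(r"^-\s+(.+?)\s+\[(.*?)\]\s*$")
# Jobs created with at.exe are named AtN.job (assumed naming, as in the log above)
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.IGNORECASE)


def parse_tasks(text):
    """Return one dict per scheduled task found in ComboFix-style output."""
    lines = [ln.strip() for ln in text.splitlines()]
    tasks = []
    for i in range(len(lines) - 1):
        job = JOB_RE.match(lines[i])
        target = TARGET_RE.match(lines[i + 1])
        if job and target:
            tasks.append({
                "date": job.group(1),
                "job": job.group(2),
                "target": target.group(1),
                "stamp": target.group(2),  # empty string when ComboFix printed "[]"
            })
    return tasks


def triage(tasks, min_fan_in=3):
    """Group tasks by target and rate each target (severity labels are assumed)."""
    by_target = defaultdict(list)
    for t in tasks:
        by_target[t["target"].lower()].append(t)

    report = {}
    for target, group in by_target.items():
        at_jobs = sum(1 for t in group if AT_JOB_RE.search(t["job"]))
        missing_stamp = any(t["stamp"] == "" for t in group)
        if at_jobs >= min_fan_in:
            severity = "high"      # one file fanned in from many AtN.job tasks
        elif missing_stamp:
            severity = "review"    # target file had no timestamp to report
        else:
            severity = "ok"
        report[target] = {
            "jobs": [t["job"] for t in group],
            "at_jobs": at_jobs,
            "missing_stamp": missing_stamp,
            "severity": severity,
        }
    return report


if __name__ == "__main__":
    for target, info in sorted(triage(parse_tasks(SAMPLE_LOG)).items()):
        print(f"{info['severity']:6} at_jobs={info['at_jobs']:2} "
              f"stamp_missing={info['missing_stamp']!s:5} {target}")
```

Run it against a saved ComboFix.txt by reading the file into `parse_tasks` instead of `SAMPLE_LOG`; a legitimate updater job (one task, timestamped file) rates "ok", while a target reached by a block of AtN.job tasks rates "high" and is the entry to look at first.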

realady
2009-04-01, 17:07
I have read what you have asked me to do, but my security center states I have AVG 7.5 still running on this pc. I cannot figure out how to disable it. There is no icon on the desktop, no program in files, and I have done a search and when it gets so far it closes Windows Explorer. It says I have to be logged in as administrator to make changes; could you tell me how to do both of these things? Thank you, I feel like such a dumb bunny!!!

peku006
2009-04-01, 18:37
Hi realady

How to Temporarily Disable AVG
Please open the AVG7 Control Center. Double-click on the "AVG Resident Shield" component (looks like this: http://i100.photobucket.com/albums/m7/dasaki/Clipboard02-1.jpg ) (bottom right next to the clock)
and deselect the "Turn on AVG Resident Shield" checkmark and save the setting.

When you need to enable the AVG Resident Shield, reopen the AVG Control Center. Double-click on the "AVG Resident Shield" component, select the "Turn on AVG Resident Shield" checkmark and save the setting.

peku006
2009-04-18, 13:20
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or a MOD a private message (pm). A valid, working link to the closed topic is required.