PDA

View Full Version : malware infection



sdxn2400134
2009-04-03, 00:04
For a couple of weeks, I have had a bad computer problem. I used Spybot for a week. It would detect and remove various Virtumonde strains, but Virtumonde would always come back. Most often I see virtumonde.prx.

I also paid about $40 for Ad-Aware Pro. It does not detect virtumonde...however, it did detect and clean TR/crypt.xpack.gen and TR/dropper.gen which it listed as trojans.

I have made numerous changes to startup using spybot and msconfig. For the last week, I have had problems lauching programs, especially spybot and ad-aware. They will usually appear, then I get a system message which states that a problem has been encountered and the program must close. I can launch these programs in safe mode. Please help me! Thanks. Steve

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:03 PM, on 4/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\AOL\1118558958\ee\AOLSoftware.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {75a7e2c9-dbbd-4d37-8c0c-86052d585529} - (disabled by BHODemon)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {97f40295-734e-479f-9efb-6a7e8d9e93b7} - C:\WINDOWS\system32\masutora.dll (disabled by BHODemon)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1118558958\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [CPMaf5133a0] Rundll32.exe "c:\windows\system32\zezojare.dll",a
O4 - HKLM\..\RunOnce: [C:\Program Files\Common Files\AOL\1118558958\ee\services\safetyCore\ver210_5_4_1\SSCEvtHdlrPS.dll] regsvr32.exe /s "C:\Program Files\Common Files\AOL\1118558958\ee\services\safetyCore\ver210_5_4_1\SSCEvtHdlrPS.dll"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8/McUpdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121835894750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208355050890
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.custhelp.com/7520-b289h-turbotax/rnl/java/RntX.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wonufeji.dll c:\windows\system32\negoyuhe.dll c:\windows\system32\wupobolo.dll khfduy.dll c:\windows\system32\zezojare.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zezojare.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zezojare.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Update Service (gupdate1c99af84045d9ba) (gupdate1c99af84045d9ba) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 10251 bytes

Shaba
2009-04-03, 17:39
Hi sdxn2400134

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

We need first to disable TeaTimer that it doesn''t interfere with fixes. You can re-enable it when you''re clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

sdxn2400134
2009-04-04, 10:19
I had two problems when I ran combofix: Since I cannot launch McAfee Security Center in normal mode, I launched it in safe mode and disabled all the components I could find. However, when I ran combofix, it complained twice that "virusscan" was running. Each time, I opened taskmanager and shut down every service that began with "mc". Combofix stated that virusscan was still running, but that is would continue anyway.

The other problem was when combofix tried to connect with the Internet. The "ping" program (I think) encountered a problem and had to close. As a result, I didnt get the windows recovery console.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:43 PM, on 4/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1118558958\ee\AOLSoftware.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1118558958\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8/McUpdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121835894750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208355050890
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.custhelp.com/7520-b289h-turbotax/rnl/java/RntX.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Update Service (gupdate1c99af84045d9ba) (gupdate1c99af84045d9ba) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 8172 bytes

sdxn2400134
2009-04-04, 10:23
Here is the combofix log. Would you like me to run combofix again? Steve

ComboFix 09-04-01.01 - Steve 2009-04-03 13:28:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.583 [GMT -7:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090222175236703.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090223144719640.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090223161435484.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090223195039531.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090224160626250.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090224201311781.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090225152655796.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090225202748140.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090226165159875.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090226193642546.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090227161134781.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090227180605031.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090227193952109.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090228151845250.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090228194957171.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090303150337828.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090304141335953.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090304202403187.log
c:\windows\ekekotad.dll
c:\windows\system32\bszip.dll
c:\windows\system32\Cache
c:\windows\system32\dumphive.exe
c:\windows\system32\mufovedi.dll
c:\windows\system32\pattwk.dll
c:\windows\system32\selulisa.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP


((((((((((((((((((((((((( Files Created from 2009-03-03 to 2009-04-03 )))))))))))))))))))))))))))))))
.

2009-04-02 13:39 . 2009-04-02 13:39 <DIR> d-------- c:\program files\Trend Micro
2009-04-02 13:29 . 2009-04-02 13:29 <DIR> d-------- c:\program files\ERUNT
2009-03-30 23:45 . 2009-03-30 23:45 <DIR> d--hs---- c:\documents and settings\Administrator\PrivacIE
2009-03-30 23:42 . 2009-03-30 23:42 <DIR> d--hs---- c:\documents and settings\Administrator\IETldCache
2009-03-30 02:46 . 2009-03-30 02:46 <DIR> d-------- c:\documents and settings\jasmine\Application Data\Symantec
2009-03-30 02:46 . 2009-03-30 02:46 <DIR> d-------- c:\documents and settings\jasmine\Application Data\Logitech
2009-03-30 02:46 . 2009-03-30 02:46 <DIR> d-------- c:\documents and settings\jasmine\Application Data\Jasc Software Inc
2009-03-30 00:38 . 2009-03-30 00:38 <DIR> d--h----- c:\documents and settings\jasmine\Application Data\GTek
2009-03-30 00:38 . 2009-03-30 00:38 <DIR> d-------- c:\documents and settings\jasmine\Application Data\5400 Series
2009-03-30 00:34 . 2009-03-30 00:34 <DIR> d--hs---- c:\documents and settings\jasmine\IETldCache
2009-03-30 00:31 . 2005-06-06 07:04 <DIR> d-------- c:\documents and settings\jasmine\Application Data\Creative
2009-03-30 00:31 . 2009-03-30 23:03 <DIR> d-------- c:\documents and settings\jasmine
2009-03-29 21:13 . 2009-03-29 21:13 <DIR> d--hs---- c:\documents and settings\LocalService\IETldCache
2009-03-29 17:52 . 2009-03-29 17:52 <DIR> d--hs---- c:\documents and settings\Patty\PrivacIE
2009-03-29 17:52 . 2009-03-29 17:52 <DIR> d--hs---- c:\documents and settings\Patty\IECompatCache
2009-03-29 12:32 . 2009-03-29 12:32 <DIR> d--hs---- c:\documents and settings\Patty\IETldCache
2009-03-29 11:38 . 2009-03-28 23:58 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-29 02:16 . 2009-03-29 02:16 <DIR> d--hs---- c:\documents and settings\NetworkService\IETldCache
2009-03-28 23:52 . 2009-03-28 23:52 <DIR> d--hs---- c:\documents and settings\Steve\IECompatCache
2009-03-28 23:49 . 2009-03-30 02:46 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-28 22:31 . 2009-03-28 22:31 <DIR> d--hs---- c:\documents and settings\Steve\PrivacIE
2009-03-28 21:25 . 2009-03-28 21:25 <DIR> d--hs---- c:\windows\system32\config\systemprofile\IETldCache
2009-03-28 17:18 . 2009-03-28 17:18 <DIR> d--hs---- c:\documents and settings\Steve\IETldCache
2009-03-28 16:36 . 2009-03-30 01:44 <DIR> d--h-c--- c:\windows\ie8
2009-03-26 14:39 . 2009-03-26 14:39 40,448 --a------ C:\dmsiacq.exe
2009-03-26 14:39 . 2009-03-26 14:39 31,744 --a------ C:\rojpcck.exe
2009-03-25 13:20 . 2009-03-25 13:20 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-25 13:09 . 2009-03-25 13:09 <DIR> d-------- c:\documents and settings\Steve\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-03-24 01:28 . 2009-03-29 23:59 <DIR> d-------- c:\program files\Lavasoft
2009-03-24 01:28 . 2009-03-29 23:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-22 03:29 . 2009-03-24 01:28 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-22 03:29 . 2009-03-24 01:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-21 15:02 . 2009-03-24 01:25 <DIR> d-------- c:\documents and settings\Patty\Application Data\Winamp
2009-03-21 13:31 . 2009-03-24 01:29 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\~0
2009-03-08 14:22 . 2009-03-08 14:22 49,152 --------- c:\windows\system32\msrating.dll.mui
2009-03-08 14:22 . 2009-03-08 14:22 2,560 --------- c:\windows\system32\mshta.exe.mui
2009-03-08 14:21 . 2009-03-08 14:21 4,096 --------- c:\windows\system32\ie4uinit.exe.mui
2009-03-08 14:20 . 2009-03-08 14:20 81,920 --------- c:\windows\system32\iedkcs32.dll.mui
2009-03-08 04:33 . 2009-03-08 04:33 18,944 --------- c:\windows\system32\dllcache\corpol.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 00:47 --------- d-----w c:\program files\Lx_cats
2009-03-24 04:22 --------- d-----w c:\documents and settings\Mikey\Application Data\LimeWire
2009-03-02 05:36 --------- d-----w c:\program files\Google
2009-02-23 01:59 --------- d-----w c:\documents and settings\Patty\Application Data\AOL
2009-02-14 05:30 --------- d-----w c:\documents and settings\Patty\Application Data\Viewpoint
2009-02-11 21:01 --------- d--h--w c:\documents and settings\Patty\Application Data\GTek
2009-02-11 20:58 --------- d-----w c:\documents and settings\Patty\Application Data\Logitech
2009-02-11 20:58 --------- d-----w c:\documents and settings\Patty\Application Data\5400 Series
2009-02-10 23:16 --------- d-----w c:\documents and settings\Mikey\Application Data\5400 Series
2008-09-13 13:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091320080914\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="c:\program files\Common Files\AOL\1118558958\ee\AOLSoftware.exe" [2008-06-24 41824]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-04-28 53248]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-28 515416]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 34880]

c:\documents and settings\Mikey\Start Menu\Programs\Startup\
LimeWire On Startup.lnk.disabled [2008-11-29 1587]

c:\documents and settings\Patty\Start Menu\Programs\Startup\
LimeWire On Startup.lnk.disabled [2009-02-23 1587]

c:\documents and settings\Steve\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-04-16 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.lsvx"= c:\windows\system32\lsvxdec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk
backup=c:\windows\pss\dlbcserv.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^BOINC Manager.lnk]
path=c:\documents and settings\Steve\Start Menu\Programs\Startup\BOINC Manager.lnk
backup=c:\windows\pss\BOINC Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 05:50 71216 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2005-05-31 05:33 122941 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2007-03-19 05:58 82864 c:\program files\Lexmark 5400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 09:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 09:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 14:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
--a------ 2006-07-12 22:22 57344 c:\program files\Lexmark 1200 Series\lxczbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-03-12 07:25 11776 c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-01-10 20:58 7286784 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-01-10 20:58 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-06-03 03:52 36975 c:\program files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-10 23:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-01-10 20:58 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2004-06-10 14:51 60928 c:\windows\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"lxct_device"=2 (0x2)
"ITMRTSVC"=2 (0x2)
"DSBrokerService"=3 (0x3)
"IDriverT"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"CTSysVol"=c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
"AOLDialer"=c:\program files\Common Files\AOL\ACS\AOLDial.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"WinampAgent"="c:\program files\Winamp\winampa.exe"
"Lexmark 5400 Series Fax Server"="c:\program files\Lexmark 5400 Series\fm3032.exe" /s
"lxctmon.exe"="c:\program files\Lexmark 5400 Series\lxctmon.exe"
"LXCTCATS"=rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"Wladasudevibebax"=rundll32.exe "c:\windows\ekekotad.dll",e
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe"
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe"
"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1118558958\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1118558958\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\WINDOWS\\system32\\lxctcoms.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Surround Mixer\\CTSysVol.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 gupdate1c99af84045d9ba;Google Update Service (gupdate1c99af84045d9ba);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-01 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
S2 PDRJNDL;PDRJNDL;\??\g:\data\WORK\VitaGen\Vgen Docs\Dek\PDL\PDRJNDL.SYS --> g:\data\WORK\VitaGen\Vgen Docs\Dek\PDL\PDRJNDL.SYS [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - sfc

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\start.exe welcome.dbd

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-29 c:\windows\Tasks\Ad-Aware Update (Daily).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-28 23:56]

2009-04-03 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-01 22:31]

2009-03-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-04-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2009-04-03 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 15:31]
.
- - - - ORPHANS REMOVED - - - -

BHO-{75a7e2c9-dbbd-4d37-8c0c-86052d585529} - __BHODemonDisabled
BHO-{97f40295-734e-479f-9efb-6a7e8d9e93b7} - c:\windows\system32\masutora.dll__BHODemonDisabled
MSConfigStartUp-AIM - c:\program files\AIM\aim.exe
MSConfigStartUp-BearShare - c:\program files\BearShare\BearShare.exe
MSConfigStartUp-BJCFD - c:\program files\BroadJump\Client Foundation\CFD.exe
MSConfigStartUp-Cfawakenupiyep - c:\windows\Xwedupujaxakuqe.dll
MSConfigStartUp-CPMaf5133a0 - c:\windows\system32\zezojare.dll
MSConfigStartUp-DellSupport - c:\program files\Dell Support\DSAgnt.exe
MSConfigStartUp-Diagnostic Manager - c:\docume~1\Steve\LOCALS~1\Temp\1067090350.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-LWBMOUSE - c:\program files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-Pure Networks Port Magic - c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-WhenUSave - c:\program files\Save\Save.exe
MSConfigStartUp-Windows Resurections - c:\windows\TEMP\fvia1.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\wkhqaxag.default\
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-03 13:55:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msdtc.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\system32\imapi.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
c:\windows\system32\locator.exe
c:\windows\system32\snmp.exe
c:\windows\system32\tlntsvr.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-04-03 14:02:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-03 21:02:08

Pre-Run: 36,419,039,232 bytes free
Post-Run: 37,943,160,832 bytes free

372 --- E O F --- 2009-04-03 03:32:19

Shaba
2009-04-04, 12:40
Before that we continue with this:

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

sdxn2400134
2009-04-05, 10:24
Since the one time I ran combofix, I am no longer having problems with opening programs :bigthumb: and I no longer see system messages saying that some program has encountered a problem and has to close. :bigthumb:

Here is the list you asked for:

ABBYY FineReader 5.0 Sprint
ABBYY FineReader 6.0 Sprint
Acrobat.com
Ad-Aware
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.2
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Uninstaller (Choose which Products to Remove)
AOLIcon
AVG Anti-Rootkit Free
Broadband Internet Router
BroadJump Client Foundation
CA Pest Patrol Realtime Protection
CDDRV_Installer
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
DellSupport
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Download Updater (AOL LLC)
DTCLookup
ERUNT 1.1j
eViewStream
FaxTools
Google Earth
Google Update Helper
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Image Analyzer
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iPod Updater 2004-08-06
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
Jasc Paint Shop Pro Studio, Dell Editon
Jasc Paint Shop Pro Studio.01 , Dell Edition 1.0.1.1 Patch
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.2_03
Java Web Start
KhalInstallWrapper
Learn2 Player (Uninstall Only)
Lexmark 5400 Series
Lexmark Toolbar
LimeWire 4.18.8
Logitech SetPoint
Macromedia Flash Player
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.8)
MP3 CD Converter 4.02
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch® Jukebox
NVIDIA Drivers
oggcodecs 0.69.8924
PearsonVUE Tutorial and Practice Exam
PowerDVD 5.6
QuickBooks Simple Start Special Edition
QuickTime
RCA Memory Manager™ 2.1.0.210
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sound Blaster Live! 24-bit
Spybot - Search & Destroy
System Requirements Lab
TeamSpeak 2 RC2
Time Zone Data Update Tool for Microsoft Office Outlook
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Ventrilo Client
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Winamp
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 8
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
World of Warcraft
Xvid Codec 1.1.3

Shaba
2009-04-05, 11:58
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

LimeWire 4.18.8

I'd like you to read the this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Please run a new uninstall list scan when finished and post the log back here.

sdxn2400134
2009-04-05, 13:15
ABBYY FineReader 5.0 Sprint
ABBYY FineReader 6.0 Sprint
Acrobat.com
Ad-Aware
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.2
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Uninstaller (Choose which Products to Remove)
AOLIcon
AVG Anti-Rootkit Free
Broadband Internet Router
BroadJump Client Foundation
CA Pest Patrol Realtime Protection
CDDRV_Installer
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
DellSupport
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Download Updater (AOL LLC)
DTCLookup
ERUNT 1.1j
eViewStream
FaxTools
Google Earth
Google Update Helper
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Image Analyzer
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iPod Updater 2004-08-06
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
Jasc Paint Shop Pro Studio, Dell Editon
Jasc Paint Shop Pro Studio.01 , Dell Edition 1.0.1.1 Patch
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.2_03
Java Web Start
KhalInstallWrapper
Learn2 Player (Uninstall Only)
Lexmark 5400 Series
Lexmark Toolbar
Logitech SetPoint
Macromedia Flash Player
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.8)
MP3 CD Converter 4.02
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch® Jukebox
NVIDIA Drivers
oggcodecs 0.69.8924
PearsonVUE Tutorial and Practice Exam
PowerDVD 5.6
QuickBooks Simple Start Special Edition
QuickTime
RCA Memory Manager™ 2.1.0.210
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sound Blaster Live! 24-bit
Spybot - Search & Destroy
System Requirements Lab
TeamSpeak 2 RC2
Time Zone Data Update Tool for Microsoft Office Outlook
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Ventrilo Client
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Winamp
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 8
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
World of Warcraft
Xvid Codec 1.1.3

Shaba
2009-04-05, 15:22
Open notepad and copy/paste the text in the codebox below into it:


File::
C:\dmsiacq.exe
C:\rojpcck.exe
c:\StubInstaller.exe

Folder::
c:\documents and settings\Mikey\Application Data\LimeWire
c:\Program Files\LimeWire
c:\Program Files\eMule

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Wladasudevibebax"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\Program Files\\eMule\\emule.exe"=-
"c:\\StubInstaller.exe"=-



Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

sdxn2400134
2009-04-05, 23:43
Greetings! ComboFix updated to a newer version, then restarted.

The Windows Recovery Console was also downloaded and installed.

Here is the new ComboFix file:


ComboFix 09-04-04.01 - Steve 2009-04-05 13:18:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.600 [GMT -7:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*

FILE ::
C:\dmsiacq.exe
C:\rojpcck.exe
c:\StubInstaller.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mikey\Application Data\LimeWire
c:\documents and settings\Mikey\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Mikey\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Mikey\Application Data\LimeWire\downloads.dat
c:\documents and settings\Mikey\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Mikey\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Mikey\Application Data\LimeWire\filters.props
c:\documents and settings\Mikey\Application Data\LimeWire\gnutella.net
c:\documents and settings\Mikey\Application Data\LimeWire\installation.props
c:\documents and settings\Mikey\Application Data\LimeWire\library.dat
c:\documents and settings\Mikey\Application Data\LimeWire\limewire.props
c:\documents and settings\Mikey\Application Data\LimeWire\mojito.props
c:\documents and settings\Mikey\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Mikey\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Mikey\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Mikey\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Mikey\Application Data\LimeWire\questions.props
c:\documents and settings\Mikey\Application Data\LimeWire\responses.cache
c:\documents and settings\Mikey\Application Data\LimeWire\simpp.xml
c:\documents and settings\Mikey\Application Data\LimeWire\spam.dat
c:\documents and settings\Mikey\Application Data\LimeWire\tables.props
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Mikey\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Mikey\Application Data\LimeWire\ttrees.cache
c:\documents and settings\Mikey\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Mikey\Application Data\LimeWire\version.xml
c:\documents and settings\Mikey\Application Data\LimeWire\versions.props
c:\documents and settings\Mikey\Application Data\LimeWire\xml\data\audio.sxml2
c:\documents and settings\Mikey\Application Data\LimeWire\xml\data\video.sxml2
c:\program files\eMule
c:\program files\eMule\config\cancelled.met
c:\program files\eMule\config\clients.met
c:\program files\eMule\config\emfriends.met
c:\program files\eMule\config\known.met
c:\program files\eMule\config\known2.met
c:\program files\eMule\config\known2_64.met
c:\program files\eMule\config\preferences.ini
c:\program files\eMule\config\server_met.old
c:\program files\eMule\config\statistics.ini
c:\program files\eMule\EMULE.EXE
c:\program files\eMule\eMule.tmpl
c:\program files\eMule\eMule_Chicane.tmpl
c:\program files\eMule\Incoming\The Beatles - Let It Be.mp3
c:\program files\eMule\Temp\001.part
c:\program files\eMule\Temp\001.part.met
c:\program files\eMule\Temp\001.part.met.bak
c:\program files\eMule\Temp\002.part
c:\program files\eMule\Temp\002.part.met
c:\program files\eMule\Temp\002.part.met.bak
c:\program files\eMule\Temp\003.part
c:\program files\eMule\Temp\003.part.met
c:\program files\eMule\Temp\003.part.met.bak
c:\program files\eMule\Temp\004.part.met
c:\program files\eMule\Temp\004.part.met.bak
c:\program files\eMule\Temp\005.part
c:\program files\eMule\Temp\005.part.met
c:\program files\eMule\Temp\005.part.met.bak
c:\program files\eMule\Temp\006.part.met
c:\program files\eMule\Temp\006.part.met.bak
c:\program files\eMule\Temp\007.part
c:\program files\eMule\Temp\007.part.met
c:\program files\eMule\Temp\007.part.met.bak
c:\program files\eMule\Temp\008.part
c:\program files\eMule\Temp\008.part.met
c:\program files\eMule\Temp\008.part.met.bak
c:\program files\eMule\Temp\009.part
c:\program files\eMule\Temp\009.part.met
c:\program files\eMule\Temp\009.part.met.bak
c:\program files\eMule\Temp\010.part
c:\program files\eMule\Temp\010.part.met
c:\program files\eMule\Temp\010.part.met.bak
c:\program files\eMule\Temp\011.part.met
c:\program files\eMule\Temp\011.part.met.bak
c:\program files\eMule\Temp\012.part.met
c:\program files\eMule\Temp\012.part.met.bak
c:\program files\eMule\Temp\013.part
c:\program files\eMule\Temp\013.part.met
c:\program files\eMule\Temp\013.part.met.bak
c:\program files\eMule\Temp\014.part
c:\program files\eMule\Temp\014.part.met
c:\program files\eMule\Temp\014.part.met.bak
c:\program files\eMule\Temp\015.part.met
c:\program files\eMule\Temp\015.part.met.bak
c:\program files\eMule\Temp\016.part
c:\program files\eMule\Temp\016.part.met
c:\program files\eMule\Temp\016.part.met.bak
c:\program files\eMule\Temp\018.part.met
c:\program files\eMule\Temp\018.part.met.bak
c:\program files\eMule\Temp\019.part
c:\program files\eMule\Temp\019.part.met
c:\program files\eMule\Temp\019.part.met.bak
c:\program files\eMule\Temp\020.part
c:\program files\eMule\Temp\020.part.met
c:\program files\eMule\Temp\020.part.met.bak
c:\program files\eMule\Temp\021.part
c:\program files\eMule\Temp\021.part.met
c:\program files\eMule\Temp\021.part.met.bak
c:\program files\eMule\Temp\022.part.met
c:\program files\eMule\Temp\022.part.met.bak
c:\program files\eMule\Temp\023.part
c:\program files\eMule\Temp\023.part.met
c:\program files\eMule\Temp\023.part.met.bak
c:\program files\eMule\Temp\024.part.met
c:\program files\eMule\Temp\024.part.met.bak
c:\program files\eMule\Temp\025.part
c:\program files\eMule\Temp\025.part.met
c:\program files\eMule\Temp\025.part.met.bak
c:\program files\eMule\Temp\026.part.met
c:\program files\eMule\Temp\026.part.met.bak
c:\program files\eMule\Temp\027.part.met
c:\program files\eMule\Temp\027.part.met.bak
c:\program files\eMule\Temp\028.part.met
c:\program files\eMule\Temp\028.part.met.bak
c:\program files\eMule\Temp\029.part
c:\program files\eMule\Temp\029.part.met
c:\program files\eMule\Temp\029.part.met.bak
c:\program files\eMule\Temp\030.part.met
c:\program files\eMule\Temp\030.part.met.bak
c:\program files\eMule\Temp\031.part
c:\program files\eMule\Temp\031.part.met
c:\program files\eMule\Temp\031.part.met.bak
c:\program files\eMule\Temp\032.part
c:\program files\eMule\Temp\032.part.met
c:\program files\eMule\Temp\032.part.met.bak
c:\program files\eMule\Temp\033.part
c:\program files\eMule\Temp\033.part.met
c:\program files\eMule\Temp\033.part.met.bak
c:\program files\eMule\Temp\034.part
c:\program files\eMule\Temp\034.part.met
c:\program files\eMule\Temp\034.part.met.bak
c:\program files\eMule\Temp\035.part
c:\program files\eMule\Temp\035.part.met
c:\program files\eMule\Temp\035.part.met.bak
c:\program files\eMule\Temp\036.part
c:\program files\eMule\Temp\036.part.met
c:\program files\eMule\Temp\036.part.met.bak
c:\program files\eMule\Temp\037.part
c:\program files\eMule\Temp\037.part.met
c:\program files\eMule\Temp\037.part.met.bak
c:\program files\eMule\Temp\038.part
c:\program files\eMule\Temp\038.part.met
c:\program files\eMule\Temp\038.part.met.bak
c:\program files\eMule\Temp\039.part.met
c:\program files\eMule\Temp\039.part.met.bak
c:\program files\eMule\Temp\040.part
c:\program files\eMule\Temp\040.part.met
c:\program files\eMule\Temp\040.part.met.bak
c:\program files\eMule\Temp\041.part
c:\program files\eMule\Temp\041.part.met
c:\program files\eMule\Temp\041.part.met.bak
c:\program files\eMule\Temp\042.part
c:\program files\eMule\Temp\042.part.met
c:\program files\eMule\Temp\042.part.met.bak
c:\program files\eMule\Temp\043.part
c:\program files\eMule\Temp\043.part.met
c:\program files\eMule\Temp\043.part.met.bak
c:\program files\eMule\Temp\044.part.met
c:\program files\eMule\Temp\044.part.met.bak
c:\program files\eMule\Temp\045.part.met
c:\program files\eMule\Temp\045.part.met.bak
c:\program files\eMule\Temp\046.part.met
c:\program files\eMule\Temp\046.part.met.bak
c:\program files\eMule\Temp\047.part
c:\program files\eMule\Temp\047.part.met
c:\program files\eMule\Temp\047.part.met.bak
c:\program files\eMule\Temp\048.part.met
c:\program files\eMule\Temp\048.part.met.bak
c:\program files\eMule\Temp\049.part
c:\program files\eMule\Temp\049.part.met
c:\program files\eMule\Temp\049.part.met.bak
c:\program files\eMule\Temp\050.part
c:\program files\eMule\Temp\050.part.met
c:\program files\eMule\Temp\050.part.met.bak
c:\program files\eMule\Temp\051.part.met
c:\program files\eMule\Temp\051.part.met.bak
c:\program files\eMule\Temp\052.part
c:\program files\eMule\Temp\052.part.met
c:\program files\eMule\Temp\052.part.met.bak
c:\program files\eMule\Temp\053.part.met
c:\program files\eMule\Temp\053.part.met.bak
c:\program files\eMule\Temp\054.part
c:\program files\eMule\Temp\054.part.met
c:\program files\eMule\Temp\054.part.met.bak
c:\program files\eMule\Temp\055.part
c:\program files\eMule\Temp\055.part.met
c:\program files\eMule\Temp\055.part.met.bak
c:\program files\eMule\Temp\056.part
c:\program files\eMule\Temp\056.part.met
c:\program files\eMule\Temp\056.part.met.bak
c:\program files\eMule\Temp\057.part
c:\program files\eMule\Temp\057.part.met
c:\program files\eMule\Temp\057.part.met.bak
c:\program files\eMule\Temp\058.part
c:\program files\eMule\Temp\058.part.met
c:\program files\eMule\Temp\058.part.met.bak
c:\program files\eMule\Temp\059.part.met
c:\program files\eMule\Temp\059.part.met.bak
c:\program files\eMule\Temp\060.part.met
c:\program files\eMule\Temp\060.part.met.bak
c:\program files\eMule\Temp\061.part
c:\program files\eMule\Temp\061.part.met
c:\program files\eMule\Temp\061.part.met.bak
c:\program files\eMule\Temp\063.part.met
c:\program files\eMule\Temp\063.part.met.bak
c:\program files\eMule\Temp\066.part.met
c:\program files\eMule\Temp\066.part.met.bak
c:\program files\eMule\Temp\067.part
c:\program files\eMule\Temp\067.part.met
c:\program files\eMule\Temp\067.part.met.bak
c:\program files\eMule\Temp\068.part.met
c:\program files\eMule\Temp\068.part.met.bak
c:\program files\eMule\Temp\070.part.met
c:\program files\eMule\Temp\070.part.met.bak
c:\program files\eMule\Temp\071.part
c:\program files\eMule\Temp\071.part.met
c:\program files\eMule\Temp\071.part.met.bak
c:\program files\eMule\Temp\074.part.met
c:\program files\eMule\Temp\074.part.met.bak
c:\program files\eMule\Temp\078.part
c:\program files\eMule\Temp\078.part.met
c:\program files\eMule\Temp\078.part.met.bak
c:\program files\eMule\Temp\080.part
c:\program files\eMule\Temp\080.part.met
c:\program files\eMule\Temp\080.part.met.bak
c:\program files\eMule\Temp\081.part.met
c:\program files\eMule\Temp\081.part.met.bak
c:\program files\eMule\Temp\082.part
c:\program files\eMule\Temp\082.part.met
c:\program files\eMule\Temp\082.part.met.bak
c:\program files\eMule\Temp\083.part.met
c:\program files\eMule\Temp\083.part.met.bak
c:\program files\eMule\Temp\084.part.met
c:\program files\eMule\Temp\084.part.met.bak
C:\rojpcck.exe
c:\StubInstaller.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.

2009-04-04 14:57 . 2009-04-04 14:57 <DIR> d--hs---- c:\documents and settings\Mikey\IETldCache
2009-04-02 13:39 . 2009-04-02 13:39 <DIR> d-------- c:\program files\Trend Micro
2009-04-02 13:29 . 2009-04-02 13:29 <DIR> d-------- c:\program files\ERUNT
2009-03-30 23:45 . 2009-03-30 23:45 <DIR> d--hs---- c:\documents and settings\Administrator\PrivacIE
2009-03-30 23:42 . 2009-03-30 23:42 <DIR> d--hs---- c:\documents and settings\Administrator\IETldCache
2009-03-30 02:46 . 2009-03-30 02:46 <DIR> d-------- c:\documents and settings\jasmine\Application Data\Symantec
2009-03-30 02:46 . 2009-03-30 02:46 <DIR> d-------- c:\documents and settings\jasmine\Application Data\Logitech
2009-03-30 02:46 . 2009-03-30 02:46 <DIR> d-------- c:\documents and settings\jasmine\Application Data\Jasc Software Inc
2009-03-30 00:38 . 2009-03-30 00:38 <DIR> d--h----- c:\documents and settings\jasmine\Application Data\GTek
2009-03-30 00:38 . 2009-03-30 00:38 <DIR> d-------- c:\documents and settings\jasmine\Application Data\5400 Series
2009-03-30 00:34 . 2009-03-30 00:34 <DIR> d--hs---- c:\documents and settings\jasmine\IETldCache
2009-03-30 00:31 . 2005-06-06 07:04 <DIR> d-------- c:\documents and settings\jasmine\Application Data\Creative
2009-03-30 00:31 . 2009-03-30 23:03 <DIR> d-------- c:\documents and settings\jasmine
2009-03-29 21:13 . 2009-03-29 21:13 <DIR> d--hs---- c:\documents and settings\LocalService\IETldCache
2009-03-29 17:52 . 2009-03-29 17:52 <DIR> d--hs---- c:\documents and settings\Patty\PrivacIE
2009-03-29 17:52 . 2009-03-29 17:52 <DIR> d--hs---- c:\documents and settings\Patty\IECompatCache
2009-03-29 12:32 . 2009-03-29 12:32 <DIR> d--hs---- c:\documents and settings\Patty\IETldCache
2009-03-29 11:38 . 2009-03-28 23:58 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-29 02:16 . 2009-03-29 02:16 <DIR> d--hs---- c:\documents and settings\NetworkService\IETldCache
2009-03-28 23:52 . 2009-03-28 23:52 <DIR> d--hs---- c:\documents and settings\Steve\IECompatCache
2009-03-28 23:49 . 2009-03-30 02:46 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-28 22:31 . 2009-03-28 22:31 <DIR> d--hs---- c:\documents and settings\Steve\PrivacIE
2009-03-28 21:25 . 2009-03-28 21:25 <DIR> d--hs---- c:\windows\system32\config\systemprofile\IETldCache
2009-03-28 17:18 . 2009-03-28 17:18 <DIR> d--hs---- c:\documents and settings\Steve\IETldCache
2009-03-28 16:36 . 2009-03-30 01:44 <DIR> d--h-c--- c:\windows\ie8
2009-03-25 13:20 . 2009-03-25 13:20 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-25 13:09 . 2009-03-25 13:09 <DIR> d-------- c:\documents and settings\Steve\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-03-24 01:28 . 2009-03-29 23:59 <DIR> d-------- c:\program files\Lavasoft
2009-03-24 01:28 . 2009-03-29 23:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-22 03:29 . 2009-03-24 01:28 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-22 03:29 . 2009-03-24 01:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-21 15:02 . 2009-03-24 01:25 <DIR> d-------- c:\documents and settings\Patty\Application Data\Winamp
2009-03-21 13:31 . 2009-03-24 01:29 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\~0
2009-03-08 14:22 . 2009-03-08 14:22 49,152 --------- c:\windows\system32\msrating.dll.mui
2009-03-08 14:22 . 2009-03-08 14:22 2,560 --------- c:\windows\system32\mshta.exe.mui
2009-03-08 14:21 . 2009-03-08 14:21 4,096 --------- c:\windows\system32\ie4uinit.exe.mui
2009-03-08 14:20 . 2009-03-08 14:20 81,920 --------- c:\windows\system32\iedkcs32.dll.mui
2009-03-08 04:33 . 2009-03-08 04:33 18,944 --------- c:\windows\system32\dllcache\corpol.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 00:47 --------- d-----w c:\program files\Lx_cats
2009-03-08 21:09 638,816 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-03-08 21:09 391,536 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 11:41 5,937,152 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-03-08 11:39 11,063,808 ----a-w c:\windows\system32\dllcache\ieframe.dll
2009-03-08 11:34 914,944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 914,944 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-08 11:34 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:34 43,008 ----a-w c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 11:34 236,544 ----a-w c:\windows\system32\dllcache\webcheck.dll
2009-03-08 11:34 193,536 ----a-w c:\windows\system32\dllcache\msrating.dll
2009-03-08 11:34 109,568 ----a-w c:\windows\system32\dllcache\occache.dll
2009-03-08 11:34 105,984 ----a-w c:\windows\system32\dllcache\url.dll
2009-03-08 11:34 1,206,784 ----a-w c:\windows\system32\dllcache\urlmon.dll
2009-03-08 11:33 759,296 ----a-w c:\windows\system32\dllcache\VGX.dll
2009-03-08 11:33 726,528 ----a-w c:\windows\system32\dllcache\jscript.dll
2009-03-08 11:33 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:33 420,352 ----a-w c:\windows\system32\dllcache\vbscript.dll
2009-03-08 11:33 25,600 ----a-w c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 11:33 229,376 ----a-w c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 11:33 18,944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 125,952 ----a-w c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 11:32 94,720 ----a-w c:\windows\system32\dllcache\inseng.dll
2009-03-08 11:32 72,704 ----a-w c:\windows\system32\dllcache\admparse.dll
2009-03-08 11:32 72,704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:32 71,680 ----a-w c:\windows\system32\dllcache\iesetup.dll
2009-03-08 11:32 611,840 ----a-w c:\windows\system32\dllcache\mstime.dll
2009-03-08 11:32 594,432 ----a-w c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 11:32 55,808 ----a-w c:\windows\system32\dllcache\iernonce.dll
2009-03-08 11:32 173,056 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 11:32 163,840 ----a-w c:\windows\system32\dllcache\ieakui.dll
2009-03-08 11:32 128,512 ----a-w c:\windows\system32\dllcache\advpack.dll
2009-03-08 11:32 1,985,024 ----a-w c:\windows\system32\dllcache\iertutil.dll
2009-03-08 11:24 68,608 ----a-w c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 11:22 156,160 ----a-w c:\windows\system32\msls31.dll
2009-03-08 11:22 156,160 ----a-w c:\windows\system32\dllcache\msls31.dll
2009-03-08 11:11 445,952 ----a-w c:\windows\system32\dllcache\ieapfltr.dll
2009-03-02 05:36 --------- d-----w c:\program files\Google
2009-02-23 01:59 --------- d-----w c:\documents and settings\Patty\Application Data\AOL
2009-02-14 05:30 --------- d-----w c:\documents and settings\Patty\Application Data\Viewpoint
2009-02-11 21:01 --------- d--h--w c:\documents and settings\Patty\Application Data\GTek
2009-02-11 20:58 --------- d-----w c:\documents and settings\Patty\Application Data\Logitech
2009-02-11 20:58 --------- d-----w c:\documents and settings\Patty\Application Data\5400 Series
2009-02-10 23:16 --------- d-----w c:\documents and settings\Mikey\Application Data\5400 Series
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-01-08 01:21 26,144 ----a-w c:\windows\system32\spupdsvc.exe
2009-01-08 01:20 474,112 ------w c:\windows\system32\dllcache\shlwapi.dll
2009-01-08 01:20 265,720 ----a-w c:\windows\system32\msdbg2.dll
2009-01-08 01:20 26,112 ----a-w c:\windows\system32\idndl.dll
2009-01-08 01:20 24,576 ----a-w c:\windows\system32\nlsdl.dll
2009-01-08 01:20 23,552 ----a-w c:\windows\system32\normaliz.dll
2009-01-08 01:20 23,552 ----a-w c:\windows\system32\normaliz(2)(2).dll
2009-01-08 01:20 134,144 ------w c:\windows\system32\dllcache\sqmapi.dll
2009-01-08 01:20 1,497,088 ------w c:\windows\system32\dllcache\shdocvw.dll
2009-01-08 01:20 1,022,976 ------w c:\windows\system32\dllcache\browseui.dll
2008-09-13 13:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091320080914\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-03_13.59.20.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\4-4-2009\ERDNT.EXE
+ 2009-04-05 06:58:16 9,306,112 ----a-w c:\windows\ERDNT\AutoBackup\4-4-2009\Users\00000001\ntuser.dat
+ 2009-04-05 06:58:18 3,338,240 ----a-w c:\windows\ERDNT\AutoBackup\4-4-2009\Users\00000002\UsrClass.dat
- 2009-04-03 20:01:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-05 18:36:55 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-04-03 20:01:15 245,760 --sha-w c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-04-05 18:36:55 245,760 --sha-w c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-04-03 20:01:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-05 18:36:55 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-04-03 20:01:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-05 18:36:55 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-03 20:45:13 215,468 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-04-04 06:39:13 215,464 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-02-03 02:15:28 3,771,296 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-02-03 02:15:30 240,544 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-04-05 08:06:14 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-04-04 06:36:49 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_938.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="c:\program files\Common Files\AOL\1118558958\ee\AOLSoftware.exe" [2008-06-24 41824]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-04-28 53248]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-28 515416]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 34880]

c:\documents and settings\Mikey\Start Menu\Programs\Startup\
LimeWire On Startup.lnk.disabled [2008-11-29 1587]

c:\documents and settings\Patty\Start Menu\Programs\Startup\
LimeWire On Startup.lnk.disabled [2009-02-23 1587]

c:\documents and settings\Steve\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-04-16 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.lsvx"= c:\windows\system32\lsvxdec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk
backup=c:\windows\pss\dlbcserv.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^BOINC Manager.lnk]
path=c:\documents and settings\Steve\Start Menu\Programs\Startup\BOINC Manager.lnk
backup=c:\windows\pss\BOINC Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 05:50 71216 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2005-05-31 05:33 122941 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2007-03-19 05:58 82864 c:\program files\Lexmark 5400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 09:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 09:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 14:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
--a------ 2006-07-12 22:22 57344 c:\program files\Lexmark 1200 Series\lxczbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-03-12 07:25 11776 c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-01-10 20:58 7286784 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-01-10 20:58 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-06-03 03:52 36975 c:\program files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-10 23:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-01-10 20:58 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2004-06-10 14:51 60928 c:\windows\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"lxct_device"=2 (0x2)
"ITMRTSVC"=2 (0x2)
"DSBrokerService"=3 (0x3)
"IDriverT"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"CTSysVol"=c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
"AOLDialer"=c:\program files\Common Files\AOL\ACS\AOLDial.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"WinampAgent"="c:\program files\Winamp\winampa.exe"
"Lexmark 5400 Series Fax Server"="c:\program files\Lexmark 5400 Series\fm3032.exe" /s
"lxctmon.exe"="c:\program files\Lexmark 5400 Series\lxctmon.exe"
"LXCTCATS"=rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe"
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe"
"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1118558958\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1118558958\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\WINDOWS\\system32\\lxctcoms.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Surround Mixer\\CTSysVol.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 gupdate1c99af84045d9ba;Google Update Service (gupdate1c99af84045d9ba);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-01 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
S2 PDRJNDL;PDRJNDL;\??\g:\data\WORK\VitaGen\Vgen Docs\Dek\PDL\PDRJNDL.SYS --> g:\data\WORK\VitaGen\Vgen Docs\Dek\PDL\PDRJNDL.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\start.exe welcome.dbd

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-05 c:\windows\Tasks\Ad-Aware Update (Daily).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-28 23:56]

2009-04-05 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-01 22:31]

2009-03-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-04-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2009-04-03 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 15:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\wkhqaxag.default\
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 13:22:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'winlogon.exe'(280)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-04-05 13:27:04
ComboFix-quarantined-files.txt 2009-04-05 20:25:51
ComboFix2.txt 2009-04-03 21:02:43

Pre-Run: 37,769,293,824 bytes free
Post-Run: 37,743,800,320 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

638 --- E O F --- 2009-04-03 03:32:19

sdxn2400134
2009-04-05, 23:48
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:18 PM, on 4/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\AOL\1118558958\ee\AOLSoftware.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1118558958\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8/McUpdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121835894750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208355050890
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.custhelp.com/7520-b289h-turbotax/rnl/java/RntX.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Update Service (gupdate1c99af84045d9ba) (gupdate1c99af84045d9ba) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 7814 bytes

sdxn2400134
2009-04-06, 00:17
The problem is back where I can't launched programs. I get a system message saying the program has encountered a problem and must close. :sad:

This just started after following your last instructions.

sdxn2400134
2009-04-06, 03:24
It says I need the following required software: Microsoft .net framework 2.0 (something like that)

Shaba
2009-04-06, 07:10
Well it might not be malware related issue.

Which programs you are unable to launch?

sdxn2400134
2009-04-06, 10:16
That has been a source of confusion: not knowing if the virus/malware is shutting programs down, or if there is something wrong with windows.

To answer your question, most all programs that I try to start will launch, then immediately close. One exception is Foxfire. However, many programs that wont launch in normal mode, will launch in safe mode.

However...:alien: I downloaded and installed that program windows said I needed.... .net framework 2.0 and also its latest patch #3. And now everything seems to be working okay again!

So hopefully, this was the problem.

Shaba
2009-04-06, 10:21
Great :)

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select ''Run as administrator'' to perform this scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)

sdxn2400134
2009-04-06, 10:23
Several posts back, you asked me to paste the code box text into ComboFix.

I did this and posted the new Combofix and HJT logs.

sdxn2400134
2009-04-06, 11:25
Great :)


It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.[/list]

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)

I wasnt prompted to run/install a program.

Under settings, I see:
Detect malicious programs of the following categories:
Viruses, Worms, Trojan Horses, Rootkits
Spyware, Adware, Dialers, and other potentially dangerous programs
Scan compound files (doesn't apply to the File scan area):
Archives
Mail databases

All are ticked, except the first line (Viruses, ...) is gray ticked.

Should I scan "critical areas" or just "My Computer"?

Shaba
2009-04-06, 12:49
My Computer would be the one :)

sdxn2400134
2009-04-06, 12:59
Ok, I have "my computer" scanning. Its at 8% after an hour and 20 min. Going to take a while.

Another problem: when i type, letters start reversing order. what is this?

Shaba
2009-04-06, 14:17
That might be due to keyboard. I don't think it is caused by any malware.

sdxn2400134
2009-04-06, 21:22
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:07 AM, on 4/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxduserv.exe
C:\WINDOWS\system32\lxducoms.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1118558958\ee\AOLSoftware.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Program Files\Lexmark 5600-6600 Series\lxduMsdMon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Steve\Local Settings\temp\jkos-Steve\binaries\ScanningProcess.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Common Files\AOL\1118558958\EE\anotify.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1118558958\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [lxdumon.exe] "C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe"
O4 - HKLM\..\Run: [lxduamon] "C:\Program Files\Lexmark 5600-6600 Series\lxduamon.exe"
O4 - HKLM\..\Run: [Lexmark 5600-6600 Series Fax Server] "C:\Program Files\Lexmark 5600-6600 Series\fm3032.exe" /s
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8/McUpdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121835894750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208355050890
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.custhelp.com/7520-b289h-turbotax/rnl/java/RntX.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Update Service (gupdate1c99af84045d9ba) (gupdate1c99af84045d9ba) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: lxduCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxduserv.exe
O23 - Service: lxdu_device - - C:\WINDOWS\system32\lxducoms.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 9026 bytes

sdxn2400134
2009-04-06, 21:30
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, April 6, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, April 06, 2009 07:37:15
Records in database: 2017019
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 125729
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 07:23:40


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\rojpcck.exe.vir Infected: Trojan.Win32.Agent2.gwm 1
G:\Steve's Backup 03-30-09\Documents and Settings\Mikey\Local Settings\Temporary Internet Files\Content.IE5\M08O8NLX\ase[1].htm Infected: Trojan-Downloader.JS.LuckySploit.e 1

The selected area was scanned.

Shaba
2009-04-06, 21:39
Empty this folder:

C:\Qoobox\Quarantine

Empty Recycle bin.

Still problems?

sdxn2400134
2009-04-07, 00:00
I dragged the contents of Qoobox to the recycle bin and emptied it.

What about the other infected file?

Shaba
2009-04-07, 07:17
It is in backup folder.

Feel free to empty this:

G:\Steve's Backup 03-30-09\Documents and Settings\Mikey\Local Settings\Temporary Internet Files\Content.IE5\M08O8NLX

Some other issues left?

sdxn2400134
2009-04-07, 10:37
Everything is running fine.

Thank you very much for all your help! :2thumb:

Steve

Shaba
2009-04-07, 12:05
Great :)

Then let's clean some leftovers before final instructions.

Open HijackThis, click do a system scan only and checkmark these:


O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

Close all windows including browser and press fix checked.

Reboot.

Post back a fresh Hijackthis log.

sdxn2400134
2009-04-08, 21:23
Followed your instructions and rebooted.

After rebooting, it took a very long time for me to log in (load settings, etc.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:23 AM, on 4/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxduserv.exe
C:\WINDOWS\system32\lxducoms.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\AOL\1118558958\ee\AOLSoftware.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Program Files\Lexmark 5600-6600 Series\lxduMsdMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1118558958\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [lxdumon.exe] "C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe"
O4 - HKLM\..\Run: [lxduamon] "C:\Program Files\Lexmark 5600-6600 Series\lxduamon.exe"
O4 - HKLM\..\Run: [Lexmark 5600-6600 Series Fax Server] "C:\Program Files\Lexmark 5600-6600 Series\fm3032.exe" /s
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8/McUpdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121835894750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208355050890
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.custhelp.com/7520-b289h-turbotax/rnl/java/RntX.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Update Service (gupdate1c99af84045d9ba) (gupdate1c99af84045d9ba) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: lxduCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxduserv.exe
O23 - Service: lxdu_device - - C:\WINDOWS\system32\lxducoms.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 8738 bytes

Shaba
2009-04-08, 21:31
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Please download JavaRa (http://sourceforge.net/project/downloading.php?groupname=javara&filename=JavaRa.zip&use_mirror=osdn) and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***

Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.

Then download and install Java Runtime Environment (JRE) 6 Update 13 (http://java.sun.com/javase/downloads/index.jsp)

Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft''s Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes'' Anti-Malware - Malwarebytes'' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)

Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)

Happy surfing and stay clean! :bigthumb:

sdxn2400134
2009-04-08, 21:38
I am having problem again launching programs. For example, Spybot wont launch. It says Spybot encountered a problem and needs to close.

Shaba
2009-04-08, 21:54
Then that might indicate hardware issues.

Is it OK to redirect you some windows forum for that?

sdxn2400134
2009-04-08, 22:10
Then download and install Java Runtime Environment (JRE) 6 Update 13 (http://java.sun.com/javase/downloads/index.jsp)

I am having problems getting the file to run.

sdxn2400134
2009-04-08, 22:16
Then that might indicate hardware issues.

Is it OK to redirect you some windows forum for that?

Sure, that is fine!

sdxn2400134
2009-04-09, 08:13
I only followed your instructions up to
"install Java Runtime Environment (JRE) 6 Update 13".

I cant install this Java program because I can't launch the set up file that I downloaded from the Sun site.

sdxn2400134
2009-04-09, 11:40
In my first post, I stated, "I have made numerous changes to startup using spybot and msconfig." The reason I did this is that I was afraid that some of these startup programs were malware. Therefore I liberally unchecked the startup programs.

I just opened msconfig and went to the startup tab. There I rechecked most everything except programs that I know for sure I dont need.

I rebooted, and programs are now launching okay now.

Hopefully, none of the startup programs that I checked in msconfig are malware.

I just installed the updated version of Java and will continue with your instructions as time permits.

Shaba
2009-04-09, 12:11
OK, let me know if you have problems with them :)

sdxn2400134
2009-04-10, 23:26
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/10/2009 1:11:12 PM
mbam-log-2009-04-10 (13-10-48).txt

Scan type: Quick Scan
Objects scanned: 99806
Time elapsed: 17 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Shaba
2009-04-11, 11:48
Those are not necessarily infected.

Have you set that windows doesn't supervise antivirus and updates status?

sdxn2400134
2009-04-11, 12:10
I dont know. Should I set windows to not supervise updates?

If so, how do I do that?

Shaba
2009-04-11, 12:56
It is your option :)

That can be done via security center.

Does mbam find those upon rescan?

sdxn2400134
2009-04-11, 14:19
I am currently doing a full scan using Anti-Malware.

Spybot and Ad-Aware did not find anything in safe mode (except some cookies).

Upon reboot, Windows Defender popped up and said it found two viruses which I deleted:

vundo.gen!G
Hilotigen!A

I am having the program launch problem again.

Shaba
2009-04-11, 14:32
OK, keep me informed :)

sdxn2400134
2009-04-11, 23:24
The scan is done. It found the same two items as before.

What should i do?

sdxn2400134
2009-04-12, 00:05
this seems to be the main problem now. combofix appeared to fix this before. May I run combofix again?

Shaba
2009-04-12, 10:35
MBAM findings are not necessarily bad, they are just not default values.

Did you let MBAM to remove them last time?

sdxn2400134
2009-04-12, 11:04
I didnt do anything with them, and the program is no longer open.

sdxn2400134
2009-04-12, 11:16
I have been looking at the event viewer. I see the following problems:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 4/3/2009
Time: 1:43:33 PM
User: N/A
Computer: DELL-DIXON
Description:
The PDRJNDL service failed to start due to the following error:
The system cannot find the path specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

...and...

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 4/10/2009
Time: 11:29:04 PM
User: N/A
Computer: DELL-DIXON
Description:
The following boot-start or system-start driver(s) failed to load:
AFD
Fips
intelppm
IPSec
mfehidk
MPFP
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip
Tcpip6

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Shaba
2009-04-12, 14:07
Then please rescan with mbam and let it remove them.

Yes it looks like that for some reason not all drivers are unable to start.

Please go to start - run - services.msc and tell me if they are now running.

sdxn2400134
2009-04-13, 10:23
I did a full scan of my c drive with mbam this morning. It picked up the same two items. I pressed delete, but mbam appears to freeze...so I am not sure if they got deleted. I will have to scan with mbam again to find out!

I ran NTREGOPT a few times to clean up the register. It has an error with the first hive, but gets through the rest okay.

I ran services.msc. I dont see any of those drivers listed above, with the exception of IPSec and TCP/IP.

When I logged on tonight, I got several logon error messages...but the launch problem is gone (I dont know for how long though). I then made sure that spybot and ad-aware is up to date.

Shaba
2009-04-13, 10:33
That might indicate problems with windows installation (error in registry, launching issues and logon errors).

If that launching problem persists, I would suggest repair installation of windows.

sdxn2400134
2009-04-14, 09:52
I didnt receive any windows disks when I bought this Dell computer. It is running Windows XP Pro.

A while ago, a friend gave me an installation disk for this OS. A few weeks ago (before I came to these forums), I tried to do a repair installation (you tell it to upgrade, even though its the same OS). When the screen comes up and I click "Install Windows", nothing happens. I tried it in normal and safe modes.

sdxn2400134
2009-04-14, 09:53
I scanned in safe mode and removed the 2 items. I then scanned again, and it came up clean.

Shaba
2009-04-14, 11:43
If it is Dell, there should be a recovery partition included in hard drive which you can use if needed.

sdxn2400134
2009-04-15, 09:54
I vaguely remember reformatting and reinstalling windows of this hard drive. So I don't think there is a recovery partition now. I don't see it in "My Computer".

Would it show up in one of the diagnostic programs that we ran?

Shaba
2009-04-15, 11:25
Usually it would show as D: drive.

If there is none, then you should ask for disks from Dell.

Shaba
2009-04-19, 11:35
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.

tashi
2009-04-20, 19:06
Thank you Shaba. :)