Thanks for the submission. I shall wait for your reply.
Microsoft Windows Insider MVP 2016-2020
Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
If you have problems create a thread in the forum, please.
Malware removal instructions are for the correspondent user's case only.
Okay, I downloaded ATF Cleaner and successfully cleaned up the mentioned files. I get to the Kaspersky online scan and I get this message:
Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program.
Not sure where to go from there. A Java icon did pop up in the tray on the right-hand side, giving me options to change settings, but I'm not about to play around with something I'm unfamiliar with :(
Please try this alternative scanner instead:
Download the latest version of Kaspersky Virus Removal Tool.
* Close all other applications and double-click and run the installer.
* When AVPTool starts, select all the scannable items except for CD-ROM drives and click the Scan button.
* If malware is detected, don't remove anything.
* After the scan finishes, don't neutralize anything.
* In the Scan window click the Reports button and select Save to file.
* Name the report AVPT.txt, and save it to the Desktop.
* Close AVPTool.
* You will be prompted if you want to uninstall the program; click Yes.
* You will then be prompted that, to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
* Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.
Wow, that scan took all night. Here's the report; doesn't look good...
Scan
----
Scanned: 490273
Detected: 22
Untreated: 22
Start time: 10/7/2009 5:54:13 PM
Duration: 13:17:29
Finish time: 10/8/2009 7:11:42 AM
Detected
--------
Status Object
------ ------
detected: Trojan program Trojan-Downloader.Win32.Mufanom.ddy File: C:\qoobox\Quarantine\[4]-Submit_2009-10-04_12.31.24.zip/carcpc.dll
detected: Trojan program Backdoor.Win32.Bredolab.bp File: C:\qoobox\Quarantine\C\Documents and Settings\Spiderman\Start Menu\Programs\Startup\ikowin32.exe.vir
detected: Trojan program Trojan.Win32.ExeDot.mq File: C:\qoobox\Quarantine\C\Program Files\Common\helper.dll.vir
detected: Trojan program Trojan.Win32.ExeDot.mq File: C:\qoobox\Quarantine\C\Program Files\Common\_helper.dll.vir
detected: virus Worm.Win32.Pinit.aj File: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\aston.mt.vir
detected: Trojan program Backdoor.Win32.NewRest.hx File: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\3e3b0e9.sys.vir
detected: virus Virus.Win32.Protector.b File: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\ndis.sys.vir
detected: Trojan program Backdoor.Win32.NewRest.hx File: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_3e3b0e9_.sys.zip/3e3b0e9.sys
detected: Trojan program Backdoor.Win32.NewRest.hx File: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_3e3b0e9_.sys.zip/3e3b0e9.sys.1
detected: Trojan program Trojan-Downloader.Win32.Mufanom.ddy File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP536\A0085554.dll
detected: Trojan program Trojan-Downloader.Win32.Mufanom.dfd File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP537\A0085560.dll
detected: virus Virus.Win32.Protector.b File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0088370.sys
detected: virus Virus.Win32.Protector.b File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0088371.sys
detected: Trojan program Backdoor.Win32.Bredolab.bp File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0088372.exe
detected: Trojan program Trojan.Win32.ExeDot.mq File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0088373.dll
detected: Trojan program Trojan.Win32.ExeDot.mq File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0088374.dll
detected: Trojan program Backdoor.Win32.NewRest.hx File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0088592.sys
detected: pornware not-a-virus:Porn-Downloader.Win32.StripSaver.a File: C:\WINDOWS\Downloaded Program Files\StripSaver_116.EXE//WISE0001.BIN
detected: Trojan program Trojan.Win32.Patched.dr File: C:\WINDOWS\SYSTEM32\dhero
detected: Trojan program Trojan-Spy.Win32.Agent.azgv File: C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\podli[1].exe//#
detected: Trojan program Trojan-Downloader.Win32.FraudLoad.feh File: C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\b[1].exe
detected: Trojan program Trojan-Spy.Win32.Zbot.gen File: C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\Z[1].exe
Hi,
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\Downloaded Program Files\StripSaver_116.EXE
C:\WINDOWS\SYSTEM32\dhero
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\podli[1].exe
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\b[1].exe
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\Z[1].exe
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & fresh dds.txt log. How's the system running?
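The CFScript in the post above lists only the detections that are still live on disk: the copies already sitting in ComboFix's qoobox quarantine and in the System Restore snapshots are left out. The script below is an added example, not part of the thread and not code from Kaspersky or ComboFix, that automates that triage: it parses the AVPTool "Detected" lines, strips the archive-member suffix the scanner appends (the "//WISE0001.BIN" and "//#" parts), classifies each path by where it lives, and emits the File:: block. The report text is a constructed, abridged sample in the thread's format, and the two path prefixes used for classification are assumptions about where ComboFix and System Restore keep their copies.

```python
r"""Triage an AVPTool (Kaspersky Virus Removal Tool) report and build the
ComboFix CFScript "File::" block from the hits that are still live on disk.

Added example; not code from the forum post or from either tool.
"""
import re
from collections import Counter

# Constructed sample, abridged from the report posted in the thread (same format).
SAMPLE_REPORT = r"""
Detected
--------
Status Object
------ ------
detected: Trojan program Trojan-Downloader.Win32.Mufanom.ddy File: C:\qoobox\Quarantine\[4]-Submit_2009-10-04_12.31.24.zip/carcpc.dll
detected: Trojan program Backdoor.Win32.Bredolab.bp File: C:\qoobox\Quarantine\C\Documents and Settings\Spiderman\Start Menu\Programs\Startup\ikowin32.exe.vir
detected: Trojan program Trojan-Downloader.Win32.Mufanom.ddy File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP536\A0085554.dll
detected: pornware not-a-virus:Porn-Downloader.Win32.StripSaver.a File: C:\WINDOWS\Downloaded Program Files\StripSaver_116.EXE//WISE0001.BIN
detected: Trojan program Trojan.Win32.Patched.dr File: C:\WINDOWS\SYSTEM32\dhero
detected: Trojan program Trojan-Spy.Win32.Agent.azgv File: C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\podli[1].exe//#
detected: Trojan program Trojan-Spy.Win32.Zbot.gen File: C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\Z[1].exe
"""

# One "detected:" line: verdict text, then "File:" and the object the scanner flagged.
LINE_RE = re.compile(r"^detected:\s+(?P<verdict>.+?)\s+File:\s+(?P<obj>.+)$")

# Assumed locations of inert copies: ComboFix's quarantine and System Restore's store.
QUARANTINE_PREFIX = r"c:\qoobox\quarantine"
RESTORE_PREFIX = r"c:\system volume information\_restore"


def container_path(obj):
    """Drop the archive-member suffix ('/member' or '//member') so that
    'StripSaver_116.EXE//WISE0001.BIN' becomes the file that exists on disk.
    Windows paths in the report use backslashes only, so the first '/' is the cut."""
    return obj.split("/", 1)[0]


def classify(path):
    """'quarantine' and 'restore_point' hits are already inactive copies;
    anything else is a live file that the CFScript has to remove."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIX):
        return "quarantine"
    if p.startswith(RESTORE_PREFIX):
        return "restore_point"
    return "live"


def parse_report(text):
    """Return one dict per 'detected:' line; headers and separators are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = container_path(m.group("obj"))
        hits.append({"verdict": m.group("verdict"), "object": m.group("obj"),
                     "path": path, "location": classify(path)})
    return hits


def summarize(hits):
    """Counts per location, e.g. {'quarantine': 2, 'restore_point': 1, 'live': 4}."""
    return dict(Counter(h["location"] for h in hits))


def build_cfscript(hits):
    """Emit the CFScript File:: block: live paths only, in report order, no duplicates."""
    paths = []
    for h in hits:
        if h["location"] == "live" and h["path"] not in paths:
            paths.append(h["path"])
    return "\n".join(["File::"] + paths)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    print(build_cfscript(found))
```

Running it prints the per-location counts and then the File:: block, which for this sample contains the StripSaver, dhero, podli[1].exe and Z[1].exe paths and nothing from qoobox or the restore points. Those two groups are left out on purpose: the quarantined .vir copies and the restore-point copies are not executable from where they sit, and restore points are normally purged as a single final cleanup step rather than edited file by file.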
When I pasted the text file on ComboFix, the first thing that happened was an update for ComboFix. It restarted after updating, but I think it got the files, as they're mentioned in the log. The dds.txt log will follow shortly.
Machine is running pretty well, a lot faster than it was before this mess. Thanks again for your help.
ComboFix 09-10-07.05 - Spiderman 10/08/2009 17:21.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.242 [GMT -4:00]
Running from: c:\documents and settings\Spiderman\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Spiderman\Desktop\CFScript.txt
FILE ::
"c:\windows\Downloaded Program Files\StripSaver_116.EXE"
"c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\podli[1].exe"
"c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\b[1].exe"
"c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\Z[1].exe"
"c:\windows\SYSTEM32\dhero"
file zipped: c:\windows\Downloaded Program Files\StripSaver_116.EXE
file zipped: c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\podli[1].exe
file zipped: c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\b[1].exe
file zipped: c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\Z[1].exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\StripSaver_116.EXE
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\podli[1].exe
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\b[1].exe
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\Z[1].exe
c:\windows\SYSTEM32\dhero
.
((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))
.
2009-10-07 21:53 . 2009-10-08 11:15 790560 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-05 22:15 . 2009-10-05 22:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-04 17:37 . 2009-10-04 17:39 -------- d-----w- c:\windows\system32\Adobe
2009-10-04 17:18 . 2009-10-04 17:18 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-04 17:16 . 2009-10-05 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-04 17:09 . 2009-10-04 17:09 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-09-12 19:11 . 2009-09-12 19:11 -------- d-----w- c:\windows\system32\wbem\Repository
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 11:15 . 2009-10-07 21:53 10340 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-07 21:53 . 2007-11-22 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-10-05 22:15 . 2004-05-19 15:18 -------- d-----w- c:\program files\Java
2009-10-05 21:51 . 2007-09-16 20:15 -------- d-----w- c:\program files\PeerGuardian2
2009-10-04 17:21 . 2004-07-20 03:08 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-04 17:08 . 2005-09-25 02:53 -------- d-----w- c:\program files\AIM
2009-10-04 17:08 . 2005-09-25 02:53 -------- d-----w- c:\documents and settings\Spiderman\Application Data\Aim
2009-10-04 13:21 . 2002-08-29 10:00 182656 ------w- c:\windows\system32\drivers\ndis.sys
2009-09-30 00:02 . 2005-12-30 00:37 -------- d-----w- c:\program files\Common Files\KnifeEdge
2009-09-14 21:38 . 2005-07-13 03:08 -------- d-----w- c:\program files\Program Files
2009-09-12 19:10 . 2009-03-15 00:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-03 03:58 . 2004-07-09 22:13 118440 ----a-w- c:\documents and settings\Spiderman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-25 21:35 . 2009-08-25 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\10983904
2009-08-06 23:24 . 2004-08-12 15:45 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-12 15:45 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-12 15:45 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2002-08-29 10:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2002-08-29 10:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-12 15:45 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2006-11-02 22:34 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2006-11-02 22:34 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2002-08-29 10:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl(3)(3).dll
2009-07-14 03:43 . 2004-08-11 05:45 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2005-08-21 16:42 . 2005-06-27 23:17 905 -c--a-w- c:\program files\uninstal.log
2006-01-11 06:41 . 2004-08-29 00:07 56 --sh--r- c:\windows\SYSTEM32\6BBF71BA10.sys
2006-09-24 00:47 . 2004-08-29 00:07 10856 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-10-04_14.11.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-05 20:55 . 2009-08-06 23:24 44768 c:\windows\SYSTEM32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2009-10-05 20:55 . 2009-08-06 23:24 35552 c:\windows\SYSTEM32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2009-10-04 17:43 . 2009-10-04 17:43 88589 c:\windows\SYSTEM32\Macromed\Flash\uninstall_activeX.exe
+ 2004-08-12 15:45 . 2009-08-06 23:24 35552 c:\windows\SYSTEM32\DLLCACHE\wups.dll
+ 2002-08-29 10:00 . 2009-08-06 23:24 53472 c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
+ 2002-08-29 10:00 . 2009-08-06 23:24 96480 c:\windows\SYSTEM32\DLLCACHE\cdm.dll
+ 2009-10-04 17:38 . 2009-10-04 17:38 87618 c:\windows\SYSTEM32\Adobe\Shockwave 11\uninstaller.exe
+ 2009-07-31 13:26 . 2009-07-31 13:26 94208 c:\windows\SYSTEM32\Adobe\Shockwave 11\SwMenu.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 79488 c:\windows\SYSTEM32\Adobe\Shockwave 11\gtapi.dll
+ 2009-07-31 13:42 . 2009-07-31 13:42 67000 c:\windows\SYSTEM32\Adobe\Director\SWDNLD.EXE
+ 2009-10-04 17:18 . 2009-10-04 17:18 21504 c:\windows\Installer\6c7a1.msi
+ 2009-10-04 17:18 . 2009-10-04 17:18 27648 c:\windows\Installer\6c79c.msi
+ 2009-07-31 13:28 . 2009-07-31 13:28 9216 c:\windows\SYSTEM32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2009-10-04 17:09 . 2009-10-04 17:09 2560 c:\windows\_MSRSTRT.EXE
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil10c.exe
+ 2009-10-05 22:15 . 2009-10-05 22:15 149280 c:\windows\SYSTEM32\javaws.exe
+ 2009-10-05 22:15 . 2009-10-05 22:15 145184 c:\windows\SYSTEM32\javaw.exe
+ 2009-10-05 22:15 . 2009-10-05 22:15 145184 c:\windows\SYSTEM32\java.exe
+ 2004-08-12 15:45 . 2009-08-06 23:24 209632 c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
+ 2004-08-12 15:45 . 2009-08-06 23:24 327896 c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
+ 2004-08-12 15:45 . 2009-08-06 23:23 575704 c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 132472 c:\windows\SYSTEM32\Adobe\Shockwave 11\SYMCCHECKER.DLL
+ 2009-07-31 13:26 . 2009-07-31 13:26 114688 c:\windows\SYSTEM32\Adobe\Shockwave 11\SwInit.exe
+ 2009-07-31 13:40 . 2009-07-31 13:40 468408 c:\windows\SYSTEM32\Adobe\Shockwave 11\SwHelper_1151601.exe
+ 2009-07-31 13:28 . 2009-07-31 13:28 446464 c:\windows\SYSTEM32\Adobe\Shockwave 11\Proj.dll
+ 2009-07-31 13:26 . 2009-07-31 13:26 372736 c:\windows\SYSTEM32\Adobe\Shockwave 11\Plugin.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 714752 c:\windows\SYSTEM32\Adobe\Shockwave 11\gi.dll
+ 2009-07-31 13:25 . 2009-07-31 13:25 614400 c:\windows\SYSTEM32\Adobe\Shockwave 11\Control.dll
+ 2009-07-31 13:41 . 2009-07-31 13:41 206264 c:\windows\SYSTEM32\Adobe\Director\SwDir.dll
+ 2009-07-31 13:27 . 2009-07-31 13:27 131072 c:\windows\SYSTEM32\Adobe\Director\np32dsw.dll
+ 2009-01-18 20:05 . 2009-01-18 20:05 675840 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\JP2KLib.dll
+ 2002-08-29 10:00 . 2009-08-06 23:23 1929952 c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
+ 2009-07-31 13:00 . 2009-07-31 13:00 1011712 c:\windows\SYSTEM32\Adobe\Shockwave 11\iml32.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 1886320 c:\windows\SYSTEM32\Adobe\Shockwave 11\gt.exe
+ 2009-07-31 13:04 . 2009-07-31 13:04 1798144 c:\windows\SYSTEM32\Adobe\Shockwave 11\dirapi.dll
+ 2009-10-04 17:21 . 2009-10-04 17:21 3938816 c:\windows\Installer\6c7a6.msi
+ 2009-10-04 17:36 . 2009-10-04 17:36 1697792 c:\windows\Installer\143596.msp
+ 2009-10-04 17:34 . 2009-10-04 17:34 6653952 c:\windows\Installer\143588.msp
+ 2009-10-04 17:32 . 2009-10-04 17:32 2150400 c:\windows\Installer\143564.msp
+ 2009-10-05 22:15 . 2009-10-05 22:15 1757696 c:\windows\Installer\102ee5.msi
+ 2008-12-18 20:48 . 2008-12-18 20:48 3645440 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\authplay.dll
+ 2009-02-27 20:37 . 2009-02-27 20:37 20403568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-05-12 6729728]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-05 149280]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\SYSTEM32\nvmctray.dll [2005-05-12 86016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^clippy.exe]
path=c:\documents and settings\Spiderman\Start Menu\Programs\Startup\clippy.exe
backup=c:\windows\pss\clippy.exeStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^Magnifier.lnk]
path=c:\documents and settings\Spiderman\Start Menu\Programs\Startup\Magnifier.lnk
backup=c:\windows\pss\Magnifier.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=c:\documents and settings\Spiderman\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=c:\windows\pss\Stardock ObjectDock.lnkStartup
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Insider"=c:\program files\Insider\Insider.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\bak\qttask.exe" -atboottime
"nwiz"=nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\SYSTEM32\\lxczcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\FRegister.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\BCGUpdate.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\Summitsoft Products.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\BCGFonts.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\Splash_LDS.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Shop\\Splash Series 1_Oct132008.exe"=
S3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [8/13/2006 9:48 AM 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\SYSTEM32\DRIVERS\BrParImg.sys [8/13/2006 9:48 AM 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\SYSTEM32\DRIVERS\BrParwdm.sys [8/13/2006 9:48 AM 39552]
S3 BrSerWDM;Brother Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [8/13/2006 9:48 AM 60416]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\SPIDER~1\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\SPIDER~1\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 SaiNtSub;SaiNtSub;c:\windows\SYSTEM32\DRIVERS\SaiNtSub.sys [2/4/2005 10:28 PM 19200]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.98rock.com/cc-common/babes/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: &Search
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - hxxp://download.newaol.com/bkpromo/download/PerformerSetup.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-08 17:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1665667976-894762885-3311537992-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-10-08 17:37
ComboFix-quarantined-files.txt 2009-10-08 21:36
ComboFix2.txt 2009-10-04 16:54
ComboFix3.txt 2009-10-04 14:17
ComboFix4.txt 2007-11-30 03:16
Pre-Run: 4,294,623,232 bytes free
Post-Run: 4,333,191,168 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
227 --- E O F --- 2009-08-27 21:59
Upload was successful
Here's the dds.txt
DDS (Ver_09-09-29.01) - NTFSx86
Run by Spiderman at 17:44:49.95 on Thu 10/08/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.214 [GMT -4:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Spiderman\Desktop\dds.pif
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.98rock.com/cc-common/babes/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: dsWebAllowBHO Class: {2f85d76c-0569-466f-a488-493e6bd0e955} - c:\program files\windows desktop search\dsWebAllow.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: &Search
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {205FF73B-CA67-11D5-99DD-444553540000} - hxxp://66.154.44.68/cam/Install.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - hxxps://cs7b.instantservice.com/jars/customerxsigned42.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - hxxp://download.newaol.com/bkpromo/download/PerformerSetup.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
============= SERVICES / DRIVERS ===============
R2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe -service --> c:\windows\system32\lxczcoms.exe -service [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2006-8-13 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2006-8-13 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2006-8-13 39552]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2006-8-13 60416]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\spider~1\locals~1\temp\dmskssrh.sys --> c:\docume~1\spider~1\locals~1\temp\DMSKSSRh.sys [?]
S3 SaiNtSub;SaiNtSub;c:\windows\system32\drivers\SaiNtSub.sys [2005-2-4 19200]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
=============== Created Last 30 ================
2009-10-07 17:53 790,560 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-10-07 17:53 10,340 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-10-07 13:01 9,769 a------- C:\01.gif
2009-10-05 18:15 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-05 18:15 73,728 a------- c:\windows\system32\javacpl.cpl
2009-10-04 13:37 <DIR> --d----- c:\windows\system32\Adobe
2009-10-04 13:09 2,560 a------- c:\windows\_MSRSTRT.EXE
2009-10-04 09:23 <DIR> a-dshr-- C:\cmdcons
2009-10-04 09:20 229,888 a------- c:\windows\PEV.exe
2009-10-04 09:20 161,792 a------- c:\windows\SWREG.exe
2009-10-04 09:20 98,816 a------- c:\windows\sed.exe
2009-09-12 15:11 <DIR> --d----- c:\windows\system32\wbem\Repository
==================== Find3M ====================
2009-10-04 09:21 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-10-04 09:21 182,656 -------- c:\windows\system32\drivers\ndis.sys
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-07-19 09:33 3,597,824 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 09:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl(3)(3).dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2007-03-29 09:13 87,608 a------- c:\docume~1\spider~1\applic~1\ezpinst.exe
2007-03-29 09:13 47,360 a------- c:\docume~1\spider~1\applic~1\pcouffin.sys
2005-08-21 12:42 905 ac------ c:\program files\uninstal.log
2004-07-09 19:24 784 a------- c:\docume~1\spider~1\applic~1\mpauth.dat
2006-01-11 02:41 56 ---shr-- c:\windows\system32\6BBF71BA10.sys
2006-09-23 20:47 10,856 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-09 23:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020920090210\index.dat
============= FINISH: 17:45:42.92 ===============
and attach.txt, if needed.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-09-29.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/9/2004 6:12:37 PM
System Uptime: 10/8/2009 7:15:54 AM (10 hours ago)
Motherboard: Dell Computer Corp. | | 0C2425
Processor: Intel(R) Celeron(R) CPU 2.50GHz | Microprocessor | 2491/400mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 71 GiB total, 4.061 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) 537EP V9x DFV PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&3B1CAF2B&0&30F0
Manufacturer: Intel Corporation
Name: Intel(R) 537EP V9x DFV PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&3B1CAF2B&0&30F0
Service: Modem
Class GUID: {4D36E980-E325-11CE-BFC1-08002BE10318}
Description: Floppy disk drive
Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&C4AE404&0&0
Manufacturer: (Standard floppy disk drives)
Name: Floppy disk drive
PNP Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&C4AE404&0&0
Service: flpydisk
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: ATI WDM TV Tuner (Microsoft)
Device ID: ROOT\LEGACY_ATITUNEP\0000
Manufacturer:
Name: ATI WDM TV Tuner (Microsoft)
PNP Device ID: ROOT\LEGACY_ATITUNEP\0000
Service: ATITUNEP
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: ATI WDM TV Audio Crossbar (Microsoft)
Device ID: ROOT\LEGACY_ATIXSAUDIO\0000
Manufacturer:
Name: ATI WDM TV Audio Crossbar (Microsoft)
PNP Device ID: ROOT\LEGACY_ATIXSAUDIO\0000
Service: ATIXSAudio
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: ATI WDM Specialized MVD Codec (Microsoft)
Device ID: ROOT\LEGACY_MVDCODEC\0000
Manufacturer:
Name: ATI WDM Specialized MVD Codec (Microsoft)
PNP Device ID: ROOT\LEGACY_MVDCODEC\0000
Service: MVDCODEC
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: ATI WDM Specialized PCD Codec (Microsoft)
Device ID: ROOT\LEGACY_PCDCODEC\0000
Manufacturer:
Name: ATI WDM Specialized PCD Codec (Microsoft)
PNP Device ID: ROOT\LEGACY_PCDCODEC\0000
Service: PCDCODEC
==== System Restore Points ===================
RP536: 9/11/2009 6:08:04 PM - Restore Operation
RP537: 9/12/2009 3:07:10 PM - Restore Operation
RP538: 9/13/2009 3:49:33 PM - System Checkpoint
RP539: 9/14/2009 4:58:05 PM - System Checkpoint
RP540: 9/15/2009 5:29:48 PM - System Checkpoint
RP541: 9/16/2009 6:30:49 PM - System Checkpoint
RP542: 9/17/2009 7:03:11 PM - System Checkpoint
RP543: 9/18/2009 7:29:50 PM - System Checkpoint
RP544: 9/19/2009 8:57:54 PM - System Checkpoint
RP545: 9/20/2009 9:29:33 PM - System Checkpoint
RP546: 9/21/2009 9:36:49 PM - System Checkpoint
RP547: 9/22/2009 11:56:59 PM - System Checkpoint
RP548: 9/24/2009 12:34:10 AM - System Checkpoint
RP549: 9/25/2009 1:02:38 AM - System Checkpoint
RP550: 9/26/2009 2:02:31 AM - System Checkpoint
RP551: 9/27/2009 3:02:46 AM - System Checkpoint
RP552: 9/28/2009 4:02:32 AM - System Checkpoint
RP553: 9/29/2009 7:45:36 AM - System Checkpoint
RP554: 9/30/2009 8:44:28 AM - System Checkpoint
RP555: 10/1/2009 9:44:27 AM - System Checkpoint
RP556: 10/2/2009 10:44:17 AM - System Checkpoint
RP557: 10/3/2009 11:21:28 AM - System Checkpoint
RP558: 10/4/2009 11:59:28 AM - System Checkpoint
RP559: 10/4/2009 1:07:37 PM - Removed Adobe Reader 7.0
RP560: 10/4/2009 1:20:16 PM - Installed Adobe Reader 9.1.
RP561: 10/5/2009 5:47:49 PM - Removed Java 2 Runtime Environment, SE v1.4.2
RP562: 10/5/2009 5:54:09 PM - Removed Macromedia Flash Player
RP563: 10/5/2009 5:55:23 PM - Removed ABBYY FineReader 6.0 Sprint
RP564: 10/5/2009 6:15:12 PM - Installed Java(TM) 6 Update 16
RP565: 10/6/2009 6:18:42 PM - System Checkpoint
RP566: 10/7/2009 11:38:28 PM - System Checkpoint
==== Installed Programs ======================
AC3Filter (remove only)
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1.3
Adobe Shockwave Player 11.5
AutoUpdate
Banctec Service Agreement
Battlefield 2(TM)
Bejeweled 2 Deluxe 1.0
Big Fish Games Client
Bookworm Deluxe 1.03
Broadcom Management Programs
Business Card Generator Fonts
Business Card Shop
Chutes and Ladders
Critical Update for Windows Media Player 11 (KB959772)
dBpoweramp DSP Effects
Deer Avenger
Dell Driver Reset Tool
Dell Networking Guide
Dell Solution Center
DivX Codec
DVDSentry
Dyno2000 Version 3.10
ffdshow [rev 1324] [2007-07-01]
Google Video Player
GTAIII
HarryThompson.com - Webjal Patcher
Help and Support Customization
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hot Rod Garage to Glory
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
ieSpell
Intel(R) 537EP V9x DFV PCI Modem
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
IrfanView (remove only)
Java(TM) 6 Update 16
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
Lexmark 1200 Series
Lexmark 640 Series
Lexmark Fax Solutions
MathPlayer
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires Gold
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MicroStaff WINASPI
Modem Event Monitor
MS Access 97 SP2
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MyJAL MediaPAL
Mystery Case Files: Madame Fate ™
Need For Speed Hot Pursuit 2
Network Play System (Patching)
NVIDIA Drivers
PowerDVD
QuickTime
R/C Pilot Simulator
RealFlight G3 R/C Simulator
RealFlight Simulator
RealPlayer
Saitek Configuration Software
Saitek NT Controller Drivers
Samsung CamCorder Driver
Samsung Video Codec 1.1 Uninstall
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SpywareBlaster v3.5.1
TVersity Codec Pack 1.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB968389)
Viewpoint Media Player
Visual FoxPro ODBC Driver
WavePad Uninstall
WebFldrs XP
Webjal install by HarryThompson.com
Windows Desktop Search
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
==== Event Viewer Messages From Past Week ========
10/8/2009 5:19:50 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
10/5/2009 6:13:12 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
10/4/2009 9:54:57 AM, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The system cannot find the file specified.
10/4/2009 9:54:57 AM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The system cannot find the file specified.
10/4/2009 9:52:47 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
10/4/2009 9:45:25 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
10/4/2009 8:20:08 AM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
10/4/2009 10:24:45 AM, error: Service Control Manager [7034] - The TVersityMediaServer service terminated unexpectedly. It has done this 1 time(s).
==== End Of File ===========================
Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis
Now let's uninstall ComboFix:
- Click START then RUN
- Now copy-paste Combofix /u in the runbox and click OK
Please download OTC and save it to desktop.
- Double-click OTC.exe.
- Click the CleanUp! button.
- Select Yes when the "Begin cleanup Process?" prompt appears.
- If you are prompted to Reboot during the cleanup, select Yes.
- The tool will delete itself once it finishes; if not, delete it yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
- hosts file:
- Every version of Windows has a hosts file as part of it.
- In a very basic sense, it is used to locate webpages.
- We can customize a hosts file so that it blocks certain webpages.
- However, it can slow down certain computers.
- This is why using a hosts file is optional!!
Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
- Click the start button (at the lower left hand corner of your screen)
- Click run
- In the dialog box, type services.msc
- Hit Enter, then locate DNS Client
- Highlight it, then double-click it.
- On the dropdown box, change the setting from automatic to manual.
- Click ok
- Get antivirus software and keep it updated - Most AVs will update automatically, but if not, I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
Antivir
Avast!
Good commercial ones are from:
Kaspersky and
ESET
- Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
If you don't have a 3rd-party firewall or a NAT router, then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (if you choose Comodo: during installation uncheck "Install Comodo HopSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and install the firewall ONLY!). Both providers have support forums that help with configuration-related questions.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade
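Editor's note, added to this thread and not part of Blade's post: the Internet Explorer hardening steps above set six entries in the per-user Internet zone (zone 3) of the registry, so the same change can be audited and applied from PowerShell instead of clicking through Custom Level. The script below assumes the documented layout under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3`, the documented action IDs (1001, 1004, 1201, 1607, 1800, 1804) and the documented value scheme 0 = Enable, 1 = Prompt, 3 = Disable. It is example code written for this page; run it from the user account whose IE profile you are hardening.

```powershell
# Added example (not from the original thread): audit and optionally apply the
# Internet-zone settings the post lists, via the registry instead of the IE GUI.
# Assumptions (per Microsoft's documented URL-action scheme):
#   zone key  : HKCU\...\Internet Settings\Zones\3   (3 = Internet zone)
#   values    : 0 = Enable, 1 = Prompt, 3 = Disable

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action ID -> setting name and the value the post recommends.
$Recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }  # Prompt
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }  # Disable
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }  # Disable
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }  # Prompt
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }  # Prompt
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }  # Prompt
}

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSettingLabel {
    # Translate the raw DWORD for one action ID into Enable/Prompt/Disable.
    param([string]$Id)
    $raw = (Get-ItemProperty -Path $ZonePath -ErrorAction Stop).$Id
    if ($null -eq $raw) { return 'not set (IE default applies)' }
    if ($Labels.ContainsKey([int]$raw)) { return $Labels[[int]$raw] }
    return "unknown raw value $raw"
}

function Test-InternetZoneHardening {
    # One row per setting; Compliant is $false wherever the value differs
    # from the recommendation (or is absent).
    $props = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($id in ($Recommended.Keys | Sort-Object)) {
        $want = $Recommended[$id].Value
        $have = $props.$id
        [pscustomobject]@{
            Id          = $id
            Setting     = $Recommended[$id].Name
            Current     = Get-ZoneSettingLabel $id
            Recommended = $Labels[$want]
            Compliant   = ($null -ne $have -and [int]$have -eq $want)
        }
    }
}

function Set-InternetZoneHardening {
    # Write the recommended DWORDs. Takes effect for new IE windows.
    foreach ($id in $Recommended.Keys) {
        Set-ItemProperty -Path $ZonePath -Name $id -Value $Recommended[$id].Value -Type DWord
    }
}

# Usage: audit first, apply only if the report shows non-compliant rows.
Test-InternetZoneHardening | Format-Table -AutoSize
# Set-InternetZoneHardening; Test-InternetZoneHardening | Format-Table -AutoSize
```

Two caveats worth knowing before trusting the audit: if the machine is under a Group Policy that sets `Security_HKLM_only` (zone settings enforced from HKLM), the HKCU values this script reads and writes are ignored by IE; and a value that is "not set" means IE falls back to the zone's template default, which for the Internet zone is not necessarily the safer choice, so treat "not set" as non-compliant until you have checked it in the GUI.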
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or a MOD a private message (PM). A valid, working link to the closed topic is required.
Last edited by tashi; 2009-10-19 at 21:21. Reason: Thank you Blade81