Could someone please help me? Several trojans and malware :(


CamaroJeff

New member
First off, I'd like to say you guys are great. Spending the time and effort to help people out is an invaluable service.

Major :bigthumb: to you!

Now, down to the problem. I've had this PC for quite a while now (5 years at least) and haven't had any problems until now. I picked up some "not so nice" files that Spybot can't get rid of. It seems that Task Manager shuts them down, but I'm afraid there's still something going on in the background. After reading the "BEFORE you POST" thread I went through a number of lengthy steps and followed them to the exact method mentioned in that thread.
To be completely honest with you, I have no clue what the scan results mean, but I'm more than capable of following directions on how to do something on a PC, and even more willing to try anything to remove these pesky files. I just can't see why someone would want to create a file that is specifically targeted towards ruining someone else's personal enjoyment, or business-related usage.

Either way, this is where I stand after following the mentioned steps. I really appreciate any help I can get on this subject, and if there's anything I can do please don't hesitate to let me know. Here's the info retrieved from the scans:

HJT report...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:44 PM, on 11/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.98rock.com/cc-common/babes/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = You are using the internet, dummy.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKLM\..\Policies\Explorer\Run: [9] C:\WINDOWS\mobsync.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZR
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://66.154.44.68/cam/Install.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - https://cs7b.instantservice.com/jars/customerxsigned42.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - http://download.newaol.com/bkpromo/download/PerformerSetup.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7566 bytes
 
Kaspersky scan report...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 22, 2007 8:29:46 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/11/2007
Kaspersky Anti-Virus database records: 464309
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 67044
Number of viruses found: 31
Number of infected objects: 71
Number of suspicious objects: 0
Duration of the scan process: 01:35:56

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Spiderman\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba448-61f7b565.zip/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Spiderman\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba448-61f7b565.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Spiderman\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba448-61f7b565.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Spiderman\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv788.jar-3e97e15d-6186f16f.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Documents and Settings\Spiderman\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv788.jar-3e97e15d-6186f16f.zip/Counter.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Documents and Settings\Spiderman\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv788.jar-3e97e15d-6186f16f.zip/Parser.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Documents and Settings\Spiderman\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv788.jar-3e97e15d-6186f16f.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Spiderman\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Spiderman\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Spiderman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Spiderman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Spiderman\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Spiderman\Local Settings\History\History.IE5\MSHist012007112220071123\index.dat Object is locked skipped
C:\Documents and Settings\Spiderman\Local Settings\Temp\nst24B.tmp\touchpurl.exe Infected: Trojan-Downloader.Win32.Agent.etb skipped
C:\Documents and Settings\Spiderman\Local Settings\Temp\xpre.exe Infected: Trojan-Downloader.Win32.VB.axa skipped
C:\Documents and Settings\Spiderman\Local Settings\Temp\xrun.exe Infected: Trojan-Downloader.Win32.Agent.brq skipped
C:\Documents and Settings\Spiderman\Local Settings\Temp\~DF3F95.tmp Object is locked skipped
C:\Documents and Settings\Spiderman\Local Settings\Temp\~DF3FD0.tmp Object is locked skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\FOG13HTT\17PHolmes[1].cmt Infected: Trojan-Downloader.Win32.Agent.fhv skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\FOG13HTT\17PHolmes[2].cmt Infected: Trojan-Downloader.Win32.Agent.fhv skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\KYLAZPAN\83122[1].exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\KYLAZPAN\83122[1].exe/data0005 Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\KYLAZPAN\83122[1].exe NSIS: infected - 2 skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\KYLAZPAN\installer[1].exe/file1 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\KYLAZPAN\installer[1].exe/file2 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\KYLAZPAN\installer[1].exe/file4 Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\KYLAZPAN\installer[1].exe Inno: infected - 3 skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\KYLAZPAN\TTC-4444[1].exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\KYLAZPAN\TTC-4444[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\LCQM93YS\a8f5a020e4b833865a1034489887c8b9[1].zip/b122.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\LCQM93YS\a8f5a020e4b833865a1034489887c8b9[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\LCQM93YS\tk58[1].exe Infected: Trojan.Win32.BHO.ab skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\LCQM93YS\u900Y714[1].exe/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\LCQM93YS\u900Y714[1].exe/data0003 Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\LCQM93YS\u900Y714[1].exe/data0004/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\LCQM93YS\u900Y714[1].exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Documents and Settings\Spiderman\Local Settings\Temporary Internet Files\Content.IE5\LCQM93YS\u900Y714[1].exe NSIS: infected - 4 skipped
C:\Documents and Settings\Spiderman\My Documents\My Downloads\clickstart.exe/clickstart.exe Infected: not-virus:BadJoke.Win32.RJL.b skipped
C:\Documents and Settings\Spiderman\My Documents\My Downloads\clickstart.exe ZIP: infected - 1 skipped
C:\Documents and Settings\Spiderman\My Documents\My Downloads\moisdne-dm.exe Infected: not-a-virus:AdWare.Win32.Trymedia.a skipped
C:\Documents and Settings\Spiderman\My Documents\sinstaller2.exe/data0002 Infected: not-a-virus:AdWare.Win32.Comet.ac skipped
C:\Documents and Settings\Spiderman\My Documents\sinstaller2.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Spiderman\ntuser.dat Object is locked skipped
C:\Documents and Settings\Spiderman\ntuser.dat.LOG Object is locked skipped
C:\I386\f3pssavr.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-11-22.11-43-57.log Object is locked skipped
C:\Program Files\func.exe Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\microsoft frontpage\safel4444.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\microsoft frontpage\safel83122.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\MSN\woqufes.dll Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\page.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Program Files\QuickTime\qttask.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1020\A0161191.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1026\A0162298.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1026\A0162301.exe Infected: Trojan-Downloader.Win32.Adload.ni skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1026\A0162302.exe Infected: Trojan.Win32.Agent.crf skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1026\change.log Object is locked skipped
C:\WINDOWS\17PHolmes1000106.exe Infected: Trojan-Downloader.Win32.Agent.fhv skipped
C:\WINDOWS\83122.exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\WINDOWS\83122.exe/data0005 Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\WINDOWS\83122.exe NSIS: infected - 2 skipped
C:\WINDOWS\b122.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\dob.cab/mdm.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.602 skipped
C:\WINDOWS\dob.cab/mobsync.exe Infected: Trojan.Win32.Agent.lf skipped
C:\WINDOWS\dob.cab CAB: infected - 2 skipped
C:\WINDOWS\Downloaded Program Files\gsda.dll Infected: not-a-virus:Downloader.Win32.SpyGame skipped
C:\WINDOWS\Downloaded Program Files\StripSaver_116.EXE/WISE0001.BIN Infected: not-a-virus:Porn-Downloader.Win32.StripSaver.a skipped
C:\WINDOWS\Downloaded Program Files\StripSaver_116.EXE WiseSFX: infected - 1 skipped
C:\WINDOWS\mdm.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.602 skipped
C:\WINDOWS\mobsync.exe Infected: Trojan.Win32.Agent.lf skipped
C:\WINDOWS\mrofinu572.exe Infected: Trojan-Downloader.Win32.Agent.fhv skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\b1\dnslook11.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\WINDOWS\SYSTEM32\c17b6s.dll Infected: Trojan-Dropper.Win32.Small.op skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\ODiag.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\OSession.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\g2\bemwdll3.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\WINDOWS\SYSTEM32\gebaxxv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\i2\mper83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\SYSTEM32\i2\mper83122.exe NSIS: infected - 1 skipped
C:\WINDOWS\SYSTEM32\saie321.dll Infected: Trojan-Dropper.Win32.Small.nj skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\tk58.exe Infected: Trojan.Win32.BHO.ab skipped
C:\WINDOWS\TTC-4444.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\TTC-4444.exe NSIS: infected - 1 skipped
C:\WINDOWS\U3BpZGVybWFu\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\U3BpZGVybWFu\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Sorry for the wait, but you appear to have missed this information pinned to the top of the forum.
The Waiting Room
http://forums.spybot.info/forumdisplay.php?f=37

If your issues are not resolved, you are infected and you need to read the instructions again a little slower this time so you don't miss important instructions like this one:
Note: In Notepad, under Format, uncheck "Word Wrap". Produce all HJT logs like this, single-spaced.
single-spaced - (of type or print) not having a blank space between lines.
If you still need help, post a HJT log that is created with "Word Wrap" off, look at the logs others are posting, and I will take a look once you post.

Thanks
 
I do appreciate a response, although I figured the post being so close to Thanksgiving I would not press the time issue.

I am sorry I missed the UNcheck part of the "Word Wrap" option; I am re-posting the information with that option changed. I feel I should note the fact that I have not changed any settings since this log. If a recent one is needed, please do let me know. I cannot express how much your help is appreciated, and if there is anything I can do please do not hesitate to mention it.

HJT Log with "Word Wrap" unchecked:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:44 PM, on 11/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.98rock.com/cc-common/babes/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = You are using the internet, dummy.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKLM\..\Policies\Explorer\Run: [9] C:\WINDOWS\mobsync.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZR
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://66.154.44.68/cam/Install.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - https://cs7b.instantservice.com/jars/customerxsigned42.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - http://download.newaol.com/bkpromo/download/PerformerSetup.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7566 bytes
 
Thanks for returning that HJT log, you have a nasty infection we must take care of first, follow the directions carefully.

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.

1. Please download FindAWF and save it to your Desktop
  • Double-click FindAWF.exe to start the tool.
  • Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
  • When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

**Do not run any other option unless directed to do so.**

Thanks
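The check FindAWF performs for the behaviour described above (a legitimate program file swapped for an infected copy, with the original parked in a "bak" folder next to it), rewritten as an added Python example. This is not FindAWF's own code and not part of the thread; the "bak" naming convention and the file names and sizes come from the awf.txt posted later in the thread, while the directory tree and file contents are constructed in a temporary folder.

```python
"""
FindAWF-style scan (added example, not the tool itself): find directories
named "bak", list what they hold, and compare each file with its same-named
sibling one level up. A live file whose size differs from the backed-up one
is the telltale sign of the replacement the thread describes.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BakFinding:
    bak_file: str             # the backed-up (presumably legitimate) file
    live_file: Optional[str]  # same-named file in the parent directory, if any
    bak_size: int
    live_size: Optional[int]

    @property
    def replaced(self) -> bool:
        """True when a same-named live file exists and differs in size."""
        return self.live_size is not None and self.live_size != self.bak_size


def scan_for_bak_folders(root: str) -> List[BakFinding]:
    """Walk `root`, pick out directories named 'bak' (case-insensitive, since
    FindAWF's DOS-style listing shows them as BAK) and compare each file in
    them with the same-named file in the parent directory."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in filenames:
            bak_path = os.path.join(dirpath, name)
            live_path = os.path.join(parent, name)
            live_size = os.path.getsize(live_path) if os.path.isfile(live_path) else None
            findings.append(BakFinding(
                bak_file=bak_path,
                live_file=live_path if live_size is not None else None,
                bak_size=os.path.getsize(bak_path),
                live_size=live_size,
            ))
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample mirroring the first awf.txt in the thread: AIM has
    only a bak copy (no live aim.exe), QuickTime has a 28,172-byte live
    qttask.exe beside a 282,624-byte backup, MSN Messenger has an empty bak."""
    layout = {
        os.path.join("AIM", "bak", "aim.exe"): 67160,
        os.path.join("QuickTime", "qttask.exe"): 28172,
        os.path.join("QuickTime", "bak", "qttask.exe"): 282624,
    }
    os.makedirs(os.path.join(root, "MSN Messenger", "bak"), exist_ok=True)
    for rel, size in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)  # placeholder bytes; only the size matters


def report(root: str) -> List[str]:
    """One line per bak file, in the spirit of FindAWF's duplicate listing."""
    lines = []
    for f in scan_for_bak_folders(root):
        if f.live_file is None:
            status = "no live copy"
        else:
            status = "REPLACED" if f.replaced else "same size"
        lines.append(f"{f.bak_size:>8} {f.bak_file}  [{status}]")
    return sorted(lines)


def demo() -> List[BakFinding]:
    """Build the constructed tree, print the report, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for line in report(tmp):
            print(line)
        return scan_for_bak_folders(tmp)


if __name__ == "__main__":
    demo()
```

The QuickTime entry is the one flagged as replaced, matching the size mismatch visible in the posted awf.txt; the AIM entry shows a backup with no live counterpart.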
 
Here is the FindAWF report


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Thu 11/29/2007
The current time is: 6:50:48.39


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM\BAK

08/05/2005 02:08 PM 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

04/27/2007 08:41 AM 282,624 qttask.exe
1 File(s) 282,624 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe"
28172 Oct 5 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Apr 27 2007 "C:\Program Files\QuickTime\bak\qttask.exe"


end of report
 
Thanks for returning your information, follow these directions:

Double-click FindAWF.exe to start the tool.

* Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:

C:\Program Files\AIM\bak\aim.exe
C:\Program Files\QuickTime\bak\qttask.exe


* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.

Thanks
 
Here are the results...


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Thu 11/29/2007
The current time is: 18:10:33.31


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM\BAK

08/05/2005 02:08 PM 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

04/27/2007 08:41 AM 282,624 qttask.exe
1 File(s) 282,624 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe"
28172 Oct 5 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Apr 27 2007 "C:\Program Files\QuickTime\bak\qttask.exe"


end of report
 
Double-click FindAWF.exe to start the tool.

* Select option #3 - Remove bak folders by typing 3 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:

C:\Program Files\AIM\bak
C:\Program Files\QuickTime\bak


* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt in your next reply

Thanks
 
I cannot express how much I appreciate your help on this.

Heres the report:

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Thu 11/29/2007
The current time is: 18:34:38.73


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
 
Thanks for returning your information. Another item has shown, so we need to back up a moment like this.

Double-click FindAWF.exe to start the tool.

* Select option #3 - Remove bak folders by typing 3 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:

C:\PROGRA~1\MSNMES~1\BAK

* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt in your next reply

Let's move to Option 4 now:

Double-click FindAWF.exe to start the tool.

  • Select option #4 - Reset domain zones by typing 4 and press 'Enter'
  • You will receive a warning to reset domain zones
  • Press 1 then press Enter.
  • If you have manually included sites in the trusted zones, these will need to be re-inserted.

When you get to this point, follow these directions:

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


Thanks
 
Here is the report from the first step:


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Thu 11/29/2007
The current time is: 19:26:30.18


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

The second step was accompanied with several errors, along with explorer.exe and combofix shutting down. I followed the prompts, did not click on the window, and was away for 10 minutes. When I returned the errors showed up. I was not able to catch all the information.
Should I run combofix option 4 again?
 
Combofix is a different tool, make sure you are finished completely with FindAWF, including option 4. Then restart your computer and try combofix again. Read the directions carefully. If you have any problem, stop and let me know and we will try another method to kill the junk.

New tool entirely:

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks
 
I am sorry, option 4 of FindAWF did run successfully. It was combofix that failed. This is all new to me and I will try to slow down and read more carefully. I would just like to get rid of these programs!

I will run combofix again after restarting, and not walk away from it this time. After that I will post the log, accompanied by a fresh HJT log.

Thanks so much for your patience and effort!
 
OK, combofix is fairly simple, just follow the prompts. Make sure not to touch it while it is running.

Thanks
 
ComboFix 07-11-19.4C - Spiderman 2007-11-29 22:10:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.148 [GMT -5:00]
Running from: C:\Documents and Settings\Spiderman\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Program Files\Insider
C:\Program Files\Insider\Insider.exe
C:\Program Files\Insider\UnInstall.exe
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1191628715.old
C:\Program Files\WinBudget\bin\matrix.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\83122.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\Downloaded Program Files.\nethv32.inf
C:\WINDOWS\hosts
C:\WINDOWS\mrofinu.exe
C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\b1
C:\WINDOWS\system32\b1\dnslook11.exe
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\g2\bemwdll3.exe
C:\WINDOWS\system32\i2
C:\WINDOWS\system32\i2\mper83122.exe
C:\WINDOWS\system32\n8
C:\WINDOWS\system32\n8\ensts2dll.exe
C:\WINDOWS\SYSTEM32\wvvwa.ini
C:\WINDOWS\SYSTEM32\wvvwa.ini2
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR




((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-25 11:15 464,928 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2007-11-25 11:15 1,604 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2007-11-25 11:06 <DIR> d-------- C:\Documents and Settings\Spiderman\Application Data\AVG7
2007-11-25 11:06 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-25 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-25 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-25 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-25 08:18 79,936 --a------ C:\WINDOWS\SYSTEM32\kodeckwv.dll
2007-11-22 20:32 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-22 12:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-21 23:32 35,840 --a------ C:\WINDOWS\17PHolmes1000106.exe
2007-11-21 23:31 <DIR> d-------- C:\temp\abW9
2007-11-21 23:31 36,864 --a------ C:\WINDOWS\SYSTEM32\gebaxxv.dll
2007-10-21 19:13 <DIR> d-------- C:\Program Files\PFConfig
2007-10-15 17:01 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-10-15 16:55 639,224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys
2007-10-09 15:35 582,656 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 00:26 --------- d-----w C:\Program Files\MSN Messenger
2007-11-29 23:34 --------- d-----w C:\Program Files\QuickTime
2007-11-29 23:34 --------- d-----w C:\Program Files\AIM
2007-11-28 02:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-28 02:15 --------- d-----w C:\Program Files\Rockstar Games
2007-11-25 16:26 --------- d-----w C:\Documents and Settings\Spiderman\Application Data\nView_Wallpaper
2007-11-25 15:54 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-25 14:28 --------- d-----w C:\Program Files\RealFlightG3
2007-11-24 17:59 81,472 ----a-w C:\WINDOWS\SYSTEM32\mjipaeri.dll
2007-11-23 20:30 83,520 ----a-w C:\WINDOWS\SYSTEM32\uuhyelcu.dll
2007-11-22 16:50 79,936 ----a-w C:\WINDOWS\SYSTEM32\nuwdkndm.dll
2007-11-22 04:32 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-20 00:04 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-20 00:04 --------- d-----w C:\Documents and Settings\Spiderman\Application Data\uTorrent
2007-11-13 02:26 --------- d-----w C:\Program Files\DivX
2007-10-18 23:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-10-13 22:41 --------- d-----w C:\Program Files\Google
2007-10-13 17:41 --------- d-----w C:\Program Files\EA Games
2007-10-01 01:27 --------- d-----w C:\Program Files\AC3Filter
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
2007-09-28 16:07 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2007-09-28 16:07 129,784 ----a-w C:\WINDOWS\SYSTEM32\pxafs.dll
2007-09-28 16:07 120,056 ----a-w C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2007-09-28 16:07 118,520 ----a-w C:\WINDOWS\SYSTEM32\pxinsi64.exe
2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\SYSTEM32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\SYSTEM32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\SYSTEM32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\SYSTEM32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\SYSTEM32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\SYSTEM32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2007-09-06 21:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 21:14 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-07-28 09:06 135 ----a-w C:\Program Files\page.html
2007-03-29 13:13 87,608 ----a-w C:\Documents and Settings\Spiderman\Application Data\ezpinst.exe
2007-03-29 13:13 47,360 ----a-w C:\Documents and Settings\Spiderman\Application Data\pcouffin.sys
2006-12-03 01:05 2,522 ----a-w C:\Program Files\func.js
2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
2006-06-08 07:02 2,048 ----a-w C:\Program Files\func.exe
2005-08-21 16:42 905 -c--a-w C:\Program Files\uninstal.log
2004-07-09 23:24 784 ----a-w C:\Documents and Settings\Spiderman\Application Data\mpauth.dat
2006-01-11 06:41 56 --sh--r C:\WINDOWS\SYSTEM32\6BBF71BA10.sys
2006-09-24 00:47 10,856 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2005-08-02 21:46 187,904 --sha-r C:\WINDOWS\U3BpZGVybWFu\asappsrv.dll
2005-08-02 21:58 293,888 --sha-r C:\WINDOWS\U3BpZGVybWFu\command.exe
2005-07-29 21:24 472 --sha-r C:\WINDOWS\U3BpZGVybWFu\oa1Dt3pVvqIR.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C79F3B8-45AC-4AF4-8D5E-D99F8D0B99E9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D42572D-F02C-4543-9448-F210B949BBA4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A54500A-65FE-4F4A-B860-20EAE2F577F9}]
2007-11-21 23:31 36864 --a------ C:\WINDOWS\system32\gebaxxv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8d40812c-1993-4b5e-96db-b2d01b7b2381}]
2007-11-25 08:18 79936 --a------ C:\WINDOWS\system32\kodeckwv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6895296-6896-4A1A-A6A1-FAD2C95B0481}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFF50636-5E41-43B7-D9A8-23861A5A5812}]
2007-11-21 23:32 70144 --a------ C:\Program Files\MSN\woqufes.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"NvMediaCenter"="RunDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-25 11:05]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 11:05]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 C:\WINDOWS\SYSTEM32\narrator.exe]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]
"{4A54500A-65FE-4F4A-B860-20EAE2F577F9}"= C:\WINDOWS\system32\gebaxxv.dll [2007-11-21 23:31 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebaxxv]
gebaxxv.dll 2007-11-21 23:31 36864 C:\WINDOWS\SYSTEM32\gebaxxv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^clippy.exe]
path=C:\Documents and Settings\Spiderman\Start Menu\Programs\Startup\clippy.exe
backup=C:\WINDOWS\pss\clippy.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^Magnifier.lnk]
path=C:\Documents and Settings\Spiderman\Start Menu\Programs\Startup\Magnifier.lnk
backup=C:\WINDOWS\pss\Magnifier.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 02:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2003-08-06 01:04 114741 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 10:27 28672 --a------ C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-02-10 11:51 118784 --a------ C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-02-10 11:55 155648 --a------ C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-03 20:12 221184 --a------ C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCLaunch]
2004-10-07 21:44 40960 --a------ C:\WINDOWS\NCLAUNCH.EXe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
2003-04-10 12:16 151552 --a------ C:\Program Files\Saitek\Software\Profiler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart]
2003-04-10 12:23 86016 --a------ C:\Program Files\Saitek\Software\SaiSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Insider"=C:\Program Files\Insider\Insider.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"runner1"=C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
"nwiz"=nwiz.exe /install

R3 SaiClass;SaiClass;C:\WINDOWS\system32\drivers\SaiNtBus.sys
S3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys
S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys
S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys
S3 BrSerWDM;Brother Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys
S3 CamAv;SAMSUNG Video Capture;C:\WINDOWS\system32\Drivers\CamAv.sys
S3 DMSKSSRh;DMSKSSRh;\??\C:\DOCUME~1\SPIDER~1\LOCALS~1\Temp\DMSKSSRh.sys
S3 SaiNtHid;%SAINTHID_NAME%;C:\WINDOWS\system32\DRIVERS\SaiNtHid.sys
S3 SaiNtSub;SaiNtSub;C:\WINDOWS\system32\DRIVERS\SaiNtSub.sys
S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23460158-7b6a-11dc-8539-000d56efba03}]
\Shell\AutoRun\command - F:\setup.exe
\Shell\install\command - F:\setup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 15:00:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (1) (BOB-Spiderman).job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 22:15:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 22:16:44
.
--- E O F ---


HJT report to follow in next post.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:19 PM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.98rock.com/cc-common/babes/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C79F3B8-45AC-4AF4-8D5E-D99F8D0B99E9} - (no file)
O2 - BHO: (no name) - {1D42572D-F02C-4543-9448-F210B949BBA4} - (no file)
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - C:\WINDOWS\system32\gebaxxv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {1832b7b1-0d2b-bd69-e5b4-3991c21804d8} - {8d40812c-1993-4b5e-96db-b2d01b7b2381} - C:\WINDOWS\system32\kodeckwv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B6895296-6896-4A1A-A6A1-FAD2C95B0481} - (no file)
O2 - BHO: 0 - {FFF50636-5E41-43B7-D9A8-23861A5A5812} - C:\Program Files\MSN\woqufes.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZR
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://66.154.44.68/cam/Install.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - https://cs7b.instantservice.com/jars/customerxsigned42.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - http://download.newaol.com/bkpromo/download/PerformerSetup.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: gebaxxv - C:\WINDOWS\SYSTEM32\gebaxxv.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8899 bytes
 
Good morning and great job so far :bigthumb: Looks like a Vundo infection; combofix got some of it. Follow these directions.

TeaTimer will block changes we must make, use these instructions to turn it off until we are done.
http://russelltexas.com/malware/teatimer.htm

The infection is there, here are a few files I see:
C:\WINDOWS\system32\gebaxxv.dll
C:\WINDOWS\system32\kodeckwv.dll
and there are usually more hidden. Allow Vundofix time to find them, you may have to run it a few times.

Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

Post the Vundofix.txt and a new HJT log, also feedback, how is the computer running?

Thanks..Phil
 
Ok, TeaTimer has been disabled (PC restarted after disabling per the instructions). I have read the instructions on VundoFix and installed it, ran the program, and was left with a message saying "there were no files found".

Should I run it again? Do you need an HJT log before and/or after a rerun of VundoFix? Again, I can't tell you how much you're helping me on this. I wish there were some way to return the favor.

As far as how the computer is running, it's great. I'm not getting any more pop-up windows with the "searchfeed results" and explorer.exe isn't reaching 100K of mem usage; it's staying around 20K. Seems to have made a big difference already!

Am I safe to do any banking or bill paying yet? There's a few things I'd like to take care of... things that I would not dare to do with all the bugs that have been crawling around lately.

Thanks so much :bigthumb:
 
I understand, I also do my bill paying online, but hold off a bit longer. Run VundoFix once more and post this:
Post the Vundofix.txt and a new HJT log, also feedback, how is the computer running?
As soon as I look at that information, if all is well I will give you instructions to run a Kaspersky scan to check for anything left.

I will keep an eye open for your post and turn it around as quickly as possible.

Thanks...Phil
 