error in moving

Status
Not open for further replies.
H

Hatred

New member
This machine recently got a load of bad stuff on it but after a few scans from spybot and avast as well as some things i hunted down most of it was gone. However even after running spybot in safe mode a few times it always comes up with 'virtumonde 2 entries'. I don't know anything about computers but i am guessing that the two entries are wvUljJyY.dll and urqQiHyW.dll hiding in the system32 folder.
Thanks in advance for any help you can give me.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:56:51, on 07/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {20989C00-4042-491C-8E4D-79BF8AAE5FBD} - (no file)
O2 - BHO: (no name) - {4772C5D0-DB8E-40D8-B946-917E60CCDC93} - C:\WINDOWS\system32\wvUljJyY.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B09E0F0B-28FE-4A7E-90F6-6D09E4234852} - C:\WINDOWS\system32\urqQiHyW.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk.disabled
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1221219879240
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1221220180553
O20 - Winlogon Notify: awtsTLBq - awtsTLBq.dll (file missing)
O20 - Winlogon Notify: urqQiHyW - C:\WINDOWS\SYSTEM32\urqQiHyW.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: UStorage Server Service - Unknown owner - C:\WINDOWS\system32\UStorSrv.exe (file missing)

--
End of file - 4152 bytes
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Thanks
 
I think that fixed the problem so thank you very much :)
p.s this is probably useless information but before following your instructions i updated avast and it was succesful in removing one of those dlls i mentioned in my first post.


ComboFix 08-10-08.02 - Student 2008-10-09 3:53:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.18 [GMT 1:00]
Running from: C:\Documents and Settings\Student\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\BM5f3ee8a9.txt
C:\WINDOWS\BM5f3ee8a9.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\system32\amqucfal.ini
C:\WINDOWS\system32\DLRsBJjl.ini
C:\WINDOWS\system32\DLRsBJjl.ini2
C:\WINDOWS\system32\erhnhjna.ini
C:\WINDOWS\system32\evsevswi.dll
C:\WINDOWS\system32\iwsvesve.ini
C:\WINDOWS\system32\jwcnlgdv.ini
C:\WINDOWS\system32\kehdwsys.ini
C:\WINDOWS\system32\lafcuqma.dll
C:\WINDOWS\system32\ljJBsRLD.dll
C:\WINDOWS\system32\lqvyxakx.ini
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\OrsrYJlm.ini
C:\WINDOWS\system32\OrsrYJlm.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\syswdhek.dll
C:\WINDOWS\system32\tncylwta.ini
C:\WINDOWS\system32\urqQiHyW.dll
C:\WINDOWS\system32\Vc5bgIb6.exe.a_a
C:\WINDOWS\system32\vdglncwj.dll
C:\WINDOWS\system32\vOSn2ebS.exe.a_a
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\ywamqlbl.ini
C:\WINDOWS\system32\YyJjlUvw.ini
C:\WINDOWS\system32\YyJjlUvw.ini2
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 )))))))))))))))))))))))))))))))
.

2008-10-06 15:49 . 2008-10-06 15:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-06 07:39 . 2008-10-06 07:39 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-10-04 21:23 . 2008-10-05 08:52 253 --a------ C:\WINDOWS\wininit.ini
2008-10-04 06:09 . 2008-10-04 06:09 <DIR> d-------- C:\Program Files\directx
2008-10-03 13:27 . 2008-10-03 13:58 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-01 22:43 . 2008-10-01 22:43 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-10-01 19:53 . 2008-10-03 07:15 2,508 --a------ C:\Gens.cfg
2008-10-01 19:52 . 2008-10-01 19:52 40 --a------ C:\language.dat
2008-10-01 19:51 . 2008-10-01 19:51 882,400 --a------ C:\Streets of Rage 2 (U) [!].7z
2008-10-01 19:48 . 2006-05-21 03:25 1,875,968 --a------ C:\gens.exe
2008-10-01 19:48 . 2005-01-30 22:04 83,132 --a------ C:\GENS.hlp
2008-10-01 19:48 . 2005-01-29 01:21 32,256 --a------ C:\kailleraclient.dll
2008-10-01 19:39 . 2008-10-01 19:44 426,330 --a------ C:\gens-win32-bin-2[1].14.7z
2008-09-27 02:42 . 2008-09-27 02:42 <DIR> d-------- C:\Program Files\Total War
2008-09-15 19:02 . 2008-09-15 19:40 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-09-15 12:50 . 2008-05-01 15:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-09-15 12:49 . 2008-04-11 20:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-09-15 12:47 . 2008-06-13 12:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-09-15 12:46 . 2008-05-08 15:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-09-14 16:08 . 2008-09-14 16:08 <DIR> dr-h----- C:\AHCache
2008-09-13 08:12 . 2008-09-13 08:12 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-13 08:12 . 2008-09-13 08:12 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-13 08:12 . 2008-09-13 08:12 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-13 07:11 . 2008-04-14 01:12 1,001,472 -----c--- C:\WINDOWS\system32\dllcache\wmvdmoe2.dll
2008-09-13 07:11 . 2008-04-14 01:12 809,984 -----c--- C:\WINDOWS\system32\dllcache\wmvdmod.dll
2008-09-13 07:11 . 2008-04-14 01:12 258,048 -----c--- C:\WINDOWS\system32\dllcache\wmvds32.ax
2008-09-13 07:09 . 2008-04-14 01:12 774,144 -----c--- C:\WINDOWS\system32\dllcache\setup_wm.exe
2008-09-13 07:08 . 2008-04-14 01:12 1,306,624 --a------ C:\WINDOWS\system32\msxml6.dll
2008-09-13 07:07 . 2008-04-14 01:12 786,432 -----c--- C:\WINDOWS\system32\dllcache\migrate.exe
2008-09-13 07:06 . 2008-04-14 01:10 102,912 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-09-13 07:06 . 2008-04-14 01:09 24,064 -----c--- C:\WINDOWS\system32\dllcache\pidgen.dll
2008-09-13 07:06 . 2008-04-14 01:09 6,144 --a------ C:\WINDOWS\system32\kbdnepr.dll
2008-09-13 07:06 . 2008-04-14 01:09 6,144 --a------ C:\WINDOWS\system32\kbdiultn.dll
2008-09-13 07:06 . 2008-04-14 01:09 6,144 --a------ C:\WINDOWS\system32\kbdbhc.dll
2008-09-13 07:06 . 2007-06-21 06:52 974 --a------ C:\WINDOWS\system32\pid.inf
2008-09-13 07:04 . 2008-04-14 01:11 286,720 -----c--- C:\WINDOWS\system32\dllcache\blackbox.dll
2008-09-13 07:04 . 2008-04-14 01:11 233,472 --a------ C:\WINDOWS\system32\azroles.dll
2008-09-13 07:04 . 2008-04-14 01:11 136,192 --a------ C:\WINDOWS\system32\aaclient.dll
2008-09-13 07:04 . 2008-04-13 18:23 8,192 -----c--- C:\WINDOWS\system32\dllcache\asferror.dll
2008-09-13 07:04 . 2008-04-14 01:11 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-09-13 07:04 . 2001-08-23 13:00 999 -----c--- C:\WINDOWS\system32\dllcache\bktrh.gif
2008-09-12 17:15 . 2008-09-12 17:15 <DIR> d-------- C:\WINDOWS\provisioning
2008-09-12 16:05 . 2008-04-14 05:42 11,264 --a------ C:\WINDOWS\system32\spnpinst.exe
2008-09-12 16:05 . 2004-08-02 14:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-09-12 16:05 . 2004-08-02 14:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-09-12 13:14 . 2008-09-15 13:15 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-09-12 13:14 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-09-12 13:03 . 2008-09-13 08:12 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-12 12:57 . 2008-04-13 18:39 438,784 --a------ C:\WINDOWS\system32\xpob2res.dll
2008-09-12 12:57 . 2008-04-14 01:12 354,304 --a------ C:\WINDOWS\system32\winhttp.dll
2008-09-12 12:57 . 2008-04-14 01:12 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-09-12 12:57 . 2008-04-14 01:11 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2008-09-12 12:57 . 2008-04-14 01:11 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2008-09-12 12:51 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-12 12:51 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-12 12:46 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-09-12 12:46 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-09-12 12:46 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-09-12 12:45 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-09-12 12:45 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-09-12 12:45 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-09-12 12:45 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-09-12 12:45 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-09-12 12:45 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-09-12 12:36 . 2008-09-12 12:35 98,968 --a------ C:\Overview of Windows XP Service Pack 3.docx
2008-09-12 11:59 . 2003-01-07 17:37 1,338,880 --a------ C:\WINDOWS\system32\IEBAK000.TMP
2008-09-12 11:59 . 2002-08-29 11:41 401,920 --a------ C:\WINDOWS\system32\IEBAK001.TMP
2008-09-12 11:59 . 2008-09-12 11:59 98,304 --a------ C:\WINDOWS\system32\IEBAK002.TMP
2008-09-10 20:39 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-09-10 12:14 . 2008-09-10 12:14 <DIR> d-------- C:\Program Files\Alwil Software
2008-09-10 12:12 . 2007-01-18 13:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-09-10 12:11 . 2008-09-10 12:11 423,736 --a------ C:\antirootkit.exe
2008-09-10 11:57 . 2008-10-03 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-10 10:34 . 2008-09-10 10:34 <DIR> d-------- C:\Documents and Settings\Student\Application Data\Leadertech
2008-09-10 10:13 . 2008-09-10 10:13 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-10 02:24 . 2008-09-10 02:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\IBPlugin
2008-09-10 00:52 . 2004-07-26 10:34 139,264 --a------ C:\WINDOWS\system32\OPDSL.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-04 01:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-10-03 18:05 2,864 ----a-w C:\WINDOWS\system32\winsock.dll
2008-10-02 06:38 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-05 12:31 --------- d-----w C:\Documents and Settings\Student\Application Data\IBPlugin
2008-07-31 09:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 09:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 09:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-12 07:18 467,984 ----a-w C:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 07:18 3,851,784 ----a-w C:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 07:18 1,493,528 ----a-w C:\WINDOWS\system32\D3DCompiler_39.dll
2003-09-08 15:15 6,391 ----a-w C:\WINDOWS\inf\INF2.tmp
1998-12-09 01:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 01:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 01:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 01:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 01:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 01:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk.disabled [2003-02-17 1725]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= IR41_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-10-07 C:\WINDOWS\Tasks\At1.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-06 C:\WINDOWS\Tasks\At10.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-06 C:\WINDOWS\Tasks\At11.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-06 C:\WINDOWS\Tasks\At12.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-06 C:\WINDOWS\Tasks\At13.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-06 C:\WINDOWS\Tasks\At14.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-06 C:\WINDOWS\Tasks\At15.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-06 C:\WINDOWS\Tasks\At16.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-06 C:\WINDOWS\Tasks\At17.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-06 C:\WINDOWS\Tasks\At18.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-06 C:\WINDOWS\Tasks\At19.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-08 C:\WINDOWS\Tasks\At2.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-06 C:\WINDOWS\Tasks\At20.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-06 C:\WINDOWS\Tasks\At21.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-08 C:\WINDOWS\Tasks\At22.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-07 C:\WINDOWS\Tasks\At23.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-07 C:\WINDOWS\Tasks\At24.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-09 C:\WINDOWS\Tasks\At3.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-09 C:\WINDOWS\Tasks\At4.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-08 C:\WINDOWS\Tasks\At5.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-08 C:\WINDOWS\Tasks\At6.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-08 C:\WINDOWS\Tasks\At7.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-07 C:\WINDOWS\Tasks\At73.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-08 C:\WINDOWS\Tasks\At74.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-09 C:\WINDOWS\Tasks\At75.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-09 C:\WINDOWS\Tasks\At76.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-08 C:\WINDOWS\Tasks\At77.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-08 C:\WINDOWS\Tasks\At78.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-08 C:\WINDOWS\Tasks\At79.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-08 C:\WINDOWS\Tasks\At8.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-08 C:\WINDOWS\Tasks\At80.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-06 C:\WINDOWS\Tasks\At81.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-06 C:\WINDOWS\Tasks\At82.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-06 C:\WINDOWS\Tasks\At83.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-06 C:\WINDOWS\Tasks\At84.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-06 C:\WINDOWS\Tasks\At85.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-06 C:\WINDOWS\Tasks\At86.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-06 C:\WINDOWS\Tasks\At87.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-06 C:\WINDOWS\Tasks\At88.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-06 C:\WINDOWS\Tasks\At89.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-06 C:\WINDOWS\Tasks\At9.job
- C:\WINDOWS\System32\vOSn2ebS.exe []

2008-10-06 C:\WINDOWS\Tasks\At90.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-06 C:\WINDOWS\Tasks\At91.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-06 C:\WINDOWS\Tasks\At92.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-06 C:\WINDOWS\Tasks\At93.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-08 C:\WINDOWS\Tasks\At94.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-07 C:\WINDOWS\Tasks\At95.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []

2008-10-07 C:\WINDOWS\Tasks\At96.job
- C:\WINDOWS\System32\Y0JdM5Kt.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{12CEC643-277F-4D9C-8E33-B7C9FEEB18FE} - C:\WINDOWS\system32\wvUljJyY.dll
BHO-{20989C00-4042-491C-8E4D-79BF8AAE5FBD} - (no file)
BHO-{961C377D-99DC-46B4-8737-8B41EB9BB6D8} - C:\WINDOWS\system32\ljJBsRLD.dll
BHO-{B09E0F0B-28FE-4A7E-90F6-6D09E4234852} - C:\WINDOWS\system32\urqQiHyW.dll
ShellExecuteHooks-{58A900D9-77AA-435B-9E3A-EA6EE6A549C9} - (no file)
ShellExecuteHooks-{B09E0F0B-28FE-4A7E-90F6-6D09E4234852} - C:\WINDOWS\system32\urqQiHyW.dll
Notify-awtsTLBq - awtsTLBq.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyOverride = <local>
O9 -: {d9288080-1baa-4bc4-9cf8-a92d743db949}
O9 -: {d9288080-1baa-4bc4-9cf8-a92d743db949} - -
O15 -: Trusted Zone: *.gomyhit.com
O15 -: Trusted Zone: *.imageservr.com
O15 -: Trusted Zone: *.imagesrvr.com
O15 -: Trusted Zone: *.storageguardsoft.com
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-09 04:11:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-10-09 4:21:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-09 03:21:35

Pre-Run: 2,655,051,776 bytes free
Post-Run: 2,816,319,488 bytes free

303 --- E O F --- 2008-09-12 12:38:08




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:27:38, on 09/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - Global Startup: Microsoft Office.lnk.disabled
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1221219879240
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1221220180553
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: UStorage Server Service - Unknown owner - C:\WINDOWS\system32\UStorSrv.exe (file missing)

--
End of file - 3552 bytes
 
Thanks for returning your information and the feedback. I am glad the computer is running better, but we still have aways to go. Please read and follow the directions carefully and in the numbered order.

Eusing Free Registry Cleaner <<< please read this information:
http://forums.spybot.info/showthread.php?t=30113


1) Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At73.job
C:\WINDOWS\Tasks\At74.job
C:\WINDOWS\Tasks\At75.job
C:\WINDOWS\Tasks\At76.job
C:\WINDOWS\Tasks\At77.job
C:\WINDOWS\Tasks\At78.job
C:\WINDOWS\Tasks\At79.job
C:\WINDOWS\Tasks\At80.job
C:\WINDOWS\Tasks\At81.job
C:\WINDOWS\Tasks\At82.job
C:\WINDOWS\Tasks\At83.job
C:\WINDOWS\Tasks\At84.job
C:\WINDOWS\Tasks\At85.job
C:\WINDOWS\Tasks\At86.job
C:\WINDOWS\Tasks\At87.job
C:\WINDOWS\Tasks\At88.job
C:\WINDOWS\Tasks\At89.job
C:\WINDOWS\Tasks\At90.job
C:\WINDOWS\Tasks\At91.job
C:\WINDOWS\Tasks\At92.job
C:\WINDOWS\Tasks\At93.job
C:\WINDOWS\Tasks\At94.job
C:\WINDOWS\Tasks\At95.job
C:\WINDOWS\Tasks\At96.job
C:\WINDOWS\System32\Y0JdM5Kt.exe 
C:\WINDOWS\System32\vOSn2ebS.exe

Save this as CFScript

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(you may leave this first item if you set it that way)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

How is the computer running now?

Thanks...Phil
 
Ok i have done all of that and removed the registry cleaner. I have read that thread on registry cleaners before but was undecided on wether i should remove it so thanks for the nudge in the right direction :)
This laptop is running much better now, thank you very much for helping.
p.s Do you recommend running Malwarebytes' anti-malware along with my other weekly checks?


ComboFix 08-10-08.02 - Student 2008-10-10 2:00:47.2 - NTFSx86
Running from: C:\Documents and Settings\Student\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Student\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\System32\vOSn2ebS.exe
C:\WINDOWS\System32\Y0JdM5Kt.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At73.job
C:\WINDOWS\Tasks\At74.job
C:\WINDOWS\Tasks\At75.job
C:\WINDOWS\Tasks\At76.job
C:\WINDOWS\Tasks\At77.job
C:\WINDOWS\Tasks\At78.job
C:\WINDOWS\Tasks\At79.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At80.job
C:\WINDOWS\Tasks\At81.job
C:\WINDOWS\Tasks\At82.job
C:\WINDOWS\Tasks\At83.job
C:\WINDOWS\Tasks\At84.job
C:\WINDOWS\Tasks\At85.job
C:\WINDOWS\Tasks\At86.job
C:\WINDOWS\Tasks\At87.job
C:\WINDOWS\Tasks\At88.job
C:\WINDOWS\Tasks\At89.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At90.job
C:\WINDOWS\Tasks\At91.job
C:\WINDOWS\Tasks\At92.job
C:\WINDOWS\Tasks\At93.job
C:\WINDOWS\Tasks\At94.job
C:\WINDOWS\Tasks\At95.job
C:\WINDOWS\Tasks\At96.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At73.job
C:\WINDOWS\Tasks\At74.job
C:\WINDOWS\Tasks\At75.job
C:\WINDOWS\Tasks\At76.job
C:\WINDOWS\Tasks\At77.job
C:\WINDOWS\Tasks\At78.job
C:\WINDOWS\Tasks\At79.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At80.job
C:\WINDOWS\Tasks\At81.job
C:\WINDOWS\Tasks\At82.job
C:\WINDOWS\Tasks\At83.job
C:\WINDOWS\Tasks\At84.job
C:\WINDOWS\Tasks\At85.job
C:\WINDOWS\Tasks\At86.job
C:\WINDOWS\Tasks\At87.job
C:\WINDOWS\Tasks\At88.job
C:\WINDOWS\Tasks\At89.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At90.job
C:\WINDOWS\Tasks\At91.job
C:\WINDOWS\Tasks\At92.job
C:\WINDOWS\Tasks\At93.job
C:\WINDOWS\Tasks\At94.job
C:\WINDOWS\Tasks\At95.job
C:\WINDOWS\Tasks\At96.job

.
((((((((((((((((((((((((( Files Created from 2008-09-10 to 2008-10-10 )))))))))))))))))))))))))))))))
.

2008-10-09 20:51 . 2008-10-09 20:51 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-10-09 20:51 . 2008-10-09 20:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-06 15:49 . 2008-10-06 15:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-06 07:39 . 2008-10-06 07:39 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-10-04 21:23 . 2008-10-05 08:52 253 --a------ C:\WINDOWS\wininit.ini
2008-10-04 06:09 . 2008-10-04 06:09 <DIR> d-------- C:\Program Files\directx
2008-10-03 13:27 . 2008-10-03 13:58 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-01 22:43 . 2008-10-01 22:43 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-10-01 19:53 . 2008-10-03 07:15 2,508 --a------ C:\Gens.cfg
2008-10-01 19:52 . 2008-10-01 19:52 40 --a------ C:\language.dat
2008-10-01 19:51 . 2008-10-01 19:51 882,400 --a------ C:\Streets of Rage 2 (U) [!].7z
2008-10-01 19:48 . 2006-05-21 03:25 1,875,968 --a------ C:\gens.exe
2008-10-01 19:48 . 2005-01-30 22:04 83,132 --a------ C:\GENS.hlp
2008-10-01 19:48 . 2005-01-29 01:21 32,256 --a------ C:\kailleraclient.dll
2008-10-01 19:39 . 2008-10-01 19:44 426,330 --a------ C:\gens-win32-bin-2[1].14.7z
2008-09-27 02:42 . 2008-09-27 02:42 <DIR> d-------- C:\Program Files\Total War
2008-09-15 19:02 . 2008-10-10 01:25 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-09-15 12:50 . 2008-05-01 15:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-09-15 12:49 . 2008-04-11 20:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-09-15 12:47 . 2008-06-13 12:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-09-15 12:46 . 2008-05-08 15:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-09-14 16:08 . 2008-09-14 16:08 <DIR> dr-h----- C:\AHCache
2008-09-13 08:12 . 2008-09-13 08:12 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-13 08:12 . 2008-09-13 08:12 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-13 08:12 . 2008-09-13 08:12 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-13 07:11 . 2008-04-14 01:12 1,001,472 -----c--- C:\WINDOWS\system32\dllcache\wmvdmoe2.dll
2008-09-13 07:11 . 2008-04-14 01:12 809,984 -----c--- C:\WINDOWS\system32\dllcache\wmvdmod.dll
2008-09-13 07:11 . 2008-04-14 01:12 258,048 -----c--- C:\WINDOWS\system32\dllcache\wmvds32.ax
2008-09-13 07:09 . 2008-04-14 01:12 774,144 -----c--- C:\WINDOWS\system32\dllcache\setup_wm.exe
2008-09-13 07:08 . 2008-04-14 01:12 1,306,624 --a------ C:\WINDOWS\system32\msxml6.dll
2008-09-13 07:07 . 2008-04-14 01:12 786,432 -----c--- C:\WINDOWS\system32\dllcache\migrate.exe
2008-09-13 07:06 . 2008-04-14 01:10 102,912 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-09-13 07:06 . 2008-04-14 01:09 24,064 -----c--- C:\WINDOWS\system32\dllcache\pidgen.dll
2008-09-13 07:06 . 2008-04-14 01:09 6,144 --a------ C:\WINDOWS\system32\kbdnepr.dll
2008-09-13 07:06 . 2008-04-14 01:09 6,144 --a------ C:\WINDOWS\system32\kbdiultn.dll
2008-09-13 07:06 . 2008-04-14 01:09 6,144 --a------ C:\WINDOWS\system32\kbdbhc.dll
2008-09-13 07:06 . 2007-06-21 06:52 974 --a------ C:\WINDOWS\system32\pid.inf
2008-09-13 07:04 . 2008-04-14 01:11 286,720 -----c--- C:\WINDOWS\system32\dllcache\blackbox.dll
2008-09-13 07:04 . 2008-04-14 01:11 233,472 --a------ C:\WINDOWS\system32\azroles.dll
2008-09-13 07:04 . 2008-04-14 01:11 136,192 --a------ C:\WINDOWS\system32\aaclient.dll
2008-09-13 07:04 . 2008-04-13 18:23 8,192 -----c--- C:\WINDOWS\system32\dllcache\asferror.dll
2008-09-13 07:04 . 2008-04-14 01:11 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-09-13 07:04 . 2001-08-23 13:00 999 -----c--- C:\WINDOWS\system32\dllcache\bktrh.gif
2008-09-12 17:15 . 2008-09-12 17:15 <DIR> d-------- C:\WINDOWS\provisioning
2008-09-12 16:05 . 2008-04-14 05:42 11,264 --a------ C:\WINDOWS\system32\spnpinst.exe
2008-09-12 16:05 . 2004-08-02 14:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-09-12 16:05 . 2004-08-02 14:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-09-12 13:14 . 2008-09-15 13:15 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-09-12 13:14 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-09-12 13:03 . 2008-09-13 08:12 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-12 12:57 . 2008-04-13 18:39 438,784 --a------ C:\WINDOWS\system32\xpob2res.dll
2008-09-12 12:57 . 2008-04-14 01:12 354,304 --a------ C:\WINDOWS\system32\winhttp.dll
2008-09-12 12:57 . 2008-04-14 01:12 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-09-12 12:57 . 2008-04-14 01:11 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2008-09-12 12:57 . 2008-04-14 01:11 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2008-09-12 12:51 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-12 12:51 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-12 12:46 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-09-12 12:46 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-09-12 12:46 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-09-12 12:45 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-09-12 12:45 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-09-12 12:45 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-09-12 12:45 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-09-12 12:45 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-09-12 12:45 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-09-12 12:36 . 2008-09-12 12:35 98,968 --a------ C:\Overview of Windows XP Service Pack 3.docx
2008-09-12 11:59 . 2003-01-07 17:37 1,338,880 --a------ C:\WINDOWS\system32\IEBAK000.TMP
2008-09-12 11:59 . 2002-08-29 11:41 401,920 --a------ C:\WINDOWS\system32\IEBAK001.TMP
2008-09-12 11:59 . 2008-09-12 11:59 98,304 --a------ C:\WINDOWS\system32\IEBAK002.TMP
2008-09-10 20:39 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-09-10 12:14 . 2008-09-10 12:14 <DIR> d-------- C:\Program Files\Alwil Software
2008-09-10 12:12 . 2007-01-18 13:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-09-10 12:11 . 2008-09-10 12:11 423,736 --a------ C:\antirootkit.exe
2008-09-10 11:57 . 2008-10-03 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-10 10:34 . 2008-09-10 10:34 <DIR> d-------- C:\Documents and Settings\Student\Application Data\Leadertech
2008-09-10 10:13 . 2008-09-10 10:13 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-10 02:24 . 2008-09-10 02:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\IBPlugin
2008-09-10 00:52 . 2004-07-26 10:34 139,264 --a------ C:\WINDOWS\system32\OPDSL.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-04 01:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-10-03 18:05 2,864 ----a-w C:\WINDOWS\system32\winsock.dll
2008-10-02 06:38 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-05 12:31 --------- d-----w C:\Documents and Settings\Student\Application Data\IBPlugin
2008-07-31 09:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 09:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 09:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-12 07:18 467,984 ----a-w C:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 07:18 3,851,784 ----a-w C:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 07:18 1,493,528 ----a-w C:\WINDOWS\system32\D3DCompiler_39.dll
2003-09-08 15:15 6,391 ----a-w C:\WINDOWS\inf\INF2.tmp
1998-12-09 01:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 01:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 01:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 01:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 01:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 01:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( snapshot@2008-10-09_ 4.19.41.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-09 03:44:17 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_44c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk.disabled [2003-02-17 1725]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsTLBq]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= IR41_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family;C:\WINDOWS\system32\DRIVERS\cben5.sys [2002-02-26 50498]
R3 maestro;ESS Maestro Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198xdl.sys [2002-06-20 414400]
.
Contents of the 'Scheduled Tasks' folder

2008-10-07 C:\WINDOWS\Tasks\At24.job
- C:\WINDOWS\System32\vOSn2ebS.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-REGEDIT4 - (no file)
BHO-[HKEY_CURRENT_USER\software\microsoft\internet explorer\urlsearchhooks] - (no file)
BHO-{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=" - (no file)
Notify-urqQiHyW - (no file)



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-10 02:06:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-10 2:12:42
ComboFix-quarantined-files.txt 2008-10-10 01:12:36
ComboFix2.txt 2008-10-09 03:22:03

Pre-Run: 2,789,986,304 bytes free
Post-Run: 2,784,694,272 bytes free

261 --- E O F --- 2008-09-12 12:38:08



Malwarebytes' Anti-Malware 1.28
Database version: 1248
Windows 5.1.2600 Service Pack 3

10/10/2008 03:54:10
mbam-log-2008-10-10 (03-54-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 83510
Time elapsed: 41 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 21
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ipb.band (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ipb.band.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dkwqgnbe.bvas (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dkwqgnbe.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\wTR19 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\evsevswi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\lafcuqma.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJBsRLD.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\syswdhek.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\urqQiHyW.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vdglncwj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2A1BC780-7E63-401C-97DD-05800C2AB9EA}\RP2\A0000009.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2A1BC780-7E63-401C-97DD-05800C2AB9EA}\RP2\A0000013.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2A1BC780-7E63-401C-97DD-05800C2AB9EA}\RP2\A0000014.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2A1BC780-7E63-401C-97DD-05800C2AB9EA}\RP2\A0000017.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2A1BC780-7E63-401C-97DD-05800C2AB9EA}\RP2\A0000020.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2A1BC780-7E63-401C-97DD-05800C2AB9EA}\RP2\A0000019.dll (Trojan.Vundo) -> Quarantined and deleted successfully.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:56:37, on 10/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {12CEC643-277F-4D9C-8E33-B7C9FEEB18FE} - (no file)
O2 - BHO: (no name) - {20989C00-4042-491C-8E4D-79BF8AAE5FBD} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B09E0F0B-28FE-4A7E-90F6-6D09E4234852} - (no file)
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk.disabled
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1221219879240
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1221220180553
O20 - Winlogon Notify: awtsTLBq - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: UStorage Server Service - Unknown owner - C:\WINDOWS\system32\UStorSrv.exe (file missing)

--
End of file - 3632 bytes
 
Thanks for the feedback, we have some trash to clean that TeaTimer is keeping in the registry. TeaTimer is turned on when I asked that it be disabled until we finished?
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.

Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {12CEC643-277F-4D9C-8E33-B7C9FEEB18FE} - (no file)
O2 - BHO: (no name) - {20989C00-4042-491C-8E4D-79BF8AAE5FBD} - (no file)
O2 - BHO: (no name) - {B09E0F0B-28FE-4A7E-90F6-6D09E4234852} - (no file)
O20 - Winlogon Notify: awtsTLBq - C:\WINDOWS\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

If you followed those directions, then this is the next important step:

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

RC1-4.gif


Since we do not need to scan with combofix, click NO

RC_whatnext.gif


RC_AllDone.gif


Thanks
 
I turned off teatimer the first time but it is just restarting itself. I noticed this is added to the list when i attempt to disable it:
10/10/2008 16:53:25 Denied (based on user decision) value "SpybotSD TeaTimer" (new data: "") deleted in System Startup user entry!

It says 'based on user decision' but i was not able to make any decision. I checked the black list for registry changes and its empty so it can't be that which is preventing the change.


As for the recovery console it just doesn't seem to work. I made sure i downloaded the right one but i will try deleting it and downloading again.
 
TeaTimer: If you have to, uninstall Spybot S&D completely in Add Remove Programs. Make sure you restart the computer, then follow the instructions to remove the junk with HJT. You can reinstall Spybot S&D later, make sure to download it from here:
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
http://www.safer-networking.org/en/faq/index.html

Recovery Console:
Microsoft Windows XP Professional SP3 <<< you have
For Recovery Console you have to use the one for SP2, this one:
http://www.microsoft.com/downloads/...8D-5E10-49B5-B80C-0A0205368124&displaylang=en
when you click the Download button, choose "Save this file now" and save it to the Desktop.
Follow the instructions in the screenshot to drag it to combofix and drop it. Follow the rest of the instructions.

Thanks
 
I followed your instructions and temporarily uninstalled spybot while making those changes using hijack this.
It has not caused any problems but the following message now appears after starting up:
Windows cannot open this file:
File: Microsoft office . Ink. disabled
To open the file, Windows needs to know what program create it. Windows can go online to look it up automatically, or you can manually select from a list of programmes on your computer.
What do you want to do?
Use web service to find the appropriate program.
Select from a list.


I downloaded the recovery console file again and although not on the first attempt, installation was sucessful.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
 
Thanks for returning your information, and the feedback. Recovery Console is installed correctly, a little information for you.
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654
Recovery Console is a tool that will allow you to recover from a catastrophic system failure, so let's hope you never need it. Many experts believe Microsoft should have installed it by default.

I would just ignore that message, the item is disabled anyway. When I get a message like that and want to open the file, I use notepad, that will usually open a file.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.

Update Avast4 and scan the system, to be sure it is running right and scanning clean. If all is running well at that point, let me know and I will close the topic.

Reinstall Spybot S&D from the link I provided.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
 
I have uninstalled combofix, updated and run the scans, nothing was infected. Currently going through all the links in your last post so don't worry it was not a wasted effort :)

Thank you very much for all your help.
 
Status
Not open for further replies.
Back
Top