Help Please, infected computer

[40luv]

Have a desk top PC with a warning that computer is infected. The desktop background color turned to black. There is a rectangular box in middle of screen that says "Dangerous Spyware" many viruses were found on your computer such as: Trojan Horse, PassCapture, etc.

Also i cannot get on the internet anymore. This hapenned as soon as Norton antivirus subscription expired and i did not renew, like an hour later. Thanks for any assistance you can give me.

 

[shelf life]

hi,

anyway you can transfer files to the infected computer via usb drive or even CD?

Also i cannot get on the internet anymore

try: start>run and type in iexplore.exe
see if IE launches. If so your first stop is for MBAM:

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click **Remove Selected.**
*A restart may be required to finish the clean up process*
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

please post the MBAM log in reply.
If you have transfer with a usb drive, post back first before doing it.

 

[40luv]

Thanks for responding. I ran mbam but in my excitement forgot to save the log. Is the log gone for good or can i retrieve from somewhere? Also after i rebooted to normal mode and updated mbam, i ran another full scan and this scan is taking forever. it's already over 2 hours and seems to be running slow. The initial scan in safe mode only took 49 minutes and it found over 200 malwares. Please advise, thanks again.

 

[shelf life]

hi,

you should find the MBAM logs here:

The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

The scan in normal mode could take some time. If it seems to stop then boot into safe mode to run it again.

make sure you do this part after a scan:

When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click **Remove Selected.**
If prompted to restart computer (to remove malware)please do so.
You have internet connectivity now?

 

[40luv]

Yes i can connect to internet now.

Here is the log after first scan in safe mode:

Malwarebytes' Anti-Malware 1.34
Database version: 1883
Windows 5.1.2600 Service Pack 3

3/21/2009 8:05:46 PM
mbam-log-2009-03-21 (20-05-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 190106
Time elapsed: 49 minute(s), 45 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 18
Registry Values Infected: 37
Registry Data Items Infected: 12
Folders Infected: 2
Files Infected: 164

Memory Processes Infected:
C:\WINDOWS\Temp\F2AC.tmp (Backdoor.KeyStart) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\crypts.dll (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Ron\Local Settings\Temp\ntdll64.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69198420-a2eb-4bf8-868c-3f9ec5ed168a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{69198420-a2eb-4bf8-868c-3f9ec5ed168a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ocitoigs (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ocitoigs (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ocitoigs (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{69198420-a2eb-4bf8-868c-3f9ec5ed168a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\14a506b1 (Backdoor.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\14a506b1 (Backdoor.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\14a506b1 (Backdoor.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\icf (Rootkit.ADS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\icf (Rootkit.ADS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icf (Rootkit.ADS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a0e410d3 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosikoloko (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows resurections (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zyker6756max4hbi8c75m6dxe7pm5ym1xksvbo9b80xnt (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ihe7k7oawhumif4o8dcv2ongfs2mrrnnzgd4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ou8thr8z44cgh5hvl4al76kxyzdalw (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e4ikpy0l6w3bv0vm47lr9nkskhmvs (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pidibzfhsgcan61qd3wsavopw1dm815exazyvp99fwlyh6z (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vmls4609thbysygmd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\r5dvwl3uj1k5hztqr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nmwlx62ovko350r3s3udlz31opq611ap25l0d58pdhsleu6ee (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ycyn9auzigwv5wyktor (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zlm9ray3un (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nz19y26oao3efc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\q0zvx7hwscaudda1p9uoisludg8qm9711e (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jznt6ql692kxfq621zf1803lk7rbh15wgeu5nm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ortu6drreblz9nu3burk8mz7q8k (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ra15d3sf4ow99lhdovwec1paqw (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\onzt7mjv29c7avgpkts676u2ddkqmg4orxn7nb5scoft10 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tdh1cwihrhrfv5i3j0cubloizdtk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doo6b3bwxa (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sb9almf5ls64hvv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cymt4wo1ce6kwvm6si3mak (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qx0x3ynvkt1kak9zrr2bzef07fi5x3fg95py8gexwppb0 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vpykmp90ab2wt3 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjnoz0riwnb8dxcpr4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\o8374sy3v83rfacivlqs5s1gzs (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yxntdtebfpjx96rlpg408kguh5pdoxyrtozgjyoxjy52hvr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lz5x9yw4pa4cwlb7bsl23i54g (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mf1m7lo7t012p (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a7vbiwclk02clsnijjasuqpkljhg5nu032b8ps71th4b8ljie (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nc4ghimhp4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rsuyobifama (Trojan.Hiloti) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fwotikiyi (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AntiVirGear 3.8 (Rogue.AntiVirGear) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243336031-1052116379-181863308-1851 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\kemuboti.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\itobumek.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rugahojo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\witukezo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\crypts.dll (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Ron\Local Settings\Temp\ntdll64.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\Temp\F2AC.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\j0kye.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\kocemzdsud.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\gyjpqubim.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\b1n73k6bl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\fqipgzj68w5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\ywb7nlu8skcs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\uhuqz5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\pd1afa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\1024051776.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\cgflne.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\plpvd48.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\i6aznm5v6vm2a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\z0wrq80x.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\itbsbtui9.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\ps1duoo.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\o6jxtr1w.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\k1o3zldgscnpu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\o87co8pi.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\n6m3ba2qf1e.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\wrpe0v8py.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\onwfg0zg0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\civg9ta8j.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\aemyn5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\wmvb1v5a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\on2wqh1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\bmiffhab.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\bdk2ew.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\y427bonsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\kocs28.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\oayogq0qwy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\xtb22f10zso85.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\iqsiz8y.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\vt5xib0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\wkav9bks.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\r07jkcsh.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\nlx56vpeih8n.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\a9pd02c.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\cmnd2qdi03azc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\zogtgbkyeryy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\hxvt4id8.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\dievxjhut4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\esjtoj15uyc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\wo7d4oswdso.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\khlggeb6.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\zk4hjl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\zuzkpieri4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\qvmu5l.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\ft3bzbhkg5o84.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\ua3st1frdn5h.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\rcw87m37rbt.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\jdw939p1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\fymvpsmyz5bl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\n2yu9nv7gbzs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\mstwinbwfh4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\uwmc2ik5wns.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\b9adcd93cz.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\xqemdtbe1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\a09629svu5ami.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\zq48bs8ktbfh.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\hug7cnhtah3o.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\ljsppj.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\ohzsuyn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\ifxdbt70.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\o5mr11klp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\g1tb06bv8.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\ztodx9rbs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\f1q084.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\c3jxmprsljgyg.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\u491bbnxndfl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\szdykx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Wlutoyamuzag.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\frmwrk32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\ieghyv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\kfnuc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\mtaueu.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\sjsocfq.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\sxprfkgw.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\tlgvlvdw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\tunvfcbl.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\vbmbpkar.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\vvpjmgd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\wkaqjah.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\wwypotq.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\ntdll64.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\2EL33V5P\730f[1].exe (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\M9YLIR0L\nyfa32[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\005.exe (Trojan.Injector) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\1021708026.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\146.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\222169550.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\333218676.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\354624926.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\51700800.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\81.tmp (Trojan.Spambot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\D1F1.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\ky59htvba.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\rip10.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\1751WMNT\ccsuper0[1].htm (Trojan.Spambot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\1751WMNT\ccsuper1[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\1751WMNT\exylmmm[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\1751WMNT\loaderadv563[1].exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\1751WMNT\wgpqnrfsc[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\1XOFHTMU\ccsuper2[1].htm (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\1XOFHTMU\mjgthh[1].htm (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\1XOFHTMU\pzwwkk[1].txt (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\60070WQ5\ccsuper0[1].htm (Trojan.Spambot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\60070WQ5\mjgthh[1].htm (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\60070WQ5\ports[1].exe (Trojan.Injector) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\A4ICSY8T\ccsuper1[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\A4ICSY8T\ccsuper2[1].htm (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\A4ICSY8T\fmvff[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\A4ICSY8T\wtddrrsfg[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\ONS9ADUG\730f[1].exe (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\ONS9ADUG\730f[2].exe (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\ONS9ADUG\fmvff[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\T31OUAEX\style[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\T31OUAEX\wtddrrsfg[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\T31OUAEX\xdqrr[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\W3B5MMM2\ccsuper3[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\W3B5MMM2\exylmmm[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\Z171Q835\pzwwkk[1].txt (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\Z171Q835\wgpqnrfsc[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\Z171Q835\xdqrr[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243336031-1052116379-181863308-1851\vsexy1.exe (Trojan.Injector) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-8518236536-7216142548-619037727-7372\service.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bdmaud.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\dalefuve.dll.vir (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rilajezo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\yoyorena.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\zukepive.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\14a506b1.sys (Backdoor.Rustock) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\1233011935exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\1699953497exe. 1444 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\33B3.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\343A.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\3995.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\4800.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\742648650exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\8840.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\8976.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\9322.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ED97.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\F0E9.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\FF64.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\Program Files\AntiVirGear 3.8\ignored.lst (Rogue.AntiVirGear) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243336031-1052116379-181863308-1851\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\axacatev.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32:ydaa.dll (Rootkit.ADS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\svchost.exe:ext.exe (Rootkit.ADS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Ron\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.

 

[40luv]

Hello again,

Here is the log after second scan in normal mode...took over 4 hours!

Malwarebytes' Anti-Malware 1.34
Database version: 1883
Windows 5.1.2600 Service Pack 3

3/22/2009 12:35:45 AM
mbam-log-2009-03-22 (00-35-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 182734
Time elapsed: 4 hour(s), 19 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.

 

[shelf life]

hi,

thats quite a load you had. How long has your machine been like this? You had some processes that may have allowed remote access to your machine.

We will get one more download to use. Its called combofix. There is a guide to read first. Read the guide, download combofix to your desktop, disable any AV as explained in the guide, double click the icon and follow the prompts.

the guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

[40luv]

Hi.

Yes i thought that was a lot. Computer was only unusable (couldn't access internet) a couple days ago.

Remote access sound scary and bad.

I will try downloading combofix.

P.S
I know we prolly should tackle 1 issue at a time but i'd like to ask this question. When i double click on Mozilla Firefox from my desktop i get the following alert!

"Could not initialize the application security component. Most likely cause is problems with files in your application profile directoy. Please check that this directory has no read/write restrictions and your hard disk is not full or close to full"

Then when i try to log on to anything that requires signing on i.e. Aol mail, online banking i get a Secure Connection Failed error message. see below

Secure Connection Failed

An error occurred during a connection to my.screenname.aol.com.

Can't connect securely because the SSL protocol has been disabled.

(Error code: ssl_error_ssl_disabled).

Any ideas? Thanks again.

 

[40luv]

Here is combofix log:

ComboFix 09-03-19.02 - Ron 2009-03-22 10:58:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.229 [GMT -4:00]
Running from: c:\documents and settings\Ron\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\nsv
c:\documents and settings\All Users\Application Data\nsv\cache\400.dfn
c:\documents and settings\All Users\Application Data\nsv\cache\404.dfn
c:\documents and settings\All Users\Application Data\nsv\keys.dat
c:\documents and settings\All Users\Application Data\nsv\wmv0104.dbd
c:\documents and settings\All Users\Application Data\nsv\wmv0106.ddx
c:\documents and settings\All Users\Application Data\nsv\wmv0204.ddx
c:\documents and settings\All Users\Application Data\nsv\wmv0412.ddx
c:\documents and settings\All Users\Application Data\nsv\wmv0504.ddx
c:\documents and settings\All Users\Application Data\nsv\wmv0904.ddx
c:\windows\system32\bsnzafqa.bin
c:\windows\system32\cfg.dat
c:\windows\system32\ofeyahij.ini
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\whcc-giant.exe

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_icf


((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
.

2009-03-22 09:33 . 2009-03-22 09:33 <DIR> d-------- c:\program files\CCleaner
2009-03-22 02:28 . 2009-03-22 02:28 <DIR> d-------- c:\program files\Unlocker
2009-03-22 02:28 . 2009-03-22 02:28 <DIR> d-------- c:\documents and settings\Ron\Application Data\Desktopicon
2009-03-21 17:33 . 2009-03-21 17:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-21 17:33 . 2009-03-21 17:33 <DIR> d-------- c:\documents and settings\Ron\Application Data\Malwarebytes
2009-03-21 17:33 . 2009-03-21 17:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-21 17:33 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-03-21 17:33 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-03-17 17:31 . 2009-03-17 17:31 95,232 --a------ C:\fntq.exe
2009-03-17 17:27 . 2009-03-17 17:27 10,240 --a------ c:\windows\instsp2.exe
2009-03-17 17:27 . 2009-03-17 17:30 2 --a------ C:\-1595666308

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-22 15:03 --------- d-----w c:\documents and settings\All Users\Application Data\DIGStream
2009-03-22 05:58 --------- d-----w c:\program files\PokerStars
2009-03-22 05:57 --------- d--h--r c:\documents and settings\Ron\Application Data\yahoo!
2009-03-22 05:57 --------- d-----w c:\program files\Yahoo!
2009-03-22 05:57 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-03-22 05:39 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-22 05:38 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-17 17:05 --------- d-----w c:\program files\UltimateBet
2006-04-17 23:14 5,959 ----a-w c:\documents and settings\Incomplete\downloads.dat
2008-09-09 00:11 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008090820080909\index.dat
2005-06-19 03:42 546,750 --sh--w c:\windows\SYSTEM32\DRIVERS\lmxlitu.bak1
2005-06-20 17:20 545,827 --sh--w c:\windows\SYSTEM32\DRIVERS\lmxlitu.bak2
2005-06-21 11:27 551,582 --sh--w c:\windows\SYSTEM32\DRIVERS\lmxlitu.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-04-29 180269]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-03 4800512]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 188416]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 221184]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-08-20 483328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"mmtask"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\dalefuve.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe"=
"c:\\Program Files\\Adobe\\Reader 8.0\\Reader\\reader_sl.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-28 24652]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ocitoigs
.
Contents of the 'Scheduled Tasks' folder

2009-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2009-03-22 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-UltimateBuddy - c:\program files\UltimateBuddy\UltimateBuddy.exe
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Ron\Start Menu\Programs\UltimateBet\UltimateBet.lnk
FF - ProfilePath - c:\documents and settings\Ron\Application Data\Mozilla\Firefox\Profiles\jl0573rw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 11:02:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\lu.dat:faykat 16384 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-22 11:09:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-22 15:08:43

Pre-Run: 14,255,632,384 bytes free
Post-Run: 14,791,856,128 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

164 --- E O F --- 2009-03-15 07:03:48

 

[shelf life]

Computer was only unusable (couldn't access internet) a couple days ago.

the malware could have been using your internet access the whole time.

we will use combofix to remove some files: dont forget to disable AV first

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:

File::
C:\fntq.exe
c:\windows\instsp2.exe
c:\windows\SYSTEM32\DRIVERS\lmxlitu.bak1
c:\windows\SYSTEM32\DRIVERS\lmxlitu.bak2
c:\windows\SYSTEM32\DRIVERS\lmxlitu.ini2

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon, both on your desktop
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log and a new hjt log.

do a online scan here:

ESET online scanner:

http://www.eset.com/onlinescan/

uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at:C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in next reply.

For the SSL problem take a look here:
look under:
Check your SSL settings

http://support.mozilla.com/en-US/kb...securely+because+the+SSL+protocol+is+disabled

most likely you do not use a proxy so you can skip that part

 

[40luv]

I know what and where to get the combofix log. What is and where do i find the new hjt log. I just wanna make sure i follow ur directions fully. Thanks again.

 

[40luv]

Here is new Combofix log:

ComboFix 09-03-19.02 - Ron 2009-03-22 16:07:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.243 [GMT -4:00]
Running from: c:\documents and settings\Ron\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ron\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\fntq.exe
c:\windows\instsp2.exe
c:\windows\SYSTEM32\DRIVERS\lmxlitu.bak1
c:\windows\SYSTEM32\DRIVERS\lmxlitu.bak2
c:\windows\SYSTEM32\DRIVERS\lmxlitu.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\fntq.exe
c:\windows\instsp2.exe
c:\windows\SYSTEM32\DRIVERS\lmxlitu.bak1
c:\windows\SYSTEM32\DRIVERS\lmxlitu.bak2
c:\windows\SYSTEM32\DRIVERS\lmxlitu.ini2

.
((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
.

2009-03-22 09:33 . 2009-03-22 09:33 <DIR> d-------- c:\program files\CCleaner
2009-03-22 02:28 . 2009-03-22 02:28 <DIR> d-------- c:\program files\Unlocker
2009-03-22 02:28 . 2009-03-22 02:28 <DIR> d-------- c:\documents and settings\Ron\Application Data\Desktopicon
2009-03-21 17:33 . 2009-03-21 17:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-21 17:33 . 2009-03-21 17:33 <DIR> d-------- c:\documents and settings\Ron\Application Data\Malwarebytes
2009-03-21 17:33 . 2009-03-21 17:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-21 17:33 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-03-21 17:33 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-03-17 17:27 . 2009-03-17 17:30 2 --a------ C:\-1595666308

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-22 19:35 --------- d-----w c:\documents and settings\All Users\Application Data\DIGStream
2009-03-22 16:00 --------- d-----w c:\program files\UltimateBet
2009-03-22 05:58 --------- d-----w c:\program files\PokerStars
2009-03-22 05:57 --------- d--h--r c:\documents and settings\Ron\Application Data\yahoo!
2009-03-22 05:57 --------- d-----w c:\program files\Yahoo!
2009-03-22 05:57 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-03-22 05:39 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-22 05:38 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-17 21:29 14,336 ----a-w c:\windows\SYSTEM32\svchost.exe
2009-03-17 21:29 14,336 ----a-w c:\windows\SYSTEM32\DLLCACHE\svchost.exe
2009-03-17 21:27 101,376 --sha-w c:\windows\SYSTEM32\molezovu.dll
2009-02-09 11:13 1,846,784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-01-17 02:35 3,594,752 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2006-04-17 23:14 5,959 ----a-w c:\documents and settings\Incomplete\downloads.dat
2008-09-09 00:11 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008090820080909\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-04-29 180269]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-03 4800512]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 188416]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 221184]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-08-20 483328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"mmtask"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe"=
"c:\\Program Files\\Adobe\\Reader 8.0\\Reader\\reader_sl.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-28 24652]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ocitoigs
.
Contents of the 'Scheduled Tasks' folder

2009-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2009-03-22 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Ron\Start Menu\Programs\UltimateBet\UltimateBet.lnk
FF - ProfilePath - c:\documents and settings\Ron\Application Data\Mozilla\Firefox\Profiles\jl0573rw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 16:11:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\lu.dat:faykat 16384 bytes executable


**************************************************************************
.
Completion time: 2009-03-22 16:15:51
ComboFix-quarantined-files.txt 2009-03-22 20:14:34
ComboFix2.txt 2009-03-22 15:09:38

Pre-Run: 14,967,021,568 bytes free
Post-Run: 14,953,697,280 bytes free

132 --- E O F --- 2009-03-15 07:03:48

I will wait for your reply to above post regards hjt file unless i can figure it out...lol.

 

[shelf life]

hi,

looks good. did you do the online scan? You can post a hjt log like this:

download HJTInstall.exe

http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

* Save HJTInstall.exe to your desktop.
* Doubleclick on the HJTInstall.exe icon on your desktop.
* By default it will install to C:\Program Files\Trend Micro\HijackThis .
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch Hijackthis.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" and Paste the entire contents of the log

 

[40luv]

Hello again.

Sorry for late response, had to step away for a bit.

Here is Eset online scan log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3954 (20090323)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=c5c854b17ced07458dfe6bad4bb97301
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-03-23 02:27:18
# local_time=2009-03-23 10:27:18 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=395989
# found=21
# scan_time=3927
C:\Documents and Settings\Lindsey(3)\Application Data(2)\Sun(2)\Java(2)\Deployment(2)\cache\javapi\v1.0\jar\jrl.jar-1a4a38bb-31687f54.zip multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Lindsey(3)\Application Data(2)\Sun(2)\Java(2)\Deployment(2)\cache\javapi\v1.0\jar\jrl.jar-1a4a38bb-31687f54.zip »ZIP »GetAccess.class Java/TrojanDownloader.OpenConnection.AJ trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Lindsey(3)\Application Data(2)\Sun(2)\Java(2)\Deployment(2)\cache\javapi\v1.0\jar\jrl.jar-1a4a38bb-31687f54.zip »ZIP »Installer.class Java/TrojanDownloader.OpenConnection trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Lindsey(3)\Application Data(2)\Sun(2)\Java(2)\Deployment(2)\cache\javapi\v1.0\jar\jrl.jar-1a4a38bb-31687f54.zip »ZIP »NewSecurityClassLoader.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Lindsey(3)\Application Data(2)\Sun(2)\Java(2)\Deployment(2)\cache\javapi\v1.0\jar\jrl.jar-1a4a38bb-31687f54.zip »ZIP »NewURLClassLoader.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Ron\Application Data\Sun\Java\Deployment\cache\6.0\53\6af78fb5-629081ca Java/TrojanDownloader.OpenStream.Y trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Ron\Application Data\Sun\Java\Deployment\cache\6.0\53\6af78fb5-7616ddb2 Java/TrojanDownloader.OpenStream.Y trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Ron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-40baf3a5-7fc991e0.class Java/TrojanDownloader.OpenStream.Y trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Microsoft AntiSpyware\Quarantine\8A94D427-D214-44DB-BE80-2B5FAF\090ACE6B-6603-4E96-8DC5-1DAFB8 Win32/TrojanDownloader.IstBar trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Microsoft AntiSpyware\Quarantine\9852C1E8-6DC0-412F-AB17-6D40C9\7BFEAC94-D6CF-43AC-A653-C2A8EA Win32/Adware.180Solutions application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Microsoft AntiSpyware\Quarantine\B08FCA77-015A-4071-AC2E-B9822D\EC3EFBE2-8E75-4914-989F-7D7CFC a variant of Win32/TrojanDownloader.IstBar trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Microsoft AntiSpyware\Quarantine\B6F13831-B33A-47E3-8D22-824F56\7D711E8B-497E-4395-940E-A57FB9 Win32/TrojanDownloader.IstBar.gen trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Microsoft AntiSpyware\Quarantine\DBBCF7A0-780C-4678-8DA8-F20264\D4EBDB80-FE45-4C61-8EDB-4209AC Win32/Adware.WinAd application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\fntq.exe.vir Win32/AutoRun.Agent.LT worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\instsp2.exe.vir a variant of Win32/TrojanDownloader.Agent.OWQ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\userinit.exe.vir Win32/FakeInit.I trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0001430.exe Win32/FakeInit.I trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0001431.exe Win32/FakeInit.I trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001558.exe Win32/AutoRun.Agent.LT worm (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001559.exe a variant of Win32/TrojanDownloader.Agent.OWQ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\Downloaded Program Files\WinTaskAdX.dll a variant of Win32/Adware.WinAd application (unable to clean - deleted) 00000000000000000000000000000000


Will do the HJT log next.

 

[40luv]

Here is Hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:05 AM, on 3/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Ron\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Ron\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124415122515
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/netset/install/gtdownls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7632 bytes

 

[shelf life]

ok good. we will use hjt:

start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"

O2 - BHO: (no name) - rsion - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Ron\Start Menu\Programs\UltimateBet\UltimateBet.lnk

O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Ron\Start Menu\Programs\UltimateBet\UltimateBet.lnk

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

C:\Program Files\Ares: there is plenty of malware that is distibuted via p2p networks. If you have uninstalled Ares its possible this service got left behind. we can remove it.

post a service list like this:

Go to Start > Run and type:

cmd.exe

and click ok. Copy and paste the line below at the prompt > and click enter

sc query > c:\services.txt & start notepad c:\services.txt

notepad will open with a windows service list. please copy/paste the list in reply.

 

[40luv]

Here is service list log:


SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Apple Mobile Device
DISPLAY_NAME: Apple Mobile Device
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: AudioSrv
DISPLAY_NAME: Windows Audio
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Browser
DISPLAY_NAME: Computer Browser
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: CryptSvc
DISPLAY_NAME: Cryptographic Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: DcomLaunch
DISPLAY_NAME: DCOM Server Process Launcher
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Dnscache
DISPLAY_NAME: DNS Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: ERSvc
DISPLAY_NAME: Error Reporting Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Eventlog
DISPLAY_NAME: Event Log
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: FastUserSwitchingCompatibility
DISPLAY_NAME: Fast User Switching Compatibility
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: helpsvc
DISPLAY_NAME: Help and Support
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: HidServ
DISPLAY_NAME: HID Input Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: iPod Service
DISPLAY_NAME: iPod Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: lanmanserver
DISPLAY_NAME: Server
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: lanmanworkstation
DISPLAY_NAME: Workstation
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: LmHosts
DISPLAY_NAME: TCP/IP NetBIOS Helper
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Netman
DISPLAY_NAME: Network Connections
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Nla
DISPLAY_NAME: Network Location Awareness (NLA)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: NVSvc
DISPLAY_NAME: NVIDIA Driver Helper Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: PlugPlay
DISPLAY_NAME: Plug and Play
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Pml Driver HPZ12
DISPLAY_NAME: Pml Driver HPZ12
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: PolicyAgent
DISPLAY_NAME: IPSEC Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: ProtectedStorage
DISPLAY_NAME: Protected Storage
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: RasMan
DISPLAY_NAME: Remote Access Connection Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: RpcSs
DISPLAY_NAME: Remote Procedure Call (RPC)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: SamSs
DISPLAY_NAME: Security Accounts Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Schedule
DISPLAY_NAME: Task Scheduler
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: seclogon
DISPLAY_NAME: Secondary Logon
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: SharedAccess
DISPLAY_NAME: Windows Firewall/Internet Connection Sharing (ICS)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: ShellHWDetection
DISPLAY_NAME: Shell Hardware Detection
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: srservice
DISPLAY_NAME: System Restore Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: SSDPSRV
DISPLAY_NAME: SSDP Discovery Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: stisvc
DISPLAY_NAME: Windows Image Acquisition (WIA)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: TapiSrv
DISPLAY_NAME: Telephony
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: TermService
DISPLAY_NAME: Terminal Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Themes
DISPLAY_NAME: Themes
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: TrkWks
DISPLAY_NAME: Distributed Link Tracking Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Viewpoint Manager Service
DISPLAY_NAME: Viewpoint Manager Service
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: w32time
DISPLAY_NAME: Windows Time
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: WebClient
DISPLAY_NAME: WebClient
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: winmgmt
DISPLAY_NAME: Windows Management Instrumentation
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: WZCSVC
DISPLAY_NAME: Wireless Zero Configuration
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

Thanks

 

[shelf life]

ok thanks for the info
You can remove combofix like this:
start>run
type in:
combofix /u
click ok or enter
Note: a space after the x and before the /

Post another hjt log. Do you use Ares?

 

[40luv]

Do i have to remove the combofix, just trying to clarify? will wait for response

I did and have used Ares but i deleted it yesterday.

 

[40luv]

Hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:29 PM, on 3/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124415122515
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/netset/install/gtdownls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6903 bytes