MalwareRemoval.com
What else do I need to do?

Post by SmilingOne » September 17th, 2008, 6:18 pm

Good day,

I've got some kind of worm from a dummyhead move on LimeWire. I've tried a few different things and my pc is still running like crap. IE takes forever to load and same as my other internet programs like MSN...

So far I have:

Deleted LimeWire
Scanned with AVG, Spybot Search and Destroy and MalWareBytes AntiMalware (all in SafeMode)

The latest scan is my HJT:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:07 PM, on 17/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: agadoo browser enhancer - {dcbf062a-f8f6-230a-b61b-1cd630bc38b6} - C:\WINDOWS\system32\onmfacakjxnzhfd.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [BM37b05e23] Rundll32.exe "C:\WINDOWS\system32\skawnuvi.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: radssl.dll,avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 5065 bytes

Please advise of my next move. Much appreciated!

SmilingOne :)
SmilingOne
Active Member
Posts: 8
Joined: September 17th, 2008, 6:08 pm

Re: What else do I need to do?

Post by Shaba » September 19th, 2008, 4:11 am

Hi SmilingOne

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

Image

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: What else do I need to do?

Post by SmilingOne » September 19th, 2008, 6:10 pm

Here she be, as requested:

µTorrent
Acrobat.com
Acrobat.com
Adaptec UDF Reader
Adobe Acrobat 5.0
Adobe AIR
Adobe AIR
Adobe Flash Player ActiveX
Adobe Photoshop 7.0
Adobe Reader 9
Ancient Trijong
AVG Free 8.0
CleanUp!
Creative Jukebox Driver
Creative NOMAD II Driver
Digimax Master
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_05
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
K-Lite Codec Pack 2.62 Full
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB936181)
Nero 7 Essentials
neroxml
Philips Intelligent Agent
Photo Tool
Samsung USB Driver
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951748)
Shareaza
Sound Blaster Live!
SP2 Connection Patcher
Spybot - Search & Destroy
Spybot - Search & Destroy 1.3
Tiki Boom Boom
Uninstall Startup Inspector for Windows
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Winamp
Winamp Remote
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WTI Screen Saver 1.0
Yahoo! Messenger
Yahtzee

Edit: as a side note, I also wanted to add that since I have scanned and used SBS&D I have denied access to a file (perhaps by mistake?) and this is the message I get when I boot up:

Error Loading
C:\Windows\System32\skawnuvi.dll
The specified module could not be found.

Also, it seems that my automatic Windows updates have been disabled. I've turned them back on, but they keep turning themselves off. Related?

Thanks for your help!

SmilingOne :)
SmilingOne
Active Member
Posts: 8
Joined: September 17th, 2008, 6:08 pm
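The boot-time message quoted in the post above ("Error Loading C:\Windows\System32\skawnuvi.dll / The specified module could not be found") is the classic symptom of an orphaned autostart entry: the HijackThis log in the first post still carries `O4 - HKLM\..\Run: [BM37b05e23] Rundll32.exe "C:\WINDOWS\system32\skawnuvi.dll",s`, and once the DLL itself is blocked or renamed, rundll32 complains at every logon until the Run entry is removed too. The same log also shows a BHO marked "(file missing)", a ProxyServer value pointing at proxy:8080, and an unfamiliar radssl.dll in AppInit_DLLs. The script below is an added example, not code from MalwareRemoval.com, HijackThis or the poster: it triages a HijackThis-style log the way a helper reads one, flagging Run entries and AppInit_DLLs entries whose file is not on disk, BHOs that have lost their DLL, and any configured proxy. The sample log lines and the `PRESENT_FILES` set are constructed for the example (modelled on this thread's log); the assumption that bare AppInit_DLLs names resolve from system32 is the author's, and on a live machine the set of present files would be built with `os.path.exists()` instead.

```python
"""Triage a HijackThis-style log for autostart entries whose target is gone.

Added example, not code from MalwareRemoval.com, HijackThis or the poster.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Assumption: bare DLL names in AppInit_DLLs are resolved from system32.
SYSTEM32 = r"C:\WINDOWS\system32"

# Constructed sample in HijackThis v2 format, modelled on the log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: agadoo browser enhancer - {dcbf062a-f8f6-230a-b61b-1cd630bc38b6} - C:\WINDOWS\system32\onmfacakjxnzhfd.dll (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [BM37b05e23] Rundll32.exe "C:\WINDOWS\system32\skawnuvi.dll",s
O20 - AppInit_DLLs: radssl.dll,avgrsstx.dll
"""

# Constructed: the files that exist on the sample machine. On a live system
# this set would be built with os.path.exists() instead.
PRESENT_FILES = {
    r"C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r"C:\WINDOWS\system32\avgrsstx.dll",
}


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O4"
    reason: str   # why a responder should look at it
    detail: str   # the path or value involved


# A quoted path, or an unquoted path up to its executable-looking extension.
_PATH_RE = re.compile(
    r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|scr|bat|cmd|vbs|pif))(?=[\s,]|$)', re.I)
_O2_RE = re.compile(r"^O2 - BHO: (.*) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
_O4_RE = re.compile(r"^O4 - (.+?): \[(.*?)\] (.*)$")


def extract_target(command: str) -> Optional[str]:
    """Return the file a Run-key command launches, without quotes or arguments.

    For a Rundll32 launch the interesting file is the DLL it is told to load;
    if that DLL is gone, Windows shows "Error Loading <dll> / The specified
    module could not be found" at logon until the Run entry is removed.
    """
    command = command.strip()
    if command.lower().startswith("rundll32.exe"):
        command = command[len("rundll32.exe"):].strip()
    m = _PATH_RE.match(command)
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage(log_lines: Iterable[str], present: Set[str]) -> List[Finding]:
    """Flag a configured proxy, BHOs whose DLL is gone, Run entries whose file
    is missing, and AppInit_DLLs entries not found on disk. Paths compare
    case-insensitively because Windows file systems do."""
    present_lc = {p.lower() for p in present}
    findings: List[Finding] = []
    for raw in log_lines:
        line = raw.strip()
        if not line:
            continue
        tag = line.split(" ", 1)[0]
        if tag == "R1" and "ProxyServer" in line:
            value = line.split("=", 1)[1].strip()
            if value:
                findings.append(Finding("R1", "proxy server configured", value))
        elif tag == "O2":
            m = _O2_RE.match(line)
            if m and m.group(3).endswith(("(file missing)", "(no file)")):
                findings.append(Finding("O2", "BHO registered but its DLL is gone",
                                        f"{m.group(2)} {m.group(3)}"))
        elif tag == "O4":
            m = _O4_RE.match(line)
            if not m:
                continue
            target = extract_target(m.group(3))
            if target is None:
                findings.append(Finding("O4", "could not parse command", m.group(3)))
            elif target.lower() not in present_lc:
                findings.append(Finding("O4", "autostart entry points at a missing file", target))
        elif line.startswith("O20 - AppInit_DLLs:"):
            for name in re.split(r"[,\s]+", line.split(":", 1)[1].strip()):
                if not name:
                    continue
                path = name if "\\" in name else SYSTEM32 + "\\" + name
                if path.lower() not in present_lc:
                    findings.append(Finding("O20", "AppInit_DLLs entry not found on disk", path))
    return findings


def triage_sample() -> List[Finding]:
    """Run the triage over the constructed sample log."""
    return triage(SAMPLE_LOG.splitlines(), PRESENT_FILES)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.section}: {f.reason}: {f.detail}")
```

Against the sample, the AVG tray entry and avgrsstx.dll are left alone because their files exist, while the winupdates and skawnuvi entries, both BHOs, the proxy and radssl.dll are reported. A missing file is only a lead, not a verdict: a legitimate program that was uninstalled carelessly leaves the same kind of orphan, which is why the helpers in this thread ask for the uninstall list and a fresh log before deciding what to remove.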

Re: What else do I need to do?

Post by Shaba » September 20th, 2008, 5:13 am

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent
Shareaza


I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Post a fresh uninstall list here along with a fresh HijackThis log, please.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: What else do I need to do?

Post by SmilingOne » September 20th, 2008, 1:53 pm

Sorry, I read the policy prior to posting (which is why I uninstalled LimeWire. I know I got whatever is infecting my pc from there). I forgot about those programs as I don't use them anymore.

Acrobat.com
Acrobat.com
Adaptec UDF Reader
Adobe Acrobat 5.0
Adobe AIR
Adobe AIR
Adobe Flash Player ActiveX
Adobe Photoshop 7.0
Adobe Reader 9
Ancient Trijong
AVG Free 8.0
CleanUp!
Creative Jukebox Driver
Creative NOMAD II Driver
Digimax Master
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_05
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
K-Lite Codec Pack 2.62 Full
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB936181)
Nero 7 Essentials
neroxml
Philips Intelligent Agent
Photo Tool
Samsung USB Driver
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951748)
Sound Blaster Live!
SP2 Connection Patcher
Spybot - Search & Destroy
Spybot - Search & Destroy 1.3
Tiki Boom Boom
Uninstall Startup Inspector for Windows
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Winamp
Winamp Remote
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WTI Screen Saver 1.0
Yahoo! Messenger
Yahtzee
SmilingOne
Active Member
Posts: 8
Joined: September 17th, 2008, 6:08 pm

Re: What else do I need to do?

Post by Shaba » September 20th, 2008, 2:15 pm

Thank you for that :)

We will continue with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: What else do I need to do?

Post by SmilingOne » September 21st, 2008, 3:27 pm

Okie dokie, here are the logs as requested:

First, the ComboFix:

ComboFix 08-09-20.05 - karen 2008-09-21 12:53:31.1 - NTFSx86
Running from: C:\Documents and Settings\karen\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\karen\LOCALS~1\Temp\tmp2.tmp
C:\Program Files\winupdates
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\MSINET.oca

.
((((((((((((((((((((((((( Files Created from 2008-08-21 to 2008-09-21 )))))))))))))))))))))))))))))))
.

2008-09-21 03:09 . 2008-09-21 03:28 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-09-17 17:00 . 2008-09-17 17:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-17 16:57 . 2008-09-17 16:59 <DIR> d-------- C:\bfu
2008-09-15 22:35 . 2008-09-16 14:00 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-15 19:30 . 2008-09-15 19:37 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-15 19:30 . 2008-09-15 19:30 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-15 19:30 . 2008-09-15 19:30 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-15 19:30 . 2008-09-15 19:30 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-15 19:29 . 2008-09-15 19:29 <DIR> d-------- C:\Program Files\AVG
2008-09-15 19:29 . 2008-09-15 19:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-15 15:10 . 2008-09-15 15:12 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\LimeWire
2008-09-14 14:29 . 2008-09-14 14:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-14 02:56 . 2008-09-14 02:56 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-14 02:51 . 2008-09-14 02:51 95,744 --a------ C:\WINDOWS\system32\skawnuvi.dll_old
2008-09-13 14:21 . 2008-09-13 14:21 <DIR> d-------- C:\Documents and Settings\karen\Application Data\Malwarebytes
2008-09-13 14:20 . 2008-09-13 14:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-13 14:20 . 2008-09-13 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-13 14:20 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-13 14:20 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-13 14:01 . 2008-09-13 14:01 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-09-13 13:59 . 2008-09-14 02:41 <DIR> d--hs---- C:\WINDOWS\S0FSRU4
2008-09-13 13:58 . 2008-09-16 01:25 <DIR> d-------- C:\WINDOWS\system32\utc
2008-09-13 13:58 . 2008-09-16 01:19 <DIR> d-------- C:\WINDOWS\system32\mC02
2008-09-13 13:58 . 2008-09-14 01:39 <DIR> d-------- C:\WINDOWS\system32\ir
2008-09-13 13:58 . 2008-09-14 01:39 <DIR> d-------- C:\WINDOWS\system32\gd2
2008-09-12 19:19 . 2008-09-12 19:19 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-09-12 18:55 . 2008-09-12 20:38 <DIR> d-------- C:\Program Files\NOS
2008-09-12 18:55 . 2008-09-12 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-09-11 08:31 . 2008-09-11 08:31 167,936 --a------ C:\WINDOWS\system32\onmfacakjxnzhfd.dll_old
2008-09-09 17:48 . 2008-07-11 17:48 32 -ra------ C:\Documents and Settings\All Users\hash.dat
2008-09-09 17:27 . 2008-09-15 19:13 <DIR> d-------- C:\Program Files\Three Rings Design
2008-08-23 15:24 . 2008-08-23 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-08-23 15:23 . 2008-08-23 15:24 <DIR> d-------- C:\Program Files\Winamp Remote
2008-08-23 15:19 . 2007-03-07 18:51 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-08-23 15:01 . 2008-08-23 15:02 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-23 14:55 . 2008-08-23 14:55 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-08-23 14:55 . 2008-08-23 14:58 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-23 14:06 . 2008-09-15 18:53 <DIR> d-------- C:\Documents and Settings\karen\Application Data\LimeWire
2008-08-23 14:05 . 2008-09-15 19:11 <DIR> d-------- C:\Program Files\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-21 07:03 --------- d-----w C:\Documents and Settings\karen\Application Data\wsInspector
2008-09-16 00:11 --------- d-----w C:\Program Files\Cosmi
2008-09-14 08:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-14 08:03 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-13 19:04 --------- d-----w C:\Program Files\CleanUp!
2008-09-13 00:16 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-09 22:26 --------- d-----w C:\Program Files\Java
2008-08-23 23:28 --------- d-----w C:\Program Files\Winamp
2008-08-03 09:01 --------- d-----w C:\Documents and Settings\karen\Application Data\Azureus
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 -c--a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 23:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-05-04 22:42 7,980,040 ----a-w C:\Program Files\Azureus_3.0.5.0_windows.exe
2006-06-25 04:12 3,967,401 -c--a-w C:\Program Files\wxp_2.exe
2006-06-25 04:11 3,250 -c--a-w C:\Program Files\te.nfo
2006-06-23 04:03 26,785 -c--a-w C:\Program Files\SWiSHmax.Build.2006-02-01.by.NabCDTeam.exe
2006-05-31 03:52 9,798,877 -c--a-w C:\Program Files\SetupSwishmax.exe
2006-04-01 07:36 14,022 -c----w C:\Program Files\Config.cfg
2006-04-01 07:23 7,433 -c----w C:\Program Files\Readme.txt
2006-04-01 07:06 6,322 -c----w C:\Program Files\LICENSE.TXT
2005-10-09 03:38 3,369,872 -c--a-w C:\Program Files\PokerStarsInstallPM.exe
2005-10-08 23:11 2,660,275 -c--a-w C:\Program Files\Shareaza_2.2.0.0_source.zip
2005-10-08 23:09 3,288,858 -c--a-w C:\Program Files\Shareaza_2.2.0.0.exe
2001-05-04 19:05 431,376 -c----w C:\Program Files\RICHED20.DLL
2001-05-04 19:05 290,869 -c----w C:\Program Files\MSVCRT.DLL
2000-06-09 00:00 995,383 -c----w C:\Program Files\Mfc42.dll
1999-12-07 19:00 3,856 -c----w C:\Program Files\RICHED32.DLL
1999-12-07 19:00 253,952 -c----w C:\Program Files\MSVCRT20.DLL
2005-07-29 21:24 472 --sha-r C:\WINDOWS\S0FSRU4\mXImlob.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=radssl.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm
"aux1"= ctwdm32.dll
"VIDC.3iv2"= C:\PROGRA~1\K-LITE~1\codecs\3IVXVF~1.DLL
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"kavsvc"=3 (0x3)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\Philips Intelligent Agent\\Philips Intelligent Agent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=


*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

BHO-{dcbf062a-f8f6-230a-b61b-1cd630bc38b6} - C:\WINDOWS\system32\onmfacakjxnzhfd.dll
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\karen\Application Data\Mozilla\Firefox\Profiles\b5qdyc6v.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 13:01:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-09-21 13:13:57
ComboFix-quarantined-files.txt 2008-09-21 18:12:49

Pre-Run: 18,583,064,576 bytes free
Post-Run: 18,649,391,104 bytes free

160 --- E O F --- 2008-09-21 08:28:23


And now a new HiJackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:01 PM, on 21/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\sol.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: radssl.dll,avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 4703 bytes


Just a side note...I noticed that ComboFix "orphaned" onmfacakjxnzhfd.dll. I know this file was part of the problem, so I'm somewhat relieved. Please let me know if there is anything left to do. Your help is much appreciated. Have a good day!

SmilingOne :)

Re: What else do I need to do?

Unread postby Shaba » September 22nd, 2008, 4:00 am

Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\WINDOWS\system32\skawnuvi.dll_old
C:\WINDOWS\system32\onmfacakjxnzhfd.dll_old
C:\Program Files\Azureus_3.0.5.0_windows.exe
C:\Program Files\Shareaza_2.2.0.0_source.zip
C:\Program Files\Shareaza_2.2.0.0.exe

Folder::
C:\WINDOWS\S0FSRU4
C:\WINDOWS\system32\utc
C:\WINDOWS\system32\mC02
C:\WINDOWS\system32\ir
C:\WINDOWS\system32\gd2
C:\Documents and Settings\karen\Application Data\LimeWire
C:\Program Files\LimeWire

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="avgrsstx.dll"


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes of findstr, find, sed or swreg; ComboFix should then continue.
If that happened we want to know, and also what process you had to end.
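As an added illustration (not part of this thread and not ComboFix's own code), the Python below reads a constructed excerpt of the ComboFix log lines posted above, flags what the CFScript instructions target (a hidden+system folder and file under C:\WINDOWS, a leftover *.dll_old, the extra AppInit_DLLs entry, the disabled firewall) and emits File::/Folder::/Registry:: sections in the format used in the post. The allow-list TRUSTED_APPINIT and the "_old is a leftover" rule are assumptions of the example, not ComboFix rules.

```python
"""Triage a ComboFix log excerpt and derive the CFScript sections it justifies.

Added example for this thread, not ComboFix's code: the line formats are the
ones ComboFix prints; the allow-list and the "leftover" rule are assumptions.
"""
import re
from dataclasses import dataclass

# Assumption: the only AppInit_DLLs entry this machine should load is AVG's.
TRUSTED_APPINIT = {"avgrsstx.dll"}
# Assumption: "*_old" files are leftovers of an earlier rename-based cleanup.
LEFTOVER_SUFFIXES = ("_old",)
APPINIT_KEY = r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"

# Constructed excerpt: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
2008-09-21 03:09 . 2008-09-21 03:28 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-09-13 13:59 . 2008-09-14 02:41 <DIR> d--hs---- C:\WINDOWS\S0FSRU4
2008-09-11 08:31 . 2008-09-11 08:31 167,936 --a------ C:\WINDOWS\system32\onmfacakjxnzhfd.dll_old
2008-09-21 07:03 --------- d-----w C:\Documents and Settings\karen\Application Data\wsInspector
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2005-07-29 21:24 472 --sha-r C:\WINDOWS\S0FSRU4\mXImlob.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=radssl.dll,avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# "Files Created" lines carry two timestamps, "Find3M" lines only one; both end
# with a size (or <DIR> / dashes), an attribute-flag string and the path.
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r" (\S+) (\S+) ([A-Za-z]:\\.+)$"
)
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')


@dataclass(frozen=True)
class Finding:
    kind: str       # hidden_system_dir | hidden_system_file | leftover_file | appinit_dlls | firewall_off
    detail: str     # offending path, DLL list or registry value
    keep: str = ""  # appinit_dlls only: trusted DLLs the corrected value must retain


def triage(log_text, trusted_appinit=TRUSTED_APPINIT):
    """Return the findings a helper would act on, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            _size, attrs, path = m.groups()
            # Hidden and system flags both set is how the S0FSRU4 folder and
            # its .vbs stay out of sight in Explorer; the hotfix folder
            # $hf_mig$ is hidden only and is left alone.
            if "h" in attrs and "s" in attrs:
                kind = "hidden_system_dir" if attrs.startswith("d") else "hidden_system_file"
                findings.append(Finding(kind, path))
            elif path.lower().endswith(LEFTOVER_SUFFIXES):
                findings.append(Finding("leftover_file", path))
            continue
        m = APPINIT_RE.match(line)
        if m:
            dlls = [d.strip() for d in m.group(1).split(",") if d.strip()]
            bad = [d for d in dlls if d.lower() not in trusted_appinit]
            if bad:  # each listed DLL is loaded into every process that loads user32.dll
                keep = ",".join(d for d in dlls if d.lower() in trusted_appinit)
                findings.append(Finding("appinit_dlls", ",".join(bad), keep))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(Finding("firewall_off", line))
    return findings


def build_cfscript(findings):
    """Emit File::/Folder::/Registry:: sections in the format used in the post.
    The firewall finding is reported by triage() but left for the human to fix."""
    folders = [f.detail for f in findings if f.kind == "hidden_system_dir"]
    # A file inside a listed folder goes with the folder; do not list it twice.
    files = [f.detail for f in findings
             if f.kind in ("hidden_system_file", "leftover_file")
             and not any(f.detail.lower().startswith(d.lower() + "\\") for d in folders)]
    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    if folders:
        sections.append("Folder::\n" + "\n".join(folders))
    appinit = [f for f in findings if f.kind == "appinit_dlls"]
    if appinit:
        sections.append(f'Registry::\n{APPINIT_KEY}\n"AppInit_DLLs"="{appinit[0].keep}"')
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:<19} {f.detail}")
    print(build_cfscript(found))
```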

Re: What else do I need to do?

Unread postby SmilingOne » September 23rd, 2008, 7:56 pm

Here she be:

ComboFix 08-09-22.06 - karen 2008-09-23 18:11:52.2 - NTFSx86
Running from: C:\Documents and Settings\karen\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 )))))))))))))))))))))))))))))))
.

2008-09-21 03:09 . 2008-09-21 03:28 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-09-17 17:00 . 2008-09-17 17:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-17 16:57 . 2008-09-17 16:59 <DIR> d-------- C:\bfu
2008-09-15 22:35 . 2008-09-16 14:00 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-15 19:30 . 2008-09-15 19:37 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-15 19:30 . 2008-09-15 19:30 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-15 19:30 . 2008-09-15 19:30 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-15 19:30 . 2008-09-15 19:30 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-15 19:29 . 2008-09-15 19:29 <DIR> d-------- C:\Program Files\AVG
2008-09-15 19:29 . 2008-09-15 19:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-15 15:10 . 2008-09-15 15:12 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\LimeWire
2008-09-14 14:29 . 2008-09-14 14:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-14 02:56 . 2008-09-14 02:56 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-14 02:51 . 2008-09-14 02:51 95,744 --a------ C:\WINDOWS\system32\skawnuvi.dll_old
2008-09-13 14:21 . 2008-09-13 14:21 <DIR> d-------- C:\Documents and Settings\karen\Application Data\Malwarebytes
2008-09-13 14:20 . 2008-09-13 14:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-13 14:20 . 2008-09-13 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-13 14:20 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-13 14:20 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-13 14:01 . 2008-09-13 14:01 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-09-13 13:59 . 2008-09-14 02:41 <DIR> d--hs---- C:\WINDOWS\S0FSRU4
2008-09-13 13:58 . 2008-09-16 01:25 <DIR> d-------- C:\WINDOWS\system32\utc
2008-09-13 13:58 . 2008-09-16 01:19 <DIR> d-------- C:\WINDOWS\system32\mC02
2008-09-13 13:58 . 2008-09-14 01:39 <DIR> d-------- C:\WINDOWS\system32\ir
2008-09-13 13:58 . 2008-09-14 01:39 <DIR> d-------- C:\WINDOWS\system32\gd2
2008-09-12 19:19 . 2008-09-12 19:19 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-09-12 18:55 . 2008-09-12 20:38 <DIR> d-------- C:\Program Files\NOS
2008-09-12 18:55 . 2008-09-12 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-09-11 08:31 . 2008-09-11 08:31 167,936 --a------ C:\WINDOWS\system32\onmfacakjxnzhfd.dll_old
2008-09-09 17:48 . 2008-07-11 17:48 32 -ra------ C:\Documents and Settings\All Users\hash.dat
2008-09-09 17:27 . 2008-09-15 19:13 <DIR> d-------- C:\Program Files\Three Rings Design
2008-08-23 15:24 . 2008-08-23 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-08-23 15:23 . 2008-08-23 15:24 <DIR> d-------- C:\Program Files\Winamp Remote
2008-08-23 15:19 . 2007-03-07 18:51 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-08-23 15:01 . 2008-08-23 15:02 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-23 14:55 . 2008-08-23 14:55 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-08-23 14:55 . 2008-08-23 14:58 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-23 14:06 . 2008-09-15 18:53 <DIR> d-------- C:\Documents and Settings\karen\Application Data\LimeWire
2008-08-23 14:05 . 2008-09-15 19:11 <DIR> d-------- C:\Program Files\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-21 07:03 --------- d-----w C:\Documents and Settings\karen\Application Data\wsInspector
2008-09-16 00:11 --------- d-----w C:\Program Files\Cosmi
2008-09-14 08:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-14 08:03 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-13 19:04 --------- d-----w C:\Program Files\CleanUp!
2008-09-13 00:16 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-09 22:26 --------- d-----w C:\Program Files\Java
2008-08-23 23:28 --------- d-----w C:\Program Files\Winamp
2008-08-03 09:01 --------- d-----w C:\Documents and Settings\karen\Application Data\Azureus
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 -c--a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 23:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-05-04 22:42 7,980,040 ----a-w C:\Program Files\Azureus_3.0.5.0_windows.exe
2006-06-25 04:12 3,967,401 -c--a-w C:\Program Files\wxp_2.exe
2006-06-25 04:11 3,250 -c--a-w C:\Program Files\te.nfo
2006-06-23 04:03 26,785 -c--a-w C:\Program Files\SWiSHmax.Build.2006-02-01.by.NabCDTeam.exe
2006-05-31 03:52 9,798,877 -c--a-w C:\Program Files\SetupSwishmax.exe
2006-04-01 07:36 14,022 -c----w C:\Program Files\Config.cfg
2006-04-01 07:23 7,433 -c----w C:\Program Files\Readme.txt
2006-04-01 07:06 6,322 -c----w C:\Program Files\LICENSE.TXT
2005-10-09 03:38 3,369,872 -c--a-w C:\Program Files\PokerStarsInstallPM.exe
2005-10-08 23:11 2,660,275 -c--a-w C:\Program Files\Shareaza_2.2.0.0_source.zip
2005-10-08 23:09 3,288,858 -c--a-w C:\Program Files\Shareaza_2.2.0.0.exe
2001-05-04 19:05 431,376 -c----w C:\Program Files\RICHED20.DLL
2001-05-04 19:05 290,869 -c----w C:\Program Files\MSVCRT.DLL
2000-06-09 00:00 995,383 -c----w C:\Program Files\Mfc42.dll
1999-12-07 19:00 3,856 -c----w C:\Program Files\RICHED32.DLL
1999-12-07 19:00 253,952 -c----w C:\Program Files\MSVCRT20.DLL
2005-07-29 21:24 472 --sha-r C:\WINDOWS\S0FSRU4\mXImlob.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=radssl.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm
"aux1"= ctwdm32.dll
"VIDC.3iv2"= C:\PROGRA~1\K-LITE~1\codecs\3IVXVF~1.DLL
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"kavsvc"=3 (0x3)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\Philips Intelligent Agent\\Philips Intelligent Agent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\karen\Application Data\Mozilla\Firefox\Profiles\b5qdyc6v.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-23 18:21:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-09-23 18:34:58
ComboFix-quarantined-files.txt 2008-09-23 23:33:44
ComboFix2.txt 2008-09-21 18:14:03

Pre-Run: 18,933,833,728 bytes free
Post-Run: 18,963,742,720 bytes free

147 --- E O F --- 2008-09-21 08:28:23


SmilingOne :)

Re: What else do I need to do?

Unread postby Shaba » September 24th, 2008, 4:13 am

That didn't work.

Did you create the CFScript file and drag & drop it onto the ComboFix icon?

Please try again and follow my previous instructions word by word :)

Re: What else do I need to do?

Unread postby SmilingOne » September 27th, 2008, 2:27 pm

Hi again!

Here are my logs once more:


ComboFix 08-09-22.06 - karen 2008-09-27 12:44:23.3 - NTFSx86
Running from: C:\Documents and Settings\karen\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-27 to 2008-09-27 )))))))))))))))))))))))))))))))
.

2008-09-21 03:09 . 2008-09-21 03:28 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-09-17 17:00 . 2008-09-17 17:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-17 16:57 . 2008-09-17 16:59 <DIR> d-------- C:\bfu
2008-09-15 22:35 . 2008-09-16 14:00 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-15 19:30 . 2008-09-15 19:37 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-15 19:30 . 2008-09-15 19:30 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-15 19:30 . 2008-09-15 19:30 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-15 19:30 . 2008-09-15 19:30 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-15 19:29 . 2008-09-15 19:29 <DIR> d-------- C:\Program Files\AVG
2008-09-15 19:29 . 2008-09-15 19:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-15 15:10 . 2008-09-15 15:12 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\LimeWire
2008-09-14 14:29 . 2008-09-14 14:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-14 02:56 . 2008-09-14 02:56 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-14 02:51 . 2008-09-14 02:51 95,744 --a------ C:\WINDOWS\system32\skawnuvi.dll_old
2008-09-13 14:21 . 2008-09-13 14:21 <DIR> d-------- C:\Documents and Settings\karen\Application Data\Malwarebytes
2008-09-13 14:20 . 2008-09-13 14:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-13 14:20 . 2008-09-13 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-13 14:20 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-13 14:20 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-13 14:01 . 2008-09-13 14:01 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-09-13 13:59 . 2008-09-14 02:41 <DIR> d--hs---- C:\WINDOWS\S0FSRU4
2008-09-13 13:58 . 2008-09-16 01:25 <DIR> d-------- C:\WINDOWS\system32\utc
2008-09-13 13:58 . 2008-09-16 01:19 <DIR> d-------- C:\WINDOWS\system32\mC02
2008-09-13 13:58 . 2008-09-14 01:39 <DIR> d-------- C:\WINDOWS\system32\ir
2008-09-13 13:58 . 2008-09-14 01:39 <DIR> d-------- C:\WINDOWS\system32\gd2
2008-09-12 19:19 . 2008-09-12 19:19 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-09-12 18:55 . 2008-09-12 20:38 <DIR> d-------- C:\Program Files\NOS
2008-09-12 18:55 . 2008-09-12 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-09-11 08:31 . 2008-09-11 08:31 167,936 --a------ C:\WINDOWS\system32\onmfacakjxnzhfd.dll_old
2008-09-09 17:48 . 2008-07-11 17:48 32 -ra------ C:\Documents and Settings\All Users\hash.dat
2008-09-09 17:27 . 2008-09-15 19:13 <DIR> d-------- C:\Program Files\Three Rings Design

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-21 07:03 --------- d-----w C:\Documents and Settings\karen\Application Data\wsInspector
2008-09-16 00:11 --------- d-----w C:\Program Files\LimeWire
2008-09-16 00:11 --------- d-----w C:\Program Files\Cosmi
2008-09-15 23:53 --------- d-----w C:\Documents and Settings\karen\Application Data\LimeWire
2008-09-14 08:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-14 08:03 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-13 19:04 --------- d-----w C:\Program Files\CleanUp!
2008-09-13 00:16 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-09 22:26 --------- d-----w C:\Program Files\Java
2008-08-23 23:28 --------- d-----w C:\Program Files\Winamp
2008-08-23 20:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-08-23 20:24 --------- d-----w C:\Program Files\Winamp Remote
2008-08-23 20:02 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-08-03 09:01 --------- d-----w C:\Documents and Settings\karen\Application Data\Azureus
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 -c--a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-05-04 22:42 7,980,040 ----a-w C:\Program Files\Azureus_3.0.5.0_windows.exe
2006-06-25 04:12 3,967,401 -c--a-w C:\Program Files\wxp_2.exe
2006-06-25 04:11 3,250 -c--a-w C:\Program Files\te.nfo
2006-06-23 04:03 26,785 -c--a-w C:\Program Files\SWiSHmax.Build.2006-02-01.by.NabCDTeam.exe
2006-05-31 03:52 9,798,877 -c--a-w C:\Program Files\SetupSwishmax.exe
2006-04-01 07:36 14,022 -c----w C:\Program Files\Config.cfg
2006-04-01 07:23 7,433 -c----w C:\Program Files\Readme.txt
2006-04-01 07:06 6,322 -c----w C:\Program Files\LICENSE.TXT
2005-10-09 03:38 3,369,872 -c--a-w C:\Program Files\PokerStarsInstallPM.exe
2005-10-08 23:11 2,660,275 -c--a-w C:\Program Files\Shareaza_2.2.0.0_source.zip
2005-10-08 23:09 3,288,858 -c--a-w C:\Program Files\Shareaza_2.2.0.0.exe
2001-05-04 19:05 431,376 -c----w C:\Program Files\RICHED20.DLL
2001-05-04 19:05 290,869 -c----w C:\Program Files\MSVCRT.DLL
2000-06-09 00:00 995,383 -c----w C:\Program Files\Mfc42.dll
1999-12-07 19:00 3,856 -c----w C:\Program Files\RICHED32.DLL
1999-12-07 19:00 253,952 -c----w C:\Program Files\MSVCRT20.DLL
2005-07-29 21:24 472 --sha-r C:\WINDOWS\S0FSRU4\mXImlob.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=radssl.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm
"aux1"= ctwdm32.dll
"VIDC.3iv2"= C:\PROGRA~1\K-LITE~1\codecs\3IVXVF~1.DLL

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"kavsvc"=3 (0x3)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\Philips Intelligent Agent\\Philips Intelligent Agent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\karen\Application Data\Mozilla\Firefox\Profiles\b5qdyc6v.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-27 12:53:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-27 13:12:43
ComboFix-quarantined-files.txt 2008-09-27 18:12:27
ComboFix2.txt 2008-09-23 23:35:06
ComboFix3.txt 2008-09-21 18:14:03

Pre-Run: 18,815,754,240 bytes free
Post-Run: 18,935,406,592 bytes free

161 --- E O F --- 2008-09-21 08:28:23


And HiJackThis!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:25 PM, on 27/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: radssl.dll,avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 4562 bytes


You asked that anyone mention if ComboFix takes more than 10 mins. While waiting for the Log Report to be prepared (almost 10 mins), this is what came up on the screen:
SED: -e expression #1, char 18: bad escape sequence
temp06 The system cannot find the file specified


I haven't made any changes to my PC (no un/installs), and I followed your directions as requested.
Talk to you soon!

SmilingOne :)
SmilingOne
Active Member
 
Posts: 8
Joined: September 17th, 2008, 6:08 pm

Re: What else do I need to do?

Post by Shaba » September 27th, 2008, 2:38 pm

As it seems that it doesn't work, we'll use other methods:

Please download SafeBootKeyRepair.exe by sUBs to repair Safe Mode.

http://download.bleepingcomputer.com/sU ... Repair.exe


To run SafeBootKeyRepair.exe:
1. Close all programs/windows so that you have nothing open and are at your Desktop.
2. Double-click the SafeBootKeyRepair.exe file.
When finished, it shall produce a log for you.
3. Post the entire contents of C:\SafeBoot_Repair.txt in your next reply.


Go to Start > Run
Type regedit and click OK.

  • On the leftside, click to highlight My Computer at the top.
  • Go up to "File > Export"
    • Make sure in that window there is a tick next to "All" under Export Branch.
    • Leave the "Save As Type" as "Registration Files".
    • Under "Filename" put backup
  • Choose to save it to C:\ or to some other safe location so that you will remember where you put it (don't put it on the Desktop!)
  • Click Save and then go to File > Exit.

Open Notepad and copy the contents of the following box to a new file.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="avgrsstx.dll" 


Save it as fix.reg (save type: "All files" (*.*)) to your desktop.


Go to Desktop, double-click fix.reg and merge the information with the registry.

Reboot.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\skawnuvi.dll_old
    C:\WINDOWS\system32\onmfacakjxnzhfd.dll_old
    C:\Program Files\Azureus_3.0.5.0_windows.exe
    C:\Program Files\Shareaza_2.2.0.0_source.zip
    C:\Program Files\Shareaza_2.2.0.0.exe
    C:\WINDOWS\S0FSRU4
    C:\WINDOWS\system32\utc
    C:\WINDOWS\system32\mC02
    C:\WINDOWS\system32\ir
    C:\WINDOWS\system32\gd2
    C:\Documents and Settings\karen\Application Data\LimeWire
    C:\Program Files\LimeWire
    

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Post:

- otmoveit2 log
- a fresh hijackthis log
- C:\SafeBoot_Repair.txt
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
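The registry fix above rewrites the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. On Windows XP every process that loads user32.dll also loads each DLL named in that value, so an entry nobody can account for (radssl.dll in the earlier O20 line) is a system-wide injection and persistence point, and the fix replaces the whole value rather than deleting a file. The following Python is an added example for this thread, not code from HijackThis or from the helper: it pulls the DLL list out of a HijackThis O20 line, reports anything not on an allowlist, and writes the same kind of .reg file. The allowlist (only AVG 8's avgrsstx.dll) and the sample log lines are assumptions constructed from the logs posted in this thread.

```python
"""Audit the AppInit_DLLs value that HijackThis reports on its O20 line and
build the .reg file that keeps only the entries on an allowlist.

Added example for this thread; not HijackThis or helper code.  The allowlist
is an assumption for this machine: the thread's fix keeps AVG 8's
avgrsstx.dll and drops the unidentified radssl.dll.
"""
import re
from typing import List

# Constructed sample: the pre-fix O20 line plus two neighbouring lines, to
# show that the parser ignores everything but O20.
SAMPLE_LOG = """\
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\\Program Files\\AVG\\AVG8\\avgpp.dll
O20 - AppInit_DLLs: radssl.dll,avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\\PROGRA~1\\AVG\\AVG8\\avgwdsvc.exe
"""

ALLOWLIST = {"avgrsstx.dll"}  # assumption: the only AppInit DLL expected here

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
O20_RE = re.compile(r"^O20 - AppInit_DLLs:(.*)$", re.MULTILINE)


def parse_appinit(log: str) -> List[str]:
    """Return the DLL names on the O20 line, in log order.

    Windows reads AppInit_DLLs as a comma- or space-separated list, so both
    separators are accepted.  A log with no O20 line yields an empty list.
    """
    m = O20_RE.search(log)
    if not m:
        return []
    return [d for d in re.split(r"[,\s]+", m.group(1).strip()) if d]


def suspicious_appinit(dlls: List[str], allowlist=ALLOWLIST) -> List[str]:
    """Entries not on the allowlist.  Each of these is mapped into every
    process that loads user32.dll, so each one needs to be accounted for."""
    allowed = {a.lower() for a in allowlist}
    return [d for d in dlls if d.lower() not in allowed]


def reg_fix(dlls: List[str], allowlist=ALLOWLIST) -> str:
    """Build a .reg file that rewrites AppInit_DLLs with only the allowlisted
    entries.  Importing it replaces the whole value, which is what the
    fix.reg in the thread does."""
    allowed = {a.lower() for a in allowlist}
    keep = [d for d in dlls if d.lower() in allowed]
    # .reg string values escape backslashes and double quotes.  Bare DLL
    # names have neither, but a full path in the value would.
    value = ",".join(keep).replace("\\", "\\\\").replace('"', '\\"')
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{APPINIT_KEY}]\r\n"
        f'"AppInit_DLLs"="{value}"\r\n'
    )


if __name__ == "__main__":
    found = parse_appinit(SAMPLE_LOG)
    print("AppInit_DLLs:", found)
    print("not on allowlist:", suspicious_appinit(found))
    print(reg_fix(found))
```

Two things to keep in mind when using this on a real log: merging the generated file drops every entry that is not on the allowlist, so confirm each legitimate security product's helper DLL is listed before importing, and export the key first exactly as the instructions above say, so the original value can be restored.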

Re: What else do I need to do?

Post by SmilingOne » September 27th, 2008, 4:12 pm

Alright, let's rock. hehe

Here is the OTMoveIt log:
C:\WINDOWS\system32\skawnuvi.dll_old moved successfully.
C:\WINDOWS\system32\onmfacakjxnzhfd.dll_old moved successfully.
C:\Program Files\Azureus_3.0.5.0_windows.exe moved successfully.
C:\Program Files\Shareaza_2.2.0.0_source.zip moved successfully.
C:\Program Files\Shareaza_2.2.0.0.exe moved successfully.
C:\WINDOWS\S0FSRU4 moved successfully.
C:\WINDOWS\system32\utc moved successfully.
C:\WINDOWS\system32\mC02 moved successfully.
C:\WINDOWS\system32\ir moved successfully.
C:\WINDOWS\system32\gd2 moved successfully.
C:\Documents and Settings\karen\Application Data\LimeWire\xml\data moved successfully.
C:\Documents and Settings\karen\Application Data\LimeWire\xml moved successfully.
C:\Documents and Settings\karen\Application Data\LimeWire\themes\windows_theme moved successfully.
C:\Documents and Settings\karen\Application Data\LimeWire\themes moved successfully.
C:\Documents and Settings\karen\Application Data\LimeWire\promotion moved successfully.
C:\Documents and Settings\karen\Application Data\LimeWire\certificate moved successfully.
C:\Documents and Settings\karen\Application Data\LimeWire\.AppSpecialShare moved successfully.
C:\Documents and Settings\karen\Application Data\LimeWire moved successfully.
C:\Program Files\LimeWire\Incomplete moved successfully.
C:\Program Files\LimeWire moved successfully.
File/Folder not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09272008_150532

HiJackThis!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:09:45 PM, on 27/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 4525 bytes


SafeBootRepair:

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sharedaccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\UploadMgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\PSEXESVC


I really appreciate your patience. I'm confident with your help, this will get fixed.

SmilingOne :)
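The export above is what SafeBootKeyRepair leaves behind: the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network keys list every driver group, driver and service allowed to start in Safe Mode, and malware that deletes those keys is what makes Safe Mode fail to boot. The tool's output ends by singling out the Minimal\PSEXESVC entry (PSEXESVC is the service name Sysinternals PsExec installs; whether it belongs on this machine is for the helper to judge). As an added example for this thread, not SafeBootKeyRepair's code, the Python below parses an export in that format into per-profile entries, reports required entries that are missing, lists the services a profile permits, and flags keys that carry no default value (like the GUID entry at the end of the Network profile above). The REQUIRED_MINIMAL set is an assumption: a subset of the driver groups and services visible in the repaired export above, enough to notice an emptied profile; a stock Windows XP profile lists more. The sample export is constructed in the same format.

```python
"""Parse a SafeBoot registry export in the form SafeBootKeyRepair prints and
check which entries each Safe Mode profile contains.

Added example for this thread, not SafeBootKeyRepair code.  REQUIRED_MINIMAL
is an assumption: a subset of the entries in the repaired export posted in
the thread, enough to catch a profile that malware has emptied.
"""
import re
from typing import Dict, List

# Constructed sample in the export's own format: two profiles, one key with
# no default value, and the PSEXESVC entry the tool listed at the end.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]
"""

REQUIRED_MINIMAL = {
    "Base", "Boot Bus Extender", "Boot file system", "File system", "Filter",
    "PCI Configuration", "Primary disk", "SCSI Class", "System Bus Extender",
    "vga.sys", "vgasave.sys", "EventLog", "PlugPlay", "RpcSs", "DcomLaunch",
    "WinMgmt", "CryptSvc",
}

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\safeboot"
    r"\\(minimal|network)\\(.+)\]$", re.IGNORECASE)
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def parse_safeboot(export: str) -> Dict[str, Dict[str, str]]:
    """Map profile name -> {entry name -> default value}.  An entry whose key
    carries no @ value is recorded with an empty string."""
    profiles: Dict[str, Dict[str, str]] = {"Minimal": {}, "Network": {}}
    current = None
    for raw in export.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            profile, entry = key.group(1).capitalize(), key.group(2)
            profiles[profile][entry] = ""
            current = (profile, entry)
            continue
        if line.startswith("["):      # some other key: stop attributing values
            current = None
            continue
        default = DEFAULT_RE.match(line)
        if default and current:
            profiles[current[0]][current[1]] = default.group(1)
    return profiles


def missing_entries(profiles, required=REQUIRED_MINIMAL, profile="Minimal") -> List[str]:
    """Required entries the profile lacks.  A long list means Safe Mode will
    not come up and the key needs repairing."""
    return sorted(required - set(profiles[profile]))


def service_entries(profiles, profile="Minimal") -> List[str]:
    """Services permitted to start in the profile.  Compare with what you
    expect on the machine; anything unexpected was added by something."""
    return sorted(e for e, v in profiles[profile].items() if v == "Service")


def entries_without_default(profiles) -> List[str]:
    """Keys with no @ value, like the GUID entry at the end of the Network
    profile in the thread's export."""
    return sorted(p + "\\" + e for p, d in profiles.items()
                  for e, v in d.items() if v == "")


if __name__ == "__main__":
    parsed = parse_safeboot(SAMPLE_EXPORT)
    print("missing from Minimal:", missing_entries(parsed))
    print("services in Minimal:", service_entries(parsed))
    print("no default value:", entries_without_default(parsed))
```

Run it against C:\SafeBoot_Repair.txt (the "Reg export" section) to get the same three lists for a real machine; the first one should be empty after a successful repair.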

Re: What else do I need to do?

Post by Shaba » September 28th, 2008, 4:42 am

This is the next step :)

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here

Re: What else do I need to do?

Post by SmilingOne » October 1st, 2008, 6:17 pm

Hi again! Miss me? hahaha

As requested:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, September 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, September 28, 2008 15:14:58
Records in database: 1268089
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 48230
Threat name: 3
Infected objects: 101
Suspicious objects: 0
Duration of the scan: 05:31:37


File name / Threat name / Threats count
C:\Documents and Settings\karen\.housecall\Quarantine\AdsCleaner 1.07.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Air Offensive The Art of Flying.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\AlbumPro v8.1.0.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\AllToTray v4.6.2.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\AllTracksGone Privacy Cop v2.2.8.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\AnotherDesk 2.0.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\AuctionVision for eBay 3.34.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Auto Backup v2.3.0.195.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\BladeFTP 1.0.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\BrowserBob 2.1 Developer.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Callisto v3.03.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Dc11.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\DeepBurner 1.1.0.73.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Drive Size v1.1.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Earth 2150 The Moon Project.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Easy Audio Grabber 2.0.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\EF Commander Free 3.60.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Elcomsoft Password Recovery Studio 2006 Retail.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\eMule 0.30d.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Firegraphic XP 6.0.614.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\FontExpert 2003 v5.0.1118.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Fresh Download 6.40.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Hero Video Convert v2.0.6.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Hyper Publish Pro v3.14.143.263.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Image To PDF 2.1.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Jaws PDF Creator v3.3.1711.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Job Search Software Engine 5.2.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\K-Lite Codec Pack v2.20 Full.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\KillPro v1.3.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\LinkStash v1.6.4.0.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Magic DVD Ripper 1.1.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Maximum Sports.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Mech Commander 2.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\MyIE2 0.9.10.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Nexagon Deathmatch.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\PagePopupMaker 2.0.0.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\PhotoController 1.0.1202.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\PhotoCool 1.50.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Power Searcher Pro v3.2.1.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Rails Across America.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Replacer v1.1.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\RockNAudio Editor 2.6.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\STI SnipIE v1.02.47.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\svchost.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Sygate Personal Firewall 5.5.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\System Mechanic Professional.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\The Grinch.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Tiny Spy Agent 2.1.118.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall\Quarantine\Wolfenstein Enemy Territory.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\AdsCleaner 1.07.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Air Offensive The Art of Flying.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\AlbumPro v8.1.0.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\AllToTray v4.6.2.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\AllTracksGone Privacy Cop v2.2.8.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\AnotherDesk 2.0.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\AuctionVision for eBay 3.34.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Auto Backup v2.3.0.195.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\backup-20060628-204753-697-svchost.exe.bac_a00952 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\BladeFTP 1.0.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\BrowserBob 2.1 Developer.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Callisto v3.03.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Dc11.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\DeepBurner 1.1.0.73.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Drive Size v1.1.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Earth 2150 The Moon Project.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Easy Audio Grabber 2.0.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\EF Commander Free 3.60.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Elcomsoft Password Recovery Studio 2006 Retail.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\eMule 0.30d.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Firegraphic XP 6.0.614.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\FontExpert 2003 v5.0.1118.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Fresh Download 6.40.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Hero Video Convert v2.0.6.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Hyper Publish Pro v3.14.143.263.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Image To PDF 2.1.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Jaws PDF Creator v3.3.1711.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Job Search Software Engine 5.2.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\K-Lite Codec Pack v2.20 Full.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\KillPro v1.3.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\LinkStash v1.6.4.0.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Magic DVD Ripper 1.1.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Maximum Sports.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Mech Commander 2.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\MyIE2 0.9.10.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Nexagon Deathmatch.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\PagePopupMaker 2.0.0.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\PhotoController 1.0.1202.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\PhotoCool 1.50.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Power Searcher Pro v3.2.1.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Rails Across America.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Replacer v1.1.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\RockNAudio Editor 2.6.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\STI SnipIE v1.02.47.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\svchost.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Sygate Personal Firewall 5.5.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\System Mechanic Professional.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\The Grinch.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Tiny Spy Agent 2.1.118.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\Wolfenstein Enemy Territory.exe.bac_a01860 Infected: Trojan-Dropper.Win32.VB.lu 1
C:\Documents and Settings\karen\.housecall6.6\Quarantine\zipped stuff.zip.bac_a00952 Infected: not-a-virus:AdWare.Win32.AdvertMen.a 1
C:\WINDOWS\system32\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

The selected area was scanned.


HJT:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:54 PM, on 01/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 4630 bytes
SmilingOne
Active Member
 
Posts: 8
Joined: September 17th, 2008, 6:08 pm