Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Need help! Much appreciated!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Need help! Much appreciated!

Unread postby FlannelMenace » June 11th, 2008, 8:01 pm

Hello, I am here because I need help from those much wiser than myself. I have recently moved out to my father's, and he has an old laptop he doesn't use, which is now mine, and a new one. This old laptop that I'm posting from is flooded with malware, and it's impossible to open any web browser, or browse the contents of my drives, without being bombarded by popups, especially one that informs me that:

"Your system is infected with dangerous virus!
Note: Strongly recommend to install antispyware program to clean your system and avoid total crash of your computer!

Click OK to download the antispyware. (Recommended)"

Obviously this is not anything I want, as I'm sure you know. I copied that message into a browser and search, and got this website, where it appears you are very good at what you do. I have tried programs such as LavaSoft's AdAware and Spybot Search and Destroy, none of which have been very satisfactory, so I turn to you.

This may have been superfluous information for experts such as yourselves, so I will go ahead and post my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:20 PM, on 6/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Common Files\AOL\1132512819\ee\aolsoftware.exe
c:\program files\common files\aol\1132512819\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1132512819\ee\aolsoftware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\FGUKZEBI\HiJackThis[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clusty.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3D60FB91-77F9-4128-A58F-4B189AA9E9FB} - (no file)
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINDOWS\system32\urqpqrp.dll
O2 - BHO: (no name) - {4600D968-355A-4922-B450-A0229EF1B73b} - C:\WINDOWS\System32\tqrkeehs.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE - {616D534C-3CA8-43AB-B439-618F850F1D2B} - C:\WINDOWS\iksagy.dll
O2 - BHO: (no name) - {62AD8450-69B9-4DB5-B41E-95575CBDD391} - C:\WINDOWS\System32\tqrkeehs.dll
O2 - BHO: (no name) - {6D1439CE-AF1E-4FDA-AA4E-096392252C83} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: (no name) - {86CDA022-ADC0-4854-8A27-5C09D80EE5BF} - (no file)
O2 - BHO: Video - {95E1D855-9232-48F7-80D9-1ADB65B7939C} - C:\WINDOWS\psokru.dll
O2 - BHO: (no name) - {B2BEFD43-07C8-412F-AD72-2F7289CB4111} - C:\WINDOWS\System32\ddaba.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C318CD44-E327-4377-A28E-6EC16A921AE8} - (no file)
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - (no file)
O2 - BHO: (no name) - {EC84A858-8398-48D6-8E6B-DB0C4CD7B731} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - file://D:\GAMES\msjavx86_3805.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5173701078
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - file://D:\games\WebDriverFullInstall.exe
O20 - AppInit_DLLs: c:\windows\system32\jkkjgfg.dll
O20 - Winlogon Notify: ddaba - C:\WINDOWS\System32\ddaba.dll (file missing)
O20 - Winlogon Notify: urqpqrp - C:\WINDOWS\SYSTEM32\urqpqrp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Sigmatel PassThru (PassThru) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10476 bytes


I thank you for taking time out of your busy day to help me with this problem. I truly and sincerely appreciate it.
FlannelMenace
Active Member
 
Posts: 4
Joined: June 11th, 2008, 7:33 pm
Advertisement
Register to Remove

Re: Need help! Much appreciated!

Unread postby Ironbender » June 11th, 2008, 8:58 pm

Hi FlannelMenace, welcome to MWR

This is a badly infected system...

You are running HijackThis from a temporary internet folder. This will avoid us to retrieve backups if needed. Please install HJT to a dedicated folder on your system.

Before we can proceed, please Disable Spybot S&D TeaTimer and Resident SDHelper:
- Open Spybot and click on Mode and check Advanced Mode
- Check yes to next window.
- Click on Tools in bottom left hand corner.
- Click on System Startup icon.
- Uncheck Teatimer box.
- Uncheck Spybot Resident box as well.
- Click Allow Change box.

You may re-enable them as soon as your system is clean.

- Download and run CrapCleaner from http://www.ccleaner.com/
Note: in CCleaner: go to <options/advanced> Uncheck "Only delete files in Windows Temp folders older than 48 hours").

- Download Malwarebytes Anti-Malware from http://www.majorgeeks.com/Malwarebyte's ... d5756.html to the desktop.

- Double-click on Download_mbam-setup.exe to install the application.
- When the installation begins, follow the prompts and do not make any changes to default settings.
- When installation has finished, make sure you leave both these checked:
- Update Malwarebytes Anti-Malware
- Launch Malwarebytes Anti-Malware
- Then click Finish.

- MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
- On the Scanner tab:
- Make sure the "Perform Quick Scan" option is selected.
- Then click on the Scan button.
- The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.

- The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.

When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
- Click OK to close the message box and continue with the removal process.
- Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
- Make sure that everything is checked, and click Remove Selected.
- When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

Copy and paste the contents of that report in your next reply along with a fresh HijackThis log and exit MBAM.

NB - If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process and, if asked to restart the computer, please do so immediately.

Once done, close all programs leaving only HijackThis running. Place a check against each of the following (note that some entries may no longer be there):

O2 - BHO: (no name) - {3D60FB91-77F9-4128-A58F-4B189AA9E9FB} - (no file)

O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINDOWS\system32\urqpqrp.dll

O2 - BHO: (no name) - {4600D968-355A-4922-B450-A0229EF1B73b} - C:\WINDOWS\System32\tqrkeehs.dll

O2 - BHO: IE - {616D534C-3CA8-43AB-B439-618F850F1D2B} - C:\WINDOWS\iksagy.dll

O2 - BHO: (no name) - {62AD8450-69B9-4DB5-B41E-95575CBDD391} - C:\WINDOWS\System32\tqrkeehs.dll

O2 - BHO: (no name) - {6D1439CE-AF1E-4FDA-AA4E-096392252C83} - (no file)

O2 - BHO: (no name) - {86CDA022-ADC0-4854-8A27-5C09D80EE5BF} - (no file)

O2 - BHO: Video - {95E1D855-9232-48F7-80D9-1ADB65B7939C} - C:\WINDOWS\psokru.dll

O2 - BHO: (no name) - {B2BEFD43-07C8-412F-AD72-2F7289CB4111} - C:\WINDOWS\System32\ddaba.dll (file missing)

O2 - BHO: (no name) - {C318CD44-E327-4377-A28E-6EC16A921AE8} - (no file)

O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - (no file)

O2 - BHO: (no name) - {EC84A858-8398-48D6-8E6B-DB0C4CD7B731} - (no file)

O15 - Trusted Zone: http://*.turbotax.com

O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - file://D:\games\WebDriverFullInstall.exe

O20 - AppInit_DLLs: c:\windows\system32\jkkjgfg.dll

O20 - Winlogon Notify: ddaba - C:\WINDOWS\System32\ddaba.dll (file missing)

O20 - Winlogon Notify: urqpqrp - C:\WINDOWS\SYSTEM32\urqpqrp.dll


Click on Fix Checked when finished and exit HijackThis.

Post back the MBAM report along with a fresh HJT log.

Chris
User avatar
Ironbender
Regular Member
 
Posts: 55
Joined: March 3rd, 2007, 4:12 pm
Location: Jacarei, SP

Re: Need help! Much appreciated!

Unread postby FlannelMenace » June 12th, 2008, 12:41 am

Thank you for the prompt and helpful response. I have followed your instructions, and have not yet encountered the false alerts and popups that were overwhelming the system earlier. I did, upon the MBAM restart, encounter some alerts about certain programs not being valid Windows images, programs such as notepad and explorer. However, it did not otherwise affect my computer, and it may have been a singular occurance. Here are my new logs.


Malwarebytes' Anti-Malware 1.17
Database version: 849

12:00:28 AM 6/12/2008
mbam-log-6-12-2008 (00-00-28).txt

Scan type: Quick Scan
Objects scanned: 162945
Time elapsed: 49 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 25
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 10
Files Infected: 53

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\iksagy.dll (Trojan.FakeAlert) -> Unloaded module successfully.
C:\WINDOWS\psokru.dll (Trojan.FakeAlert) -> Unloaded module successfully.
C:\WINDOWS\system32\urqpqrp.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\jkkjgfg.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{616d534c-3ca8-43ab-b439-618f850f1d2b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{616d534c-3ca8-43ab-b439-618f850f1d2b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{616d534c-3ca8-43ab-b439-618f850f1d2b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{95e1d855-9232-48f7-80d9-1adb65b7939c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{95e1d855-9232-48f7-80d9-1adb65b7939c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95e1d855-9232-48f7-80d9-1adb65b7939c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf46bfb3-2acc-441b-b82b-36b9562c7ff1} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e18c3daf-9841-4340-afe9-27ab400650ab} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e48c3daf-9841-4345-afe9-27ab400650ab} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cuskina.avideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d263b532-c528-49e5-8bb6-80fa67332c9a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7165223d-d2c9-422b-8126-411b11842b8b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho.bho (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3e8ec2d9-806b-4c7f-ae7f-f44ad4abe8b5} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3e8ec2d9-806b-4c7f-ae7f-f44ad4abe8b5} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqpqrp (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Typelib\{09dc28c6-bce2-42b1-b3ea-8ab82f0f3b0a} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\TrafficEngine (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\core (Rootkit.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\DomainService (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\CAC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3e8ec2d9-806b-4c7f-ae7f-f44ad4abe8b5} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\jkkjgfg.dll -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\WinBudget (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sean\Application Data\WinAntiVirus Pro 2007 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sean\Application Data\WinAntiVirus Pro 2007\Logs (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sean\Application Data\DriveCleaner Free (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sean\Application Data\DriveCleaner Free\Logs (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\DriveCleaner Free (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\DriveCleaner Free\Logs (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ikmapmqv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vqmpamki.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lnenjhwl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lwhjnenl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\odchhdry.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yrdhhcdo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wqpyixyn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nyxiypqw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\iksagy.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\psokru.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\urqpqrp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\j5231030.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\1-fe5e180d56ed9c233080898276c260cc.exe (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\WINDOWS\b129.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\WINDOWS\sysrlb32.exe (Trojan.Win32.VB) -> Quarantined and deleted successfully.
C:\WINDOWS\WebAssist.dll (Adware.WebAssist) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin\crap.1189359957.old (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin\matrix.dll (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\PGE.dat (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\Abbr (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ActivationCode (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ProductCode (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sean\Application Data\WinAntiVirus Pro 2007\avtasks.dat (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sean\Application Data\WinAntiVirus Pro 2007\CookieList.dat (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sean\Application Data\WinAntiVirus Pro 2007\history.db (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sean\Application Data\WinAntiVirus Pro 2007\PGE.dat (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sean\Application Data\WinAntiVirus Pro 2007\Logs\update.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sean\Application Data\WinAntiVirus Pro 2007\Logs\wa7Support.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sean\Application Data\WinAntiVirus Pro 2007\Logs\winav.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sean\Application Data\DriveCleaner Free\Logs\update.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\DriveCleaner Free\Logs\update.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\WINDOWS\default.htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\bjam.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cdsm32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mspphe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mllmm.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkjgfg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\stfv.bin (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\secuity_center_logo.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\icon_warning.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\header_bg.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\close_icon.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\alert_icon.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gtv_sd.bin (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fuamfu32.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\retadpu1000106.exe.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\b136.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\detect.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\s_detect.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Malware.Trace) -> Delete on reboot.
C:\WINDOWS\system32\drivers\core.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\Owner\Application Data\Install.dat (Trojan.Agent) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:12 AM, on 6/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clusty.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\System32\MRT.exe" /R
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - file://D:\GAMES\msjavx86_3805.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5173701078
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Sigmatel PassThru (PassThru) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7802 bytes


Again, thank you very much. You have done me such a service, I can't believe you give up your time so freely. The difference is incredible. It has gone from wading through a swamp to sprinting on a track. You have my sincere gratitude. I will be happy to do anything else you would recommend.
FlannelMenace
Active Member
 
Posts: 4
Joined: June 11th, 2008, 7:33 pm

Re: Need help! Much appreciated!

Unread postby Ironbender » June 12th, 2008, 5:19 am

Your log is clean, but we'll run another fixtool just to be sure that there are no remnants...

You need to update Java. Go to http://java.sun.com/javase/downloads/index.jsp
Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 6' or higher and press the 'Download' button.
Reboot.
Uninstall any previous Java versions from Control Panel, add-remove programs afterward.

Download Combofix to your desktop by clicking here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double click combofix.exe and follow the prompts. Type 1 (Enter) to start the fix.
When finished, it will produce a log for you. Post that log in your next reply.
Note:
Close all windows and any program on your system tray. Do not mouseclick or type anything while combofix is running. That may cause it to stall.

Post back the combofix report along with a fresh HJT log.

Chris
User avatar
Ironbender
Regular Member
 
Posts: 55
Joined: March 3rd, 2007, 4:12 pm
Location: Jacarei, SP

Re: Need help! Much appreciated!

Unread postby FlannelMenace » June 12th, 2008, 2:27 pm

ComboFix 08-06-10.5 - Owner 2008-06-12 13:59:30.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\smp.bat
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\tn3
C:\WINDOWS\icroso~1
C:\WINDOWS\icroso~1.net
C:\WINDOWS\msettings.ini
C:\WINDOWS\system32\180ax.exe
C:\WINDOWS\system32\biprep.exe
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\lclcfg32.ini
C:\WINDOWS\system32\lfd32.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\salm.exe
C:\WINDOWS\system32\satmat.exe
C:\WINDOWS\system32\sl.bin
C:\WINDOWS\system32\smante~1
C:\WINDOWS\system32\sstem3~1
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\susp.exe
C:\WINDOWS\system32\tsks~1
C:\WINDOWS\system32\updatetc.exe
C:\WINDOWS\system32\wmvds32.dll
C:\WINDOWS\xhelper.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN


((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.

2008-06-12 12:23 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-12 12:18 . 2008-06-12 12:21 <DIR> d-------- C:\Documents and Settings\Owner\.SunDownloadManager
2008-06-12 00:46 . 2008-06-12 00:46 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2008-06-12 00:13 . 2008-06-12 00:13 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-11 23:49 . 2008-06-11 23:49 <DIR> d-------- C:\Program Files\DSS
2008-06-11 23:09 . 2008-06-11 23:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 23:09 . 2008-06-11 23:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-11 23:09 . 2008-06-11 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 23:09 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-11 23:09 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-11 20:48 . 2008-06-11 20:48 <DIR> d-------- C:\Deckard
2008-06-11 12:29 . 2008-06-11 19:14 793 --a------ C:\WINDOWS\wininit.ini
2008-06-11 03:00 . 2008-06-11 03:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-07 01:57 . 2008-06-07 01:58 <DIR> d-------- C:\Program Files\GNU Solfege
2008-06-07 01:55 . 2008-06-07 01:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\gtk-2.0
2008-06-07 01:55 . 2008-06-07 01:55 <DIR> d-------- C:\Documents and Settings\Owner\.thumbnails
2008-06-07 01:53 . 2008-06-07 01:59 <DIR> d-------- C:\Documents and Settings\Owner\.gimp-2.4
2008-06-07 01:51 . 2008-06-07 01:51 <DIR> d-------- C:\Program Files\GIMP-2.0
2008-06-04 23:51 . 2008-06-04 23:57 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2008-05-31 20:30 . 2008-05-31 20:30 0 --a------ C:\WINDOWS\iPlayer.INI
2008-05-31 20:26 . 2008-05-31 20:29 <DIR> d-------- C:\Program Files\InterActual
2008-05-22 23:38 . 2008-05-22 23:38 <DIR> d-------- C:\WINDOWS\Favorites
2008-05-21 16:37 . 2007-03-07 19:51 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-05-21 15:49 . 2003-02-28 18:26 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2008-05-21 00:30 . 2008-05-21 00:30 33,760 --a------ C:\e2z8nb.exe
2008-05-21 00:24 . 2008-05-21 00:24 <DIR> d-------- C:\d849c1e3033d766ce7
2008-05-20 19:41 . 2005-10-20 18:33 991,232 --a------ C:\WINDOWS\system32\esent.dll
2008-05-20 19:27 . 2008-05-20 19:27 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-20 19:27 . 2008-05-20 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-20 19:24 . 2008-05-20 19:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 19:22 . 2008-05-20 19:22 21,031,280 --a------ C:\aaw2007.exe
2008-05-20 19:13 . 2008-05-20 19:13 <DIR> d-------- C:\Program Files\CCleaner
2008-05-20 19:13 . 2008-05-20 19:13 2,897,456 --a------ C:\ccsetup207.exe
2008-05-20 19:00 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-20 19:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-20 19:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-20 19:00 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 17:36 --------- d-----w C:\Program Files\Java
2008-06-12 04:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-12 04:13 --------- d-----w C:\Program Files\AIM
2008-06-11 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-11 01:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2008-06-05 03:57 --------- d-----w C:\Program Files\Winamp
2008-05-31 02:25 --------- d-----w C:\Program Files\Common Files\zkmi
2008-05-26 01:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-23 04:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-22 18:04 --------- d-----w C:\Program Files\LimeWire
2008-05-21 16:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2008-05-21 00:50 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-21 00:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-21 00:45 --------- d-----w C:\Program Files\Whale Communications
2008-05-21 00:39 --------- d-----w C:\Program Files\Gateway
2008-05-21 00:37 --------- d-----w C:\Program Files\AOL Deskbar
2007-07-10 17:57 382 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
2007-07-10 16:20 194 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb8467.dat
2007-07-10 16:20 18,432 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb41.dat
2001-09-28 22:00 164,864 ------w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 14:49 36352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-12 04:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-11 13:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-11 14:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-11 15:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-12 16:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-12 17:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-12 18:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-11 19:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-11 20:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-11 21:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-11 22:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-12 05:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-11 23:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-12 00:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-12 01:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-12 02:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-12 03:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-12 04:00:00 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-12 05:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-12 06:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-12 07:00:00 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-12 08:00:00 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-12 06:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-12 09:00:00 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-11 10:00:00 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-11 11:00:00 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-11 12:00:00 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-11 13:00:00 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-11 14:00:00 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-11 15:00:00 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-12 16:00:00 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-12 17:00:00 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-12 18:00:00 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-12 07:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-11 19:00:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-11 20:00:00 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-11 21:00:00 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-11 22:00:00 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-11 23:00:00 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-12 00:00:00 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-12 01:00:00 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-12 02:00:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-12 03:00:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\System32\3CqkNm2O.exe
"2008-06-12 04:22:00 C:\WINDOWS\Tasks\At49.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-12 08:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-12 05:00:00 C:\WINDOWS\Tasks\At50.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-12 06:00:00 C:\WINDOWS\Tasks\At51.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-12 07:00:00 C:\WINDOWS\Tasks\At52.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-12 08:00:00 C:\WINDOWS\Tasks\At53.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-12 09:00:00 C:\WINDOWS\Tasks\At54.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-11 10:00:00 C:\WINDOWS\Tasks\At55.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-11 11:00:00 C:\WINDOWS\Tasks\At56.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-11 12:00:00 C:\WINDOWS\Tasks\At57.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-11 13:00:00 C:\WINDOWS\Tasks\At58.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-11 14:00:00 C:\WINDOWS\Tasks\At59.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-12 09:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-11 15:00:00 C:\WINDOWS\Tasks\At60.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-12 16:00:00 C:\WINDOWS\Tasks\At61.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-12 17:00:00 C:\WINDOWS\Tasks\At62.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-12 18:00:02 C:\WINDOWS\Tasks\At63.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-11 19:00:00 C:\WINDOWS\Tasks\At64.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-11 20:00:00 C:\WINDOWS\Tasks\At65.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-11 21:00:00 C:\WINDOWS\Tasks\At66.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-11 22:00:00 C:\WINDOWS\Tasks\At67.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-11 23:00:00 C:\WINDOWS\Tasks\At68.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-12 00:00:00 C:\WINDOWS\Tasks\At69.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-11 10:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-12 01:00:00 C:\WINDOWS\Tasks\At70.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-12 02:00:00 C:\WINDOWS\Tasks\At71.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-12 03:00:00 C:\WINDOWS\Tasks\At72.job"
- C:\WINDOWS\System32\MJnrE4NC.exe
"2008-06-11 11:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-11 12:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\8uR6R0wl.exe
"2008-06-07 00:32:26 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-06-12 18:09:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 14:09:13
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-06-12 14:13:47 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-06-12 18:13:38

Pre-Run: 45,205,434,880 bytes free
Post-Run: 46,061,892,096 bytes free

315 --- E O F --- 2008-06-12 04:13:58






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:29 PM, on 6/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clusty.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - file://D:\GAMES\msjavx86_3805.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5173701078
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Sigmatel PassThru (PassThru) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8368 bytes


Thank you once again for your helpfulness. I will not hesitate to let anyone with malware problems know that you are the experts, and to come to you. And a special thanks to you, Chris, for being so prompt, courteous, and helpful. You have made a positive impression on me I won't soon forget.
FlannelMenace
Active Member
 
Posts: 4
Joined: June 11th, 2008, 7:33 pm

Re: Need help! Much appreciated!

Unread postby Ironbender » June 12th, 2008, 7:31 pm

Hi FlannelMenace,

PLease copy the content of the code box below to your notepad and save it to your desktop as CFScript.txt

Code: Select all
File::
C:\WINDOWS\System32\8uR6R0wl.exe
C:\WINDOWS\System32\3CqkNm2O.exe
C:\WINDOWS\System32\MJnrE4NC.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job


Now, drag CFScript to Combofix as shown below:

Image

Combofix will run and automatically restart your system to complete the fix. When finished, it will produce a log for you. Post that log in your next reply.
Note:
Close all windows and any program on your system tray. Do not mouseclick or type anything while combofix is running. That may cause it to stall.

Post back the new combofix report along with a fresh HJT log.

Chris
User avatar
Ironbender
Regular Member
 
Posts: 55
Joined: March 3rd, 2007, 4:12 pm
Location: Jacarei, SP

Re: Need help! Much appreciated!

Unread postby FlannelMenace » June 12th, 2008, 7:59 pm

ComboFix 08-06-10.5 - Owner 2008-06-12 19:52:50.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.272 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\System32\3CqkNm2O.exe
C:\WINDOWS\System32\8uR6R0wl.exe
C:\WINDOWS\System32\MJnrE4NC.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.

2008-06-12 12:23 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-12 12:18 . 2008-06-12 12:21 <DIR> d-------- C:\Documents and Settings\Owner\.SunDownloadManager
2008-06-12 00:46 . 2008-06-12 00:46 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2008-06-12 00:13 . 2008-06-12 00:13 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-11 23:49 . 2008-06-11 23:49 <DIR> d-------- C:\Program Files\DSS
2008-06-11 23:09 . 2008-06-11 23:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 23:09 . 2008-06-11 23:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-11 23:09 . 2008-06-11 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 23:09 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-11 23:09 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-11 20:48 . 2008-06-11 20:48 <DIR> d-------- C:\Deckard
2008-06-11 12:29 . 2008-06-11 19:14 793 --a------ C:\WINDOWS\wininit.ini
2008-06-11 03:00 . 2008-06-11 03:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-07 01:57 . 2008-06-07 01:58 <DIR> d-------- C:\Program Files\GNU Solfege
2008-06-07 01:55 . 2008-06-07 01:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\gtk-2.0
2008-06-07 01:55 . 2008-06-07 01:55 <DIR> d-------- C:\Documents and Settings\Owner\.thumbnails
2008-06-07 01:53 . 2008-06-07 01:59 <DIR> d-------- C:\Documents and Settings\Owner\.gimp-2.4
2008-06-07 01:51 . 2008-06-07 01:51 <DIR> d-------- C:\Program Files\GIMP-2.0
2008-06-04 23:51 . 2008-06-04 23:57 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2008-05-31 20:30 . 2008-05-31 20:30 0 --a------ C:\WINDOWS\iPlayer.INI
2008-05-31 20:26 . 2008-05-31 20:29 <DIR> d-------- C:\Program Files\InterActual
2008-05-22 23:38 . 2008-05-22 23:38 <DIR> d-------- C:\WINDOWS\Favorites
2008-05-21 16:37 . 2007-03-07 19:51 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-05-21 15:49 . 2003-02-28 18:26 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2008-05-21 00:30 . 2008-05-21 00:30 33,760 --a------ C:\e2z8nb.exe
2008-05-21 00:24 . 2008-05-21 00:24 <DIR> d-------- C:\d849c1e3033d766ce7
2008-05-20 19:41 . 2005-10-20 18:33 991,232 --a------ C:\WINDOWS\system32\esent.dll
2008-05-20 19:27 . 2008-05-20 19:27 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-20 19:27 . 2008-05-20 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-20 19:24 . 2008-05-20 19:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 19:22 . 2008-05-20 19:22 21,031,280 --a------ C:\aaw2007.exe
2008-05-20 19:13 . 2008-05-20 19:13 <DIR> d-------- C:\Program Files\CCleaner
2008-05-20 19:13 . 2008-05-20 19:13 2,897,456 --a------ C:\ccsetup207.exe
2008-05-20 19:00 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-20 19:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-20 19:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-20 19:00 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 17:36 --------- d-----w C:\Program Files\Java
2008-06-12 04:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-12 04:13 --------- d-----w C:\Program Files\AIM
2008-06-11 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-11 01:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2008-06-05 03:57 --------- d-----w C:\Program Files\Winamp
2008-05-31 02:25 --------- d-----w C:\Program Files\Common Files\zkmi
2008-05-26 01:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-23 04:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-22 18:04 --------- d-----w C:\Program Files\LimeWire
2008-05-21 16:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2008-05-21 00:50 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-21 00:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-21 00:45 --------- d-----w C:\Program Files\Whale Communications
2008-05-21 00:39 --------- d-----w C:\Program Files\Gateway
2008-05-21 00:37 --------- d-----w C:\Program Files\AOL Deskbar
2007-07-10 17:57 382 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
2007-07-10 16:20 194 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb8467.dat
2007-07-10 16:20 18,432 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb41.dat
2001-09-28 22:00 164,864 ------w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((( snapshot@2008-06-12_14.13.16.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-20 22:27:40 39,350 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-12 18:11:10 39,350 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-20 22:27:40 310,408 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-12 18:11:10 310,408 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 14:49 36352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 00:32:26 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-06-12 23:54:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 19:55:44
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-06-12 19:57:18
ComboFix-quarantined-files.txt 2008-06-12 23:57:04
ComboFix2.txt 2008-06-12 18:13:48

Pre-Run: 46,132,747,264 bytes free
Post-Run: 46,120,990,720 bytes free

270 --- E O F --- 2008-06-12 04:13:58



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:34 PM, on 6/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clusty.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - file://D:\GAMES\msjavx86_3805.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5173701078
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Sigmatel PassThru (PassThru) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8318 bytes
FlannelMenace
Active Member
 
Posts: 4
Joined: June 11th, 2008, 7:33 pm

Re: Need help! Much appreciated!

Unread postby Ironbender » June 12th, 2008, 10:21 pm

Well, looks clean to me now. :) How is your system running ?

I'd strongly suggest you to uninstall Viewpoint from your control panel, add-remove programs. It's not malware by itself but it's considered foistware.

If all seems to be running fine:

Uninstall Combofix, so, antivirus programs will not detect the quarantined files as active virus:
<Start/Run> type in Combofix /u (Enter)
Select "2" when the disclaimer shows.

Disable/re-enable system restore to avoid future reinfections: http://www.bleepingcomputer.com/tutoria ... ial56.html
Don't forget to create a fresh restore point afterward.

Chris
User avatar
Ironbender
Regular Member
 
Posts: 55
Joined: March 3rd, 2007, 4:12 pm
Location: Jacarei, SP

Re: Need help! Much appreciated!

Unread postby NonSuch » June 16th, 2008, 4:21 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 266 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware