Need help... following directions

Post by DrPostman » January 3rd, 2009, 8:54 pm

I requested help with the problem listed below and was told to rename the HijackThis file to something else, then try to install it and post the report if it worked. This did work. The report follows my problem explanation.

Problem:
I really need some help and am hoping you can help me. My computer was working fine until Tuesday night early Wednesday morning. I had AVG anti virus program running on my computer. It was set to do its daily scan. It always updates just before it does the scan. It couldn't update... said it couldn't get an internet connection. I was on the internet at the time and the internet seemed to be working fine. It said to go to avg.com website so I did. I can't go to the site. Every time I try to go to the site a separate browser would open with a button in the window to "Go to the website". I click on it and it does nothing. In the browser I was originally working in there was a page brought up that was a pharmacy website. I tried going onto the avg site on a different computer we have here and could get to the avg site on that computer. I did a search on Google for anti virus programs. No matter what site I went to it would not let me get into that site. We finally got ClamWin downloaded on a different computer and transferred to this one and installed it. It hit on some Trojans. I couldn't do anything on the computer though as it was frozen up. I turned it off and rebooted it. When Windows came up it showed my desktop but the taskbar on the bottom of the screen would not load... no start button... no quick launch buttons... no taskbar on the right either. I tried to click on a folder on my desktop and it wouldn't do anything. I rebooted the computer in safe mode and couldn't do anything that way either. I rebooted again and booted up in "The last known good configuration". It booted up good with everything appearing to be working. I went and deleted the programs affected according to the report from ClamWin with the Add/Remove Programs in the control panel. I then ran ClamWin again. There were a few programs that I had missed from the previous report. I deleted them in the same manner as the previous time.
Restarted the computer in the normal fashion and all appeared to boot correctly except that my volume control will not show up in the taskbar even though it shows in the control panel feature for it to be loaded in the taskbar. I tried my browser and it was still not working right. I uninstalled my browser and reinstalled it. It is still not working right. I still can't access the avg website. The only way I could get to this website was through a proxy server. I have 2 different browsers on this computer... Firefox and Opera and neither one is working. I downloaded the HijackThis that was mentioned in the instructions for this website. I have tried to install it but can't. When I click it to install it I get a box that asks if I want to run the program or not. The options are run and cancel. I click run and that is as far as it will go. It will not install or do anything at that point. The box just disappears and nothing.

I don't know what is wrong with my computer but I sure hope you can help me get it working right again.

Thank you for your help with this matter.

Report from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:42 PM, on 1/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\TEMP\winlogin.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\WINDOWS\TEMP\winlogin.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [fc1a4884] rundll32.exe "C:\WINDOWS\system32\cpihthvf.dll",b
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svschost.exe] C:\WINDOWS\system32\svschost.exe -check
O4 - HKCU\..\Run: [79564575881868474970298275665593] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\explorer32.exe"
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\WINDOWS\TEMP\winlogin.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [xsjfn83jkemfofght] C:\WINDOWS\TEMP\winlogin.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... p=ZUfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Jigsaw Puzzle Platinum\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Jigsaw Puzzle Platinum\Images\armhelper.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: cadjtm.dll,elpyxr.dll amjgjc.dll ovjrta.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jkse73hedfdgf.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 4365 bytes
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am

Re: Need help... following directions

Post by chryssi2001 » January 10th, 2009, 7:55 am

Hello DrPostman,

I apologise for the delay, the forum is busy.

If you still need help, post a new HijackThis log.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need help... following directions

Post by DrPostman » January 10th, 2009, 9:09 pm

Below is a copy of the latest HijackThis scan log. An update on my computer first. On this past Tuesday night a friend of mine came over and managed to help me get Malware Bytes running and we ran a scan. I have a copy of the scan results from then if you would like them. The program found quite a bit of stuff. I allowed the program to do whatever it wanted to do with these and restarted the computer. It worked great. The Scanguard program has quit showing up on my computer. Last night though my browser started working weird again. I went to a website to a local company here and it kept bringing up other browser windows. Not sure if that is just my adblock for Firefox not working or what. I have not run any more scans on here except the HijackThis just now and will wait till I hear from you before I do anything more with this. I am not sure what is happening at this point. So far the only problem I have experienced since running Malware Bytes is last night with my browser.

Here is the HijackThis log from a scan I did just now.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:29 PM, on 1/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ClamWin\bin\clamscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Jigsaw Puzzle Platinum\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Jigsaw Puzzle Platinum\Images\armhelper.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: cadjtm.dll,elpyxr.dll amjgjc.dll ovjrta.dll okibof.dll osvrif.dll bcnnjl.dll ldptjm.dll
O20 - Winlogon Notify: cbXPFyxV - cbXPFyxV.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 3440 bytes

Re: Need help... following directions

Post by chryssi2001 » January 11th, 2009, 8:54 am

Hello DrPostman,

I won't need the Malware Bytes report for now, but we will run the tool later.

You are still having problems, as you are still infected.

Are you a games player?
If yes, I would suggest, for protection, changing all your passwords using a clean PC, and don't use this one to play games until we clean it.
----------------------------------------------
RENAME HIJACKTHIS

There is some infection hiding in your log.

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Right-click on HijackThis.exe & select Rename to scanner.exe.

Do not run HijackThis now.
----------------------------------------------
Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.

Re: Need help... following directions

Post by DrPostman » January 11th, 2009, 10:01 pm

Thank you for your reply to my post. I did exactly as you said with the Combofix. The log file report is below. As for the games... yes I do play games on here but not online games. I only play games that I have a CD for.

Combofix report:

ComboFix 09-01-10.03 - Administrator 2009-01-11 19:39:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.148 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\windows\system32\fvhthipc.ini
c:\windows\system32\levdxwjj.ini
c:\windows\system32\TDSSosvd.dat

----- BITS: Possible infected sites -----

hxxp://childhe.com
hxxp://rapidshare.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SWAPM
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
-------\Service_VFILT


((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-07 00:54 . 2009-01-07 00:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-06 23:08 . 2009-01-07 00:54 <DIR> d-------- c:\program files\GAry
2009-01-06 23:02 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 23:01 . 2009-01-06 23:03 <DIR> d-------- c:\program files\BEATTHEFUCKER
2009-01-06 23:01 . 2009-01-06 23:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-06 23:01 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 19:07 . 2009-01-05 19:07 7,168 --a------ c:\windows\system32\0s_install.exe
2009-01-03 18:43 . 2009-01-03 18:43 <DIR> d-------- c:\program files\Trend Micro
2008-12-31 23:58 . 2008-12-31 23:58 <DIR> d-------- c:\program files\ClamWin
2008-12-31 23:58 . 2008-12-31 23:58 <DIR> d-------- c:\documents and settings\All Users\.clamwin
2008-12-31 23:58 . 2008-12-31 23:59 <DIR> d-------- c:\documents and settings\Administrator\Application Data\.clamwin
2008-12-31 07:21 . 2008-11-17 13:05 12,576 --a------ c:\windows\system32\drivers\TfKbMon.sys
2008-12-31 05:48 . 2009-01-01 16:36 0 --a------ c:\windows\system32\drivers\27ffd505.sys
2008-12-31 05:46 . 2008-12-31 05:46 2 --a------ C:\-65386453
2008-12-31 05:45 . 2008-12-31 05:46 4,707 --a------ c:\windows\system32\aidb.dat
2008-12-31 05:44 . 2008-12-31 05:44 113,664 --a------ c:\windows\system32\mqapi.exe
2008-12-31 01:46 . 2008-12-31 01:52 <DIR> d-------- c:\program files\LucyQ Deluxe
2008-12-31 01:36 . 2008-12-31 01:38 <DIR> d-------- c:\documents and settings\Administrator\uspy
2008-12-28 03:04 . 2008-12-28 03:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\PlayPond
2008-12-28 03:02 . 2008-12-28 03:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Meridian93
2008-12-28 03:02 . 2008-12-28 03:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jetsetter
2008-12-28 03:01 . 2008-12-28 03:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\blg
2008-12-28 03:01 . 2008-12-28 03:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\blg
2008-12-28 02:51 . 2008-12-28 02:51 0 --a------ c:\windows\system32\system32xp.exe.tmp
2008-12-13 23:56 . 2008-12-29 01:05 <DIR> d-------- c:\program files\LeeGTs Games
2008-12-13 23:54 . 2008-12-13 23:54 73,625,706 --a------ c:\windows\system32\xa31238421.exe
2008-12-13 23:54 . 2008-12-13 23:54 73,625,706 --a------ c:\windows\system32\xa31229500.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 01:30 --------- d-----w c:\program files\Trillian
2009-01-11 09:03 --------- d-----w c:\program files\Games
2009-01-11 09:02 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-07 01:08 --------- d-----w c:\program files\Varmintz Deluxe
2009-01-01 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-31 13:48 --------- d-----w c:\program files\Opera
2008-12-14 06:24 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2008-12-14 06:24 --------- d-----w c:\documents and settings\Administrator\Application Data\PlayFirst
2008-12-14 06:23 --------- d-----w c:\documents and settings\Administrator\Application Data\Games
2008-12-11 00:13 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2008-12-10 01:11 --------- d-----w c:\documents and settings\Administrator\Application Data\Shape games
2008-12-10 01:09 --------- d-----w c:\documents and settings\All Users\Application Data\NeptunesAdve
2008-12-10 01:08 --------- d-----w c:\documents and settings\Administrator\Application Data\Anabel
2008-12-10 01:02 --------- d-----w c:\program files\Janes Hotel
2008-12-10 01:01 --------- d-----w c:\program files\Ice Cream Mania
2008-12-10 01:01 --------- d-----w c:\program files\Flower Shop Big City Break
2008-12-10 01:01 --------- d-----w c:\program files\Fishing Craze
2008-12-10 01:01 --------- d-----w c:\program files\Delicious 2 Deluxe
2008-12-10 01:01 --------- d-----w c:\program files\Cake Mania 2
2008-12-10 00:21 --------- d-----w c:\program files\Happy Hour
2008-12-10 00:16 --------- d-----w c:\program files\Eye For Design
2008-12-09 23:52 --------- d-----w c:\program files\Paparazzi
2008-12-09 09:59 --------- d-----w c:\documents and settings\Administrator\Application Data\Ubisoft
2008-12-06 07:52 --------- d-----w c:\program files\mcbiz4
2008-12-01 23:45 --------- d-----w c:\documents and settings\Administrator\Application Data\Artogon
2008-12-01 23:17 --------- d-----w c:\documents and settings\Administrator\Application Data\FileSubmit
2008-11-30 06:34 --------- d-----w c:\documents and settings\All Users\Application Data\Alawar Stargaze
2008-11-30 06:29 --------- d-----w c:\program files\Burger Island
2008-11-29 01:01 --------- d-----w c:\documents and settings\All Users\Application Data\BigFish
2008-11-29 01:00 --------- d-----w c:\documents and settings\Administrator\Application Data\BigFish
2008-11-29 00:52 --------- d-----w c:\documents and settings\Administrator\Application Data\Dragon Altar Games
2008-11-29 00:45 --------- d-----w c:\program files\Sultan of Persia
2008-11-27 01:44 --------- d-----w c:\program files\Sallys Salon
2008-11-26 23:51 --------- d-----w c:\program files\Bookworm Adventures Deluxe
2008-11-23 07:21 --------- d-----w c:\program files\The Race
2008-11-18 05:30 --------- d-----w c:\documents and settings\All Users\Application Data\Playrix Entertainment
2008-11-18 03:30 --------- d-----w c:\documents and settings\Administrator\Application Data\cerasus.media
2008-11-18 03:26 --------- d-----w c:\program files\Common Files\SWF Studio
2008-11-18 03:25 --------- d-----w c:\documents and settings\Administrator\Application Data\SpinTop Games
2008-11-18 03:23 --------- d-----w c:\documents and settings\All Users\Application Data\Gogii Games
2008-11-18 03:23 --------- d-----w c:\documents and settings\Administrator\Application Data\Gogii Games
2008-11-14 10:07 --------- d-----w c:\program files\Law And Order The Vengeful Heart
2008-11-14 06:19 --------- d-----w c:\documents and settings\All Users\Application Data\AlawarWrapper
2008-10-13 00:04 286,720 ----a-w c:\windows\iun506.exe
2008-08-12 06:05 0 ----a-w c:\program files\temp01
2006-02-23 13:16 34,048 ----a-w c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 13:16 45,056 ----a-w c:\program files\mozilla firefox\plugins\upd62int.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-11 443968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2008-11-09 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
"Debugger"=c:\windows\system32\klomp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51:58 13560]
S1 27ffd505;27ffd505;c:\windows\system32\drivers\27ffd505.sys [2008-12-31 0]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-01-06 38496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f25bed3-49e6-11dd-8085-ebf2c1b884a6}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-12 c:\windows\Tasks\rsdxzsvb.job
- c:\windows\system32\rundll32.exe [2008-04-13 21:42]
.
- - - - ORPHANS REMOVED - - - -

Notify-cbXPFyxV - cbXPFyxV.dll


.
------- Supplementary Scan -------
.
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\stg_drm.ocx - O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file://c:\program files\Jigsaw Puzzle Platinum\Images\stg_drm.ocx

c:\windows\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}
file://c:\program files\Jigsaw Puzzle Platinum\Images\armhelper.ocx
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g4vlymwa.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?client=fir ... =en&tab=wn
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g4vlymwa.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Opera\program\plugins\np32dsw.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 19:43:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-11 19:51:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-12 01:50:55

Pre-Run: 24,980,885,504 bytes free
Post-Run: 25,804,496,896 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
196


HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:32 PM, on 1/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Jigsaw Puzzle Platinum\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Jigsaw Puzzle Platinum\Images\armhelper.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 3513 bytes


Waiting to hear back from you before I do anything else. Again I thank you for all your help with this computer.
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am

Re: Need help... following directions

Post by chryssi2001 » January 12th, 2009, 3:22 pm

Hello DrPostman,

I'm afraid I have unpleasant news for you.

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

Read information here.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

It would be best for you to reformat and re-install this system, as it cannot be trusted any more.

Let me know what you decide.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need help... following directions

Post by DrPostman » January 12th, 2009, 9:40 pm

Thank you for your quick response to my post. This computer is old and has been giving me a lot of trouble. About a year ago it crashed on me and someone had to go into it and format the hard drive and try to rescue it. The back door you spoke about was put on here by this person so he could access my computer to save my important documents I have on here. This was a friend who did this and would not gain anything by what he told me. He said that the hard drive was on its last leg and needed to be replaced. I am just going to get a new hard drive and transfer my important documents to a disk and install a new hard drive and do away with this one.
What do I need to do to make sure that the new hard drive does not end up with this virus on it as well? How do I make sure that the files I want to transfer to the new drive are safe to transfer?
Again I thank you very much for all your help with this computer. You have really been a big help.
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am

Re: Need help... following directions

Post by chryssi2001 » January 13th, 2009, 3:55 pm

Hello DrPostman,

"The back door you spoke about was put on here by this person so he could access my computer to save my important documents I have on here."

Even if it's like this, I can't see the reason he did it, since he infected this PC so badly.

"What do I need to do to make sure that the new hard drive does not end up with this virus on it as well? How do I make sure that the files I want to transfer to the new drive are safe to transfer?"


Scan all the documents with an antivirus before you install them back on the new hard drive.
----------------------------------------------
REFORMAT & REINSTALL

Since you decided to do a clean install, read some information below.

Please make sure that you know what to do before beginning the operation.

Here are a few links that will probably help.
You can print all this information, so you have it handy.

Reformatting Windows XP by wng_z3r0
When should I re-format? How should I reinstall?
Windows XP Clean install

Then there are a couple of things you should do immediately after installing Windows and before surfing the net...
  • Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
    Here are some free Anti Virus programs which I recommend to use:
  • Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
    Here are some free Firewalls which I recommend to use:
    (Use only one, and disable your Windows Firewall)
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialise and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an anti virus software.
    Download it from here. Just choose a mirror and off you go.
    Find the tutorial on how to use Spybot properly here
  • Install WinPatrol
    Download it from here
    You can find information about how WinPatrol works here
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    Download it from here
    Find the tutorial on how to use Spyware Blaster here
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Good Luck! :)
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
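
The Internet Explorer zone settings listed in the post above can also be checked from the registry instead of the Security tab. This PowerShell script is an added example, not part of the original post; it assumes the current user's Internet zone key (zone 3) and the URL action value names 1001, 1004, 1201, 1800, 1804 and 1607, where 0 = Enable, 1 = Prompt and 3 = Disable. The `-Apply` switch is this script's own.

```powershell
# Added example: audit the Internet-zone settings from the list above; -Apply writes them.
param([switch]$Apply)

# Zone 3 is the Internet zone; these are the current user's settings.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL action policy values used by the Security tab's Custom Level dialog.
$policyName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Registry value name -> dialog label and the value recommended in the post.
$wanted = @(
    @{ Id = '1001'; Want = 1; Label = 'Download signed ActiveX controls' }
    @{ Id = '1004'; Want = 3; Label = 'Download unsigned ActiveX controls' }
    @{ Id = '1201'; Want = 3; Label = 'Initialize and script ActiveX controls not marked as safe' }
    @{ Id = '1800'; Want = 1; Label = 'Installation of desktop items' }
    @{ Id = '1804'; Want = 1; Label = 'Launching programs and files in an IFRAME' }
    @{ Id = '1607'; Want = 1; Label = 'Navigate sub-frames across different domains' }
)

function Get-PolicyText($value) {
    if ($null -eq $value) { return 'not set' }
    if ($policyName.ContainsKey($value)) { return $policyName[$value] }
    return "other ($value)"
}

$current = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue

# The report shows the state found before any change is written.
$report = foreach ($s in $wanted) {
    $prop = if ($current) { $current.PSObject.Properties[$s.Id] }
    $have = if ($prop) { [int]$prop.Value } else { $null }
    [pscustomobject]@{
        Setting = $s.Label
        Current = Get-PolicyText $have
        Wanted  = Get-PolicyText $s.Want
        Matches = ($have -eq $s.Want)
    }
    if ($Apply -and $have -ne $s.Want) {
        Set-ItemProperty -Path $zoneKey -Name $s.Id -Value $s.Want -Type DWord
    }
}
$report | Format-Table -AutoSize
```

Run it without arguments to get a table of mismatches; run it again after `-Apply` to confirm every row reports `Matches = True`.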

Re: Need help... following directions

Post by Gary R » January 16th, 2009, 3:47 pm

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire