
I Got Looksky Too :/



Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:27:13 PM, on 9/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-itnow.com/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F3 - REG:win.ini: load=C:\WINDOWS\system32\vxgxvsxfh\lsass.exe

F3 - REG:win.ini: run=C:\WINDOWS\system32\vxgxvsxfh\lsass.exe

O1 - Hosts: 1.1.1.1 f-secure.com

O1 - Hosts: 1.1.1.1 www.f-secure.com

O1 - Hosts: 1.1.1.1 ftp.f-secure.com

O1 - Hosts: 1.1.1.1 ftp.sophos.com

O1 - Hosts: 1.1.1.1 liveupdate.symantec.com

O1 - Hosts: 1.1.1.1 customer.symantec.com

O1 - Hosts: 1.1.1.1 dispatch.mcafee.com

O1 - Hosts: 1.1.1.1 download.mcafee.com

O1 - Hosts: 1.1.1.1 rads.mcafee.com

O1 - Hosts: 1.1.1.1 mast.mcafee.com

O1 - Hosts: 1.1.1.1 my-etrust.com

O1 - Hosts: 1.1.1.1 www.my-etrust.com

O1 - Hosts: 1.1.1.1 nai.com

O1 - Hosts: 1.1.1.1 www.nai.com

O1 - Hosts: 1.1.1.1 networkassociates.com

O1 - Hosts: 1.1.1.1 secure.nai.com

O1 - Hosts: 1.1.1.1 securityresponse.symantec.com

O1 - Hosts: 1.1.1.1 service1.symantec.com

O1 - Hosts: 1.1.1.1 sophos.com

O1 - Hosts: 1.1.1.1 www.sophos.com

O1 - Hosts: 1.1.1.1 support.microsoft.com

O1 - Hosts: 1.1.1.1 symantec.com

O1 - Hosts: 1.1.1.1 www.symantec.com

O1 - Hosts: 1.1.1.1 update.symantec.com

O1 - Hosts: 1.1.1.1 updates.symantec.com

O1 - Hosts: 1.1.1.1 us.mcafee.com

O1 - Hosts: 1.1.1.1 vil.nai.com

O1 - Hosts: 1.1.1.1 viruslist.com

O1 - Hosts: 1.1.1.1 www.viruslist.com

O1 - Hosts: 1.1.1.1 grisoft.com

O1 - Hosts: 1.1.1.1 www.grisoft.com

O1 - Hosts: 1.1.1.1 free.grisoft.com

O1 - Hosts: 1.1.1.1 trendmicro.com

O1 - Hosts: 1.1.1.1 housecall.trendmicro.com

O1 - Hosts: 1.1.1.1 www.trendmicro.com

O1 - Hosts: 1.1.1.1 pandasoftware.com

O1 - Hosts: 1.1.1.1 www.pandasoftware.com

O1 - Hosts: 1.1.1.1 usa.kaspersky.com

O1 - Hosts: 1.1.1.1 ewido.net

O1 - Hosts: 1.1.1.1 www.ewido.net

O1 - Hosts: 1.1.1.1 zonelabs.com

O1 - Hosts: 1.1.1.1 www.zonelabs.com

O1 - Hosts: 1.1.1.1 bitdefender.com

O1 - Hosts: 1.1.1.1 www.bitdefender.com

O1 - Hosts: 1.1.1.1 download.bitdefender.com

O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com

O1 - Hosts: 1.1.1.1 spywareinfo.com

O1 - Hosts: 1.1.1.1 www.spywareinfo.com

O1 - Hosts: 1.1.1.1 merijn.org

O1 - Hosts: 1.1.1.1 www.merijn.org

O1 - Hosts: 1.1.1.1 sysinternals.com

O1 - Hosts: 1.1.1.1 www.sysinternals.com

O1 - Hosts: 1.1.1.1 onguardonline.gov

O1 - Hosts: 1.1.1.1 www.onguardonline.gov

O1 - Hosts: 1.1.1.1 avast.com

O1 - Hosts: 1.1.1.1 www.avast.com

O1 - Hosts: 1.1.1.1 safety.live.com

O1 - Hosts: 1.1.1.1 www.paretologic.com

O1 - Hosts: 1.1.1.1 paretologic.com

O1 - Hosts: 1.1.1.1 virusscan.jotti.org

O1 - Hosts: 1.1.1.1 services.google.com

O1 - Hosts: 1.1.1.1 www.webroot.com

O1 - Hosts: 1.1.1.1 webroot.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1EC08C3B-6EA7-0451-A73A-69E34DEAAE9D} - C:\WINDOWS\system32\jrb.dll (file missing)

O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: MSVPS System - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - C:\WINDOWS\nsduo.dll

O2 - BHO: (no name) - {EAE1D421-3FE9-5D3B-E828-4F76641B53B2} - C:\WINDOWS\system32\igrens.dll (file missing)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_0_0.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Fdift] "C:\Documents and Settings\Charlie\My Documents\?racle\rundll32.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Startup: lsass.lnk = ?

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138253325640

O17 - HKLM\System\CCS\Services\Tcpip\..\{9BEEA1A7-9A47-4553-9DFF-83C0504F7F24}: NameServer = 209.112.162.135

O20 - AppInit_DLLs: mad.dll

O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)

O21 - SSODL: msmhost - {BF80D7DF-DE81-451C-AE3C-8BEE65B3D64C} - C:\WINDOWS\msmhost.dll

O21 - SSODL: msmdev - {B6DF15D1-80E2-4474-81B4-02A35CE23218} - C:\WINDOWS\msmdev.dll

O22 - SharedTaskScheduler: WaitWain for Windows - {C1A2FDA2-2A5B-2C8A-F2A2-BA2DB3A2C31C} - (no file)

O22 - SharedTaskScheduler: {874443fe-aa33-4ebf-a6ac-73208787e62d} - bestreak - (no file)

O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe

 

--

End of file - 11296 bytes

 

 

So I pretty much read up on this forum about this damn cursed virus, and I just ran a scan and didn't delete anything. I have downloaded Avast and Prevx and they didn't do crap. I am seriously sick of this virus and I beg you to please tell me what to download next to get this piece of crap trojan off.


There is more than Looksky showing up on the HijackThis log!!

 

Please download to the Desktop: MsnVirRem.exe

  • Close any other programs running as the tool requires a reboot to complete the removal process.
  • Double click MsnVirRem.exe to run the tool
  • Click the button labeled Search and Destroy to scan for infected files.
  • When the scanning is complete you are prompted to reboot/restart the machine ONLY if infected.
  • Click "OK" if this is the case and then click the "REBOOT" Button.
  • After the reboot, you receive "file not found" error messages (usually 4). Please acknowledge these error messages and continue.
  • A Message should then popup from MsnVirRem. If not, double click the program again for it to finish.
The tool creates a log file of its removal process, located at C:\msnvirrem.log

 

~~~~

Next, download SmitfraudFix

Extract the files to the Desktop

 

Boot to Safe Mode as follows:

  • Restart the computer
  • After hearing the computer beep once, but before Windows appears, press F8.
  • The Windows XP Advanced Options menu appears
  • Select the option for Safe Mode using the arrow keys.
Open SmitfraudFix
  • Double-click smitfraudfix.cmd
  • Select Option 2 - Clean by typing 2 and press Enter (Deletes infected files)
  • You are prompted: Do you want to clean the registry? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool also checks if a relevant file, wininet.dll, is infected.

You may be prompted to replace the infected file (if found).

Replace infected file? Answer Y (yes) and hit Enter to restore a clean file.

 

~~~~

Restart the computer to complete the removal process.

 

~~~~

Now, download ComboFix

Save it to the Desktop

 

Double-click combofix.exe to run the program

Follow the prompts.

(Don't click on the window while the program is running, it may cause your system to stall.)

 

When finished, a log, ComboFix.txt, is produced.

 

~~~~

Run HijackThis once again to obtain a new log.

 

~~~~

Please post the C:\msnvirrem.log, the SmitFraudFix report located at C:\rapport.txt , the ComboFix.txt, and a new HijackThis log in your reply.

Edited by Aaflac
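The helper's remark that there is "more than Looksky" in the first log is the kind of judgement that can be written down as rules. The script below is an added example, not part of this thread and not code from HijackThis or any of the tools named above; it triages HijackThis-format lines for the indicators visible in the log: hosts-file redirects of security-vendor names, the win.ini load=/run= autostart, a core Windows binary name (lsass.exe, svchost.exe, rundll32.exe) living outside system32, AppInit_DLLs, SSODL/SharedTaskScheduler entries, services with no vendor or a missing binary, and the "?" HijackThis prints for an unprintable character in a path. The severity labels and the rule set are the author's choices, and the sample lines are a constructed subset in the format of the log above. The O17 static NameServer is reported as information only, because the SmitfraudFix DNS section later in the thread shows the same addresses as DhcpNameServer, so it may simply be the ISP's resolver.

```python
"""Triage HijackThis v2-format log lines for common persistence and
self-defence indicators.  Added example; not part of the original thread
and not HijackThis code.  SAMPLE_LOG is a constructed subset of lines in
the format of the log posted above."""
import re
from collections import Counter

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
F3 - REG:win.ini: load=C:\WINDOWS\system32\vxgxvsxfh\lsass.exe
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKCU\..\Run: [Fdift] "C:\Documents and Settings\Charlie\My Documents\?racle\rundll32.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BEEA1A7-9A47-4553-9DFF-83C0504F7F24}: NameServer = 209.112.162.135
O20 - AppInit_DLLs: mad.dll
O21 - SSODL: msmhost - {BF80D7DF-DE81-451C-AE3C-8BEE65B3D64C} - C:\WINDOWS\msmhost.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "O4 - <body>": section code, then the rest of the line.
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# First drive-letter path ending in an executable extension, quotes dropped.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|com))"?', re.IGNORECASE)

# Core Windows binaries that only belong in C:\WINDOWS\system32; a copy
# anywhere else (C:\WINDOWS, a random system32 subfolder, a user profile)
# is a lookalike.  Author's list, not a HijackThis constant.
SYSTEM_BINARIES = {"lsass.exe", "svchost.exe", "rundll32.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "csrss.exe"}
SYSTEM32 = r"c:\windows\system32"
LOOPBACK = {"127.0.0.1", "::1"}


def _exe_path(body):
    """Return the first executable path in a log body, or None."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def _system_lookalike(path):
    """True when a core Windows binary name sits outside system32."""
    folder, _, name = path.lower().replace("/", "\\").rpartition("\\")
    return name in SYSTEM_BINARIES and folder != SYSTEM32


def triage(log_text):
    """Return (severity, section, reason, line) tuples for suspicious lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O1":
            # "Hosts: <ip> <name>": any non-loopback mapping is a redirect; a
            # block of AV/vendor names pointed at one address is self-defence.
            parts = body.split()
            if len(parts) >= 3 and parts[0] == "Hosts:" and parts[1] not in LOOPBACK:
                findings.append(("high", kind, f"hosts redirect {parts[2]} -> {parts[1]}", line))
        elif kind == "F3":
            # win.ini load=/run= is a Windows 3.x-era autostart; HijackThis only
            # reports it when set, and on XP it should not be.
            findings.append(("high", kind, "legacy win.ini autostart", line))
        elif kind == "O20":
            findings.append(("high", kind, "AppInit_DLLs is loaded into every user32 process", line))
        elif kind in ("O21", "O22"):
            findings.append(("medium", kind, "shell extension autostart (SSODL/SharedTaskScheduler); review each", line))
        elif kind == "O17":
            findings.append(("info", kind, "static NameServer; compare with DhcpNameServer before calling it rogue", line))
        elif kind == "O23" and ("(file missing)" in body or "Unknown owner" in body):
            findings.append(("medium", kind, "service with no vendor string or missing binary", line))
        path = _exe_path(body)
        if path is not None:
            if _system_lookalike(path):
                findings.append(("high", kind, f"system-binary name outside system32: {path}", line))
            if "?" in path:
                findings.append(("high", kind, "unprintable character in path (shown as '?')", line))
    return findings


def summarize(findings):
    """Count findings per severity."""
    return Counter(sev for sev, _, _, _ in findings)


if __name__ == "__main__":
    for sev, kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {kind}: {reason}\n         {line}")
    print(dict(summarize(SAMPLE_LOG and triage(SAMPLE_LOG))))
```

The two `O4` entries show why the path rule matters more than the section code: `ashDisp.exe` under Program Files passes, while a `rundll32.exe` inside a profile folder whose name contains an unprintable character fails twice. The same rule catches the `.NET Connection Service` line, where the giveaway is not the "(file missing)" annotation but `svchost.exe` sitting in `C:\WINDOWS` instead of `system32`.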

OK, here are my reports.

 

MsnVirRem Log by Skate_Punk_21

 

Fix running from: C:\Documents and Settings\Charlie\Desktop

9/12/2007

2:03:10 PM

 

---Infection Files Found---

C:\WINDOWS\system32\taskkill.com

 

Rebooting...

Rebooting...

Rebooting...

Rebooting...

Fixing Registry Permissions...

Editing Registry...

Fixing Host File...

**Fix Complete!**

 

SmitFraudFix v2.222

 

Scan done at 14:26:16.75, Wed 09/12/2007

Run from C:\Documents and Settings\Charlie\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{C1A2FDA2-2A5B-2C8A-F2A2-BA2DB3A2C31C}"="WaitWain for Windows"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"bestreak"="{874443fe-aa33-4ebf-a6ac-73208787e62d}"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

127.0.0.1 localhost

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\WINDOWS\msmdev.dll Deleted

Deleting [HKEY_CLASSES_ROOT\CLSID\{B6DF15D1-80E2-4474-81B4-02A35CE23218}]

C:\WINDOWS\msmhost.dll Deleted

Deleting [HKEY_CLASSES_ROOT\CLSID\{BF80D7DF-DE81-451C-AE3C-8BEE65B3D64C}]

C:\WINDOWS\nsduo.dll Deleted

C:\WINDOWS\privacy_danger\ Deleted

C:\WINDOWS\system32\MTC.ini Deleted

C:\WINDOWS\system32\ot.ico Deleted

C:\WINDOWS\system32\1024\ Deleted

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted

C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

C:\DOCUME~1\Charlie\Desktop\Error Cleaner.url Deleted

C:\DOCUME~1\Charlie\Desktop\Privacy Protector.url Deleted

C:\DOCUME~1\Charlie\Desktop\Spyware?Malware Protection.url Deleted

C:\DOCUME~1\Charlie\FAVORI~1\Antivirus Test Online.url Deleted

C:\DOCUME~1\Charlie\FAVORI~1\Online Security Test.url Deleted

C:\DOCUME~1\Charlie\FAVORI~1\Error Cleaner.url Deleted

C:\DOCUME~1\Charlie\FAVORI~1\Privacy Protector.url Deleted

C:\Program Files\Video Access ActiveX Object\ Deleted

C:\Program Files\VideoAccessCodec\ Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9BEEA1A7-9A47-4553-9DFF-83C0504F7F24}: DhcpNameServer=209.112.162.135 209.112.162.136

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9BEEA1A7-9A47-4553-9DFF-83C0504F7F24}: NameServer=209.112.162.135

HKLM\SYSTEM\CCS\Services\Tcpip\..\{BE5A1E3D-067A-4F4A-9569-E893F3676F0B}: DhcpNameServer=192.168.100.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{9BEEA1A7-9A47-4553-9DFF-83C0504F7F24}: DhcpNameServer=209.112.162.135 209.112.162.136

HKLM\SYSTEM\CS1\Services\Tcpip\..\{9BEEA1A7-9A47-4553-9DFF-83C0504F7F24}: NameServer=209.112.162.135

HKLM\SYSTEM\CS1\Services\Tcpip\..\{BE5A1E3D-067A-4F4A-9569-E893F3676F0B}: DhcpNameServer=192.168.100.1

HKLM\SYSTEM\CS3\Services\Tcpip\..\{9BEEA1A7-9A47-4553-9DFF-83C0504F7F24}: DhcpNameServer=209.112.162.135 209.112.162.136

HKLM\SYSTEM\CS3\Services\Tcpip\..\{9BEEA1A7-9A47-4553-9DFF-83C0504F7F24}: NameServer=209.112.162.135

HKLM\SYSTEM\CS3\Services\Tcpip\..\{BE5A1E3D-067A-4F4A-9569-E893F3676F0B}: DhcpNameServer=192.168.100.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.100.1

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.100.1

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.100.1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

ComboFix 07-09-13.1 - "Charlie" 2007-09-12 14:46:51.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.69 [GMT -8:00]

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\DOCUME~1\Charlie\APPLIC~1\DOBE~1

C:\DOCUME~1\Charlie\APPLIC~1\FNTS~1

C:\DOCUME~1\Charlie\APPLIC~1\ICROSO~1.NET

C:\DOCUME~1\Charlie\APPLIC~1\MANTEC~1

C:\DOCUME~1\Charlie\APPLIC~1\PPPATC~1

C:\DOCUME~1\Charlie\APPLIC~1\RACLE~1

C:\DOCUME~1\Charlie\APPLIC~1\RACLE~2

C:\DOCUME~1\Charlie\APPLIC~1\SSTEM~1

C:\DOCUME~1\Charlie\APPLIC~1\TSKS~1

C:\DOCUME~1\Charlie\APPLIC~1\WinTouch

C:\DOCUME~1\Charlie\APPLIC~1\WinTouch\wintouch.cfg

C:\DOCUME~1\Charlie\APPLIC~1\WinTouch\wintouch.cfg.e53849dc70f344561987dfd9e9547722

C:\DOCUME~1\Charlie\APPLIC~1\WNSXS~1

C:\DOCUME~1\Charlie\MYDOCU~1\RACLE~1

C:\DOCUME~1\Charlie\MYDOCU~1\SKS~1

C:\m.exe

C:\p.exe

C:\Program Files\Common Files\{08AE9~1

C:\Program Files\Common Files\{08AE9~2

C:\Program Files\Common Files\{38AE9~1

C:\Program Files\Common Files\{38AE9~2

C:\Program Files\Common Files\asembl~1

C:\Program Files\Common Files\sembly~1

C:\Program Files\Common Files\smbols~1

C:\Program Files\Common Files\ssembl~1

C:\Program Files\Common Files\tsks~1

C:\Program Files\fnts~1

C:\Program Files\icroso~1

C:\Program Files\mantec~1

C:\Program Files\pppatc~1

C:\Program Files\Seekmo Programs

C:\Program Files\sks~1

C:\Program Files\sks~1\??sks\

C:\Program Files\ssembl~1

C:\q.exe

C:\utc.exe

C:\WINDOWS\asks~1

C:\WINDOWS\crosof~1

C:\WINDOWS\curity~1

C:\WINDOWS\dat.txt

C:\WINDOWS\dobe~1

C:\WINDOWS\fnts~1

C:\WINDOWS\mantec~1

C:\WINDOWS\mcroso~1

C:\WINDOWS\ppatch~1

C:\WINDOWS\pppatc~1

C:\WINDOWS\racle~1

C:\WINDOWS\racle~2

C:\WINDOWS\rs.txt

C:\WINDOWS\scurit~1

C:\WINDOWS\sstem~1

C:\WINDOWS\sstem3~1

C:\WINDOWS\stem~1

C:\WINDOWS\system32\_002448_.tmp.dll

C:\WINDOWS\system32\_002450_.tmp.dll

C:\WINDOWS\system32\crosof~1.net

C:\WINDOWS\system32\curity~1

C:\WINDOWS\system32\dobe~1

C:\WINDOWS\system32\ecurit~1

C:\WINDOWS\system32\fnts~1

C:\WINDOWS\system32\icroso~1.net

C:\WINDOWS\system32\ppatch~1

C:\WINDOWS\system32\pppatc~1

C:\WINDOWS\system32\racle~1

C:\WINDOWS\system32\sembly~1

C:\WINDOWS\system32\sks~1

C:\WINDOWS\system32\sstem~1

C:\WINDOWS\system32\sstem3~1

C:\WINDOWS\system32\stem~1

C:\WINDOWS\system32\stem32~1

C:\WINDOWS\system32\unsvchosts.lzma

C:\WINDOWS\system32\wnsxs~1

C:\WINDOWS\system32\wtssvcc.exe

C:\WINDOWS\system32\ystem~1

C:\WINDOWS\tmlpcert2005

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\LEGACY_COM+_MESSAGES

-------\LEGACY_NPF

 

 

((((((((((((((((((((((((( Files Created from 2007-08-13 to 2007-09-13 )))))))))))))))))))))))))))))))

.

 

2007-09-12 14:42 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-09-12 14:26 3,030 --a------ C:\WINDOWS\SYSTEM32\tmp.reg

2007-09-12 14:25 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe

2007-09-12 14:25 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe

2007-09-12 14:25 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe

2007-09-12 14:25 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe

2007-09-11 23:25 <DIR> d-------- C:\Program Files\Trend Micro

2007-09-10 13:02 458 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pxfsf.dat

2007-09-09 23:53 <DIR> d-------- C:\DOCUME~1\Charlie\APPLIC~1\Prevx

2007-09-09 23:50 <DIR> d-------- C:\Program Files\Prevx2

2007-09-09 23:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx

2007-09-07 18:14 94,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys

2007-09-07 18:14 92,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys

2007-09-07 18:14 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys

2007-09-07 18:14 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys

2007-09-01 19:03 <DIR> d-------- C:\Program Files\QuickTime

2007-08-29 13:35 <DIR> d-------- C:\DOCUME~1\Charlie\APPLIC~1\Publish Providers

2007-08-29 13:35 <DIR> d-------- C:\DOCUME~1\Charlie\APPLIC~1\NetMedia Providers

2007-08-29 13:30 33,340 --------- C:\WINDOWS\SYSTEM32\dbmsqlgc.dll

2007-08-29 13:30 24,576 --------- C:\WINDOWS\SYSTEM32\dbmsgnet.dll

2007-08-29 13:29 <DIR> d-------- C:\Program Files\Microsoft SQL Server

2007-08-29 13:29 <DIR> d-------- C:\DOCUME~1\Charlie\APPLIC~1\Sony

2007-08-29 13:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony

2007-08-29 13:27 <DIR> d-------- C:\Program Files\Sony

2007-08-29 13:26 <DIR> d-------- C:\Program Files\Sony Setup

2007-08-24 15:06 <DIR> d-------- C:\Program Files\VirtualDJ

2007-08-24 14:04 2,314,332 --a------ C:\WINDOWS\SYSTEM32\LIBMMD.DLL

2007-08-15 04:10 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-09-12 14:20 --------- d-------- C:\DOCUME~1\Charlie\APPLIC~1\WeatherBug

2007-09-12 03:03 --------- d--h----- C:\Program Files\InstallShield Installation Information

2007-09-12 02:33 --------- d-------- C:\Program Files\Microsoft Picture It! 2002

2007-09-10 04:03 --------- d-------- C:\DOCUME~1\Charlie\APPLIC~1\uTorrent

2007-09-09 15:08 101047 --a------ C:\tysb.exe

2007-09-06 19:16 --------- d-------- C:\Program Files\Common Files\wfum

2007-09-06 02:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys

2007-09-01 19:02 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer

2007-08-14 11:27 --------- d-------- C:\Program Files\Viewpoint

2007-08-14 11:27 --------- d-------- C:\Program Files\MSN Apps

2007-08-14 11:27 --------- d-------- C:\DOCUME~1\Charlie\APPLIC~1\Viewpoint

2007-08-14 11:27 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint

2007-08-14 11:23 --------- d-------- C:\Program Files\MoodLogic

2007-08-04 16:05 --------- d-------- C:\Program Files\GetRight

2007-08-04 05:14 --------- d-------- C:\DOCUME~1\Charlie\APPLIC~1\GetRightToGo

2007-07-28 02:16 --------- d-------- C:\Program Files\DietMP3

2007-07-27 20:37 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet

2007-07-27 20:28 --------- d-------- C:\Program Files\Common Files\Macrovision Shared

2007-07-18 02:27 --------- d-------- C:\DOCUME~1\Charlie\APPLIC~1\Talkback

2007-06-13 02:23 1033216 --a------ C:\WINDOWS\explorer.exe

2006-10-20 01:28 17177896 --a------ C:\Program Files\Install_Messenger.exe

2004-10-29 21:45 41 --a------ C:\DOCUME~1\Charlie\APPLIC~1\tvmuknwrd.dll

2004-10-29 21:45 35 --a------ C:\DOCUME~1\Charlie\APPLIC~1\tvmcwrd.dll

2004-10-28 12:25 227899 --a------ C:\DOCUME~1\Charlie\APPLIC~1\tvmknwrd.dll

2004-06-14 01:44 0 -r-hs---- C:\Program Files\q330994.exe

2004-06-14 09:44:56 0 --sh--r C:\WINDOWS\cvchost.exe

2004-06-14 09:45:03 0 --sh--r C:\WINDOWS\dl.exe

2004-06-14 09:45:02 0 --sh--r C:\WINDOWS\dlm.exe

2004-06-14 09:45:02 0 --sh--r C:\WINDOWS\msstasks.exe

2004-06-14 09:44:54 0 --sh--r C:\WINDOWS\mssys.com

2004-06-14 09:45:02 0 --sh--r C:\WINDOWS\mstaskss.exe

2004-06-14 09:45:01 0 --sh--r C:\WINDOWS\msxmidi.exe

2004-06-14 09:44:58 0 --sh--r C:\WINDOWS\ntldr.exe

2004-06-14 09:44:58 0 --sh--r C:\WINDOWS\reg33.exe

2004-06-14 09:44:58 0 --sh--r C:\WINDOWS\rocky.exe

2004-06-14 09:45:04 0 --sh--r C:\WINDOWS\seksdialer.exe

2004-06-08 00:49:58 0 --sh--r C:\WINDOWS\urub.exe

2004-05-27 00:00:45 0 --sha-r C:\WINDOWS\Downloaded Program Files\Q330994.exe

2004-06-14 09:45:03 0 --sh--r C:\WINDOWS\SYSTEM\system.exe

2004-06-14 09:45:03 0 --sh--r C:\WINDOWS\SYSTEM\wmscrop.exe

2004-06-14 09:45:00 0 --sh--r C:\WINDOWS\SYSTEM32\d2kpax.dll

2004-06-14 09:45:07 0 --sh--r C:\WINDOWS\SYSTEM32\d2kpax.exe

2004-06-14 09:44:59 0 --sh--r C:\WINDOWS\SYSTEM32\jac.dll

2004-06-14 09:44:55 0 --sh--r C:\WINDOWS\SYSTEM32\msxslab.dll

2004-06-14 09:45:04 0 --sh--r C:\WINDOWS\SYSTEM32\system32.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1EC08C3B-6EA7-0451-A73A-69E34DEAAE9D}]

C:\WINDOWS\system32\jrb.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EAE1D421-3FE9-5D3B-E828-4F76641B53B2}]

C:\WINDOWS\system32\igrens.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16]

"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 16:22]

"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 14:44]

"nwiz"="nwiz.exe" [2003-10-06 14:16 C:\WINDOWS\SYSTEM32\nwiz.exe]

"LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [2004-10-08 12:52]

"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-01-18 18:47]

"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-01-18 18:37]

"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-18 19:34]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-08 18:57]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 02:06]

"PrevxOne"="C:\Program Files\Prevx2\PXConsole.exe" [2007-08-29 11:05]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uninstal"="regsvr32 /u /s image.dll" []

"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2004-12-10 15:46]

"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 18:07]

"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]

"lsass"="" []

"Fdift"="C:\Documents and Settings\Charlie\My Documents\?racle\rundll32.exe" []

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]

 

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\

DESKTOP.INI [2002-09-03 07:00:00]

 

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\

DESKTOP.INI [2002-09-03 07:00:00]

 

C:\DOCUME~1\Charlie\STARTM~1\Programs\Startup\

DESKTOP.INI [2002-09-03 07:00:00]

 

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\

DESKTOP.INI [2002-09-03 07:00:00]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"SpecifyDefaultButtons"=0 (0x0)

"Btn_Search"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=mad.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Notification Packages"= scecli scecli

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Charlie^Start Menu^Programs^Startup^file.exe._eac_qt_]

path=C:\Documents and Settings\Charlie\Start Menu\Programs\Startup\file.exe._eac_qt_

backup=C:\WINDOWS\pss\file.exe._eac_qt_Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0Ô@ÔÁÐ]­ú"ü‰üžigÝY]

C:\WINDOWS\smiff.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]

"C:\Program Files\rdso\eetu.exe" -vt ndrv

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Detector]

C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Begone]

c:\freescan\freescan.exe -FastScan

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰¸u0C:]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰¸u0C:\Program Files]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰¸u0C:\Program Files\ISTsvc]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe]

C:\WINDOWS\smiff.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰üžiC:]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰üžiC:\Program Files]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰üžiC:\Program Files\ISTsvc]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe]

C:\WINDOWS\smiff.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ZESOFT"=2 (0x2)

"TBPSSvc"=2 (0x2)

 

R0 PrevxDriver;PREVX Kernel Mode Agent;C:\WINDOWS\system32\DRIVERS\pxfsf.sys

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys

R1 PREVXTdi;PREVX TDI filter;C:\WINDOWS\system32\DRIVERS\pxtdi.sys

R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys

R1 PXRDDriver;PREVX Rootkitscan driver;C:\WINDOWS\system32\DRIVERS\pxrd.sys

R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys

R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys

S2 .NET Connection Service;.NET Framework Service;C:\WINDOWS\svchost.exe

S2 TDKUSBDR;TDK MOJO USB driver;C:\WINDOWS\system32\Drivers\TDKUSBDR.sys

S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys

S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS

S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe

S3 PREVXEmulator;PREVX Emulator driver;C:\WINDOWS\system32\DRIVERS\PxEmu.sys

S3 WMP11;Instant Wireless PCI Card Driver;C:\WINDOWS\system32\DRIVERS\WMP11NDS.sys

 

.

Contents of the 'Scheduled Tasks' folder

"2002-12-27 22:10:54 C:\WINDOWS\Tasks\Symantec NetDetect.job"

- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

.

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-13 14:54:07

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-09-13 14:58:29 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-09-13 14:58

.

--- E O F ---

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:03:08 PM, on 9/13/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1EC08C3B-6EA7-0451-A73A-69E34DEAAE9D} - C:\WINDOWS\system32\jrb.dll (file missing)

O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {EAE1D421-3FE9-5D3B-E828-4F76641B53B2} - C:\WINDOWS\system32\igrens.dll (file missing)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_0_0.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Fdift] "C:\Documents and Settings\Charlie\My Documents\?racle\rundll32.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Startup: lsass.lnk = ?

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138253325640

O17 - HKLM\System\CCS\Services\Tcpip\..\{9BEEA1A7-9A47-4553-9DFF-83C0504F7F24}: NameServer = 209.112.162.135

O20 - AppInit_DLLs: mad.dll

O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe

 

--

End of file - 7554 bytes


We are not done yet, so hang in there!!

 

You have a variety of trojans, worms, etc. on that computer, and it is going to take a few tries before we can get rid of it.

 

Let's try the following to do some more cleanup:

 

Please download SuperAntiSpyware

Install the program

  • Run SuperAntiSpyware and click: Check for updates
  • Once the update is finished, on the main screen, click: Scan your computer
  • Check: Perform Complete Scan
  • Click Next to start the scan.
SuperAntiSpyware scans the computer, and when finished, lists all the infections found.

Make sure everything found has a check next to it, and press: Next

Then, click Finish

 

It is possible that the program asks to reboot in order to delete some files.

 

Obtain the SuperAntiSpyware log as follows:

  • Click: Preferences
  • Click the Statistics/Logs tab
  • Under Scanner Logs, double-click SuperAntiSpyware Scan Log (It opens in your default text editor, such as Notepad)
~~~~

Run ComboFix one more time, as well as HijackThis.

 

~~~~

Please provide the SuperAntiSpyware log, the new ComboFix.txt, and a new HijackThis log in your reply.


SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 09/13/2007 at 07:20 PM

 

Application Version : 3.9.1008

 

Core Rules Database Version : 3305

Trace Rules Database Version: 1311

 

Scan type : Complete Scan

Total Scan Time : 00:47:38

 

Memory items scanned : 533

Memory threats detected : 0

Registry items scanned : 5975

Registry threats detected : 9

File items scanned : 47238

File threats detected : 44

 

Spyware.WebSearch (WinTools/HuntBar)

HKU\S-1-5-21-769307975-4161894680-2058935012-1006\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser#{339BB23F-A864-48C0-A59F-29EA915965EC}

 

Adware.PLook

C:\PROGRAM FILES\PLOOK\PLOOK.EXE

HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\plook.exe

C:\Program Files\PLOOK\uninst.exe

C:\Program Files\PLOOK\ver.plk

C:\Program Files\PLOOK

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PLook Application

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PLook Application#DisplayName

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PLook Application#UninstallString

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PLook Application#DisplayIcon

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PLook Application#DisplayVersion

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PLook Application#URLInfoAbout

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PLook Application#Publisher

 

Adware.Tracking Cookie

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][2].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][2].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][2].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][2].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][2].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][2].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][2].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][2].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][2].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][2].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][2].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][2].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][2].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][2].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][2].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][2].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

C:\Documents and Settings\Charlie\Cookies\[email protected][1].txt

 

Trojan.Unknown Origin

C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WTSSVCC.EXE.VIR

C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000026.EXE

 

Parasite.CoolWebSearch Variant

C:\SOUNDMX.EXE

 

Unclassified.Unknown Origin/System

C:\WINDOWS\SYSTEM32\ASFERROR.EXE

 

Adware.Spyware Labs

C:\WINDOWS\SYSTEM32\BO2802040113.EXE

 

------------------------------------------------------------------------------------------------------------------------------

 

ComboFix 07-09-13.1 - "Charlie" 2007-09-13 20:37:45.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.91 [GMT -8:00]

.

 

((((((((((((((((((((((((( Files Created from 2007-08-14 to 2007-09-14 )))))))))))))))))))))))))))))))

.

 

2007-09-13 18:12 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2007-09-13 18:12 <DIR> d-------- C:\DOCUME~1\Charlie\APPLIC~1\SUPERAntiSpyware.com

2007-09-13 18:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2007-09-13 18:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-09-12 14:42 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-09-12 14:26 3,030 --a------ C:\WINDOWS\SYSTEM32\tmp.reg

2007-09-12 14:25 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe

2007-09-12 14:25 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe

2007-09-12 14:25 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe

2007-09-12 14:25 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe

2007-09-11 23:25 <DIR> d-------- C:\Program Files\Trend Micro

2007-09-10 13:02 458 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pxfsf.dat

2007-09-09 23:53 <DIR> d-------- C:\DOCUME~1\Charlie\APPLIC~1\Prevx

2007-09-09 23:50 <DIR> d-------- C:\Program Files\Prevx2

2007-09-09 23:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx

2007-09-07 18:14 94,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys

2007-09-07 18:14 92,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys

2007-09-07 18:14 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys

2007-09-07 18:14 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys

2007-09-01 19:03 <DIR> d-------- C:\Program Files\QuickTime

2007-08-29 13:35 <DIR> d-------- C:\DOCUME~1\Charlie\APPLIC~1\Publish Providers

2007-08-29 13:35 <DIR> d-------- C:\DOCUME~1\Charlie\APPLIC~1\NetMedia Providers

2007-08-29 13:30 33,340 --------- C:\WINDOWS\SYSTEM32\dbmsqlgc.dll

2007-08-29 13:30 24,576 --------- C:\WINDOWS\SYSTEM32\dbmsgnet.dll

2007-08-29 13:29 <DIR> d-------- C:\Program Files\Microsoft SQL Server

2007-08-29 13:29 <DIR> d-------- C:\DOCUME~1\Charlie\APPLIC~1\Sony

2007-08-29 13:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony

2007-08-29 13:27 <DIR> d-------- C:\Program Files\Sony

2007-08-29 13:26 <DIR> d-------- C:\Program Files\Sony Setup

2007-08-24 15:06 <DIR> d-------- C:\Program Files\VirtualDJ

2007-08-24 14:04 2,314,332 --a------ C:\WINDOWS\SYSTEM32\LIBMMD.DLL

2007-08-15 04:10 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-09-12 14:20 --------- d-------- C:\DOCUME~1\Charlie\APPLIC~1\WeatherBug

2007-09-12 03:03 --------- d--h----- C:\Program Files\InstallShield Installation Information

2007-09-12 02:33 --------- d-------- C:\Program Files\Microsoft Picture It! 2002

2007-09-10 04:03 --------- d-------- C:\DOCUME~1\Charlie\APPLIC~1\uTorrent

2007-09-09 15:08 101047 --a------ C:\tysb.exe

2007-09-06 19:16 --------- d-------- C:\Program Files\Common Files\wfum

2007-09-06 02:09 801144 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe

2007-09-06 02:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys

2007-09-06 02:00 95608 --a------ C:\WINDOWS\SYSTEM32\AVASTSS.scr

2007-09-01 19:02 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer

2007-08-14 11:27 --------- d-------- C:\Program Files\Viewpoint

2007-08-14 11:27 --------- d-------- C:\Program Files\MSN Apps

2007-08-14 11:27 --------- d-------- C:\DOCUME~1\Charlie\APPLIC~1\Viewpoint

2007-08-14 11:27 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint

2007-08-14 11:23 --------- d-------- C:\Program Files\MoodLogic

2007-08-04 16:05 --------- d-------- C:\Program Files\GetRight

2007-08-04 05:14 --------- d-------- C:\DOCUME~1\Charlie\APPLIC~1\GetRightToGo

2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll

2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe

2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll

2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll

2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll

2007-07-28 02:16 --------- d-------- C:\Program Files\DietMP3

2007-07-27 20:37 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet

2007-07-27 20:28 --------- d-------- C:\Program Files\Common Files\Macrovision Shared

2007-07-18 22:59 3583488 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll

2007-07-18 02:27 --------- d-------- C:\DOCUME~1\Charlie\APPLIC~1\Talkback

2007-07-12 15:31 765952 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\vgx.dll

2007-06-27 06:34 823808 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll

2007-06-27 06:34 671232 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll

2007-06-27 06:34 6058496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll

2007-06-27 06:34 52224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll

2007-06-27 06:34 477696 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll

2007-06-27 06:34 459264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll

2007-06-27 06:34 44544 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll

2007-06-27 06:34 384512 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll

2007-06-27 06:34 383488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll

2007-06-27 06:34 27648 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll

2007-06-27 06:34 267776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll

2007-06-27 06:34 232960 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll

2007-06-27 06:34 230400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll

2007-06-27 06:34 193024 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll

2007-06-27 06:34 153088 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll

2007-06-27 06:34 132608 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll

2007-06-27 06:34 124928 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll

2007-06-27 06:34 1152000 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll

2007-06-27 06:34 105984 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll

2007-06-27 06:34 102400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll

2007-06-27 00:27 63488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe

2007-06-27 00:27 625152 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe

2007-06-27 00:27 13824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe

2007-06-26 23:00 161792 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll

2007-06-26 22:10 317440 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\unregmp2.exe

2007-06-25 22:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll

2007-06-25 22:08 1104896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml3.dll

2007-06-19 05:31 282112 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll

2007-06-19 05:31 282112 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll

2007-06-13 02:23 1033216 --a------ C:\WINDOWS\explorer.exe

2007-06-13 02:23 1033216 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe

2006-10-20 01:28 17177896 --a------ C:\Program Files\Install_Messenger.exe

2004-10-29 21:45 41 --a------ C:\DOCUME~1\Charlie\APPLIC~1\tvmuknwrd.dll

2004-10-29 21:45 35 --a------ C:\DOCUME~1\Charlie\APPLIC~1\tvmcwrd.dll

2004-10-28 12:25 227899 --a------ C:\DOCUME~1\Charlie\APPLIC~1\tvmknwrd.dll

2004-06-14 01:44 0 -r-hs---- C:\Program Files\q330994.exe

2004-06-14 09:44:56 0 --sh--r C:\WINDOWS\cvchost.exe

2004-06-14 09:45:03 0 --sh--r C:\WINDOWS\dl.exe

2004-06-14 09:45:02 0 --sh--r C:\WINDOWS\dlm.exe

2004-06-14 09:45:02 0 --sh--r C:\WINDOWS\msstasks.exe

2004-06-14 09:44:54 0 --sh--r C:\WINDOWS\mssys.com

2004-06-14 09:45:02 0 --sh--r C:\WINDOWS\mstaskss.exe

2004-06-14 09:45:01 0 --sh--r C:\WINDOWS\msxmidi.exe

2004-06-14 09:44:58 0 --sh--r C:\WINDOWS\ntldr.exe

2004-06-14 09:44:58 0 --sh--r C:\WINDOWS\reg33.exe

2004-06-14 09:44:58 0 --sh--r C:\WINDOWS\rocky.exe

2004-06-14 09:45:04 0 --sh--r C:\WINDOWS\seksdialer.exe

2004-06-08 00:49:58 0 --sh--r C:\WINDOWS\urub.exe

2004-05-27 00:00:45 0 --sha-r C:\WINDOWS\Downloaded Program Files\Q330994.exe

2004-06-14 09:45:03 0 --sh--r C:\WINDOWS\SYSTEM\system.exe

2004-06-14 09:45:03 0 --sh--r C:\WINDOWS\SYSTEM\wmscrop.exe

2004-06-14 09:45:00 0 --sh--r C:\WINDOWS\SYSTEM32\d2kpax.dll

2004-06-14 09:45:07 0 --sh--r C:\WINDOWS\SYSTEM32\d2kpax.exe

2004-06-14 09:44:59 0 --sh--r C:\WINDOWS\SYSTEM32\jac.dll

2004-06-14 09:44:55 0 --sh--r C:\WINDOWS\SYSTEM32\msxslab.dll

2004-06-14 09:45:04 0 --sh--r C:\WINDOWS\SYSTEM32\system32.dll

.

 

((((((((((((((((((((((((((((( snapshot_2007-09-13_145747.60 )))))))))))))))))))))))))))))))))))))))))

.

----a-r 29,696 2007-09-14 02:12:22 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe

----a-r 18,944 2007-09-14 02:12:22 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe

----a-r 65,024 2007-09-14 02:12:23 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

----atw 16,384 2007-09-14 04:33:35 C:\WINDOWS\Temp\Perflib_Perfdata_498.dat

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1EC08C3B-6EA7-0451-A73A-69E34DEAAE9D}]

C:\WINDOWS\system32\jrb.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EAE1D421-3FE9-5D3B-E828-4F76641B53B2}]

C:\WINDOWS\system32\igrens.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16]

"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 16:22]

"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 14:44]

"nwiz"="nwiz.exe" [2003-10-06 14:16 C:\WINDOWS\SYSTEM32\nwiz.exe]

"LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [2004-10-08 12:52]

"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-01-18 18:47]

"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-01-18 18:37]

"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-18 19:34]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-08 18:57]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 02:06]

"PrevxOne"="C:\Program Files\Prevx2\PXConsole.exe" [2007-08-29 11:05]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uninstal"="regsvr32 /u /s image.dll" []

"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2004-12-10 15:46]

"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 18:07]

"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]

"lsass"="" []

"Fdift"="C:\Documents and Settings\Charlie\My Documents\?racle\rundll32.exe" []

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

 

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\

DESKTOP.INI [2002-09-03 07:00:00]

 

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\

DESKTOP.INI [2002-09-03 07:00:00]

 

C:\DOCUME~1\Charlie\STARTM~1\Programs\Startup\

DESKTOP.INI [2002-09-03 07:00:00]

 

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\

DESKTOP.INI [2002-09-03 07:00:00]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"SpecifyDefaultButtons"=0 (0x0)

"Btn_Search"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=mad.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Notification Packages"= scecli scecli

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Charlie^Start Menu^Programs^Startup^file.exe._eac_qt_]

path=C:\Documents and Settings\Charlie\Start Menu\Programs\Startup\file.exe._eac_qt_

backup=C:\WINDOWS\pss\file.exe._eac_qt_Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0Ô@ÔÁÐ]­ú"ü‰üžigÝY]

C:\WINDOWS\smiff.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]

"C:\Program Files\rdso\eetu.exe" -vt ndrv

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Detector]

C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Begone]

c:\freescan\freescan.exe -FastScan

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰¸u0C:]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰¸u0C:\Program Files]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰¸u0C:\Program Files\ISTsvc]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe]

C:\WINDOWS\smiff.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰üžiC:]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰üžiC:\Program Files]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰üžiC:\Program Files\ISTsvc]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe]

C:\WINDOWS\smiff.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ZESOFT"=2 (0x2)

"TBPSSvc"=2 (0x2)

 

R0 PrevxDriver;PREVX Kernel Mode Agent;C:\WINDOWS\system32\DRIVERS\pxfsf.sys

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys

R1 PREVXTdi;PREVX TDI filter;C:\WINDOWS\system32\DRIVERS\pxtdi.sys

R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys

R1 PXRDDriver;PREVX Rootkitscan driver;C:\WINDOWS\system32\DRIVERS\pxrd.sys

R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys

R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys

S2 .NET Connection Service;.NET Framework Service;C:\WINDOWS\svchost.exe

S2 TDKUSBDR;TDK MOJO USB driver;C:\WINDOWS\system32\Drivers\TDKUSBDR.sys

S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys

S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS

S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe

S3 PREVXEmulator;PREVX Emulator driver;C:\WINDOWS\system32\DRIVERS\PxEmu.sys

S3 WMP11;Instant Wireless PCI Card Driver;C:\WINDOWS\system32\DRIVERS\WMP11NDS.sys

 

.

Contents of the 'Scheduled Tasks' folder

"2002-12-27 22:10:54 C:\WINDOWS\Tasks\Symantec NetDetect.job"

- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

.

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-13 20:41:06

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-09-13 20:42:22

C:\ComboFix-quarantined-files.txt ... 2007-09-13 20:42

C:\ComboFix2.txt ... 2007-09-13 14:58

.

--- E O F ---

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:43:41 PM, on 9/13/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1EC08C3B-6EA7-0451-A73A-69E34DEAAE9D} - C:\WINDOWS\system32\jrb.dll (file missing)

O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {EAE1D421-3FE9-5D3B-E828-4F76641B53B2} - C:\WINDOWS\system32\igrens.dll (file missing)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_0_0.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Fdift] "C:\Documents and Settings\Charlie\My Documents\?racle\rundll32.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Startup: lsass.lnk = ?

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138253325640

O17 - HKLM\System\CCS\Services\Tcpip\..\{9BEEA1A7-9A47-4553-9DFF-83C0504F7F24}: NameServer = 209.112.162.135

O20 - AppInit_DLLs: mad.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe

 

--

End of file - 7780 bytes

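The checks a helper applies by eye to a HijackThis log like the one above, written out as an added example (this is not code from the thread, and not a feature of HijackThis or ComboFix). The sample lines are excerpted from the log posted above; the list of Windows system binary names, the assumption that their genuine copies live only under C:\WINDOWS\system32, and the rule names are choices made for this example.

```python
"""Rule-based triage of HijackThis (HJT) log lines: the checks a helper makes
by eye when reading a log. Added example; not code from HijackThis, ComboFix
or anyone in this thread."""
import ipaddress
import re
from pathlib import PureWindowsPath

# Assumption: 32-bit Windows XP layout, so the genuine copies of these
# binaries live only under C:\WINDOWS\system32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "spoolsv.exe", "rundll32.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32"}

# First drive-letter path ending in a binary extension, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\n]+?\.(?:exe|dll|com|sys))"?',
                     re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer = (\S+)")

# Constructed sample: lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {1EC08C3B-6EA7-0451-A73A-69E34DEAAE9D} - C:\WINDOWS\system32\jrb.dll (file missing)",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_0_0.dll (file missing)",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKCU\..\Run: [Fdift] "C:\Documents and Settings\Charlie\My Documents\?racle\rundll32.exe"',
    r"O4 - Startup: lsass.lnk = ?",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{9BEEA1A7-9A47-4553-9DFF-83C0504F7F24}: NameServer = 209.112.162.135",
    r"O20 - AppInit_DLLs: mad.dll",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
]


def first_path(text):
    m = PATH_RE.search(text)
    return m.group(1) if m else None


def rules_for_path(path):
    """Rules that apply to any autorun or service binary path."""
    hits = []
    p = PureWindowsPath(path)
    # A system binary name outside system32 is a classic masquerade.
    if (p.name.lower() in SYSTEM_BINARIES
            and str(p.parent).lower() not in SYSTEM_DIRS):
        hits.append("masquerading-system-binary")
    if "\\documents and settings\\" in str(p).lower():
        hits.append("runs-from-user-profile")
    return hits


def _is_private(ip):
    try:
        return ipaddress.ip_address(ip.strip()).is_private
    except ValueError:
        return False


def triage(lines):
    """Return (rule, line) findings; one line may trigger several rules."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if " - " not in line:
            continue
        kind = line.split(" - ", 1)[0]
        low = line.lower()
        if kind in ("O2", "O3") and ("(file missing)" in low or "(no file)" in low):
            # Registration outlived the DLL: the CLSID still needs deleting.
            findings.append(("orphaned-browser-extension", line))
        elif kind == "O4":
            if low.endswith("= ?"):
                # Shortcut whose target HJT could not resolve.
                findings.append(("startup-shortcut-unresolved", line))
            else:
                path = first_path(line)
                findings += [(r, line) for r in (rules_for_path(path) if path else [])]
        elif kind == "O17":
            m = NAMESERVER_RE.search(line)
            # May simply be the ISP's resolver: a review item, not a verdict.
            if m and not all(_is_private(ip) for ip in m.group(1).split(",")):
                findings.append(("external-dns-override", line))
        elif kind == "O20" and low.startswith("o20 - appinit_dlls:"):
            if line.split(":", 1)[1].strip():
                # Loaded into every process that loads user32.dll.
                findings.append(("appinit-dlls-set", line))
        elif kind == "O23":
            path = first_path(line)
            findings += [(r, line) for r in (rules_for_path(path) if path else [])]
            if "(file missing)" in low:
                findings.append(("service-binary-missing", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:32} {line}")
```

Run it as a script to list the findings for the embedded sample, or pass the lines of a saved HijackThis log to triage(). The rules are deliberately over-inclusive: a service entry like the .NET Connection Service one trips both the masquerade rule (svchost.exe outside system32) and the missing-binary rule, while an external NameServer is often nothing more than the ISP's resolver, so each finding is a lead to verify against the rest of the log, not a verdict on its own.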

Please go to Start > Run, and in the Open area copy/paste exactly what is listed below, and click OK after each line:

 

sc stop ".NET Connection Service"

sc delete ".NET Connection Service"

 

~~~~

Next, please open Notepad (Start > Run > in the Open field type: notepad)

Click: OK

 

Copy/ paste all the blue text below to Notepad:

 

File::

C:\tysb.exe

C:\DOCUME~1\Charlie\APPLIC~1\tvmuknwrd.dll

C:\DOCUME~1\Charlie\APPLIC~1\tvmcwrd.dll

C:\DOCUME~1\Charlie\APPLIC~1\tvmknwrd.dll

C:\Program Files\q330994.exe

C:\WINDOWS\cvchost.exe

C:\WINDOWS\dl.exe

C:\WINDOWS\dlm.exe

C:\WINDOWS\msstasks.exe

C:\WINDOWS\mssys.com

C:\WINDOWS\mstaskss.exe

C:\WINDOWS\msxmidi.exe

C:\WINDOWS\ntldr.exe

C:\WINDOWS\reg33.exe

C:\WINDOWS\rocky.exe

C:\WINDOWS\seksdialer.exe

C:\WINDOWS\urub.exe

C:\WINDOWS\Downloaded Program Files\Q330994.exe

C:\WINDOWS\SYSTEM\system.exe

C:\WINDOWS\SYSTEM\wmscrop.exe

C:\WINDOWS\SYSTEM32\d2kpax.dll

C:\WINDOWS\SYSTEM32\d2kpax.exe

C:\WINDOWS\SYSTEM32\jac.dll

C:\WINDOWS\SYSTEM32\msxslab.dll

C:\WINDOWS\SYSTEM32\system32.dll

C:\WINDOWS\smiff.exe

C:\WINDOWS\pss\file.exe._eac_qt_Startup

 

Folder::

C:\Program Files\Common Files\wfum

C:\Program Files\rdso

 

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1EC08C3B-6EA7-0451-A73A-69E34DEAAE9D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EAE1D421-3FE9-5D3B-E828-4F76641B53B2}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uninstal"=-

"lsass"=-

"Fdift"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=""

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Charlie^Start Menu^Programs^Startup^file.exe._eac_qt_]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0Ô@ÔÁÐ]­ú"ü‰üžigÝY]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰¸u0C:]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰¸u0C:\Program Files]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰¸u0C:\Program Files\ISTsvc]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰üžiC:]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰üžiC:\Program Files]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰üžiC:\Program Files\ISTsvc]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe]

 

 

Save as CFScript.txt <-Important!!

Change the Save as type to: All Files

Save it to the Desktop.

 

Posted Image

 

 

Referring to the screenshot above, drag CFScript.txt >>> into >>> ComboFix.exe

ComboFix runs a scan on your system, and may reboot when it finishes. This is normal.

 

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

 

When finished, a log is produced: ComboFix.txt

 

~~~~

Run HijackThis once again to obtain a new log.

 

~~~~

Please provide the contents of the new ComboFix log , and the new HijackThis log in your reply.


ComboFix 07-09-13.1 - "Charlie" 2007-09-14 22:56:41.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.47 [GMT -8:00]

* Created a new restore point

 

FILE::

C:\tysb.exe

C:\DOCUME~1\Charlie\APPLIC~1\tvmuknwrd.dll

C:\DOCUME~1\Charlie\APPLIC~1\tvmcwrd.dll

C:\DOCUME~1\Charlie\APPLIC~1\tvmknwrd.dll

C:\Program Files\q330994.exe

C:\WINDOWS\cvchost.exe

C:\WINDOWS\dl.exe

C:\WINDOWS\dlm.exe

C:\WINDOWS\msstasks.exe

C:\WINDOWS\mssys.com

C:\WINDOWS\mstaskss.exe

C:\WINDOWS\msxmidi.exe

C:\WINDOWS\ntldr.exe

C:\WINDOWS\reg33.exe

C:\WINDOWS\rocky.exe

C:\WINDOWS\seksdialer.exe

C:\WINDOWS\urub.exe

C:\WINDOWS\Downloaded Program Files\Q330994.exe

C:\WINDOWS\SYSTEM\system.exe

C:\WINDOWS\SYSTEM\wmscrop.exe

C:\WINDOWS\SYSTEM32\d2kpax.dll

C:\WINDOWS\SYSTEM32\d2kpax.exe

C:\WINDOWS\SYSTEM32\jac.dll

C:\WINDOWS\SYSTEM32\msxslab.dll

C:\WINDOWS\SYSTEM32\system32.dll

C:\WINDOWS\smiff.exe

C:\WINDOWS\pss\file.exe._eac_qt_Startup

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\DOCUME~1\Charlie\APPLIC~1\tvmcwrd.dll

C:\DOCUME~1\Charlie\APPLIC~1\tvmknwrd.dll

C:\DOCUME~1\Charlie\APPLIC~1\tvmuknwrd.dll

C:\Program Files\Common Files\wfum

C:\Program Files\Common Files\wfum\wfumd\class-barrel

C:\Program Files\Common Files\wfum\wfumd\vocabulary

C:\Program Files\q330994.exe

C:\tysb.exe

C:\WINDOWS\cvchost.exe

C:\WINDOWS\dl.exe

C:\WINDOWS\dlm.exe

C:\WINDOWS\Downloaded Program Files\Q330994.exe

C:\WINDOWS\msstasks.exe

C:\WINDOWS\mssys.com

C:\WINDOWS\mstaskss.exe

C:\WINDOWS\msxmidi.exe

C:\WINDOWS\ntldr.exe

C:\WINDOWS\pss\file.exe._eac_qt_Startup

C:\WINDOWS\reg33.exe

C:\WINDOWS\rocky.exe

C:\WINDOWS\seksdialer.exe

C:\WINDOWS\SYSTEM\system.exe

C:\WINDOWS\SYSTEM\wmscrop.exe

C:\WINDOWS\SYSTEM32\d2kpax.dll

C:\WINDOWS\SYSTEM32\d2kpax.exe

C:\WINDOWS\SYSTEM32\jac.dll

C:\WINDOWS\SYSTEM32\msxslab.dll

C:\WINDOWS\SYSTEM32\system32.dll

C:\WINDOWS\urub.exe

 

.

((((((((((((((((((((((((( Files Created from 2007-08-15 to 2007-09-15 )))))))))))))))))))))))))))))))

.

 

2007-09-13 18:12 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2007-09-13 18:12 <DIR> d-------- C:\DOCUME~1\Charlie\APPLIC~1\SUPERAntiSpyware.com

2007-09-13 18:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2007-09-13 18:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-09-12 14:42 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-09-12 14:26 3,030 --a------ C:\WINDOWS\SYSTEM32\tmp.reg

2007-09-12 14:25 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe

2007-09-12 14:25 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe

2007-09-12 14:25 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe

2007-09-12 14:25 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe

2007-09-11 23:25 <DIR> d-------- C:\Program Files\Trend Micro

2007-09-10 13:02 458 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pxfsf.dat

2007-09-09 23:53 <DIR> d-------- C:\DOCUME~1\Charlie\APPLIC~1\Prevx

2007-09-09 23:50 <DIR> d-------- C:\Program Files\Prevx2

2007-09-09 23:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx

2007-09-07 18:14 94,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys

2007-09-07 18:14 92,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys

2007-09-07 18:14 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys

2007-09-07 18:14 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys

2007-09-01 19:03 <DIR> d-------- C:\Program Files\QuickTime

2007-08-29 13:35 <DIR> d-------- C:\DOCUME~1\Charlie\APPLIC~1\Publish Providers

2007-08-29 13:35 <DIR> d-------- C:\DOCUME~1\Charlie\APPLIC~1\NetMedia Providers

2007-08-29 13:30 33,340 --------- C:\WINDOWS\SYSTEM32\dbmsqlgc.dll

2007-08-29 13:30 24,576 --------- C:\WINDOWS\SYSTEM32\dbmsgnet.dll

2007-08-29 13:29 <DIR> d-------- C:\Program Files\Microsoft SQL Server

2007-08-29 13:29 <DIR> d-------- C:\DOCUME~1\Charlie\APPLIC~1\Sony

2007-08-29 13:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony

2007-08-29 13:27 <DIR> d-------- C:\Program Files\Sony

2007-08-29 13:26 <DIR> d-------- C:\Program Files\Sony Setup

2007-08-24 15:06 <DIR> d-------- C:\Program Files\VirtualDJ

2007-08-24 14:04 2,314,332 --a------ C:\WINDOWS\SYSTEM32\LIBMMD.DLL

2007-08-15 04:10 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-09-14 23:03 --------- d-------- C:\DOCUME~1\Charlie\APPLIC~1\WeatherBug

2007-09-12 03:03 --------- d--h----- C:\Program Files\InstallShield Installation Information

2007-09-12 02:33 --------- d-------- C:\Program Files\Microsoft Picture It! 2002

2007-09-10 04:03 --------- d-------- C:\DOCUME~1\Charlie\APPLIC~1\uTorrent

2007-09-06 02:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys

2007-09-01 19:02 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer

2007-08-14 11:27 --------- d-------- C:\Program Files\Viewpoint

2007-08-14 11:27 --------- d-------- C:\Program Files\MSN Apps

2007-08-14 11:27 --------- d-------- C:\DOCUME~1\Charlie\APPLIC~1\Viewpoint

2007-08-14 11:27 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint

2007-08-14 11:23 --------- d-------- C:\Program Files\MoodLogic

2007-08-04 16:05 --------- d-------- C:\Program Files\GetRight

2007-08-04 05:14 --------- d-------- C:\DOCUME~1\Charlie\APPLIC~1\GetRightToGo

2007-07-28 02:16 --------- d-------- C:\Program Files\DietMP3

2007-07-27 20:37 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet

2007-07-27 20:28 --------- d-------- C:\Program Files\Common Files\Macrovision Shared

2007-07-18 02:27 --------- d-------- C:\DOCUME~1\Charlie\APPLIC~1\Talkback

2006-10-20 01:28 17177896 --a------ C:\Program Files\Install_Messenger.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2004-12-10 15:46]

"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 18:07]

"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]

 

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\

DESKTOP.INI [2002-09-03 07:00:00]

 

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\

DESKTOP.INI [2002-09-03 07:00:00]

 

C:\DOCUME~1\Charlie\STARTM~1\Programs\Startup\

DESKTOP.INI [2002-09-03 07:00:00]

 

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\

DESKTOP.INI [2002-09-03 07:00:00]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"SpecifyDefaultButtons"=0 (0x0)

"Btn_Search"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=mad.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Notification Packages"= scecli scecli

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Detector]

C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Begone]

c:\freescan\freescan.exe -FastScan

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ZESOFT"=2 (0x2)

"TBPSSvc"=2 (0x2)

 

R0 PrevxDriver;PREVX Kernel Mode Agent;C:\WINDOWS\system32\DRIVERS\pxfsf.sys

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys

R1 PREVXTdi;PREVX TDI filter;C:\WINDOWS\system32\DRIVERS\pxtdi.sys

R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys

R1 PXRDDriver;PREVX Rootkitscan driver;C:\WINDOWS\system32\DRIVERS\pxrd.sys

R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys

R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys

S2 .NET Connection Service;.NET Framework Service;C:\WINDOWS\svchost.exe

S2 TDKUSBDR;TDK MOJO USB driver;C:\WINDOWS\system32\Drivers\TDKUSBDR.sys

S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys

S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS

S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe

S3 PREVXEmulator;PREVX Emulator driver;C:\WINDOWS\system32\DRIVERS\PxEmu.sys

S3 WMP11;Instant Wireless PCI Card Driver;C:\WINDOWS\system32\DRIVERS\WMP11NDS.sys

 

.

Contents of the 'Scheduled Tasks' folder

"2002-12-27 22:10:54 C:\WINDOWS\Tasks\Symantec NetDetect.job"

- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

.

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-14 23:02:39

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-09-14 23:09:19 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-09-14 23:09

C:\ComboFix2.txt ... 2007-09-13 20:42

C:\ComboFix3.txt ... 2007-09-13 14:58

.

--- E O F ---

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:12:29 PM, on 9/14/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\WINDOWS\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_0_0.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Startup: lsass.lnk = ?

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138253325640

O17 - HKLM\System\CCS\Services\Tcpip\..\{9BEEA1A7-9A47-4553-9DFF-83C0504F7F24}: NameServer = 209.112.162.135

O20 - AppInit_DLLs: mad.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe

 

--

End of file - 7372 bytes

 

 

THANK YOU AAFLAC :D


The logs look better, but we still have the .NET Framework Service to get rid of.

 

Please go to Start > Run, and in the Open area type services.msc

Click: OK

  • Locate the service - .NET Framework Service (.NET Connection Service)
  • Double-click on it to open the Properties dialog.
  • Stop the service by using the Stop button.
  • Change the Startup type to Disabled
  • Click: OK
Now, run HijackThis
  • Go to Config > Misc Tools > Delete an NT service
  • In the box that appears, copy/paste .NET Connection Service
  • Click: OK
  • Answer No, if prompted to reboot
Back in HijackThis
  • Go to Config > Misc Tools > and click on Delete a File on Reboot
  • In the File Name field of the Enter File to be Deleted window, copy/paste:

     

    C:\WINDOWS\System32\mad.dll

     

  • Press the Open button
  • You are notified that the file in question will be deleted on reboot
  • Click No when asked whether you want to restart the computer
~~~~

Go back to the main window of HijackThis, and Scan

Check box for the following entries if they exist:

 

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_0_0.dll (file missing)

 

O20 - AppInit_DLLs: mad.dll

 

O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

 

Select: Fix checked

(You may get an error for the O20 entry, but press on)

 

~~~~

Restart the computer.

 

~~~~

Run HijackThis once again to obtain a new log.

 

~~~~

Please provide a new HijackThis log in your reply.


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:34:06 PM, on 9/15/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Prevx2\PXAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Prevx2\PXConsole.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Startup: lsass.lnk = ?

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138253325640

O17 - HKLM\System\CCS\Services\Tcpip\..\{9BEEA1A7-9A47-4553-9DFF-83C0504F7F24}: NameServer = 209.112.162.135

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe

 

--

End of file - 7041 bytes


A WeatherBug entry is showing on the HijackThis log. It is technically not spyware, but the free version is ad-supported.

 

Its removal is recommended, but it is up to you whether you want to do so.

 

An ad free alternative is Weather Pulse

 

If you opt to remove WeatherBug, in order to avoid future problems, make sure the program is not running before uninstalling it.

If there is a WeatherBug icon in the system tray (in the lower right hand corner of the screen) right-click on it and choose "Exit WeatherBug" or "Terminate Weatherbug".

 

Once the program is closed, then remove it easily from the Add or Remove Programs section of the Control Panel by following these steps:

 

Go to Start > Control Panel > Add or Remove Programs

In the list of currently installed programs, select:

WeatherBug

Click: Remove

 

Run HijackThis, Scan

Check box for:

 

O4 - Startup: lsass.lnk = ?

(The above is a leftover, but not from WeatherBug. It must go.)

 

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)

If you elected to uninstall the program, this entry may no longer be there.

 

Select: Fix checked

 

~~~~

Restart the computer.

 

~~~~

Run HijackThis once again, and post a new log.

 

 

Also, are you still having malware problems?

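Added example (written for this page; it is not HijackThis code and not something the poster ran): a small Python triage pass over the O4 and O23 lines of a HijackThis log, showing why an entry like O4 - Startup: lsass.lnk = ? stands out. It flags Startup-folder shortcuts whose target HijackThis could not resolve, autostart items named after core Windows processes that are not located in system32, and services listed with no owner. The sample lines are copied from the log posted above; the process-name list, the reason strings and the function names are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Core Windows processes whose names malware borrows for autostart entries.
# The genuine binaries live in %SystemRoot%\system32 and are never launched
# from a user's Startup folder, so an "lsass.lnk" there deserves a closer look.
# (List chosen for this example; extend as needed.)
SYSTEM_PROCESS_NAMES = {"lsass", "csrss", "smss", "services", "winlogon", "svchost", "spoolsv"}

REASON_UNRESOLVED = "Startup shortcut whose target HijackThis could not resolve (= ?)"
REASON_IMPERSONATION = "autostart item named after a core Windows process but not in system32"
REASON_UNKNOWN_OWNER = "service with no publisher (Unknown owner); confirm the binary is expected"

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
LNK_RE = re.compile(r"^(?P<name>.+?)\s*=\s*(?P<target>.*)$")
# Assumes service names do not themselves contain " - ".
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'([^\\/\s"]+\.exe)', re.IGNORECASE)

# Lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Startup: lsass.lnk = ?
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


def _impersonates_system_process(name, location):
    """True if `name` (e.g. lsass.lnk or lsass.exe) borrows a core process
    name while `location` is not under \\system32\\."""
    base = name.lower().rsplit(".", 1)[0]
    return base in SYSTEM_PROCESS_NAMES and "\\system32\\" not in location.lower()


def triage_hijackthis(log_text):
    """Return the O4/O23 lines of a HijackThis log that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            where, rest = m.group("where"), m.group("rest")
            if where.endswith("Startup"):
                # Startup-folder entries look like "name.lnk = target".
                lm = LNK_RE.match(rest)
                name, target = (lm.group("name"), lm.group("target").strip()) if lm else (rest, "")
                if target == "?":
                    findings.append(Finding(line, REASON_UNRESOLVED))
                if _impersonates_system_process(name, target):
                    findings.append(Finding(line, REASON_IMPERSONATION))
            else:
                # Registry Run entries look like "[value name] command line".
                rm = RUN_RE.match(rest)
                exe = EXE_RE.search(rm.group("cmd")) if rm else None
                if exe and _impersonates_system_process(exe.group(1), rm.group("cmd")):
                    findings.append(Finding(line, REASON_IMPERSONATION))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").lower() == "unknown owner":
            findings.append(Finding(line, REASON_UNKNOWN_OWNER))
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample, the only lines reported are the lsass.lnk Startup entry (twice: unresolved target and system-process name outside system32) and the DSBrokerService line, which is reported for confirmation rather than as malicious; ctfmon.exe is not flagged because it runs from system32.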

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:13:31 PM, on 9/16/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Prevx2\PXAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Prevx2\PXConsole.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138253325640

O17 - HKLM\System\CCS\Services\Tcpip\..\{9BEEA1A7-9A47-4553-9DFF-83C0504F7F24}: NameServer = 209.112.162.135

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe

 

--

End of file - 7027 bytes

 

 

 

 

I have no malware problems, but I do with the WeatherBug and I HATE IT.

I didn't see it in the Add or Remove Programs section, so I don't know how to delete it, but I did delete it how you told me to with HijackThis. But thank you for helping me, Aaflac :D


If you are not having malware problems, you are good to go!

 

Let’s delete some folders and reset system restore.

 

Please launch Notepad, (Start > Run, type in: notepad)

Copy/paste all the blue text below to it:

 

@echo off
rem Clean-up script for this thread: removes the leftover tool folders,
rem cycles System Restore to purge old restore points, and re-hides
rem system files in Explorer. Expects to be saved on the Desktop as wrap.bat.
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Paths that contain spaces must be quoted, or FOR splits them into words.
for %%g in (
"C:\SDFix"
"C:\Documents and Settings\Charlie\Desktop\MsnVirRem"
"C:\Documents and Settings\Charlie\Desktop\SmitfraudFix"
"%systemdrive%\Qoobox"
) do (
rd /s/q "%%~g" >nul 2>&1
if exist "%%~g" echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

rem Disable and then re-enable System Restore through WMI, which discards
rem the existing (possibly infected) restore points and starts a fresh one.
echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Disable("")>SR.vbs
echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Enable("")>>SR.vbs
wscript SR.vbs

rem Restore the default Explorer view: hide hidden files, hide known
rem extensions, hide protected operating system files.
(
echo.REGEDIT4&echo.
echo.[hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced]
echo."hidden"=dword:00000002
echo."hidefileext"=dword:00000001
echo."showsuperhidden"=dword:00000000
)>rehide.reg

regedit /s rehide.reg
del rehide.reg SR.vbs
rem Pause so the result stays readable. nircmd is a third-party tool; if it
rem is not installed, fall back to ping for a delay of about 7 seconds.
nircmd wait 7000 >nul 2>&1 || ping -n 8 127.0.0.1 >nul
del "%~f0"

 

In Notepad, go to File (upper menu bar), and select: Save as

In the Save as prompt:

Save in: Desktop

File Name: wrap.bat

Save as Type: All files

Click: Save

Exit out of Notepad

 

Next, on the Desktop, double click on Wrap.bat and allow it to run


 

If all goes well, a Deleted Successfully notice appears, and the batch file self deletes. If not, let us know!!

 

~~~~

Some of the best suggestions and programs to remain malware free are contained in Tony Klein’s article:

How Did I Get Infected In The First Place

 

It is also a very good practice to perform an online virus scan on a regular basis.

Scanners do not have identical malware definitions, and what one misses, another one can catch.

Some of the scanners are:

BitDefender Online Scanner

ESET NOD32 Online Scanner

F-Secure Online Scanner

Panda ActiveScan

TrendMicro HouseCall

 

~~~~

If you have any questions or comments, post back. Otherwise...

 

Good luck, and safe journey through the Internet!!
