MiG1289

help figure out my log(Resolved)


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:09:13 PM, on 3/15/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

D:\DU Meter\DUMeter.exe

D:\Spybot\Spybot - Search & Destroy\updated version\TeaTimer.exe

C:\Program Files\PrevxCSI\prevxcsi.exe

D:\firefox\firefox.exe

C:\Documents and Settings\Michael\Desktop\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F2 - REG:system.ini: UserInit=userinit.exe,hibxmrn.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: GNX Rolex - {1E88C4FE-1FD6-427A-ADE5-86F647BEA2F0} - C:\WINDOWS\drnpfdxkfw.dll

O2 - BHO: (no name) - {66A7526B-975E-495D-BD13-78679FEA6F7C} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Windows Media Player - {8388F272-9EDA-4F4E-88FD-4711CBA4BA2B} - C:\WINDOWS\wmpdxm.dll

O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMeter.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\Spybot\Spybot - Search & Destroy\updated version\TeaTimer.exe

O4 - HKCU\..\Policies\Explorer\Run: [{F4488B5E-0BBE-1033-1228-040219040001}]

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\AVGANT~1\avgw.exe /RUNONCE (User '?')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\AVGANT~1\avgw.exe /RUNONCE (User '?')

O4 - HKUS\S-1-5-21-823518204-1078081533-725345543-1004\..\Run: [spybotSD TeaTimer] D:\Spybot\Spybot - Search & Destroy\updated version\TeaTimer.exe (User '?')

O4 - HKUS\S-1-5-21-823518204-1078081533-725345543-1004\..\Policies\Explorer\Run: [{F4488B5E-0BBE-1033-1228-040219040001}] (User '?')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\AVGANT~1\avgw.exe /RUNONCE (User '?')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\AVGANT~1\avgw.exe /RUNONCE (User 'Default user')

O4 - S-1-5-21-823518204-1078081533-725345543-1004 Startup: PrevxCSI.lnk = ? (User '?')

O4 - Startup: PrevxCSI.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MSOFFI~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O20 - Winlogon Notify: vtstq - C:\WINDOWS\

O21 - SSODL: bokpkov - {62AAC4EA-60FB-4DD3-B77B-2D9FF0531A93} - C:\WINDOWS\bokpkov.dll

O21 - SSODL: altvxvm - {4A7FA553-3368-4CA0-8F15-2A2705BDE75E} - C:\WINDOWS\altvxvm.dll

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

 

--

End of file - 4646 bytes

 

 

Something isn't right here and I need your help, thanks.


Hi and welcome

 

 

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

 

* Open Spybot Search & Destroy.

* In the Mode menu click "Advanced mode" if not already selected.

* Choose "Yes" at the Warning prompt.

* Expand the "Tools" menu.

* Click "Resident".

* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.

* In the File menu click "Exit" to exit Spybot Search & Destroy.

 

 

Open HijackThis, click "Do a system scan only", and checkmark these. Then close all other windows and browsers except HijackThis and press "Fix checked".

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

F2 - REG:system.ini: UserInit=userinit.exe,hibxmrn.exe

O2 - BHO: GNX Rolex - {1E88C4FE-1FD6-427A-ADE5-86F647BEA2F0} - C:\WINDOWS\drnpfdxkfw.dll

O2 - BHO: Windows Media Player - {8388F272-9EDA-4F4E-88FD-4711CBA4BA2B} - C:\WINDOWS\wmpdxm.dll

O20 - Winlogon Notify: vtstq - C:\WINDOWS\

O21 - SSODL: bokpkov - {62AAC4EA-60FB-4DD3-B77B-2D9FF0531A93} - C:\WINDOWS\bokpkov.dll

O21 - SSODL: altvxvm - {4A7FA553-3368-4CA0-8F15-2A2705BDE75E} - C:\WINDOWS\altvxvm.dll


NEXT

 

Download SDFix (or from Here) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.cmd to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

  • Finally paste the contents of the SDFix Report.txt back on the forum with a new HijackThis log


NEXT

 

Download Combofix from any of the links below, and save it to your desktop. <-- Important

 

Link 1

Link 2

Link 3


Click on this link Here to see a list of programs that should be disabled.

The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

 

If your anti-virus or firewall complains, please allow this script to run as it is not malicious.

 

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

Next: Please disable all onboard security programs (all running with background protection) as they may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

  • Double click combofix.exe and follow the prompts.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

 

Please be patient while the scan runs, at times it may appear to stall.

 

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply together with a new HijackThis log.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

After rebooting ensure your Security applications have been re-enabled.

 

 

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

In your next reply post:

SDFix Report.txt

ComboFix.txt

New HJT log taken after the above scan has run
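The entries the helper ticks above follow a recognisable pattern: Internet Explorer start/search values blanked to about:blank, an extra executable chained after userinit.exe in the F2 line, BHO/SSODL modules sitting directly in the Windows root with random-looking names, and a Winlogon Notify package that names a directory rather than a file. As an added example (my own code, not part of this thread and not part of HijackThis), the script below parses HijackThis-style lines and applies those four heuristics, returning the subset of lines an analyst would check. The sample log is a verbatim subset of the first log posted in this thread; the function names, the `Finding` record and the wording of the reasons are my own, and the heuristics are a deliberately narrow encoding of what this particular log shows, not a general malware detector.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a verbatim subset of the first HijackThis log in this
# thread, chosen so that every entry type the helper acted on is represented.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe,hibxmrn.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GNX Rolex - {1E88C4FE-1FD6-427A-ADE5-86F647BEA2F0} - C:\WINDOWS\drnpfdxkfw.dll
O2 - BHO: (no name) - {66A7526B-975E-495D-BD13-78679FEA6F7C} - (no file)
O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMeter.exe
O20 - Winlogon Notify: vtstq - C:\WINDOWS\
O21 - SSODL: bokpkov - {62AAC4EA-60FB-4DD3-B77B-2D9FF0531A93} - C:\WINDOWS\bokpkov.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# "<code> - <body>" is the shape of every HijackThis entry line.
ENTRY_RE = re.compile(r"^(?P<code>R[0-3]|F[0-3]|O\d{1,2}) - (?P<body>.*)$")

# A DLL/EXE directly in the Windows root (not System32, not Program Files):
# legitimate shell extensions and BHOs very rarely live there.
WINDOWS_ROOT_MODULE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(?:dll|exe)$", re.IGNORECASE)


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O21"
    line: str    # the original log line, ready to be ticked in HijackThis
    reason: str  # why the heuristic selected it


def _last_path(body: str) -> str:
    """The file path is always the last ' - ' separated field of an O2/O20/O21 body."""
    return body.rsplit(" - ", 1)[-1].strip()


def analyse_entry(code: str, body: str, line: str) -> Optional[Finding]:
    """Apply one heuristic per entry type; None means 'nothing to tick'."""
    if code in ("R0", "R1"):
        # Registry paths contain no '=', so the first '=' separates name from value.
        value = body.partition("=")[2].strip()
        if value == "" or value.lower() == "about:blank":
            return Finding(code, line, "IE start/search setting blanked (browser-hijack residue)")
        return None
    if code == "F2" and "UserInit=" in body:
        value = body.split("UserInit=", 1)[1]
        extras = [p.strip() for p in value.split(",")
                  if p.strip() and p.strip().lower() != "userinit.exe"]
        if extras:
            return Finding(code, line, "extra executable chained after userinit.exe: " + ", ".join(extras))
        return None
    if code in ("O2", "O21"):
        if WINDOWS_ROOT_MODULE.match(_last_path(body)):
            return Finding(code, line, "module loads from the Windows root directory")
        return None
    if code == "O20":
        if _last_path(body).endswith("\\"):
            return Finding(code, line, "Winlogon Notify package names a directory, not a file")
        return None
    return None


def scan(log_text: str) -> List[Finding]:
    """Run every line of a HijackThis log through analyse_entry, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line, "End of file" footer
        finding = analyse_entry(m.group("code"), m.group("body"), line)
        if finding:
            findings.append(finding)
    return findings


def fix_list(log_text: str) -> List[str]:
    """Lines to tick in HijackThis before pressing 'Fix checked'."""
    return [f.line for f in scan(log_text)]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
```

Run on the sample it selects exactly the six entry types the helper listed (the blanked R0/R1 values, the F2 UserInit chain, the two Windows-root modules and the directory-only O20) and leaves the Adobe BHO, the "(no file)" orphan, the O4 Run entry and the O23 service alone. The "(no file)" BHO is deliberately not flagged: it is harmless on its own, which matches the helper's choice above.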


SDFix: Version 1.157

 

Run by Michael on Sun 03/16/2008 at 12:34 AM

 

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

 

Checking Services :

 

Name:

DP1112

 

Path:

\??\C:\WINDOWS\system32\Drivers\DP.sys

 

DP1112 - Deleted

 

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting

 

 

Checking Files :

 

Trojan Files Found:

 

C:\WINDOWS\altvxvm.dll - Deleted

C:\WINDOWS\bokpkov.dll - Deleted

C:\WINDOWS\fmsxwqs.exe - Deleted

 

 

 

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-16 00:37:29

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:7c,1d,59,90,34,18,ff,16,70,da,58,46,cf,d6,a8,ba,37,ee,dd,34,cd,..

"p0"="D:\DAEMON Tools\"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,e3,11,9e,ee,f8,74,1f,ff,0f,cf,5d,3b,15,15,63,ea,45,..

"khjeh"=hex:f9,77,f8,cb,a3,c6,22,c4,60,3d,26,eb,7e,6f,01,b6,8e,39,dd,93,7d,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:29,8a,a0,c5,d3,71,c1,43,d7,fc,d7,5c,e3,f7,0b,55,49,eb,5f,69,bb,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40]

"ujdew"=hex:20,02,00,00,93,24,68,bc,f4,d2,0b,17,3f,e8,a1,b5,94,ee,ca,08,3d,..

"ljej40"=hex:9c,c4,5b,29,90,b5,b7,c1,1e,36,dd,7c,af,b6,3c,ce,6d,60,12,31,50,..

"ljej41"=hex:01,b3,11,2f,e8,6c,e5,c7,1f,0c,87,7a,ae,2c,5f,c8,6d,9a,79,37,e4,..

"ljej42"=hex:01,7a,84,24,e8,66,50,cc,1f,df,33,71,ae,48,cb,c3,6d,72,12,3f,e4,..

"ljej43"=hex:01,92,57,3c,e8,55,a4,d4,1f,5c,c7,69,ae,42,1e,db,6d,1c,38,24,e4,..

"ljej44"=hex:01,2c,8c,32,e8,a8,68,da,1f,64,3a,67,ae,3e,d1,d5,6d,db,e6,2a,e4,..

"ljej45"=hex:01,1c,02,0b,e8,77,d7,e3,1f,9a,bb,5e,ae,20,52,ec,6d,1f,67,13,e4,..

"ljej46"=hex:01,0c,c1,01,e8,da,16,e9,1f,21,74,54,ae,09,92,e6,6d,06,a7,19,e4,..

"ljej47"=hex:01,01,fa,07,e8,84,1f,ef,1f,a8,72,52,ae,bc,89,e0,6d,15,a9,1f,e4,..

"ljej48"=hex:01,72,2f,1d,e8,58,cd,f5,1f,12,5d,48,ae,ec,bb,fa,6d,f0,9f,05,e4,..

"ljej49"=hex:01,43,43,13,e8,38,a9,fb,1f,a5,f8,46,ae,2f,16,f4,6d,fe,22,0b,e4,..

"ljej410"=hex:01,a9,ca,16,e8,f2,20,fe,1f,16,41,43,ae,4c,9e,f1,6d,b3,ba,0e,e4,..

"ljej411"=hex:01,c3,b8,6d,e8,02,5f,85,1f,5e,32,38,ae,af,c8,8a,6d,a9,eb,75,e4,..

"ljej412"=hex:01,b6,4b,63,e8,48,a2,8b,1f,be,c7,36,ae,a5,1d,84,6d,fe,34,7b,e4,..

"ljej413"=hex:01,b4,47,66,e8,6d,96,8e,1f,76,fb,33,ae,1e,10,81,6d,6f,20,7e,e4,..

"ljej414"=hex:01,a3,52,7d,e8,1a,b9,95,1f,c0,cf,28,ae,88,25,9a,6d,e5,0c,65,e4,..

"ljej415"=hex:01,bf,82,71,e8,11,69,99,1f,fb,3f,24,ae,41,d4,96,6d,40,fc,69,e4,..

"ljej416"=hex:01,54,d5,74,e8,28,24,9c,1f,9c,44,21,ae,01,a1,93,6d,a4,b0,6c,e4,..

"ljej417"=hex:01,98,71,4b,e8,fa,98,a3,1f,77,e8,1e,ae,82,05,ac,6d,46,2c,53,e4,..

"ljej418"=hex:01,a1,f5,4f,e8,8b,04,a7,1f,2e,64,1a,ae,47,80,a8,6d,aa,d3,57,e4,..

"ljej419"=hex:01,c8,47,42,e8,7b,97,aa,1f,a6,f9,17,ae,e4,16,a5,6d,73,3d,5a,e4,..

"ljej420"=hex:01,54,2f,46,e8,89,ce,ae,1f,d1,a1,13,ae,25,be,a1,6d,5e,95,5e,e4,..

"ljej421"=hex:01,dc,e2,5a,e8,1a,0a,b2,1f,73,1e,0f,ae,6a,fa,bd,6d,12,d9,42,e4,..

"ljej422"=hex:01,6f,b1,5e,e8,98,58,b6,1f,86,2f,0b,ae,84,c4,b9,6d,d5,ee,46,e4,..

"ljej423"=hex:01,86,51,55,e8,04,b9,bd,1f,17,cf,00,ae,26,2b,b2,6d,9f,09,4d,e4,..

"ljej424"=hex:01,72,43,a9,e8,a1,aa,41,1f,47,fd,fc,ae,79,19,4e,6d,4c,38,b1,e4,..

"ljej425"=hex:01,19,4d,ad,e8,9c,ac,45,1f,43,c3,f8,ae,77,1f,4a,6d,6d,3a,b5,e4,..

"ljej426"=hex:01,ab,5e,a1,e8,1e,be,49,1f,d0,d1,f4,ae,94,2e,46,6d,3d,04,b9,e4,..

"ljej427"=hex:01,e6,be,a2,e8,fb,5e,4a,1f,4c,31,f7,ae,13,cd,45,6d,b1,e7,ba,e4,..

"ljej428"=hex:01,5c,ed,a6,e8,00,0d,4e,1f,e4,62,f3,ae,58,fe,41,6d,6b,d5,be,e4,..

"ljej429"=hex:01,ad,21,ba,e8,c2,c9,52,1f,b3,5e,ef,ae,25,ba,5d,6d,c1,98,a2,e4,..

"ljej430"=hex:01,e1,6a,be,e8,90,82,56,1f,13,e5,eb,ae,90,01,59,6d,46,53,a6,e4,..

"ljej431"=hex:01,8b,80,b3,e8,f7,68,5b,1f,03,3f,e6,ae,9e,db,54,6d,7a,f9,ab,e4,..

"ljej432"=hex:01,c4,5b,29,e8,b5,b7,c1,1f,36,dc,7c,ae,b6,3c,ce,6d,60,12,31,e4,..

"ljej433"=hex:01,c4,5b,29,e8,b5,b7,c1,1f,36,dc,7c,ae,b6,3c,ce,6d,60,12,31,e4,..

"ljej434"=hex:01,c4,58,29,e8,b5,97,e2,ac,36,dc,7c,ae,b6,3c,ce,6d,60,12,31,e4,..

"ljej435"=hex:01,c4,5b,29,e8,b5,b7,c1,1f,36,dc,7c,ae,b6,3c,ce,6d,60,12,31,e4,..

"ljej436"=hex:01,c4,5b,29,e8,b5,b7,c1,1f,36,dc,7c,ae,b6,3c,ce,6d,60,12,31,e4,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg41]

"ujdew"=hex:20,02,00,00,fc,c4,9e,11,62,d0,7a,34,2d,dd,2f,af,8c,5d,68,e3,7f,..

"ljej40"=hex:8e,12,9a,f7,c1,e2,d6,a9,71,76,b6,39,06,59,a1,c1,76,68,bb,b2,d4,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:7c,1d,59,90,34,18,ff,16,70,da,58,46,cf,d6,a8,ba,37,ee,dd,34,cd,..

"p0"="D:\DAEMON Tools\"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,e3,11,9e,ee,f8,74,1f,ff,0f,cf,5d,3b,15,15,63,ea,45,..

"khjeh"=hex:f9,77,f8,cb,a3,c6,22,c4,60,3d,26,eb,7e,6f,01,b6,8e,39,dd,93,7d,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:29,8a,a0,c5,d3,71,c1,43,d7,fc,d7,5c,e3,f7,0b,55,49,eb,5f,69,bb,..

 

scanning hidden registry entries ...

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]

"DisplayName"="Alcohol 120%"

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Messenger"

"D:\\BitComet\\BitComet.exe"="D:\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"

"D:\\AIM\\aim.exe"="D:\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

"D:\\LimeWire\\LimeWire.exe"="D:\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

"E:\\ProjectTorque\\ProjectTorque.bin"="E:\\ProjectTorque\\ProjectTorque.bin:*:Enabled:Project Torque"

"D:\\turbo tax 2007\\TurboTax Deluxe 2007\\32bit\\ttax.exe"="D:\\turbo tax 2007\\TurboTax Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"

"D:\\turbo tax 2007\\TurboTax Deluxe 2007\\32bit\\updatemgr.exe"="D:\\turbo tax 2007\\TurboTax Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"D:\\AIM\\aim.exe"="D:\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

 

Remaining Files :

 

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Sat 17 Jun 2006 211 ..SH. --- "C:\BOOT.BAK"

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"

Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"

Tue 20 Jun 2006 731,418 A.SH. --- "C:\WINDOWS\system32\qtstv.tmp"

Tue 1 Aug 2006 720,763 ..SH. --- "C:\WINDOWS\system32\qtstv.bak1"

Fri 26 Jan 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Sun 26 Mar 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRMbackup\DRMv1.bak"

Tue 15 Nov 2005 78,104 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"

Tue 15 Nov 2005 12,912 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"

Fri 5 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Tue 26 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRMbackup\Cache\Indiv02.tmp"

Sat 8 Dec 2007 888 ...HR --- "C:\Documents and Settings\Michael\Application Data\SecuROM\UserData\securom_v7_01.bak"

Sat 1 Dec 2007 444 ...HR --- "C:\Documents and Settings\Patrick\Application Data\SecuROM\UserData\securom_v7_01.bak"

 

Finished!


ComboFix 08-03-14.4 - Michael 2008-03-16 0:58:21.1 - NTFSx86

 

Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Program Files\Common Files\{F4488~1

C:\Program Files\winupdates

C:\Program Files\winupdates\a.zip

C:\WINDOWS\boot.ini

C:\WINDOWS\keyboard1.dat

C:\WINDOWS\mirarsetup_876075.exe

C:\WINDOWS\system32\dobe~1

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\wnsapisv.exe

C:\WINDOWS\system32\ystem3~1

C:\WINDOWS\system32ghynf.exe

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\LEGACY_CMDSERVICE

-------\LEGACY_NM

-------\LEGACY_NPF

-------\nm

 

 

((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))

.

 

2008-03-16 00:33 . 2005-03-02 13:09 577,024 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll

2008-03-16 00:32 . 2008-03-16 00:32 <DIR> d-------- C:\WINDOWS\ERUNT

2008-03-16 00:29 . 2008-03-16 00:38 <DIR> d-------- C:\SDFix

2008-03-15 02:19 . 2008-03-15 02:19 <DIR> d-------- C:\Program Files\PrevxCSI

2008-03-15 02:19 . 2008-03-15 02:21 10,752 --a------ C:\WINDOWS\system32\drivers\pxark.sys

2008-03-15 02:18 . 2008-03-15 02:18 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\PrevxCSI

2008-03-15 01:57 . 2008-03-15 01:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx

2008-03-15 01:57 . 2006-11-08 00:01 66,048 --a------ C:\WINDOWS\ieResetIcons.exe

2008-03-15 01:57 . 2008-03-15 01:57 230 --a------ C:\WINDOWS\system32\spupdsvc.inf

2008-03-14 18:52 . 2008-03-14 18:52 97 --a------ C:\WINDOWS\wininit.ini

2008-03-14 18:09 . 2008-03-14 18:12 49 --a------ C:\amp.bat

2008-02-26 15:47 . 2008-02-26 15:46 691,545 --a------ C:\WINDOWS\unins000.exe

2008-02-26 15:47 . 2008-02-26 15:47 2,541 --a------ C:\WINDOWS\unins000.dat

2008-02-26 15:22 . 2008-02-26 15:22 <DIR> d-------- C:\Documents and Settings\Michael\Deskto

2008-02-20 18:20 . 2008-02-20 18:20 <DIR> d-------- C:\Temp\AGE

2008-02-19 20:10 . 2008-02-19 20:13 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Intuit

2008-02-19 20:09 . 2008-02-19 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit

2008-02-19 20:08 . 2008-02-19 20:08 <DIR> d-------- C:\Program Files\Common Files\Intuit

2008-02-19 20:08 . 2007-10-22 18:58 1,721,712 --------- C:\WINDOWS\system32\InetClnt.dll

2008-02-19 19:08 . 2003-07-19 10:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd

2008-02-19 19:08 . 2005-01-03 01:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-15 07:16 --------- d-----w C:\Documents and Settings\Michael\Application Data\Azureus

2008-03-15 06:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-03-15 05:44 --------- d-----w C:\Documents and Settings\Michael\Application Data\LimeWire

2008-03-15 05:40 --------- d-----w C:\Documents and Settings\Michael\Application Data\AVG7

2008-03-14 23:21 --------- d-----w C:\Documents and Settings\Michael\Application Data\Registry Booster

2008-02-20 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7

2008-02-20 01:10 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-06-01 14:06 53,880 ----a-w C:\Documents and Settings\Michael\Application Data\GDIPFONTCACHEV1.DAT

2006-05-06 06:21 138 ----a-w C:\Program Files\INSTALL.LOG

2006-08-01 08:22 720,763 --sh--w C:\WINDOWS\system32\qtstv.bak1

2006-08-01 12:17 720,941 --sh--w C:\WINDOWS\system32\qtstv.ini2

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DU Meter"="D:\DU Meter\DUMeter.exe" [2005-02-01 21:28 1469952]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"AVG7_Run"="D:\AVGANT~1\avgw.exe" [2007-07-12 21:42 145920]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveSearch"= 1 (0x1)

"AllowLegacyWebView"= 1 (0x1)

"AllowUnhashedWebView"= 1 (0x1)

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]

backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Connection Manager.lnk]

path=

backup=C:\WINDOWS\pss\Wireless Connection Manager.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=

backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^Gangsters2Setup.lnk]

path=

backup=C:\WINDOWS\pss\Gangsters2Setup.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^PrevxCSI.lnk]

path=C:\Documents and Settings\Michael\Start Menu\Programs\Startup\PrevxCSI.lnk

backup=C:\WINDOWS\pss\PrevxCSI.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2007-10-10 22:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

--a------ 2006-08-01 17:35 67112 D:\AIM\aim.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

--a------ 2007-07-12 21:42 411648 D:\AVGANT~1\avgcc.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDMCon]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDNewsAgent]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDSwitchAgent]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c82cbab5.exe]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2005-12-10 09:57 133016 D:\DAEMON Tools\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]

--ah----- 2005-11-22 20:38 221184 D:\dkeeper\DkIcon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DU Meter]

--ah----- 2005-02-01 21:28 1469952 D:\DU Meter\DUMeter.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eeeo]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2006-10-30 12:36 256576 D:\itunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k6mmN5IOU]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

---hs---- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\MSMSGS.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ntjv]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2006-08-12 00:43 7630848 C:\WINDOWS\system32\NvCpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2006-08-12 00:43 86016 C:\WINDOWS\system32\NvMcTray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2006-08-12 00:43 1519616 C:\WINDOWS\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pop06apelt]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

--a------ 2006-03-17 21:24 184320 D:\PowerISO\PWRISOVM.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qimq]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2006-10-25 21:58 282624 C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

--a------ 2006-03-01 18:22 577536 C:\WINDOWS\soundman.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

--------- 2008-01-28 11:43 2097488 D:\Spybot\Spybot - Search & Destroy\updated version\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2005-11-10 15:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wGzyM6F48]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win320822-1965723]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdates]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

--------- 2006-10-18 23:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xload]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ZuneNetworkSvc"=3 (0x3)

"WMPNetworkSvc"=3 (0x3)

"Diskeeper"=3 (0x3)

"Avg7UpdSvc"=3 (0x3)

"Avg7Alrt"=3 (0x3)

"Autodesk Licensing Service"=3 (0x3)

"Adobe LM Service"=3 (0x3)

"WudfSvc"=2 (0x2)

"wuauserv"=2 (0x2)

"SiSWLSvc"=2 (0x2)

"FLEXnet Licensing Service"=3 (0x3)

"clr_optimization_v2.0.50727_32"=3 (0x3)

"Bonjour Service"=2 (0x2)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\WINDOWS\\system32\\sessmgr.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"D:\\AIM\\aim.exe"=

"D:\\LimeWire\\LimeWire.exe"=

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]

\Shell\AutoRun\command - J:\autorun.exe

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{016926EC-A7C2-EB46-0200-040003000402}]

C:\WINDOWS\system32\RunDLL32.exe

.

Contents of the 'Scheduled Tasks' folder

"2007-01-09 06:13:26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-16 01:00:41

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-03-16 1:02:25 - machine was rebooted [Michael]

ComboFix-quarantined-files.txt 2008-03-16 06:02:22


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:05:47 AM, on 3/16/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\svchost.exe

D:\DU Meter\DUMeter.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\wuauclt.exe

D:\firefox\firefox.exe

C:\Documents and Settings\Michael\Desktop\HiJackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMeter.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\AVGANT~1\avgw.exe /RUNONCE (User '?')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\AVGANT~1\avgw.exe /RUNONCE (User '?')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\AVGANT~1\avgw.exe /RUNONCE (User '?')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\AVGANT~1\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MSOFFI~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

 

--

End of file - 2718 bytes


Welcome back

 

Some of these infections have been on this machine for a while; it was heavily infected, to say the least.

 

 

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

Next: Please disable all onboard security programs (all running with background protection) as they may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

 

Click on this link Here to see a list of programs that should be disabled.

The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

 

 

 

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

File::

C:\WINDOWS\system32\qtstv.bak1

C:\WINDOWS\system32\qtstv.ini2

 

Folder::

C:\SDFix

 

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c82cbab5.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eeeo]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k6mmN5IOU]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ntjv]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pop06apelt]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qimq]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wGzyM6F48]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win320822-1965723]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdates]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xload]

Posted Image

 

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

 

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

 

 

 

NEXT**

 

Please download ATF Cleaner by Atribune From Here and save it to your Desktop.

Follow the instructions for the browser you use.

Read the instructions about the cookies. Delete what you do not need.

 

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

 

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

 

 

 

Now we need to check for any left overs...

 

NEXT**

 

*Note

It is recommended to disable onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

 

Click Yes, when prompted to install its ActiveX component.

(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

Or use Firefox with IE-Tab plugin

https://addons.mozilla.org/en-US/firefox/addon/1419

The program launches and downloads the latest definition files.

  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.

There is no option to clean/disinfect; however, we need to analyze the information on the report.

Posted Image

 

Posted Image

 

 

To obtain the report:

Click on: Save Report As (above - red blinking arrow)

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar

In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

 

 

 

In your next reply

 

ComboFix.txt

Kaspersky log

New HJT log taken after the above scans have run

 

Comments on how your computer is at the moment.

 

 

You may need several replies to post the requested logs, otherwise they might get cut off.

Edited by Juliet

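The CFScript format used above has three section headers (File::, Folder::, Registry::), and a Registry:: line of the form [-KEY] asks ComboFix to delete that key. As an added example that is not ComboFix's code and not part of the thread, the script below parses such a file and reports what it would remove, so the person running it can confirm that every registry deletion targets an msconfig 'startupreg' record (bookkeeping for disabled startup items) rather than a live Run key; the sample script is constructed from a few lines of the post above plus one extra deletion added to show the flag.

```python
"""Audit a ComboFix CFScript before it is dragged onto ComboFix.exe.

Added example, not ComboFix's own code and not part of the thread. It reads
the three section headers used in the script above (File::, Folder::,
Registry::) and reports what would be removed.
"""
import re

# Section headers as written in the CFScript above.
SECTION_RE = re.compile(r"^(File|Folder|Registry)::$")
# In the Registry:: section a line of the form [-KEY] deletes KEY.
REG_DELETE_RE = re.compile(r"^\[-(.+)\]$")
# Subtree where msconfig keeps records of startup items it has disabled.
STARTUPREG = r"\software\microsoft\shared tools\msconfig\startupreg"

# Constructed sample: a few lines of the script above plus one extra
# deletion (the live Run key, last line) added to show the audit flag it.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\system32\qtstv.bak1
C:\WINDOWS\system32\qtstv.ini2

Folder::
C:\SDFix

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c82cbab5.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"""


def parse_cfscript(text):
    """Split a CFScript into {"File": [...], "Folder": [...], "Registry": [...]}."""
    sections = {"File": [], "Folder": [], "Registry": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def audit_cfscript(text):
    """Return what the script would delete and anything that looks off."""
    sections = parse_cfscript(text)
    report = {
        "files": sections["File"],
        "folders": sections["Folder"],
        "registry_deletes": [],     # keys removed via [-KEY]
        "registry_other": [],       # Registry:: lines that are not deletions
        "outside_startupreg": [],   # deletions that touch something else
        "relative_paths": [],       # File::/Folder:: lines without a drive letter
    }
    for entry in sections["Registry"]:
        match = REG_DELETE_RE.match(entry)
        if not match:
            report["registry_other"].append(entry)
            continue
        key = match.group(1)
        report["registry_deletes"].append(key)
        if STARTUPREG not in key.lower():
            report["outside_startupreg"].append(key)
    for entry in sections["File"] + sections["Folder"]:
        if not re.match(r"^[A-Za-z]:\\", entry):
            report["relative_paths"].append(entry)
    return report


if __name__ == "__main__":
    for name, items in audit_cfscript(SAMPLE_CFSCRIPT).items():
        print(f"{name}: {items}")
```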

ComboFix 08-03-14.4 - Michael 2008-03-16 21:10:54.2 - NTFSx86

 

Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Michael\Desktop\CFScript.txt

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\WINDOWS\system32\qtstv.bak1

C:\WINDOWS\system32\qtstv.ini2

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\SDFix

C:\SDFix\apps\assosfix.reg

C:\SDFix\apps\cliptext.exe

C:\SDFix\apps\download.exe

C:\SDFix\apps\dummy.sys

C:\SDFix\apps\Enable_Command_Prompt.reg

C:\SDFix\apps\ERDNT.E_E

C:\SDFix\apps\ERDNTDOS.LOC

C:\SDFix\apps\ERDNTWIN.LOC

C:\SDFix\apps\ERUNT.EXE

C:\SDFix\apps\ERUNT.LOC

C:\SDFix\apps\fix.reg

C:\SDFix\apps\FixBH.reg

C:\SDFix\apps\FixComponents.reg

C:\SDFix\apps\FIXCU.reg

C:\SDFix\apps\FIXLM.reg

C:\SDFix\apps\FixPath.exe

C:\SDFix\apps\FixRedir.reg

C:\SDFix\apps\FixSchedule.reg

C:\SDFix\apps\FixWebCheck.reg

C:\SDFix\apps\fixXP.reg

C:\SDFix\apps\FixXPsp2.reg

C:\SDFix\apps\grep.exe

C:\SDFix\apps\HPFix.reg

C:\SDFix\apps\HPFix2.reg

C:\SDFix\apps\HPFix3.reg

C:\SDFix\apps\HPFix4.reg

C:\SDFix\apps\HPFix5.reg

C:\SDFix\apps\HPFix6.reg

C:\SDFix\apps\HPFix7.reg

C:\SDFix\apps\isadmin.exe

C:\SDFix\apps\leg2.txt

C:\SDFix\apps\legacy.txt

C:\SDFix\apps\legacybk.txt

C:\SDFix\apps\locate.com

C:\SDFix\apps\LS.exe

C:\SDFix\apps\MD5File.exe

C:\SDFix\apps\MyGcpvFix.reg

C:\SDFix\apps\MyGkFix2.reg

C:\SDFix\apps\Process.exe

C:\SDFix\apps\procs.exe

C:\SDFix\apps\psservice.exe

C:\SDFix\apps\Rem.txt

C:\SDFix\apps\Rem2.txt

C:\SDFix\apps\Replace\regedit.exe

C:\SDFix\apps\Replace\W2K.exe

C:\SDFix\apps\Replace\w2k\beep.sys

C:\SDFix\apps\Replace\w2k\null.sys

C:\SDFix\apps\Replace\XP.exe

C:\SDFix\apps\Replace\xp\beep.sys

C:\SDFix\apps\Replace\xp\null.sys

C:\SDFix\apps\Reset_AppInit_DLLs.reg

C:\SDFix\apps\RestartIt!.exe

C:\SDFix\apps\Restore_SecurityCenter.reg

C:\SDFix\apps\Restore_SharedAccess.reg

C:\SDFix\apps\sc.exe

C:\SDFix\apps\sed.exe

C:\SDFix\apps\SF.exe

C:\SDFix\apps\shutdown.exe

C:\SDFix\apps\srv2.txt

C:\SDFix\apps\srv2bk.txt

C:\SDFix\apps\svc.txt

C:\SDFix\apps\svcbk.txt

C:\SDFix\apps\swreg.exe

C:\SDFix\apps\swsc.exe

C:\SDFix\apps\unzip.exe

C:\SDFix\apps\vfind.exe

C:\SDFix\apps\WINMSG.EXE

C:\SDFix\apps\winsec.reg

C:\SDFix\apps\zip.exe

C:\SDFix\backups\backupreg.zip

C:\SDFix\backups\backups.zip

C:\SDFix\backups\catchme.log

C:\SDFix\backups\HOSTS

C:\SDFix\catchme.exe

C:\SDFix\dummy.sys

C:\SDFix\Report.txt

C:\SDFix\RunThis.bat

C:\SDFix\SDFIX_ReadMe_Online.url

C:\WINDOWS\system32\qtstv.bak1

C:\WINDOWS\system32\qtstv.ini2

 

.

((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))

.

 

2008-03-16 00:33 . 2005-03-02 13:09 577,024 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll

2008-03-16 00:32 . 2008-03-16 00:32 <DIR> d-------- C:\WINDOWS\ERUNT

2008-03-15 02:19 . 2008-03-15 02:19 <DIR> d-------- C:\Program Files\PrevxCSI

2008-03-15 02:19 . 2008-03-15 02:21 10,752 --a------ C:\WINDOWS\system32\drivers\pxark.sys

2008-03-15 02:18 . 2008-03-15 02:18 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\PrevxCSI

2008-03-15 01:57 . 2008-03-15 01:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx

2008-03-15 01:57 . 2006-11-08 00:01 66,048 --a------ C:\WINDOWS\ieResetIcons.exe

2008-03-15 01:57 . 2008-03-15 01:57 230 --a------ C:\WINDOWS\system32\spupdsvc.inf

2008-03-14 18:52 . 2008-03-14 18:52 97 --a------ C:\WINDOWS\wininit.ini

2008-03-14 18:09 . 2008-03-14 18:12 49 --a------ C:\amp.bat

2008-02-26 15:47 . 2008-02-26 15:46 691,545 --a------ C:\WINDOWS\unins000.exe

2008-02-26 15:47 . 2008-02-26 15:47 2,541 --a------ C:\WINDOWS\unins000.dat

2008-02-26 15:22 . 2008-02-26 15:22 <DIR> d-------- C:\Documents and Settings\Michael\Deskto

2008-02-20 18:20 . 2008-02-20 18:20 <DIR> d-------- C:\Temp\AGE

2008-02-19 20:10 . 2008-02-19 20:13 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Intuit

2008-02-19 20:09 . 2008-02-19 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit

2008-02-19 20:08 . 2008-02-19 20:08 <DIR> d-------- C:\Program Files\Common Files\Intuit

2008-02-19 20:08 . 2007-10-22 18:58 1,721,712 --------- C:\WINDOWS\system32\InetClnt.dll

2008-02-19 19:08 . 2003-07-19 10:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd

2008-02-19 19:08 . 2005-01-03 01:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-15 07:16 --------- d-----w C:\Documents and Settings\Michael\Application Data\Azureus

2008-03-15 06:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-03-15 05:44 --------- d-----w C:\Documents and Settings\Michael\Application Data\LimeWire

2008-03-15 05:40 --------- d-----w C:\Documents and Settings\Michael\Application Data\AVG7

2008-03-14 23:21 --------- d-----w C:\Documents and Settings\Michael\Application Data\Registry Booster

2008-02-20 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7

2008-02-20 01:10 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-06-01 14:06 53,880 ----a-w C:\Documents and Settings\Michael\Application Data\GDIPFONTCACHEV1.DAT

2006-05-06 06:21 138 ----a-w C:\Program Files\INSTALL.LOG

.

 

((((((((((((((((((((((((((((( [email protected]_ 1.02.13.35 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-03-16 05:55:02 60,112 ----a-w C:\WINDOWS\system32\perfc009.dat

+ 2008-03-17 00:48:34 60,112 ----a-w C:\WINDOWS\system32\perfc009.dat

- 2008-03-16 05:55:02 394,778 ----a-w C:\WINDOWS\system32\perfh009.dat

+ 2008-03-17 00:48:34 394,778 ----a-w C:\WINDOWS\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DU Meter"="D:\DU Meter\DUMeter.exe" [2005-02-01 21:28 1469952]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"AVG7_Run"="D:\AVGANT~1\avgw.exe" [2007-07-12 21:42 145920]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveSearch"= 1 (0x1)

"AllowLegacyWebView"= 1 (0x1)

"AllowUnhashedWebView"= 1 (0x1)

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]

backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Connection Manager.lnk]

path=

backup=C:\WINDOWS\pss\Wireless Connection Manager.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=

backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^Gangsters2Setup.lnk]

path=

backup=C:\WINDOWS\pss\Gangsters2Setup.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^PrevxCSI.lnk]

path=C:\Documents and Settings\Michael\Start Menu\Programs\Startup\PrevxCSI.lnk

backup=C:\WINDOWS\pss\PrevxCSI.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2007-10-10 22:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

--a------ 2006-08-01 17:35 67112 D:\AIM\aim.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

--a------ 2007-07-12 21:42 411648 D:\AVGANT~1\avgcc.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDMCon]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDNewsAgent]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDSwitchAgent]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2005-12-10 09:57 133016 D:\DAEMON Tools\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]

--ah----- 2005-11-22 20:38 221184 D:\dkeeper\DkIcon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DU Meter]

--ah----- 2005-02-01 21:28 1469952 D:\DU Meter\DUMeter.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2006-10-30 12:36 256576 D:\itunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

---hs---- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\MSMSGS.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2006-08-12 00:43 7630848 C:\WINDOWS\system32\NvCpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2006-08-12 00:43 86016 C:\WINDOWS\system32\NvMcTray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2006-08-12 00:43 1519616 C:\WINDOWS\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

--a------ 2006-03-17 21:24 184320 D:\PowerISO\PWRISOVM.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2006-10-25 21:58 282624 C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

--a------ 2006-03-01 18:22 577536 C:\WINDOWS\soundman.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

--------- 2008-01-28 11:43 2097488 D:\Spybot\Spybot - Search & Destroy\updated version\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2005-11-10 15:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

--------- 2006-10-18 23:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ZuneNetworkSvc"=3 (0x3)

"WMPNetworkSvc"=3 (0x3)

"Diskeeper"=3 (0x3)

"Avg7UpdSvc"=3 (0x3)

"Avg7Alrt"=3 (0x3)

"Autodesk Licensing Service"=3 (0x3)

"Adobe LM Service"=3 (0x3)

"WudfSvc"=2 (0x2)

"wuauserv"=2 (0x2)

"SiSWLSvc"=2 (0x2)

"FLEXnet Licensing Service"=3 (0x3)

"clr_optimization_v2.0.50727_32"=3 (0x3)

"Bonjour Service"=2 (0x2)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\WINDOWS\\system32\\sessmgr.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"D:\\AIM\\aim.exe"=

"D:\\LimeWire\\LimeWire.exe"=

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]

\Shell\AutoRun\command - J:\autorun.exe

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{016926EC-A7C2-EB46-0200-040003000402}]

C:\WINDOWS\system32\RunDLL32.exe

.

Contents of the 'Scheduled Tasks' folder

"2007-01-09 06:13:26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-16 21:12:06

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-03-16 21:12:34

ComboFix-quarantined-files.txt 2008-03-17 02:12:26

ComboFix2.txt 2008-03-16 06:02:26


I can't get the Kaspersky Online Scanner to work. Here is the HijackThis log.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:55:11 PM, on 3/16/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

D:\DU Meter\DUMeter.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\spoolsv.exe

D:\firefox\beta\firefox.exe

C:\Documents and Settings\Michael\Desktop\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMeter.exe

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\AVGANT~1\avgw.exe /RUNONCE (User '?')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\AVGANT~1\avgw.exe /RUNONCE (User '?')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\AVGANT~1\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MSOFFI~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

 

--

End of file - 2708 bytes


Welcome back

 

Next, launch Notepad (Start > Run, type in: notepad),

copy and paste the text present in the quotebox below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]

 

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop. It should look like this: Posted Image

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.

 

Please reboot the machine

 

 

It's important we update your version of Java

 

Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 5
  • Scroll to Java Runtime Environment (JRE) 6 Update 5 and click on the download button
  • Click on the Accept License Agreement button
  • Next select Download Now! Windows Offline Installation, Multi-language
  • Now close all windows, including your browser.
  • Double click on the Java installation that you downloaded and follow the prompts.
  • NEXT-remove all older versions of Java
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
  • Select it and click Remove.
  • Close any programs you may have running - especially your web browser.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
===**

 

Clearing Java Cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) Posted Image

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave all Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

 

 

 

Let's see if we can get a Panda scan

 

Next go Here to run Panda's ActiveScan.

Once you are on the Panda site click the Scan your PC button

A new window will open...click the Check Now button.

Enter your State/Province

Enter your E-mail address and click send.

Select either Home user or Company.

Click the big Scan Now button

  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a few minutes)
When the download is complete, click on My Computer to start the scan.

When the scan completes, if anything malicious is detected, click the See Report button, then Save report and save it to a convenient location (activescan.txt to desktop).

Post the contents of the ActiveScan report

 

 

 

In your next reply post:

Panda ActiveScan report

New HJT log

 

Can you give me comments on how the computer is at the moment?


The computer seems to be working a lot better. But I still cannot run the Panda anti-virus. The window will pop up but it is blank. I still cannot press the agree button on the other antivirus either. I uninstalled and installed the new Java and ran the .reg that you gave me.


Welcome back

 

The computer seems to be working a lot better. But I still cannot run the Panda anti-virus. The window will pop up but it is blank. I still cannot press the agree button on the other antivirus either.

Usually it's your antivirus protection that stops this, but we can try this scan.

 

 

Please download Malwarebytes' Anti-Malware to your desktop

 

Additional Link

 

* Double-click mbam-setup.exe and follow the prompts to install the program.

* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform quick scan, then click Scan.

* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.

* You can also access the log by doing the following:

 

o Click on the Malwarebytes' Anti-Malware icon to launch the program.

o Click on the Logs tab.

o Click on the log at the bottom of those listed to highlight it.

o Click Open.

 

In your next reply, please post:

* the Malwarebytes' Anti-Malware log

* new HijackThis log taken after the above scan has run

 

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Malwarebytes' Anti-Malware 1.09

Database version: 534

 

Scan type: Quick Scan

Objects scanned: 29913

Time elapsed: 2 minute(s), 5 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CLASSES_ROOT\Typelib\{74d46bba-5638-473a-83b6-97e7804a7411} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{8388f272-9eda-4f4e-88fd-4711cba4ba2b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\etlrlws.bltm (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\etlrlws.ToolBar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:48:12 PM, on 3/24/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

D:\DU Meter\DUMeter.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

D:\firefox\beta\firefox.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Michael\Desktop\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMeter.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\AVGANT~1\avgw.exe /RUNONCE (User '?')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\AVGANT~1\avgw.exe /RUNONCE (User '?')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\AVGANT~1\avgw.exe /RUNONCE (User '?')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\AVGANT~1\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MSOFFI~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

 

--

End of file - 2945 bytes

 

 

When I try to change my screen resolution or anything in the properties I get this message.

 

Posted Image

 

I do not use Internet Explorer; I'm using Firefox 3.

Edited by MiG1289


Try this

 

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page").

Also remove the checkmark from the Lock Desktop Items box if it is checked.

Apply.

Apply and Exit Display properties.

Reboot your machine.

 

If that doesn't work:

http://support.microsoft.com/kb/q193110/

 

 

Post back again and let me know what issues remain.


No issues are remaining that I know of. Thanks for your help.


You're good to go, good job!

 

Below are recommendations to protect your computer.

 

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

 

 

Firefox 2.0 The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.

 

How to prevent Malware: Created by Miekiemoes

 

Here are some additional utilities that will further enhance your safety.

# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

 

 

Read this article 'Safe Computing Practices'.

So how did I get infected in the first place?

 

Secure My Computer: A Layered Approach

 

Strong passwords: How to create and use them

 

Slow Computer? Check here first; it may not be malware

http://www.castlecops.com/postitle175256-0-0-.html

Free Antivirus-AntiSpyware-Firewall Software

This topic is now closed to further replies.