lowen0816

  1. Replying to miekiemoes (Aug 13 2009, 03:29 PM, post 109677), who wrote:

         Hi, this looks OK again.
         * Go to start > run and copy and paste next command in the field:
         ComboFix /u
         Make sure there's a space between Combofix and /
         Then hit enter. This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
         Let me know in your next reply how things are now.

     So far so good. Thanks so much for your help. I hope you are paid very well :-). Besides AVG 8.5 (AV and AS), is there anything else that you would recommend installing on my machine for future protection?

     Thanks,
     Lori
  2. Here is the new combofix log - thanks!

     ComboFix 09-08-10.06 - Owner 08/13/2009 13:07.2.1 - NTFSx86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.234 [GMT -4:00]
     Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
     AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

     FILE ::
     "c:\temp\__c00A82C4.dat"
     "c:\windows\system32\25A.tmp"
     "c:\windows\system32\4.tmp"
     "c:\windows\System32\dneinobj32.dll"
     "c:\windows\system32\GroupPolicy000.dat"
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\docume~1\Owner\APPLIC~1\02000000522750ff654C.manifest
     c:\docume~1\Owner\APPLIC~1\02000000522750ff654O.manifest
     c:\docume~1\Owner\APPLIC~1\02000000522750ff654P.manifest
     c:\docume~1\Owner\APPLIC~1\02000000522750ff654S.manifest
     c:\docume~1\Owner\LOCALS~1\Temp\17.tmp
     c:\documents and settings\Owner\Application Data\02000000522750ff654C.manifest
     c:\documents and settings\Owner\Application Data\02000000522750ff654O.manifest
     c:\documents and settings\Owner\Application Data\02000000522750ff654P.manifest
     c:\documents and settings\Owner\Application Data\02000000522750ff654S.manifest
     c:\documents and settings\Owner\Local Settings\Temp\17.tmp
     c:\temp\__c00A82C4.dat
     c:\windows\GnuHashes.ini
     c:\windows\system32\__c00E1D0.dat
     c:\windows\system32\25A.tmp
     c:\windows\system32\4.tmp
     c:\windows\System32\dneinobj32.dll
     c:\windows\system32\GroupPolicy000.dat
     c:\windows\system32\SystemX86
     c:\windows\system32\SystemX86\253.crack.zip
     c:\windows\system32\SystemX86\253.crack.zip.kwd
     c:\windows\system32\SystemX86\254.keygen.zip
     c:\windows\system32\SystemX86\254.keygen.zip.kwd
     c:\windows\system32\SystemX86\255.serial.zip
     c:\windows\system32\SystemX86\255.serial.zip.kwd
     c:\windows\system32\SystemX86\256.setup.zip
     c:\windows\system32\SystemX86\256.setup.zip.kwd
     c:\windows\system32\SystemX86\257.music.au
     c:\windows\system32\SystemX86\257.music.au.kwd
     c:\windows\system32\SystemX86\258.music2.au
     c:\windows\system32\SystemX86\258.music2.au.kwd
     c:\windows\system32\SystemX86\259.music3.au
     c:\windows\system32\SystemX86\259.music3.au.kwd
     c:\windows\system32\SystemX86\260.music.snd
     c:\windows\system32\SystemX86\260.music.snd.kwd
     .
     ((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
     .
     2009-08-13 02:43 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
     2009-08-13 01:01 . 2009-08-13 01:01 -------- d-----w- c:\program files\Trend Micro
     2009-08-12 01:00 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
     2009-08-12 01:00 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
     2009-08-12 01:00 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
     2009-08-12 00:59 . 2009-08-13 16:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
     2009-08-12 00:59 . 2009-08-12 01:03 -------- d-----w- c:\program files\Common Files\PC Tools
     2009-08-12 00:59 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
     2009-08-12 00:59 . 2009-08-12 01:04 -------- d-----w- c:\program files\Spyware Doctor
     2009-08-12 00:59 . 2009-08-12 00:59 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
     2009-08-12 00:59 . 2009-08-12 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
     2009-08-12 00:59 . 2009-08-12 00:59 -------- d-----w- c:\docume~1\Owner\APPLIC~1\PC Tools
     2009-08-09 16:36 . 2009-08-10 12:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
     2009-08-09 16:36 . 2009-08-10 12:53 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
     2009-08-09 16:36 . 2009-08-10 12:53 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
     2009-08-09 16:36 . 2009-08-10 12:53 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
     2009-08-09 16:35 . 2009-08-13 12:49 -------- d-----w- c:\windows\system32\drivers\Avg
     2009-08-09 07:03 . 2009-08-09 07:03 -------- d-----w- c:\windows\system32\XPSViewer
     2009-08-09 07:03 . 2009-08-09 07:03 -------- d-----w- c:\program files\MSBuild
     2009-08-09 07:02 . 2009-08-09 07:02 -------- d-----w- c:\program files\Reference Assemblies
     2009-08-09 03:29 . 2009-08-09 03:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
     2009-08-09 03:29 . 2009-08-09 03:29 -------- d-----w- c:\docume~1\Owner\APPLIC~1\Malwarebytes
     2009-08-09 03:28 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-08-09 03:28 . 2009-08-09 03:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-08-09 03:28 . 2009-08-09 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-08-09 03:28 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-08-09 02:44 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
     2009-08-09 02:44 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
     2009-08-09 02:44 . 2009-08-09 02:44 -------- d-----w- C:\3b76648fd05db8de4f0df1e7
     2009-08-09 02:44 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
     2009-08-09 02:37 . 2009-08-09 02:37 -------- d-----w- C:\d7fc1a37c58d226bb7b6152bb397daf3
     2009-08-09 02:37 . 2009-08-09 02:37 -------- d-----w- C:\e7fe6792882ba60ea68825b7a2d0dd93
     2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
     2009-07-26 03:12 . 2009-07-26 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
     2009-07-26 03:12 . 2009-07-26 03:12 -------- d-----w- c:\windows\system32\drivers\NSS
     2009-07-26 03:12 . 2009-07-26 03:12 -------- d-----w- c:\program files\Norton Security Scan
     2009-07-26 03:12 . 2009-07-26 03:12 -------- d-----w- c:\program files\NortonInstaller
     2009-07-26 03:12 . 2009-07-26 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
     2009-07-17 19:01 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-08-13 16:30 . 2005-08-16 00:33 59640 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-08-13 02:30 . 2007-05-09 23:24 664 ----a-w- c:\windows\system32\d3d9caps.dat
     2009-08-12 23:18 . 2009-04-30 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
     2009-08-12 22:01 . 2005-05-20 18:29 -------- d-----w- c:\program files\Common Files\Symantec Shared
     2009-08-10 20:11 . 2009-03-12 03:27 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
     2009-08-10 20:11 . 2009-03-12 03:27 -------- d-----w- c:\docume~1\Owner\APPLIC~1\LimeWire
     2009-08-10 01:25 . 2009-04-30 01:46 -------- d-----w- c:\program files\MSECACHE
     2009-08-09 16:35 . 2009-03-06 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
     2009-08-09 03:48 . 2009-08-08 22:35 2857 ----a-w- c:\windows\system32\nodes.txt.tmp
     2009-08-05 09:01 . 2005-03-23 16:52 204800 ----a-w- c:\windows\system32\mswebdvd.dll
     2009-07-26 03:12 . 2005-05-20 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
     2009-07-17 19:01 . 2005-03-23 16:52 58880 ----a-w- c:\windows\system32\atl.dll
     2009-07-13 14:08 . 2005-03-23 16:53 286720 ----a-w- c:\windows\system32\wmpdxm.dll
     2009-07-11 14:59 . 2005-05-20 18:45 -------- d--h--w- c:\program files\InstallShield Installation Information
     2009-06-29 16:12 . 2005-03-23 16:53 827392 ----a-w- c:\windows\system32\wininet.dll
     2009-06-29 16:12 . 2005-03-23 16:52 78336 ----a-w- c:\windows\system32\ieencode.dll
     2009-06-29 16:12 . 2005-03-23 16:52 17408 ------w- c:\windows\system32\corpol.dll
     2009-06-16 14:36 . 2005-03-23 16:52 119808 ----a-w- c:\windows\system32\t2embed.dll
     2009-06-16 14:36 . 2005-03-23 16:52 81920 ----a-w- c:\windows\system32\fontsub.dll
     2009-06-12 12:31 . 2005-03-23 16:52 76288 ----a-w- c:\windows\system32\telnet.exe
     2009-06-10 14:13 . 2005-03-23 16:52 84992 ----a-w- c:\windows\system32\avifil32.dll
     2009-06-10 13:19 . 2005-03-23 18:08 2066432 ----a-w- c:\windows\system32\mstscax.dll
     2009-06-10 06:14 . 2005-03-23 16:53 132096 ----a-w- c:\windows\system32\wkssvc.dll
     2009-06-03 19:09 . 2005-03-23 16:52 1291264 ----a-w- c:\windows\system32\quartz.dll
     2009-05-23 13:59 . 2009-01-24 02:22 202240 ----a-w- c:\windows\system32\Hotel For Dogs - Friday.scr
     2007-07-20 15:13 . 2007-07-20 15:13 774144 ----a-w- c:\program files\RngInterstitial.dll
     2008-06-27 18:59 . 2008-08-26 03:04 163840 ----a-w- c:\program files\mozilla firefox\components\nsgkff20_meter2.dll
     .
     ((((((((((((((((((((((((((((( SnapShot@2009-08-13_16.24.06 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2009-08-13 17:17 . 2009-08-13 17:17 16384 c:\windows\Temp\Perflib_Perfdata_1f8.dat
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-02 68856]
     "RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
     "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
     "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-12 136600]
     "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-03 180269]
     "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-10 1948440]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
     "RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
     2009-08-10 12:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
     Domestic Security Version 4.87

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
     @=""

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
     @=""

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
     backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
     backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

     [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
     path=c:\documents and settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
     backup=c:\windows\pss\LimeWire On Startup.lnkStartup

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
     "c:\\Program Files\\ValuSoft\\Beyond Pearl Harbor Pacific Warriors\\Pacific Warriors.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
     "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
     "c:\\Program Files\\LimeWire\\LimeWire.exe"=
     "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
     "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

     R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/11/2009 9:00 PM 130936]
     R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/9/2009 12:36 PM 335752]
     R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/9/2009 12:36 PM 108552]
     R1 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [7/7/2006 8:59 PM 1984]
     R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/10/2009 8:53 AM 298776]
     R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/18/2009 11:17 PM 266240]
     S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/11/2009 8:59 PM 348752]
     .
     Contents of the 'Scheduled Tasks' folder

     2009-08-13 c:\windows\Tasks\Google Software Updater.job
     - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-26 01:31]

     2009-08-13 c:\windows\Tasks\Norton Security Scan for Owner.job
     - c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-26 03:12]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     uInternet Connection Wizard,ShellNext = iexplore
     uInternet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080
     uInternet Settings,ProxyOverride = ams-server*;<local>
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} - hxxps://vserver01/VirtualServer/activex/VMRCActiveXClient.cab
     FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\4bi9ibcy.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
     FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
     FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
     FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
     FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
     .
     **************************************************************************
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-08-13 13:17
     Windows 5.1.2600 Service Pack 3 NTFS
     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...
     scan completed successfully
     hidden files: 0
     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_USERS\S-1-5-21-3067963684-463181519-798121359-1003\Software\Microsoft\SystemCertificates\AddressBook*]
     @Allowed: (Read) (RestrictedCode)
     @Allowed: (Read) (RestrictedCode)

     [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
     "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
        00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

     [HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
     @Denied: (2) (Administrators)
     @Allowed: (2) (Administrators)
     "Policy"=hex:00,00,00,00
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'explorer.exe'(3460)
     c:\windows\system32\WININET.dll
     c:\windows\system32\ieframe.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
     c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
     c:\program files\Cisco Systems\VPN Client\cvpnd.exe
     c:\program files\Java\jre6\bin\jqs.exe
     c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
     c:\windows\system32\wdfmgr.exe
     c:\program files\AVG\AVG8\avgrsx.exe
     c:\progra~1\AVG\AVG8\avgnsx.exe
     c:\program files\AVG\AVG8\avgcsrvx.exe
     c:\windows\system32\wscntfy.exe
     c:\windows\system32\msiexec.exe
     .
     **************************************************************************
     .
     Completion time: 2009-08-13 13:23 - machine was rebooted
     ComboFix-quarantined-files.txt 2009-08-13 17:23
     ComboFix2.txt 2009-08-13 16:29

     Pre-Run: 61,994,651,648 bytes free
     Post-Run: 61,963,833,344 bytes free

     257 --- E O F --- 2009-08-13 07:12
  3. Here is the combofix log: ComboFix 09-08-10.06 - Owner 08/13/2009 12:09.1.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.235 [GMT -4:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\docume~1\Owner\APPLIC~1\02000000522750ff654C.manifest c:\docume~1\Owner\APPLIC~1\02000000522750ff654O.manifest c:\docume~1\Owner\APPLIC~1\02000000522750ff654P.manifest c:\docume~1\Owner\APPLIC~1\02000000522750ff654S.manifest c:\docume~1\Owner\LOCALS~1\Temp\12.tmp c:\documents and settings\Owner\Application Data\02000000522750ff654C.manifest c:\documents and settings\Owner\Application Data\02000000522750ff654O.manifest c:\documents and settings\Owner\Application Data\02000000522750ff654P.manifest c:\documents and settings\Owner\Application Data\02000000522750ff654S.manifest c:\documents and settings\Owner\Local Settings\Temp\12.tmp c:\recycler\S-1-5-21-3683029557-3838375364-467069692-1003 c:\recycler\S-1-5-21-3991424399-1867458613-948240738-1003 c:\windows\GnuHashes.ini c:\windows\Installer\25645904.msi c:\windows\Installer\2564590b.msi c:\windows\Installer\25645912.msi c:\windows\Installer\259be.msi c:\windows\system32\__c00E12BA.dat c:\windows\system32\BSTIEPrintCtl1.dll c:\windows\system32\ehgeTbD.vbs c:\windows\system32\GroupPolicy000.dat c:\windows\system32\Zuyb94X.vbs C:\xcrashdump.dat D:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 ))))))))))))))))))))))))))))))) . 2009-08-13 02:43 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll 2009-08-13 01:01 . 2009-08-13 01:01 -------- d-----w- c:\program files\Trend Micro 2009-08-12 01:00 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys 2009-08-12 01:00 . 
2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys 2009-08-12 01:00 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys 2009-08-12 00:59 . 2009-08-13 16:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-08-12 00:59 . 2009-08-12 01:03 -------- d-----w- c:\program files\Common Files\PC Tools 2009-08-12 00:59 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys 2009-08-12 00:59 . 2009-08-12 01:04 -------- d-----w- c:\program files\Spyware Doctor 2009-08-12 00:59 . 2009-08-12 00:59 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools 2009-08-12 00:59 . 2009-08-12 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools 2009-08-12 00:59 . 2009-08-12 00:59 -------- d-----w- c:\docume~1\Owner\APPLIC~1\PC Tools 2009-08-11 01:57 . 1980-08-17 00:00 27648 ----a-w- c:\temp\__c00A82C4.dat 2009-08-09 16:36 . 2009-08-10 12:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-08-09 16:36 . 2009-08-10 12:53 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-08-09 16:36 . 2009-08-10 12:53 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-08-09 16:36 . 2009-08-10 12:53 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-08-09 16:35 . 2009-08-13 12:49 -------- d-----w- c:\windows\system32\drivers\Avg 2009-08-09 07:03 . 2009-08-09 07:03 -------- d-----w- c:\windows\system32\XPSViewer 2009-08-09 07:03 . 2009-08-09 07:03 -------- d-----w- c:\program files\MSBuild 2009-08-09 07:02 . 2009-08-09 07:02 -------- d-----w- c:\program files\Reference Assemblies 2009-08-09 03:29 . 2009-08-09 03:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes 2009-08-09 03:29 . 2009-08-09 03:29 -------- d-----w- c:\docume~1\Owner\APPLIC~1\Malwarebytes 2009-08-09 03:28 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-08-09 03:28 . 
2009-08-09 03:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-08-09 03:28 . 2009-08-09 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-08-09 03:28 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-08-09 02:44 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll 2009-08-09 02:44 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll 2009-08-09 02:44 . 2009-08-09 02:44 -------- d-----w- C:\3b76648fd05db8de4f0df1e7 2009-08-09 02:44 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll 2009-08-09 02:37 . 2009-08-09 02:37 -------- d-----w- C:\d7fc1a37c58d226bb7b6152bb397daf3 2009-08-09 02:37 . 2009-08-09 02:37 -------- d-----w- C:\e7fe6792882ba60ea68825b7a2d0dd93 2009-08-08 00:01 . 2009-08-08 00:01 122368 ----a-w- c:\windows\system32\dneinobj32.dll 2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll 2009-07-26 03:12 . 2009-07-26 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton 2009-07-26 03:12 . 2009-07-26 03:12 -------- d-----w- c:\windows\system32\drivers\NSS 2009-07-26 03:12 . 2009-07-26 03:12 -------- d-----w- c:\program files\Norton Security Scan 2009-07-26 03:12 . 2009-07-26 03:12 -------- d-----w- c:\program files\NortonInstaller 2009-07-26 03:12 . 2009-07-26 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller 2009-07-17 19:01 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-08-13 16:24 . 2009-08-13 16:24 590 --sha-w- c:\windows\system32\GroupPolicy000.dat 2009-08-13 16:24 . 2009-08-13 16:24 518144 --sha-w- c:\windows\system32\4.tmp 2009-08-13 02:30 . 2007-05-09 23:24 664 ----a-w- c:\windows\system32\d3d9caps.dat 2009-08-12 23:18 . 
2009-04-30 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-08-12 22:01 . 2005-05-20 18:29 -------- d-----w- c:\program files\Common Files\Symantec Shared 2009-08-12 15:21 . 2009-08-12 15:21 0 ----a-w- c:\windows\system32\25A.tmp 2009-08-10 20:11 . 2009-03-12 03:27 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire 2009-08-10 20:11 . 2009-03-12 03:27 -------- d-----w- c:\docume~1\Owner\APPLIC~1\LimeWire 2009-08-10 01:25 . 2009-04-30 01:46 -------- d-----w- c:\program files\MSECACHE 2009-08-09 16:35 . 2009-03-06 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-08-09 03:48 . 2009-08-08 22:35 2857 ----a-w- c:\windows\system32\nodes.txt.tmp 2009-08-05 09:01 . 2005-03-23 16:52 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-07-26 03:12 . 2005-05-20 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec 2009-07-17 19:01 . 2005-03-23 16:52 58880 ----a-w- c:\windows\system32\atl.dll 2009-07-13 14:08 . 2005-03-23 16:53 286720 ----a-w- c:\windows\system32\wmpdxm.dll 2009-07-11 14:59 . 2005-05-20 18:45 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-06-29 16:12 . 2005-03-23 16:53 827392 ----a-w- c:\windows\system32\wininet.dll 2009-06-29 16:12 . 2005-03-23 16:52 78336 ----a-w- c:\windows\system32\ieencode.dll 2009-06-29 16:12 . 2005-03-23 16:52 17408 ------w- c:\windows\system32\corpol.dll 2009-06-16 14:36 . 2005-03-23 16:52 119808 ----a-w- c:\windows\system32\t2embed.dll 2009-06-16 14:36 . 2005-03-23 16:52 81920 ----a-w- c:\windows\system32\fontsub.dll 2009-06-12 12:31 . 2005-03-23 16:52 76288 ----a-w- c:\windows\system32\telnet.exe 2009-06-10 14:13 . 2005-03-23 16:52 84992 ----a-w- c:\windows\system32\avifil32.dll 2009-06-10 13:19 . 2005-03-23 18:08 2066432 ----a-w- c:\windows\system32\mstscax.dll 2009-06-10 06:14 . 2005-03-23 16:53 132096 ----a-w- c:\windows\system32\wkssvc.dll 2009-06-03 19:09 . 
2005-03-23 16:52 1291264 ----a-w- c:\windows\system32\quartz.dll 2009-05-23 13:59 . 2009-01-24 02:22 202240 ----a-w- c:\windows\system32\Hotel For Dogs - Friday.scr 2007-07-20 15:13 . 2007-07-20 15:13 774144 ----a-w- c:\program files\RngInterstitial.dll 2008-06-27 18:59 . 2008-08-26 03:04 163840 ----a-w- c:\program files\mozilla firefox\components\nsgkff20_meter2.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-02 68856] "RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784] "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-12 136600] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-03 180269] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-10 1948440] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\60e7fa28654] 2009-08-08 00:01 122368 ----a-w- c:\windows\system32\dneinobj32.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-08-10 12:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] Domestic Security Version 4.87 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice] @="" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk] path=c:\documents and settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk backup=c:\windows\pss\LimeWire On Startup.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program Files\\ValuSoft\\Beyond Pearl Harbor Pacific Warriors\\Pacific Warriors.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/11/2009 9:00 
PM 130936] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/9/2009 12:36 PM 335752] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/9/2009 12:36 PM 108552] R1 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [7/7/2006 8:59 PM 1984] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/10/2009 8:53 AM 298776] R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/18/2009 11:17 PM 266240] S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/11/2009 8:59 PM 348752] . Contents of the 'Scheduled Tasks' folder 2009-08-13 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-26 01:31] 2009-08-13 c:\windows\Tasks\Norton Security Scan for Owner.job - c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-26 03:12] . - - - - ORPHANS REMOVED - - - - URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file) Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file) WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.google.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080 uInternet Settings,ProxyOverride = ams-server*;<local> uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} - hxxps://vserver01/VirtualServer/activex/VMRCActiveXClient.cab FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\4bi9ibcy.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-08-13 12:23 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\windows\system32\GroupPolicy000.dat 590 bytes c:\windows\system32\SystemX86 scan completed successfully hidden files: 2 ************************************************************************** . 
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3067963684-463181519-798121359-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\System32\dneinobj32.dll

- - - - - - - > 'explorer.exe'(2896)
c:\windows\system32\WININET.dll
c:\windows\System32\dneinobj32.dll
c:\windows\system32\4.tmp
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2009-08-13 12:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-13 16:29

Pre-Run: 61,369,217,024 bytes free
Post-Run: 61,984,526,336 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

260 --- E O F --- 2009-08-13 07:12
  4. OK - first is the MalwareBytes log followed by the HJT log. I keep getting inundated with pop-ups. Thanks for your help. -Lori ************************************** Malwarebytes' Anti-Malware 1.40 Database version: 2615 Windows 5.1.2600 Service Pack 3 8/13/2009 11:24:57 AM mbam-log-2009-08-13 (11-24-57).txt Scan type: Quick Scan Objects scanned: 97627 Time elapsed: 18 minute(s), 39 second(s) Memory Processes Infected: 0 Memory Modules Infected: 2 Registry Keys Infected: 1 Registry Values Infected: 3 Registry Data Items Infected: 0 Folders Infected: 1 Files Infected: 25 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\__c00B7E80.dat (Trojan.Downloader) -> Delete on reboot. C:\WINDOWS\system32\__c00F3500.dat (Trojan.Downloader) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00b7e80 (Trojan.Downloader) -> Delete on reboot. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f403b5.exe (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f19e83d8.exe (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f7d436.exe (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\WINDOWS\system32\SystemX86 (Worm.Archive) -> Quarantined and deleted successfully. Files Infected: C:\WINDOWS\system32\__c00B7E80.dat (Trojan.Downloader) -> Delete on reboot. C:\Documents and Settings\Owner\Local Settings\Temp\_A00F403B5.exe (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\_A00F19E83D8.exe (Trojan.Vundo) -> Quarantined and deleted successfully. 
C:\Documents and Settings\Owner\Local Settings\Temp\_A00F7D436.exe (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\__c0016100.dat (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINDOWS\system32\__c00F3500.dat (Trojan.Downloader) -> Delete on reboot. C:\Documents and Settings\Owner\Local Settings\Temp\10.tmp (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\11.tmp (Trojan.Agent) -> Delete on reboot. C:\Documents and Settings\Owner\Local Settings\Temp\15.tmp (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\SystemX86\253.crack.zip (Worm.Archive) -> Quarantined and deleted successfully. C:\WINDOWS\system32\SystemX86\253.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully. C:\WINDOWS\system32\SystemX86\254.keygen.zip (Worm.Archive) -> Quarantined and deleted successfully. C:\WINDOWS\system32\SystemX86\254.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully. C:\WINDOWS\system32\SystemX86\255.serial.zip (Worm.Archive) -> Quarantined and deleted successfully. C:\WINDOWS\system32\SystemX86\255.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully. C:\WINDOWS\system32\SystemX86\256.setup.zip (Worm.Archive) -> Quarantined and deleted successfully. C:\WINDOWS\system32\SystemX86\256.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully. C:\WINDOWS\system32\SystemX86\257.music.au (Worm.Archive) -> Quarantined and deleted successfully. C:\WINDOWS\system32\SystemX86\257.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully. C:\WINDOWS\system32\SystemX86\258.music2.au (Worm.Archive) -> Quarantined and deleted successfully. C:\WINDOWS\system32\SystemX86\258.music2.au.kwd (Worm.Archive) -> Quarantined and deleted successfully. C:\WINDOWS\system32\SystemX86\259.music3.au (Worm.Archive) -> Quarantined and deleted successfully. 
C:\WINDOWS\system32\SystemX86\259.music3.au.kwd (Worm.Archive) -> Quarantined and deleted successfully. C:\WINDOWS\system32\SystemX86\260.music.snd (Worm.Archive) -> Quarantined and deleted successfully. C:\WINDOWS\system32\SystemX86\260.music.snd.kwd (Worm.Archive) -> Quarantined and deleted successfully. ******************************************************************************** ***************** Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:34:14 AM, on 8/13/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16876) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\system32\CSHelper.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wdfmgr.exe C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\system32\msiexec.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Mozilla Firefox\firefox.exe 
C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*;<local> R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file) O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll O2 - BHO: Yahoo! 
Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll O3 - Toolbar: Yahoo! 
Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H O4 - HKCU\..\Run: [A00F1F509.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F1F509.exe O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Yahoo! 
Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing) O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://cdgtrain.duhs.duke.edu:8081/clinapp...intdll/smsx.cab O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n035p/EN/install/gtdownlr.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - https://vserver01/VirtualServer/activex/VMR...tiveXClient.cab O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon 
Notify: 60e7fa28654 - C:\WINDOWS\System32\dneinobj32.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O20 - Winlogon Notify: __c00E12BA - C:\WINDOWS\system32\__c00E12BA.dat O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O24 - Desktop Component 0: (no name) - http://car-racing-games.freeonlinegames.com/images/fogbg.gif -- End of file - 9558 bytes
  5. Thanks for your help!! HJT LOG: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:19:48 PM, on 8/12/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16876) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\system32\CSHelper.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wdfmgr.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Registry Mechanic\RegMech.exe C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\system32\cidaemon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*;<local> R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file) O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll O3 - Toolbar: Yahoo! 
Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H O4 - HKCU\..\Run: [A00F403B5.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F403B5.exe O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Startup: delrb.bat O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Yahoo! 
Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing) O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://cdgtrain.duhs.duke.edu:8081/clinapp...intdll/smsx.cab O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n035p/EN/install/gtdownlr.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - https://vserver01/VirtualServer/activex/VMR...tiveXClient.cab O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon 
Notify: 60e7fa28654 - C:\WINDOWS\System32\dneinobj32.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O20 - Winlogon Notify: __c00B7E80 - C:\WINDOWS\system32\__c00B7E80.dat O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. 
- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O24 - Desktop Component 0: (no name) - http://car-racing-games.freeonlinegames.com/images/fogbg.gif -- End of file - 9511 bytes MALWARE LOG: Malwarebytes' Anti-Malware 1.40 Database version: 2583 Windows 5.1.2600 Service Pack 3 (Safe Mode) 8/12/2009 8:43:55 PM mbam-log-2009-08-12 (20-43-55).txt Scan type: Quick Scan Objects scanned: 95276 Time elapsed: 11 minute(s), 54 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 1 Registry Values Infected: 5 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 6 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\__c00C2A5D.dat (Trojan.Downloader) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00c2a5d (Trojan.Downloader) -> Delete on reboot. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f5b9e1.exe (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00fe6378.exe (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f1e52b.exe (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f36216.exe (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f5492ebb.exe (Trojan.Vundo) -> Quarantined and deleted successfully. 
Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\__c00C2A5D.dat (Trojan.Downloader) -> Delete on reboot.
C:\temp\__c009835B.dat (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\85.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\A.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.