MBAM and HijackThis: Please help neither will run for me


Insomniac recommended I follow the instructions, so I am doing so to the T, lol. OK, so I downloaded both MBAM and HijackThis and attempted to install them as instructed, one at a time, and both acted the same: the file opened, asked if I wanted it to run, I clicked Run, and then it vanished. I waited a long while but nothing happened.

Please let me know what to do next.

Desperate,

Onyxia


  • 2 weeks later...

O.k. I tried two of the three because I could not get done what you instructed. I took a screen shot of RootRepeal and am adding it to this post because I just don't know what to do. The file highlighted is the only .sys I see, and I have tried to wipe it several times and still it comes back. As well, I try to install the mbam setup and I can see it running in my task manager, but only the first install screen pops up asking me to run or cancel, then nothing. So I thought maybe I should try procexp, because I did have that dang antivirus issue a month ago but went to another forum and they had a read-me that told how to delete it. Also I used Avira then, as it was the only thing that works on my computer. However, when I tried procexp I did not see anything like what was said, so now I am even more frustrated because I don't know what to do. Oh, also I tried to make a report from RootRepeal but it just keeps crashing and leaving me with these crash reports:

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x0040e8ea
Attempt to read from address: 0x00000014

O.k. so here is the screen shot :

post-11922-1239649570_thumb.jpg

I hope I did that right...

Hope you can help me .

Onyxia


  • Root Admin

Please see if you can get this to run or not. You can try it in Safe Mode and renaming it if you have to as well.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


  • Root Admin

Post re-opened by user request.

If you're unable to get any of those tools to run, then please download and burn this from a friend's computer or a work computer if you have to.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here.
  • Place a blank CD in your burner and double-click on the downloaded file named rescuecd.exe.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse, click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings.

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

  1. Please see the post here if you're unable to view the entire screen of Avira.
  2. You can also review this one: Fixed Rescue CD Resolution Probs with Dell Video
  3. Currently only the German keyboard is supported (Command Line not working). English keyboards require workarounds.
  4. Some computers attempt to mount the floppy even though they don't have one. You may need to go into the BIOS and disable the floppy drive in order to mount your hard drive for scanning.


O.k. I think I have a different version of Avira than you suggested; it asks at the end to end or see the report before, so I had copied the report and am pasting it here now. I hope this is o.k. because I don't know anyone around here with a computer and we live out in the sticks :D If there isn't anything you can do with this report, my friend says when he gets home (which is 4 hours away) he will send me a burned CD of the rescue Avira, but until then this is what I have for you.

Thank you

Onyxia

Avira AntiVir Personal
Report file date: Friday, April 17, 2009 21:40

Scanning for 1355927 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : PURPLENURPLE


Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +GAME,-HIDDENEXT,+JOKE,-PHISH,

Start of the scan: Friday, April 17, 2009 21:40

Starting search for hidden objects.
The repair notes were written to the file 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\PROFILES\AVSCAN-20090418-120611-FD35E0F0.avp'.

c:\windows\system32\drivers\uacbmlilrld.sys
    [INFO] The file is not visible.
    [DETECTION] Is the TR/Rootkit.Gen Trojan
    [NOTE] The file was moved to '4a4cfad0.qua'!
c:\windows\temp\uac1373.tmp
    [INFO] The file is not visible.
    [DETECTION] Is the TR/Rootkit.Gen Trojan
    [NOTE] The file was moved to '4a4cfad3.qua'!
c:\windows\temp\uac1577.tmp
    [INFO] The file is not visible.
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '49ae99c4.qua'!
c:\windows\system32\sdra64.exe
    [INFO] The file is not visible.
    [DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
    [INFO] No SpecVir entry was found!
c:\windows\system32\uacaetnowdd.log
    [INFO] The file is not visible.
c:\windows\system32\uacahjbxfyb.log
    [INFO] The file is not visible.
c:\windows\system32\uacbhulfbab.dat
    [INFO] The file is not visible.
c:\windows\system32\uacboscdjol.dll
    [INFO] The file is not visible.
    [DETECTION] Is the TR/PCK.Tdss.F.2164 Trojan
    [INFO] No SpecVir entry was found!
c:\windows\system32\uacbvfqrfsv.log
    [INFO] The file is not visible.
c:\windows\system32\uacftkpupib.log
    [INFO] The file is not visible.
c:\windows\system32\uacinit.dll
    [INFO] The file is not visible.
c:\windows\system32\uackpmetabt.log
    [INFO] The file is not visible.
c:\windows\system32\uackwsivycm.dll
    [INFO] The file is not visible.
    [DETECTION] Is the TR/Alureon.BF Trojan
    [INFO] No SpecVir entry was found!
c:\windows\system32\uacnnupeqpx.log
    [INFO] The file is not visible.
c:\windows\system32\uacoppfiqrg.dll
    [INFO] The file is not visible.
    [DETECTION] Is the TR/PCK.Tdss.F.2060 Trojan
    [INFO] No SpecVir entry was found!
c:\windows\system32\uacptjgpuyr.log
    [INFO] The file is not visible.
c:\windows\system32\uacqevpeton.log
    [INFO] The file is not visible.
c:\windows\system32\uacqthxyqem.log
    [INFO] The file is not visible.
c:\windows\system32\uacqyrudorx.dll
    [INFO] The file is not visible.
    [DETECTION] Is the TR/PCK.Tdss.F.2061 Trojan
    [INFO] No SpecVir entry was found!
c:\windows\system32\uacrlmydopm.log
    [INFO] The file is not visible.
c:\windows\system32\uacsdpbarmn.log
    [INFO] The file is not visible.
c:\windows\system32\uacsqfheteo.log
    [INFO] The file is not visible.
c:\windows\system32\uacssiiacxs.log
    [INFO] The file is not visible.
c:\windows\system32\uacuidtgqyr.log
    [INFO] The file is not visible.
c:\windows\system32\uacumisprgb.log
    [INFO] The file is not visible.
c:\windows\system32\uacwulkdqjh.dll
    [INFO] The file is not visible.
    [DETECTION] Is the TR/PCK.Tdss.F.2062 Trojan
    [INFO] No SpecVir entry was found!
c:\windows\system32\uacxexocecv.log
    [INFO] The file is not visible.
c:\windows\system32\uacxvampqvy.log
    [INFO] The file is not visible.
c:\windows\system32\uacybgwrhfo.log
    [INFO] The file is not visible.
c:\windows\system32\lowsec\local.ds
    [INFO] The file is not visible.
c:\windows\system32\lowsec\user.ds
    [INFO] The file is not visible.
c:\windows\temp\uac1894.tmp
    [INFO] The file is not visible.
    [DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
    [INFO] No SpecVir entry was found!
c:\windows\temp\uac1d95.tmp
    [INFO] The file is not visible.
    [DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
    [INFO] No SpecVir entry was found!
c:\windows\temp\uac240d.tmp
    [INFO] The file is not visible.
    [DETECTION] Is the TR/TDss.ror Trojan
    [INFO] No SpecVir entry was found!
c:\windows\temp\uac3265.tmp
    [INFO] The file is not visible.
    [DETECTION] Is the TR/Alureon.BF Trojan
    [INFO] No SpecVir entry was found!
c:\windows\temp\uac6220.tmp
    [INFO] The file is not visible.
    [DETECTION] Is the TR/TDss.66048 Trojan
    [INFO] No SpecVir entry was found!
c:\windows\temp\uac77f0.tmp
    [INFO] The file is not visible.
    [DETECTION] Is the TR/TDss.66048 Trojan
    [INFO] No SpecVir entry was found!
c:\windows\temp\uac7b07.tmp
    [INFO] The file is not visible.
    [DETECTION] Is the TR/TDss.66048 Trojan
    [INFO] No SpecVir entry was found!
c:\windows\temp\uac99cf.tmp
    [INFO] The file is not visible.
c:\windows\temp\uac9ba3.tmp
    [INFO] The file is not visible.
    [DETECTION] Is the TR/TDss.66048 Trojan
    [INFO] No SpecVir entry was found!
c:\windows\temp\uacba9.tmp
    [INFO] The file is not visible.
    [DETECTION] Is the TR/TDss.66048 Trojan
    [INFO] No SpecVir entry was found!
c:\windows\temp\uacc95a.tmp
    [INFO] The file is not visible.
c:\windows\temp\uacfba.tmp
    [INFO] The file is not visible.
c:\windows\system32\lowsec
    [INFO] The directory is not visible.
c:\documents and settings\all users\application data\pc tools\pc tools antivirus\temp\wdmain11.chm385\img\uaccent.gif
    [INFO] The file is not visible.
c:\documents and settings\all users\application data\pc tools\pc tools antivirus\temp\wdmain11.chm670\img\uaccent.gif
    [INFO] The file is not visible.
c:\documents and settings\all users\application data\pc tools\pc tools antivirus\temp\wdmain11.chm725\img\uaccent.gif
    [INFO] The file is not visible.
c:\documents and settings\all users\application data\pc tools\pc tools antivirus\temp\wdmain11.chm755\img\uaccent.gif
    [INFO] The file is not visible.
c:\documents and settings\cierra\local settings\temp\uac189d.tmp
    [INFO] The file is not visible.
    [DETECTION] Is the TR/PCK.Tdss.F.1738 Trojan
    [INFO] No SpecVir entry was found!
c:\documents and settings\cierra\local settings\temp\uac1be8.tmp
    [INFO] The file is not visible.
    [DETECTION] Is the TR/PCK.Tdss.F.1712 Trojan
    [INFO] No SpecVir entry was found!
c:\documents and settings\nem\local settings\temp\nsd106.tmp\uac.dll
    [INFO] The file is not visible.
c:\documents and settings\nem\local settings\temp\nsf1ee.tmp\uac.dll
    [INFO] The file is not visible.
c:\documents and settings\nem\local settings\temp\nsf6.tmp\uac.dll
    [INFO] The file is not visible.
c:\documents and settings\nem\local settings\temp\nslfb.tmp\uac.dll
    [INFO] The file is not visible.
c:\documents and settings\nem\local settings\temp\nsm177.tmp\uac.dll
    [INFO] The file is not visible.
c:\documents and settings\nem\local settings\temp\nsp1dc.tmp\uac.dll
    [INFO] The file is not visible.
c:\documents and settings\nem\local settings\temp\nss1e8.tmp\uac.dll
    [INFO] The file is not visible.
c:\documents and settings\nem\local settings\temp\nsv57.tmp\uac.dll
    [INFO] The file is not visible.
c:\documents and settings\temp\local settings\temp\uacf56b.tmp
    [INFO] The file is not visible.
c:\documents and settings\temp\local settings\temp\nsc15.tmp\uac.dll
    [INFO] The file is not visible.
c:\documents and settings\temp\local settings\temp\nsm1d.tmp\uac.dll
    [INFO] The file is not visible.
c:\documents and settings\temp\local settings\temp\nsn1b.tmp\uac.dll
    [INFO] The file is not visible.
c:\documents and settings\temp\local settings\temp\nsq11.tmp\uac.dll
    [INFO] The file is not visible.
c:\documents and settings\temp\local settings\temp\nss1d.tmp\uac.dll
    [INFO] The file is not visible.
c:\documents and settings\temp\local settings\temp\nsw12.tmp\uac.dll
    [INFO] The file is not visible.
c:\documents and settings\temp\local settings\temp\nsx27.tmp\uac.dll
    [INFO] The file is not visible.
c:\documents and settings\temp\local settings\temp\nsy37.tmp\uac.dll
    [INFO] The file is not visible.

End of the scan: Saturday, April 18, 2009 12:06
Used time: 14:25:46 Hour(s)

The scan has been done completely.

0 Scanned directories
67 Files were scanned
20 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
3 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
47 Files not concerned
0 Archives were scanned
0 Warnings
3 Notes
252860 Objects were scanned with rootkit scan
72 Hidden objects were found

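As an added example (not code from the thread, from Avira or from Malwarebytes), here is a small Python parser for the report format posted above: it groups each path with the status lines that follow it and separates what the scanner quarantined from what it only named, and from what was merely hidden with no detection at all. The sample input is copied from the report; the TDSS/Zbot family labels are a well-known association supplied here, not something the thread states.

```python
"""Group the hidden-object entries of an Avira AntiVir report (the format
posted above) and show what the scanner actually did about each one."""
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the report in the thread. The forum
# rendered "[INFO]" as "[iNFO]", so the tag is matched case-insensitively.
SAMPLE_REPORT = r"""
c:\windows\system32\drivers\uacbmlilrld.sys
[iNFO] The file is not visible.
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4a4cfad0.qua'!
c:\windows\system32\sdra64.exe
[iNFO] The file is not visible.
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[iNFO] No SpecVir entry was found!
c:\windows\system32\uacaetnowdd.log
[iNFO] The file is not visible.
c:\windows\system32\lowsec\local.ds
[iNFO] The file is not visible.
c:\windows\system32\lowsec
[iNFO] The directory is not visible.
"""

PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)  # a finding starts with a drive path
TAG_RE = re.compile(r"^\[(\w+)\]\s*(.*)$")         # [INFO]/[DETECTION]/[NOTE] lines


@dataclass
class Finding:
    path: str
    hidden: bool = False
    detections: list = field(default_factory=list)
    quarantined: bool = False


def parse_report(text):
    """Attach each bracketed status line to the path line that precedes it."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = Finding(path=line)
            findings.append(current)
            continue
        m = TAG_RE.match(line)
        if not m or current is None:
            continue  # header or summary text outside any finding
        tag, msg = m.group(1).upper(), m.group(2)
        if tag == "INFO" and "not visible" in msg:
            current.hidden = True
        elif tag == "DETECTION":
            current.detections.append(msg)
        elif tag == "NOTE" and "moved to" in msg:
            current.quarantined = True
    return findings


def classify(findings):
    """Bucket by outcome: quarantined, named but left in place, hidden with
    no signature at all (these are what keeps 'coming back'), or other."""
    buckets = {"quarantined": [], "detected_not_removed": [],
               "hidden_undetected": [], "other": []}
    for f in findings:
        if f.quarantined:
            buckets["quarantined"].append(f.path)
        elif f.detections:
            buckets["detected_not_removed"].append(f.path)
        elif f.hidden:
            buckets["hidden_undetected"].append(f.path)
        else:
            buckets["other"].append(f.path)
    return buckets


def family_hint(path):
    """Well-known naming patterns (an association added here, not stated in
    the thread). The UAC prefix is the TDSS/Alureon variant the report names;
    the extension filter keeps the log's benign 'uaccent.gif' out. sdra64.exe
    plus the lowsec\\local.ds / user.ds pair is the classic Zbot layout."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name.startswith("uac") and name.endswith((".sys", ".dll", ".dat", ".log", ".tmp")):
        return "TDSS (UAC variant)"
    if name == "sdra64.exe" or "\\lowsec" in p:
        return "Zbot (sdra64/lowsec)"
    return None


def summarize(text):
    """Counts per bucket plus the total number of hidden objects."""
    findings = parse_report(text)
    counts = {k: len(v) for k, v in classify(findings).items()}
    counts["hidden_total"] = sum(1 for f in findings if f.hidden)
    return counts
```

Run against the full report, the gap between `hidden_total` and the quarantined count is the set of components a signature scan leaves in place, which is why deleting the detected ones by hand did not hold.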

I was hoping the above information I posted from a report off of Avira after scanning my computer would help you to help me fix what is wrong in my computer.

My computer does boot up, so until it stops booting on its own I don't think I can use the rescue one you had recommended, so I installed Avira Personal in hopes something could be done. Currently (while waiting for a reply) I am attempting to run scans and take down each virus it detects. I tried this once before to see if I could remove each by hand, but for someone that is not a tech you can imagine what a long and tedious, impossible task this is, lol, but you can't blame one for trying. However, my attempts to remove them all failed, as they just came back every time I deleted them. Also you should know that in the end, when it is done scanning and the window pops up asking the four questions (move to quarantine, copy to quarantine, ignore, delete), I have tried each to see if I could get rid of the problem, but again the same ones keep returning >.< three that say they are Windows files. So I have taken screen shots of these as well, seeing as you can't get a report from this portion of the scan. If you need any of this info I am more than willing to post it. Anyway, I wanted to get an update up so that you knew I was still here waiting and having difficulties. Again, thank you for all that you do here.

Onyxia


Whooooh! Yay, now we are talking! Pardon the excitement, but I took your advice on changing the file name, and after changing it several times over an 8 and a half hour period, restarting a dozen times or so, it finally ran, though I had a little trouble and I am not sure what the effect will be, as in Safe Mode my computer will not connect to the net and my restore point is not working, and when I downloaded it and tried to place it in the ComboFix file as instructed it would not work; there was no restore point. Don't know how bad that is, but hey, I finally got ComboFix to run. Oh, and don't rename the file "tree"; it makes you change it to have numbers and letters >.< Odd. Anyway, I think this is where I now post the report.... Also I am sure it deleted several hundred files O_O but whatever works, right? OK, so here is the file. I will be on at 6am EST tomorrow and all day awaiting the results, as I plan on doing nothing more on the computer until I am told what else needs doing. Thank you again and again for your help.

Onyxia

ComboFix 09-04-18.01 - Administrator 04/21/2009 0:02.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.138 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\gerrrrrrr.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\ChkDisk.lnk

c:\documents and settings\Cierra\Application Data\sdra64.exe

c:\documents and settings\Guest\Application Data\sdra64.exe

c:\documents and settings\Nem\Application Data\Internet Antivirus Pro

c:\documents and settings\Nem\Application Data\Internet Antivirus Pro\db\config.cfg

c:\documents and settings\Nem\Application Data\sdra64.exe

c:\documents and settings\Nem\Start Menu\Programs\Startup\ChkDisk.lnk

c:\documents and settings\TEMP\Application Data\Internet Antivirus Pro

c:\documents and settings\TEMP\Application Data\Internet Antivirus Pro\db\config.cfg

c:\program files\FunWebProducts

c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html

c:\program files\FunWebProducts\Shared\Cache\MailStampBtn.html

c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn.html

c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html

c:\program files\Internet Explorer\msimg32.dll

c:\program files\MyWebSearch

c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL

c:\program files\MyWebSearch\bar\2.bin\MWSBAR.DLL

c:\program files\MyWebSearch\bar\3.bin\F3BKGERR.JPG

c:\program files\MyWebSearch\bar\3.bin\F3BROVLY.DLL

c:\program files\MyWebSearch\bar\3.bin\F3CJPEG.DLL

c:\program files\MyWebSearch\bar\3.bin\F3DTACTL.DLL

c:\program files\MyWebSearch\bar\3.bin\F3HISTSW.DLL

c:\program files\MyWebSearch\bar\3.bin\F3HTMLMU.DLL

c:\program files\MyWebSearch\bar\3.bin\F3HTTPCT.DLL

c:\program files\MyWebSearch\bar\3.bin\F3IMSTUB.DLL

c:\program files\MyWebSearch\bar\3.bin\F3POPSWT.DLL

c:\program files\MyWebSearch\bar\3.bin\F3PSSAVR.SCR

c:\program files\MyWebSearch\bar\3.bin\F3REPROX.DLL

c:\program files\MyWebSearch\bar\3.bin\F3RESTUB.DLL

c:\program files\MyWebSearch\bar\3.bin\F3SCHMON.EXE

c:\program files\MyWebSearch\bar\3.bin\F3SCRCTR.DLL

c:\program files\MyWebSearch\bar\3.bin\F3SHLLVW.DLL

c:\program files\MyWebSearch\bar\3.bin\F3SPACER.WMV

c:\program files\MyWebSearch\bar\3.bin\F3WALLPP.DAT

c:\program files\MyWebSearch\bar\3.bin\F3WPHOOK.DLL

c:\program files\MyWebSearch\bar\3.bin\M3FFXTBR.JAR

c:\program files\MyWebSearch\bar\3.bin\M3FFXTBR.MANIFEST

c:\program files\MyWebSearch\bar\3.bin\M3HTML.DLL

c:\program files\MyWebSearch\bar\3.bin\M3IDLE.DLL

c:\program files\MyWebSearch\bar\3.bin\M3IMPIPE.EXE

c:\program files\MyWebSearch\bar\3.bin\M3MSG.DLL

c:\program files\MyWebSearch\bar\3.bin\M3NTSTBR.JAR

c:\program files\MyWebSearch\bar\3.bin\M3NTSTBR.MANIFEST

c:\program files\MyWebSearch\bar\3.bin\M3OUTLCN.DLL

c:\program files\MyWebSearch\bar\3.bin\M3PLUGIN.DLL

c:\program files\MyWebSearch\bar\3.bin\M3SKIN.DLL

c:\program files\MyWebSearch\bar\3.bin\M3SKPLAY.EXE

c:\program files\MyWebSearch\bar\3.bin\M3SLSRCH.EXE

c:\program files\MyWebSearch\bar\3.bin\M3SRCHMN.EXE

c:\program files\MyWebSearch\bar\3.bin\MWSOEPLG.DLL

c:\program files\MyWebSearch\bar\3.bin\MWSOESTB.DLL

c:\program files\MyWebSearch\bar\3.bin\NPMYWEBS.DLL

c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S

c:\program files\MyWebSearch\bar\Avatar\COMMON\avatar.htm

c:\program files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\common-x.css

c:\program files\MyWebSearch\bar\Avatar\COMMON\common.css

c:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\include.js

c:\program files\MyWebSearch\bar\Avatar\COMMON\index.htm

c:\program files\MyWebSearch\bar\Avatar\COMMON\loader.htm

c:\program files\MyWebSearch\bar\Avatar\COMMON\loading.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\logo.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\max_def.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\min_def.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\noflash.htm

c:\program files\MyWebSearch\bar\Avatar\COMMON\res_def.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.swf

c:\program files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\window.ico

c:\program files\MyWebSearch\bar\Cache\08EB37D8.bin

c:\program files\MyWebSearch\bar\Cache\08EB397E.bin

c:\program files\MyWebSearch\bar\Cache\08EB4620.bin

c:\program files\MyWebSearch\bar\Cache\08EB4788.bin

c:\program files\MyWebSearch\bar\Cache\23F8BCE3

c:\program files\MyWebSearch\bar\Cache\23F8C0AC

c:\program files\MyWebSearch\bar\Cache\23F8C2DF.bin

c:\program files\MyWebSearch\bar\Cache\23F8C475.bin

c:\program files\MyWebSearch\bar\Cache\23F8C5DC.bin

c:\program files\MyWebSearch\bar\Cache\23F8C7FF.bin

c:\program files\MyWebSearch\bar\Cache\23F8C8CA.bin

c:\program files\MyWebSearch\bar\Cache\files.ini

c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S

c:\program files\MyWebSearch\bar\Game\CHESS.F3S

c:\program files\MyWebSearch\bar\Game\REVERSI.F3S

c:\program files\MyWebSearch\bar\History\search2

c:\program files\MyWebSearch\bar\icons\CM.ICO

c:\program files\MyWebSearch\bar\icons\MFC.ICO

c:\program files\MyWebSearch\bar\icons\PSS.ICO

c:\program files\MyWebSearch\bar\icons\SMILEY.ICO

c:\program files\MyWebSearch\bar\icons\WB.ICO

c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO

c:\program files\MyWebSearch\bar\Message\COMMON.F3S

c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S

c:\program files\MyWebSearch\bar\Notifier\DOG.F3S

c:\program files\MyWebSearch\bar\Notifier\FISH.F3S

c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S

c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S

c:\program files\MyWebSearch\bar\Notifier\MAID.F3S

c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S

c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S

c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S

c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S

c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S

c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm

c:\program files\MyWebSearch\bar\Settings\s_pid.dat

c:\windows\MSAGENT\cvmsksdi.bak1

c:\windows\MSAGENT\cvmsksdi.bak2

c:\windows\MSAGENT\cvmsksdi.ini

c:\windows\patch.exe

c:\windows\system32\comrepl.exe

c:\windows\system32\drivers\fad.sys

c:\windows\system32\drivers\UACbmlilrld.sys

c:\windows\system32\f3PSSavr.scr

c:\windows\system32\lowsec

c:\windows\system32\lowsec\local.ds

c:\windows\system32\lowsec\user.ds

c:\windows\system32\mcrh.tmp

c:\windows\system32\mtyxojse.ini

c:\windows\system32\sdra64.exe

c:\windows\system32\UACbhulfbab.dat

c:\windows\system32\UACboscdjol.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACkpmetabt.log

c:\windows\system32\UACkwsivycm.dll

c:\windows\system32\UACoppfiqrg.dll

c:\windows\system32\UACqyrudorx.dll

c:\windows\system32\UACwulkdqjh.dll

c:\windows\system32\UACxjakvqks.log

c:\windows\system32\UACybgwrhfo.log

c:\windows\system32\lvkneti.dll . . . . failed to delete

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_ZOQTJZHT

-------\Service_zoqtjzht

((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))

.

8002-01-01 05:37 . 8002-01-01 05:37 -------- d-----w c:\documents and settings\Nem\Application Data\jjvoohnm

8002-01-01 05:37 . 8002-01-01 05:37 -------- d-----w c:\documents and settings\Nem\Local Settings\Application Data\jjvoohnm

8002-01-01 05:05 . 8002-01-01 05:05 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\jjvoohnm

2009-04-21 03:52 . 2009-04-21 03:52 552 ----a-w c:\windows\system32\d3d8caps.dat

2009-04-21 03:37 . 2009-04-21 03:37 -------- d-----w C:\whyme43

2009-04-21 03:21 . 2009-04-21 03:33 -------- d-----w C:\tree

2009-04-21 03:19 . 2009-04-21 03:20 -------- d-----w C:\Combo

2009-04-21 03:16 . 2009-04-21 03:17 -------- d-----w C:\32788R22FWJFW.2.tmp

2009-04-21 01:56 . 2009-04-21 01:58 -------- d-----w C:\32788R22FWJFW.1.tmp

2009-04-21 00:38 . 2009-04-21 00:38 127 ----a-w c:\documents and settings\TEMP\Local Settings\Application Data\fusioncache.dat

2009-04-20 23:39 . 2009-04-20 23:42 -------- d-----w C:\32788R22FWJFW.0.tmp

2009-04-20 17:23 . 2009-04-20 17:23 -------- d-----w c:\program files\Trend Micro

2009-04-17 21:24 . 2009-04-17 21:24 118 ----a-w c:\windows\system32\MRT.INI

2009-04-17 20:55 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll

2009-04-17 20:55 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll

2009-04-17 20:55 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-17 20:55 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll

2009-04-17 20:55 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe

2009-04-17 20:55 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-17 20:55 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll

2009-04-17 20:55 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll

2009-04-17 20:55 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll

2009-04-17 20:54 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-04-17 20:54 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb

2009-04-17 20:54 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

2009-04-04 14:24 . 2009-04-04 14:24 -------- d-----w c:\documents and settings\TEMP\Local Settings\Application Data\jjvoohnm

2009-04-04 14:24 . 2009-04-04 14:24 -------- d-----w c:\documents and settings\TEMP\Application Data\jjvoohnm

2009-04-01 19:56 . 2009-04-01 19:56 -------- d-----w c:\documents and settings\Cierra\Local Settings\Application Data\Google

2009-03-29 11:59 . 2009-03-29 11:59 -------- d-----w c:\documents and settings\Guest\Local Settings\Application Data\Mozilla

2009-03-29 11:59 . 2009-03-29 11:59 -------- d-----w c:\documents and settings\Guest\Local Settings\Application Data\Identities

2009-03-29 11:58 . 2009-03-29 11:58 -------- d-----w c:\documents and settings\Guest\Application Data\Windows Desktop Search

2009-03-29 11:57 . 2009-03-29 11:57 -------- d-----w c:\documents and settings\Guest\Local Settings\Application Data\Google

2009-03-29 06:24 . 2009-02-13 15:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys

2009-03-28 17:45 . 2009-03-28 17:45 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-03-27 23:23 . 2009-03-27 23:23 -------- d-----w c:\documents and settings\Nem\Application Data\PC Tools

2009-03-27 23:22 . 2009-03-27 23:22 -------- d-----w c:\documents and settings\Nem\Local Settings\Application Data\Google

2009-03-27 02:54 . 2009-03-27 02:54 -------- d-----w c:\documents and settings\TEMP\Application Data\PC Tools

2009-03-27 02:49 . 2009-03-29 06:03 -------- d-----w c:\program files\PC Tools AntiVirus

2009-03-27 02:49 . 2009-03-29 06:03 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools

2009-03-26 23:19 . 2009-03-29 05:59 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-03-26 23:16 . 2009-03-27 01:40 -------- d-----w c:\documents and settings\All Users\Application Data\Skype

2009-03-26 23:13 . 2009-03-26 23:13 -------- d-----w c:\documents and settings\TEMP\Local Settings\Application Data\Google

2009-03-25 22:13 . 2009-03-25 22:13 -------- d-----w c:\documents and settings\Cierra\Local Settings\Application Data\jjvoohnm

2009-03-25 22:13 . 2009-03-25 22:13 -------- d-----w c:\documents and settings\Cierra\Application Data\jjvoohnm

2009-03-24 18:01 . 2009-03-24 18:02 -------- d-----w c:\documents and settings\TEMP\Application Data\AdwareAlert

2009-03-24 17:35 . 2009-03-24 17:35 -------- d-----w c:\documents and settings\Administrator\Application Data\Windows Search

2009-03-22 19:10 . 2009-03-22 19:10 -------- d-----w c:\program files\WinPcap

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

5254-07-29 19:55 . 2009-01-11 16:01 -------- d-----w c:\documents and settings\TEMP\Application Data\Gtek

5254-07-29 19:55 . 2005-05-21 00:20 -------- d--ha-w c:\documents and settings\All Users\Application Data\GTek

5254-07-29 19:54 . 2006-08-22 22:49 -------- d-----w c:\program files\Brother

5254-07-29 19:54 . 2004-05-10 19:16 -------- d--h--w c:\program files\InstallShield Installation Information

5254-07-29 19:54 . 2004-05-10 18:50 -------- d-----w c:\program files\Common Files\InstallShield

2009-04-21 04:07 . 2003-03-31 12:00 106496 ----a-w c:\windows\SYSTEM32\urppbyq.dll

2009-04-21 03:29 . 2009-03-24 17:32 78440 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-17 22:56 . 2004-05-10 19:12 -------- d-----w c:\program files\Java

2009-04-17 22:43 . 2004-05-13 19:41 -------- d-----w c:\program files\Common Files\Symantec Shared

2009-03-28 16:14 . 2009-01-11 16:01 78440 ----a-w c:\documents and settings\TEMP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-03-27 19:15 . 2004-06-13 20:15 -------- d-----w c:\program files\Google

2009-03-26 22:43 . 2004-05-21 15:50 -------- d-----w c:\program files\PerfectNav

2009-03-26 21:58 . 2008-12-29 04:33 -------- d-----w c:\documents and settings\All Users\Application Data\avg8

2009-03-22 12:31 . 2009-03-16 19:10 -------- d-sh--w c:\documents and settings\Cierra\Application Data\lowsec

2009-03-22 09:59 . 2009-03-11 05:38 -------- d-sh--w c:\documents and settings\Nem\Application Data\lowsec

2009-03-13 19:22 . 2009-01-14 01:19 -------- d-----w c:\documents and settings\Cierra\Application Data\IMVU

2009-03-09 09:19 . 2009-01-03 15:36 410984 ----a-w c:\windows\SYSTEM32\deploytk.dll

2009-03-06 14:22 . 2003-03-31 12:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll

2009-03-03 00:18 . 2003-03-31 12:00 826368 ----a-w c:\windows\SYSTEM32\wininet.dll

2009-02-20 18:09 . 2004-08-04 07:56 78336 ------w c:\windows\SYSTEM32\ieencode.dll

2009-02-20 17:45 . 2009-01-14 01:17 -------- d-----w c:\documents and settings\Cierra\Application Data\IMVUClient

2009-02-09 12:10 . 2003-03-31 12:00 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll

2009-02-09 12:10 . 2003-03-31 12:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll

2009-02-09 12:10 . 2003-03-31 12:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll

2009-02-09 12:10 . 2003-03-31 12:00 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll

2009-02-09 11:13 . 2003-03-31 12:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys

2009-02-07 23:02 . 2002-08-29 01:04 2066048 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe

2009-02-06 11:11 . 2003-03-31 12:00 110592 ----a-w c:\windows\SYSTEM32\services.exe

2009-02-06 11:08 . 2003-03-31 12:00 2189056 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe

2009-02-06 10:39 . 2003-03-31 12:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe

2009-02-03 19:59 . 2003-03-31 12:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll

2009-01-03 08:44 . 2009-01-03 01:14 2086700 ----a-w c:\program files\Common Files\InternetAntivirusPro.exe

2006-01-06 18:31 . 2006-01-06 18:31 346 -c-ha-w c:\documents and settings\Liz Cardinale\hpothb07.dat

2006-01-06 18:31 . 2006-01-06 18:31 0 -c-ha-w c:\documents and settings\Guest\hpothb07.dat

2006-01-06 18:31 . 2009-03-24 17:32 0 ---ha-w c:\documents and settings\Administrator\hpothb07.dat

2006-01-06 18:31 . 2009-01-14 01:03 0 ---ha-w c:\documents and settings\Cierra\hpothb07.dat

2006-01-06 18:31 . 2009-01-11 16:01 0 ---ha-w c:\documents and settings\TEMP\hpothb07.dat

2006-01-06 18:31 . 2009-01-07 19:51 0 ---ha-w c:\documents and settings\Nem\hpothb07.dat

2006-01-06 18:31 . 2006-01-06 18:31 164 -c-ha-w c:\documents and settings\All Users\hpothb07.dat

2006-01-06 18:31 . 2006-01-06 18:31 0 -c-ha-w c:\documents and settings\Default User\hpothb07.dat

2004-05-10 19:28 . 2009-01-14 01:03 40080 ----a-w c:\documents and settings\Cierra\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2004-05-10 19:28 . 2009-01-07 19:51 40080 ----a-w c:\documents and settings\Nem\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2004-05-10 19:28 . 2004-11-13 00:20 40080 -c--a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2006-04-04 17:00 . 2006-04-04 17:00 659852 -csh--w c:\windows\SYSTEM32\orqss.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E5C09E5-35C2-4847-9DA2-77EAF4D4AA60}]

2003-03-31 12:00 106496 ----a-w c:\windows\system32\lvkneti.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-26 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-10 77824]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\qsb.exe" [2009-03-26 68592]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-13 54472]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2007-8-3 921707]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]

2006-10-12 13:42 450649 ----a-r c:\windows\SYSTEM32\PRISMAPI.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Broadband Networking.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk

backup=c:\windows\pss\Microsoft Broadband Networking.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Liz Cardinale^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

path=c:\documents and settings\Liz Cardinale\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]

2003-08-13 15:27 28672 -c--a-w c:\windows\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2004-11-02 13:59 126976 ----a-w c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2004-11-02 14:03 155648 ----a-w c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]

2003-09-04 01:12 221184 -c--a-w c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 --sh--w c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2004-05-10 19:19 77824 ----a-w c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe"=

"c:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe"=

"c:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe"=

"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"=

"c:\\StubInstaller.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"59110:TCP"= 59110:TCP:Pando Media Booster

"59110:UDP"= 59110:UDP:Pando Media Booster

R2 DP1112;DP1112; [x]

R2 ITGrdEngine;Guard Service; [x]

S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]

S2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.EXE [2006-10-12 61529]

.

Contents of the 'Scheduled Tasks' folder

2005-07-01 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-05-13 22:38]

.

- - - - ORPHANS REMOVED - - - -

BHO-{ABC42510-9B22-41c1-9DCD-8182A2D07C63} - c:\windows\system32\iehelper.dll

BHO-{CDBD4782-BDBD-4AF1-88E6-890F0FC7BCFE} - c:\windows\msagent\idsksmvc.dll

HKCU-Run-system tool - c:\windows\sysguard.exe

HKCU-Run-AdwareAlert - c:\program files\AdwareAlert\AdwareAlert.exe

Notify-idsksmvc - c:\windows\msagent\idsksmvc.dll

MSConfigStartUp-AIM - c:\program files\AIM\aim.exe

MSConfigStartUp-alchem - c:\windows\alchem.exe

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe

MSConfigStartUp-ccRegVfy - c:\program files\Common Files\Symantec Shared\ccRegVfy.exe

MSConfigStartUp-DellSupport - c:\program files\Dell Support\DSAgnt.exe

MSConfigStartUp-dla - c:\windows\system32\dla\tfswctrl.exe

MSConfigStartUp-enstoj - c:\windows\enstoj.exe

MSConfigStartUp-mmtask - c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

MSConfigStartUp-msnappau - c:\program files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe

MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe

MSConfigStartUp-My Web Search Bar - c:\progra~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL

MSConfigStartUp-NAV CfgWiz - c:\progra~1\NORTON~1\Cfgwiz.exe

MSConfigStartUp-ntjrgvqnvmr - c:\windows\System32\atywsq.exe

MSConfigStartUp-PCMService - c:\program files\Dell\Media Experience\PCMService.exe

MSConfigStartUp-PCShield - c:\windows\system32\sfg_086a.dll

MSConfigStartUp-poluvwb - c:\windows\poluvwb.exe

MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe

MSConfigStartUp-Spyware Begone - c:\freescan\freescan.exe

MSConfigStartUp-Spyware Doctor - c:\program files\Spyware Doctor\swdoctor.exe

MSConfigStartUp-StorageGuard - c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

MSConfigStartUp-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

MSConfigStartUp-zzzHPSETUP - D:\Setup.exe

.

------- Supplementary Scan -------

.

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\TEMP\Start Menu\Programs\IMVU\Run IMVU.lnk

Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\TEMP\Application Data\Mozilla\Firefox\Profiles\16guxzcg.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-21 00:18

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

@DACL=(02 0000)

@=""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)

c:\windows\system32\PRISMAPI.DLL

- - - - - - - > 'explorer.exe'(1092)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\SYSTEM32\brss01a.exe

c:\program files\LSI SoftModem\agrsmsvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\SYSTEM32\PRISMSVR.exe

c:\windows\SYSTEM32\searchindexer.exe

.

**************************************************************************

.

Completion time: 2009-04-21 0:22 - machine was rebooted [Liz Cardinale]

ComboFix-quarantined-files.txt 2009-04-21 04:22

Pre-Run: 60,197,969,920 bytes free

Post-Run: 60,532,862,976 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5

414 --- E O F --- 2009-04-17 21:25


  • Root Admin

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

File::
c:\windows\SYSTEM32\urppbyq.dll
c:\windows\system32\lvkneti.dll
c:\program files\Common Files\InternetAntivirusPro.exe
c:\documents and settings\Liz Cardinale\hpothb07.dat
c:\documents and settings\Guest\hpothb07.dat
c:\documents and settings\Administrator\hpothb07.dat
c:\documents and settings\Cierra\hpothb07.dat
c:\documents and settings\TEMP\hpothb07.dat
c:\documents and settings\Nem\hpothb07.dat
c:\documents and settings\All Users\hpothb07.dat
c:\documents and settings\Default User\hpothb07.dat
c:\windows\SYSTEM32\orqss.tmp
c:\windows\system32\drivers\npf.sys
c:\documents and settings\TEMP\Start Menu\Programs\IMVU\Run IMVU.lnk
c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll


Folder::
C:\32788R22FWJFW.0.tmp
C:\32788R22FWJFW.1.tmp
C:\32788R22FWJFW.2.tmp

Driver::
DP1112
ITGrdEngine
npf

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E5C09E5-35C2-4847-9DA2-77EAF4D4AA60}]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

[image: CFScript.gif]

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

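As an added example (not part of this thread and not ComboFix's own code), here is a small Python checker for ComboFix logs like the ones posted here: it reads the File:: entries echoed from the CFScript, looks in the "Other Deletions" section for which of them were removed and which came back as "failed to delete", and flags file-listing entries whose timestamps cannot be real (years like 5254 or 8002 as in the Find3M and Files Created sections). The sample log is constructed, abridged from this thread; the section-header patterns are assumptions taken from the format shown.

```python
"""Check a ComboFix log against the CFScript it was run with (added example)."""
from __future__ import annotations
import re

# Constructed sample: abridged from the ComboFix output quoted in this thread.
SAMPLE_LOG = r"""ComboFix 09-04-21.A2 - Liz Cardinale 04/21/2009 6:56.2 - NTFSx86
Command switches used :: c:\documents and settings\TEMP\Desktop\CFscript.txt.txt

FILE ::
c:\program files\Common Files\InternetAntivirusPro.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\lvkneti.dll
c:\windows\SYSTEM32\orqss.tmp
c:\windows\SYSTEM32\urppbyq.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Common Files\InternetAntivirusPro.exe
c:\windows\system32\drivers\npf.sys
c:\windows\SYSTEM32\orqss.tmp
c:\windows\system32\lvkneti.dll . . . . failed to delete
c:\windows\SYSTEM32\urppbyq.dll . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.
8002-01-01 05:37 . 8002-01-01 05:37 -------- d-----w c:\documents and settings\Nem\Application Data\jjvoohnm
2009-04-21 03:52 . 2009-04-21 03:52 552 ----a-w c:\windows\system32\d3d8caps.dat
"""

# Header patterns are assumptions drawn from the log format shown in the thread.
SECTION_RE = re.compile(r"^[-( ]+([A-Za-z][^()]*?)[-) ]+$")   # (((( Name )))) or ---- Name ----
FILE_HDR_RE = re.compile(r"^FILE\s*::\s*$", re.IGNORECASE)    # echo of the CFScript File:: list
FAILED_RE = re.compile(r"^(.*?)\s+(?:\.\s*)+failed to delete\s*$", re.IGNORECASE)
ENTRY_RE = re.compile(      # "created . modified size attrs path" listing line
    r"^(\d{4})-\d{2}-\d{2} \d{2}:\d{2} \. (\d{4})-\d{2}-\d{2} \d{2}:\d{2}\s+\S+\s+\S+\s+(.+)$"
)


def split_sections(log: str) -> dict[str, list[str]]:
    """Group non-empty log lines under the section header they follow."""
    sections: dict[str, list[str]] = {}
    current = "preamble"
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix uses lone dots as spacers
            continue
        if FILE_HDR_RE.match(line):
            current = "FILE"
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections.setdefault(current, []).append(line)
    return sections


def file_outcomes(sections: dict[str, list[str]]) -> dict[str, str]:
    """Map each File:: entry to 'deleted', 'failed' or 'not reported'. Keys are
    lower-cased: NTFS names are case-insensitive and ComboFix mixes SYSTEM32/system32."""
    failed, deleted = set(), set()
    for line in sections.get("Other Deletions", []):
        m = FAILED_RE.match(line)
        (failed if m else deleted).add((m.group(1) if m else line).lower())
    result = {}
    for path in sections.get("FILE", []):
        key = path.lower()
        result[key] = "failed" if key in failed else "deleted" if key in deleted else "not reported"
    return result


def implausible_timestamps(sections, low: int = 1990, high: int = 2100) -> list[str]:
    """Paths in the file-listing sections whose created/modified year is outside
    [low, high]; such stamps cannot be genuine and deserve a closer look."""
    hits = []
    for name, lines in sections.items():
        if not (name.startswith("Files Created") or name == "Find3M Report"):
            continue
        for line in lines:
            m = ENTRY_RE.match(line)
            if m and not all(low <= int(y) <= high for y in (m.group(1), m.group(2))):
                hits.append(m.group(3))
    return hits


def summarize(log: str) -> dict[str, int]:
    """Counts a helper can read at a glance to see what a re-run still has to target."""
    sections = split_sections(log)
    outcomes = file_outcomes(sections)
    counts = {s: sum(v == s for v in outcomes.values())
              for s in ("deleted", "failed", "not reported")}
    counts["implausible timestamps"] = len(implausible_timestamps(sections))
    return counts


if __name__ == "__main__":
    secs = split_sections(SAMPLE_LOG)
    for path, status in file_outcomes(secs).items():
        print(f"{status:13s} {path}")
    for path in implausible_timestamps(secs):
        print(f"odd timestamp {path}")
    print(summarize(SAMPLE_LOG))
```

For the sample above the two DLLs that the log marks "failed to delete" are the ones the thread's next fix has to address, and the 8002-dated jjvoohnm folder is the only timestamp flagged.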

O.k., great work. I didn't have to go into Safe Mode this time and the restore point installed, so here is the new ComboFix post, and on to the next step.

Thank you again :D

Onyxia

ComboFix 09-04-21.A2 - Liz Cardinale 04/21/2009 6:56.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.83 [GMT -4:00]

Running from: c:\documents and settings\TEMP\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\TEMP\Desktop\CFscript.txt.txt

* Created a new restore point

FILE ::

c:\documents and settings\Administrator\hpothb07.dat

c:\documents and settings\All Users\hpothb07.dat

c:\documents and settings\Cierra\hpothb07.dat

c:\documents and settings\Default User\hpothb07.dat

c:\documents and settings\Guest\hpothb07.dat

c:\documents and settings\Liz Cardinale\hpothb07.dat

c:\documents and settings\Nem\hpothb07.dat

c:\documents and settings\TEMP\hpothb07.dat

c:\documents and settings\TEMP\Start Menu\Programs\IMVU\Run IMVU.lnk

c:\program files\Common Files\InternetAntivirusPro.exe

c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll

c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

c:\windows\system32\drivers\npf.sys

c:\windows\system32\lvkneti.dll

c:\windows\SYSTEM32\orqss.tmp

c:\windows\SYSTEM32\urppbyq.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\32788R22FWJFW.0.tmp

c:\32788r22fwjfw.0.tmp\License\Curl - license.txt

c:\32788r22fwjfw.0.tmp\License\dumphive-license.txt

c:\32788r22fwjfw.0.tmp\License\EXTRACT.TXT

c:\32788r22fwjfw.0.tmp\License\FI - license.txt

c:\32788r22fwjfw.0.tmp\License\mtee.txt.txt

c:\32788r22fwjfw.0.tmp\License\pv_5_2_2.zip

c:\32788r22fwjfw.0.tmp\License\streamtools.zip

c:\32788r22fwjfw.0.tmp\License\UnxUtilsDist.html

c:\32788r22fwjfw.0.tmp\License\Zip - license.txt

c:\32788r22fwjfw.0.tmp\N_\14300

c:\32788r22fwjfw.0.tmp\N_\19233

c:\32788r22fwjfw.0.tmp\N_\22241

c:\32788r22fwjfw.0.tmp\N_\25201

c:\32788r22fwjfw.0.tmp\N_\30504

c:\32788r22fwjfw.0.tmp\N_\N

c:\32788r22fwjfw.0.tmp\pev.cfexe

c:\32788r22fwjfw.0.tmp\pev.exe

c:\32788r22fwjfw.0.tmp\Policies.dat

c:\32788r22fwjfw.0.tmp\Prep.cmd

c:\32788r22fwjfw.0.tmp\Prep.inf

c:\32788r22fwjfw.0.tmp\psexec.cfexe

c:\32788r22fwjfw.0.tmp\Purity.dat

c:\32788r22fwjfw.0.tmp\pv.cfexe

c:\32788r22fwjfw.0.tmp\pv.exe

c:\32788r22fwjfw.0.tmp\RCLink

c:\32788r22fwjfw.0.tmp\REGDACL.sed

c:\32788r22fwjfw.0.tmp\RegDo.sed

c:\32788r22fwjfw.0.tmp\region.dat

c:\32788r22fwjfw.0.tmp\RegScan.cmd

c:\32788r22fwjfw.0.tmp\Resident.txt

c:\32788r22fwjfw.0.tmp\restore_pt.vbs

c:\32788r22fwjfw.0.tmp\RestoreO4.bat

c:\32788r22fwjfw.0.tmp\Rkey.cmd

c:\32788r22fwjfw.0.tmp\rogues.dat

c:\32788r22fwjfw.0.tmp\run2.sed

c:\32788r22fwjfw.0.tmp\safeboot.dat

c:\32788r22fwjfw.0.tmp\safeboot.def.dat

c:\32788r22fwjfw.0.tmp\safeboot.def.vista.dat

c:\32788r22fwjfw.0.tmp\SafeBootRepair.bat

c:\32788r22fwjfw.0.tmp\sed.cfexe

c:\32788r22fwjfw.0.tmp\SetEnvmt.bat

c:\32788r22fwjfw.0.tmp\setpath.cfexe

c:\32788r22fwjfw.0.tmp\SF.exe

c:\32788r22fwjfw.0.tmp\sfx.cmd

c:\32788r22fwjfw.0.tmp\SnapShot.cmd

c:\32788r22fwjfw.0.tmp\SRestore.cmd

c:\32788r22fwjfw.0.tmp\srizbi.md5

c:\32788r22fwjfw.0.tmp\SuppScan.cmd

c:\32788r22fwjfw.0.tmp\svc_wht.dat

c:\32788r22fwjfw.0.tmp\SvcDrv.vbs

c:\32788r22fwjfw.0.tmp\svchost.dat

c:\32788r22fwjfw.0.tmp\svchost.vista.dat

c:\32788r22fwjfw.0.tmp\swreg.exe

c:\32788r22fwjfw.0.tmp\swsc.cfexe

c:\32788r22fwjfw.0.tmp\swxcacls.cfexe

c:\32788r22fwjfw.0.tmp\system_ini.dat

c:\32788r22fwjfw.0.tmp\tail.cfexe

c:\32788r22fwjfw.0.tmp\toolbar.sed

c:\32788r22fwjfw.0.tmp\unzip.cfexe

c:\32788r22fwjfw.0.tmp\Update-CF.cmd

c:\32788r22fwjfw.0.tmp\vistareg.dat

c:\32788r22fwjfw.0.tmp\w2kreg.dat

c:\32788r22fwjfw.0.tmp\xpreg.dat

c:\32788r22fwjfw.0.tmp\zDomain.dat

c:\32788r22fwjfw.0.tmp\zhsvc.dat

c:\32788r22fwjfw.0.tmp\zip.cfexe

C:\32788R22FWJFW.1.tmp

c:\32788r22fwjfw.1.tmp\License\Curl - license.txt

c:\32788r22fwjfw.1.tmp\License\dumphive-license.txt

c:\32788r22fwjfw.1.tmp\License\EXTRACT.TXT

c:\32788r22fwjfw.1.tmp\License\FI - license.txt

c:\32788r22fwjfw.1.tmp\License\mtee.txt.txt

c:\32788r22fwjfw.1.tmp\License\pv_5_2_2.zip

c:\32788r22fwjfw.1.tmp\License\streamtools.zip

c:\32788r22fwjfw.1.tmp\License\UnxUtilsDist.html

c:\32788r22fwjfw.1.tmp\License\Zip - license.txt

c:\32788r22fwjfw.1.tmp\N_\11600

c:\32788r22fwjfw.1.tmp\N_\19948

c:\32788r22fwjfw.1.tmp\N_\20471

c:\32788r22fwjfw.1.tmp\N_\29394

c:\32788r22fwjfw.1.tmp\N_\31949

c:\32788r22fwjfw.1.tmp\N_\32424

c:\32788r22fwjfw.1.tmp\N_\5371

c:\32788r22fwjfw.1.tmp\N_\N

c:\32788r22fwjfw.1.tmp\pev.cfexe

c:\32788r22fwjfw.1.tmp\pev.exe

c:\32788r22fwjfw.1.tmp\Policies.dat

c:\32788r22fwjfw.1.tmp\Prep.cmd

c:\32788r22fwjfw.1.tmp\Prep.inf

c:\32788r22fwjfw.1.tmp\psexec.cfexe

c:\32788r22fwjfw.1.tmp\Purity.dat

c:\32788r22fwjfw.1.tmp\pv.cfexe

c:\32788r22fwjfw.1.tmp\pv.exe

c:\32788r22fwjfw.1.tmp\RCLink

c:\32788r22fwjfw.1.tmp\REGDACL.sed

c:\32788r22fwjfw.1.tmp\RegDo.sed

c:\32788r22fwjfw.1.tmp\region.dat

c:\32788r22fwjfw.1.tmp\RegScan.cmd

c:\32788r22fwjfw.1.tmp\Resident.txt

c:\32788r22fwjfw.1.tmp\restore_pt.vbs

c:\32788r22fwjfw.1.tmp\RestoreO4.bat

c:\32788r22fwjfw.1.tmp\Rkey.cmd

c:\32788r22fwjfw.1.tmp\rogues.dat

c:\32788r22fwjfw.1.tmp\run2.sed

c:\32788r22fwjfw.1.tmp\safeboot.dat

c:\32788r22fwjfw.1.tmp\safeboot.def.dat

c:\32788r22fwjfw.1.tmp\safeboot.def.vista.dat

c:\32788r22fwjfw.1.tmp\SafeBootRepair.bat

c:\32788r22fwjfw.1.tmp\sed.cfexe

c:\32788r22fwjfw.1.tmp\SetEnvmt.bat

c:\32788r22fwjfw.1.tmp\setpath.cfexe

c:\32788r22fwjfw.1.tmp\SF.exe

c:\32788r22fwjfw.1.tmp\sfx.cmd

c:\32788r22fwjfw.1.tmp\SnapShot.cmd

c:\32788r22fwjfw.1.tmp\SRestore.cmd

c:\32788r22fwjfw.1.tmp\srizbi.md5

c:\32788r22fwjfw.1.tmp\SuppScan.cmd

c:\32788r22fwjfw.1.tmp\svc_wht.dat

c:\32788r22fwjfw.1.tmp\SvcDrv.vbs

c:\32788r22fwjfw.1.tmp\svchost.dat

c:\32788r22fwjfw.1.tmp\svchost.vista.dat

c:\32788r22fwjfw.1.tmp\swreg.exe

c:\32788r22fwjfw.1.tmp\swsc.cfexe

c:\32788r22fwjfw.1.tmp\swxcacls.cfexe

c:\32788r22fwjfw.1.tmp\system_ini.dat

c:\32788r22fwjfw.1.tmp\tail.cfexe

c:\32788r22fwjfw.1.tmp\toolbar.sed

c:\32788r22fwjfw.1.tmp\unzip.cfexe

c:\32788r22fwjfw.1.tmp\Update-CF.cmd

c:\32788r22fwjfw.1.tmp\vistareg.dat

c:\32788r22fwjfw.1.tmp\w2kreg.dat

c:\32788r22fwjfw.1.tmp\xpreg.dat

c:\32788r22fwjfw.1.tmp\zDomain.dat

c:\32788r22fwjfw.1.tmp\zhsvc.dat

c:\32788r22fwjfw.1.tmp\zip.cfexe

C:\32788R22FWJFW.2.tmp

c:\32788r22fwjfw.2.tmp\License\Curl - license.txt

c:\32788r22fwjfw.2.tmp\License\dumphive-license.txt

c:\32788r22fwjfw.2.tmp\License\EXTRACT.TXT

c:\32788r22fwjfw.2.tmp\License\FI - license.txt

c:\32788r22fwjfw.2.tmp\License\mtee.txt.txt

c:\32788r22fwjfw.2.tmp\License\pv_5_2_2.zip

c:\32788r22fwjfw.2.tmp\License\streamtools.zip

c:\32788r22fwjfw.2.tmp\License\UnxUtilsDist.html

c:\32788r22fwjfw.2.tmp\License\Zip - license.txt

c:\32788r22fwjfw.2.tmp\N_\18983

c:\32788r22fwjfw.2.tmp\N_\2043

c:\32788r22fwjfw.2.tmp\N_\26796

c:\32788r22fwjfw.2.tmp\N_\28378

c:\32788r22fwjfw.2.tmp\N_\32757

c:\32788r22fwjfw.2.tmp\N_\N

c:\32788r22fwjfw.2.tmp\pev.cfexe

c:\32788r22fwjfw.2.tmp\pev.exe

c:\32788r22fwjfw.2.tmp\Policies.dat

c:\32788r22fwjfw.2.tmp\Prep.cmd

c:\32788r22fwjfw.2.tmp\Prep.inf

c:\32788r22fwjfw.2.tmp\psexec.cfexe

c:\32788r22fwjfw.2.tmp\Purity.dat

c:\32788r22fwjfw.2.tmp\pv.cfexe

c:\32788r22fwjfw.2.tmp\RCLink

c:\32788r22fwjfw.2.tmp\REGDACL.sed

c:\32788r22fwjfw.2.tmp\RegDo.sed

c:\32788r22fwjfw.2.tmp\region.dat

c:\32788r22fwjfw.2.tmp\RegScan.cmd

c:\32788r22fwjfw.2.tmp\Resident.txt

c:\32788r22fwjfw.2.tmp\restore_pt.vbs

c:\32788r22fwjfw.2.tmp\RestoreO4.bat

c:\32788r22fwjfw.2.tmp\Rkey.cmd

c:\32788r22fwjfw.2.tmp\rogues.dat

c:\32788r22fwjfw.2.tmp\run2.sed

c:\32788r22fwjfw.2.tmp\safeboot.dat

c:\32788r22fwjfw.2.tmp\safeboot.def.dat

c:\32788r22fwjfw.2.tmp\safeboot.def.vista.dat

c:\32788r22fwjfw.2.tmp\SafeBootRepair.bat

c:\32788r22fwjfw.2.tmp\sed.cfexe

c:\32788r22fwjfw.2.tmp\SetEnvmt.bat

c:\32788r22fwjfw.2.tmp\setpath.cfexe

c:\32788r22fwjfw.2.tmp\SF.exe

c:\32788r22fwjfw.2.tmp\sfx.cmd

c:\32788r22fwjfw.2.tmp\SnapShot.cmd

c:\32788r22fwjfw.2.tmp\SRestore.cmd

c:\32788r22fwjfw.2.tmp\srizbi.md5

c:\32788r22fwjfw.2.tmp\SuppScan.cmd

c:\32788r22fwjfw.2.tmp\svc_wht.dat

c:\32788r22fwjfw.2.tmp\SvcDrv.vbs

c:\32788r22fwjfw.2.tmp\svchost.dat

c:\32788r22fwjfw.2.tmp\svchost.vista.dat

c:\32788r22fwjfw.2.tmp\swreg.exe

c:\32788r22fwjfw.2.tmp\swsc.cfexe

c:\32788r22fwjfw.2.tmp\swxcacls.cfexe

c:\32788r22fwjfw.2.tmp\system_ini.dat

c:\32788r22fwjfw.2.tmp\tail.cfexe

c:\32788r22fwjfw.2.tmp\toolbar.sed

c:\32788r22fwjfw.2.tmp\unzip.cfexe

c:\32788r22fwjfw.2.tmp\Update-CF.cmd

c:\32788r22fwjfw.2.tmp\vistareg.dat

c:\32788r22fwjfw.2.tmp\w2kreg.dat

c:\32788r22fwjfw.2.tmp\xpreg.dat

c:\32788r22fwjfw.2.tmp\zDomain.dat

c:\32788r22fwjfw.2.tmp\zhsvc.dat

c:\32788r22fwjfw.2.tmp\zip.cfexe

c:\documents and settings\Administrator\hpothb07.dat

c:\documents and settings\All Users\hpothb07.dat

c:\documents and settings\Cierra\hpothb07.dat

c:\documents and settings\Default User\hpothb07.dat

c:\documents and settings\Guest\hpothb07.dat

c:\documents and settings\Liz Cardinale\Application Data\FunWebProducts

c:\documents and settings\Liz Cardinale\Application Data\FunWebProducts\Data\Liz Cardinale\avatar.dat

c:\documents and settings\Liz Cardinale\Application Data\Internet Antivirus Pro

c:\documents and settings\Liz Cardinale\Application Data\Internet Antivirus Pro\db\config.cfg

c:\documents and settings\Liz Cardinale\Application Data\Internet Antivirus Pro\db\Urls.inf

c:\documents and settings\Liz Cardinale\Application Data\Internet Antivirus Pro\settings.ini

c:\documents and settings\Liz Cardinale\Application Data\Internet Antivirus Pro\uill.ini

c:\documents and settings\Liz Cardinale\Application Data\Internet Antivirus Pro\unins000.exe

c:\documents and settings\Liz Cardinale\Application Data\Internet Antivirus Pro\Uninstall Internet Antivirus Pro.lnk

c:\documents and settings\Liz Cardinale\hpothb07.dat

c:\documents and settings\Liz Cardinale\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe

c:\documents and settings\Nem\hpothb07.dat

c:\documents and settings\TEMP\hpothb07.dat

c:\program files\Common Files\InternetAntivirusPro.exe

c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll

c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

c:\windows\system32\drivers\npf.sys

c:\windows\SYSTEM32\orqss.tmp

c:\windows\system32\lvkneti.dll . . . . failed to delete

c:\windows\SYSTEM32\urppbyq.dll . . . . failed to delete

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_DP1112

-------\Legacy_ITGRDENGINE

-------\Legacy_NPF

-------\Service_DP1112

-------\Service_ITGrdEngine

-------\Service_npf

((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))

.

8002-01-01 05:37 . 8002-01-01 05:37 -------- d-----w c:\documents and settings\Nem\Application Data\jjvoohnm

8002-01-01 05:37 . 8002-01-01 05:37 -------- d-----w c:\documents and settings\Nem\Local Settings\Application Data\jjvoohnm

8002-01-01 05:05 . 8002-01-01 05:05 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\jjvoohnm

8002-01-01 05:05 . 8002-01-01 05:05 -------- d-----w c:\documents and settings\NetworkService\Application Data\jjvoohnm

2009-04-21 03:52 . 2009-04-21 03:52 552 ----a-w c:\windows\system32\d3d8caps.dat

2009-04-21 03:37 . 2009-04-21 03:37 -------- d-----w C:\whyme43

2009-04-21 03:21 . 2009-04-21 03:33 -------- d-----w C:\tree

2009-04-21 03:19 . 2009-04-21 03:20 -------- d-----w C:\Combo

2009-04-21 00:38 . 2009-04-21 00:38 127 ----a-w c:\documents and settings\TEMP\Local Settings\Application Data\fusioncache.dat

2009-04-20 17:23 . 2009-04-20 17:23 -------- d-----w c:\program files\Trend Micro

2009-04-17 21:24 . 2009-04-17 21:24 118 ----a-w c:\windows\system32\MRT.INI

2009-04-17 20:55 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll

2009-04-17 20:55 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll

2009-04-17 20:55 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-17 20:55 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll

2009-04-17 20:55 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe

2009-04-17 20:55 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-17 20:55 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll

2009-04-17 20:55 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll

2009-04-17 20:55 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll

2009-04-17 20:54 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-04-17 20:54 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb

2009-04-17 20:54 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

2009-04-04 14:24 . 2009-04-04 14:24 -------- d-----w c:\documents and settings\TEMP\Local Settings\Application Data\jjvoohnm

2009-04-04 14:24 . 2009-04-04 14:24 -------- d-----w c:\documents and settings\TEMP\Application Data\jjvoohnm

2009-04-01 19:56 . 2009-04-01 19:56 -------- d-----w c:\documents and settings\Cierra\Local Settings\Application Data\Google

2009-03-29 11:59 . 2009-03-29 11:59 -------- d-----w c:\documents and settings\Guest\Local Settings\Application Data\Mozilla

2009-03-29 11:59 . 2009-03-29 11:59 -------- d-----w c:\documents and settings\Guest\Local Settings\Application Data\Identities

2009-03-29 11:58 . 2009-03-29 11:58 -------- d-----w c:\documents and settings\Guest\Application Data\Windows Desktop Search

2009-03-29 11:57 . 2009-03-29 11:57 -------- d-----w c:\documents and settings\Guest\Local Settings\Application Data\Google

2009-03-29 06:24 . 2009-02-13 15:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys

2009-03-28 17:45 . 2009-03-28 17:45 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-03-27 23:23 . 2009-03-27 23:23 -------- d-----w c:\documents and settings\Nem\Application Data\PC Tools

2009-03-27 23:22 . 2009-03-27 23:22 -------- d-----w c:\documents and settings\Nem\Local Settings\Application Data\Google

2009-03-27 02:54 . 2009-03-27 02:54 -------- d-----w c:\documents and settings\TEMP\Application Data\PC Tools

2009-03-27 02:49 . 2009-03-29 06:03 -------- d-----w c:\program files\PC Tools AntiVirus

2009-03-27 02:49 . 2009-03-29 06:03 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools

2009-03-26 23:19 . 2009-03-29 05:59 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-03-26 23:16 . 2009-03-27 01:40 -------- d-----w c:\documents and settings\All Users\Application Data\Skype

2009-03-26 23:13 . 2009-03-26 23:13 -------- d-----w c:\documents and settings\TEMP\Local Settings\Application Data\Google

2009-03-25 22:13 . 2009-03-25 22:13 -------- d-----w c:\documents and settings\Cierra\Local Settings\Application Data\jjvoohnm

2009-03-25 22:13 . 2009-03-25 22:13 -------- d-----w c:\documents and settings\Cierra\Application Data\jjvoohnm

2009-03-24 18:01 . 2009-03-24 18:02 -------- d-----w c:\documents and settings\TEMP\Application Data\AdwareAlert

2009-03-24 17:35 . 2009-03-24 17:35 -------- d-----w c:\documents and settings\Administrator\Application Data\Windows Search

2009-03-22 19:10 . 2009-03-22 19:10 -------- d-----w c:\program files\WinPcap

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

5254-07-29 19:55 . 2009-01-11 16:01 -------- d-----w c:\documents and settings\TEMP\Application Data\Gtek

5254-07-29 19:55 . 2005-05-21 00:20 -------- d--h--w c:\documents and settings\Liz Cardinale\Application Data\GTek

5254-07-29 19:55 . 2005-05-21 00:20 -------- d--ha-w c:\documents and settings\All Users\Application Data\GTek

5254-07-29 19:54 . 2006-08-22 22:49 -------- d-----w c:\program files\Brother

5254-07-29 19:54 . 2004-05-10 19:16 -------- d--h--w c:\program files\InstallShield Installation Information

5254-07-29 19:54 . 2004-05-10 18:50 -------- d-----w c:\program files\Common Files\InstallShield

2009-04-21 04:07 . 2003-03-31 12:00 106496 ----a-w c:\windows\SYSTEM32\urppbyq.dll

2009-04-21 03:29 . 2009-03-24 17:32 78440 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-17 22:56 . 2004-05-10 19:12 -------- d-----w c:\program files\Java

2009-04-17 22:43 . 2004-05-13 19:41 -------- d-----w c:\program files\Common Files\Symantec Shared

2009-03-28 16:14 . 2009-01-11 16:01 78440 ----a-w c:\documents and settings\TEMP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-03-27 19:15 . 2004-06-13 20:15 -------- d-----w c:\program files\Google

2009-03-26 22:43 . 2004-05-21 15:50 -------- d-----w c:\program files\PerfectNav

2009-03-26 21:58 . 2008-12-29 04:33 -------- d-----w c:\documents and settings\All Users\Application Data\avg8

2009-03-22 12:31 . 2009-03-16 19:10 -------- d-sh--w c:\documents and settings\Cierra\Application Data\lowsec

2009-03-22 09:59 . 2009-03-11 05:38 -------- d-sh--w c:\documents and settings\Nem\Application Data\lowsec

2009-03-13 19:22 . 2009-01-14 01:19 -------- d-----w c:\documents and settings\Cierra\Application Data\IMVU

2009-03-09 09:19 . 2009-01-03 15:36 410984 ----a-w c:\windows\SYSTEM32\deploytk.dll

2009-03-06 14:22 . 2003-03-31 12:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll

2009-03-03 00:18 . 2003-03-31 12:00 826368 ----a-w c:\windows\SYSTEM32\wininet.dll

2009-02-20 18:09 . 2004-08-04 07:56 78336 ------w c:\windows\SYSTEM32\ieencode.dll

2009-02-20 17:45 . 2009-01-14 01:17 -------- d-----w c:\documents and settings\Cierra\Application Data\IMVUClient

2009-02-09 12:10 . 2003-03-31 12:00 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll

2009-02-09 12:10 . 2003-03-31 12:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll

2009-02-09 12:10 . 2003-03-31 12:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll

2009-02-09 12:10 . 2003-03-31 12:00 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll

2009-02-09 11:13 . 2003-03-31 12:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys

2009-02-07 23:02 . 2002-08-29 01:04 2066048 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe

2009-02-06 11:11 . 2003-03-31 12:00 110592 ----a-w c:\windows\SYSTEM32\services.exe

2009-02-06 11:08 . 2003-03-31 12:00 2189056 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe

2009-02-06 10:39 . 2003-03-31 12:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe

2009-02-03 19:59 . 2003-03-31 12:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll

2009-01-06 20:30 . 2004-05-13 18:37 78440 -c--a-w c:\documents and settings\Liz Cardinale\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2004-05-31 19:43 . 2004-05-31 19:43 136 -c--a-w c:\documents and settings\Liz Cardinale\Local Settings\Application Data\fusioncache.dat

2004-05-10 19:28 . 2009-01-14 01:03 40080 ----a-w c:\documents and settings\Cierra\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2004-05-10 19:28 . 2009-01-07 19:51 40080 ----a-w c:\documents and settings\Nem\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2004-05-10 19:28 . 2004-11-13 00:20 40080 -c--a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((( SnapShot@2009-04-21_04.18.23 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-04-21 11:08 . 2009-04-21 11:08 16384 c:\windows\temp\Perflib_Perfdata_154.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E5C09E5-35C2-4847-9DA2-77EAF4D4AA60}]

2003-03-31 12:00 106496 ----a-w c:\windows\system32\lvkneti.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-26 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-10 77824]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\qsb.exe" [2009-03-26 68592]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-13 54472]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2007-8-3 921707]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]

2006-10-12 13:42 450649 ----a-r c:\windows\SYSTEM32\PRISMAPI.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"wave1"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Broadband Networking.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk

backup=c:\windows\pss\Microsoft Broadband Networking.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Liz Cardinale^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

path=c:\documents and settings\Liz Cardinale\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe"=

"c:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe"=

"c:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe"=

"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"=

"c:\\StubInstaller.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"59110:TCP"= 59110:TCP:Pando Media Booster

"59110:UDP"= 59110:UDP:Pando Media Booster

S0 weihbfcn;weihbfcn;c:\windows\system32\drivers\weihbfcn.sys [2003-03-31 23424]

S2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.EXE [2006-10-12 61529]

.

Contents of the 'Scheduled Tasks' folder

2005-07-01 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-05-13 22:38]

.

.

------- Supplementary Scan -------

.

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\TEMP\Start Menu\Programs\IMVU\Run IMVU.lnk

Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\TEMP\Application Data\Mozilla\Firefox\Profiles\16guxzcg.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-21 07:09

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)

c:\windows\system32\PRISMAPI.DLL

- - - - - - - > 'explorer.exe'(3868)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\SYSTEM32\brss01a.exe

c:\program files\LSI SoftModem\agrsmsvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\SYSTEM32\PRISMSVR.exe

c:\windows\SYSTEM32\searchindexer.exe

.

**************************************************************************

.

Completion time: 2009-04-21 7:14 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-21 11:13

ComboFix2.txt 2009-04-21 04:22

Pre-Run: 60,496,400,384 bytes free

Post-Run: 60,693,856,256 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5

473 --- E O F --- 2009-04-17 21:25

MBAM log file

Malwarebytes' Anti-Malware 1.36

Database version: 2019

Windows 5.1.2600 Service Pack 3

4/21/2009 7:34:05 AM

mbam-log-2009-04-21 (07-34-05).txt

Scan type: Quick Scan

Objects scanned: 96791

Time elapsed: 6 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 105

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 4

Files Infected: 27

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e5c09e5-35c2-4847-9da2-77eaf4d4aa60} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{5e5c09e5-35c2-4847-9da2-77eaf4d4aa60} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.htmlmenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.shellviewcontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproducts.shellviewcontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\mywebsearch.outlookaddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\mywebsearch.outlookaddin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{2763e333-b168-41a0-a112-d35f96f410c0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{38a7c9da-8db7-4d0f-a7b1-c4b1a305bddb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{8d292ec0-6792-4a38-82ed-73a087e41ba6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{d778513b-1c40-4819-b0c5-49e40b39afd0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{07b18ea0-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{3e720450-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{621feacd-8857-43a6-ae26-451d670d5370} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{98635087-3f5d-418f-990c-b1efe0797a3b} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\internet antivirus pro_is1 (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-f3embed (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\All Users\Start Menu\Programs\Internet Antivirus Pro (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.

C:\Documents and Settings\TEMP\Application Data\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\TEMP\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\TEMP\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Files Infected:

c:\WINDOWS\SYSTEM32\lvkneti.dll (Trojan.BHO.H) -> Delete on reboot.

C:\Documents and Settings\All Users\Start Menu\Programs\Internet Antivirus Pro\Internet Antivirus Pro Home Page.lnk (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Internet Antivirus Pro\Internet Antivirus Pro.lnk (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Internet Antivirus Pro\Purchase License.lnk (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.

C:\Documents and Settings\TEMP\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\TEMP\Application Data\AdwareAlert\Log\2009 Mar 24 - 02_01_44 PM_046.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\TEMP\Application Data\AdwareAlert\Log\2009 Mar 26 - 06_06_21 PM_578.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\TEMP\Application Data\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Liz Cardinale\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Antivirus Pro.lnk (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.

C:\Documents and Settings\Liz Cardinale\Local Settings\Application Data\Microsoft\Windows\pguard.ini (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACaetnowdd.log (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACahjbxfyb.log (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACbvfqrfsv.log (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACftkpupib.log (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACsqfheteo.log (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACnnupeqpx.log (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACptjgpuyr.log (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACqevpeton.log (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACqthxyqem.log (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACrlmydopm.log (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACsdpbarmn.log (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACssiiacxs.log (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACuidtgqyr.log (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACumisprgb.log (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACxexocecv.log (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACxvampqvy.log (Trojan.Agent) -> Quarantined and deleted successfully.


HJT log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:40:10 AM, on 4/21/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\brss01a.exe

C:\Program Files\LSI SoftModem\agrsmsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\PRISMSVC.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\PRISMSVR.EXE

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: (no name) - {5E5C09E5-35C2-4847-9DA2-77EAF4D4AA60} - c:\windows\system32\lvkneti.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\qsb.exe" /autorun

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\TEMP\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1240274284718

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1240273345531

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE

--

End of file - 6354 bytes


  • Root Admin

STEP 01

Please go into the Control Panel, Add/Remove, and for now remove ALL versions of JAVA.

Then run this tool to help clean up any leftover Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.
  • Then look for the following Java folders and if found delete them:
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

STEP 02

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop.
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

STEP 03

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Admin).
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware: select the Update tab and click Update.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

STEP 04

Please create a BOOTLOG
  • Search for this file and if found please delete it: C:\Windows\ntbtlog.txt
  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  • Select the "Enable Boot Logging" option and press Enter.
  • Windows prompts you to select a Windows installation (even if there is only one Windows installation).
  • This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows.

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Wed Apr 22 07:51:00 2009

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610002

Found and removed: Software\Classes\JavaPlugin.160_02

------------------------------------

Finished reporting.

DDS (Ver_09-03-16.01) - NTFSx86

Run by Liz Cardinale at 10:42:40.40 on Wed 04/22/2009

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.71 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\brss01a.exe

svchost.exe

C:\Program Files\LSI SoftModem\agrsmsvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\PRISMSVC.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\PRISMSVR.EXE

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Dell Wireless\PRISMCFG.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\TEMP\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File

BHO: : {5e5c09e5-35c2-4847-9da2-77eaf4d4aa60} - c:\windows\system32\lvkneti.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_9993303B90FE6C1D.dll

TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [Google Quick Search Box] "c:\program files\google\quick search box\qsb.exe" /autorun

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto

dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\dell wireless\PRISMCFG.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\temp\start menu\programs\imvu\Run IMVU.lnk

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1240274284718

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240273345531

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_9993303B90FE6C1D.dll

Notify: igfxcui - igfxsrvc.dll

Notify: PRISMAPI.DLL - PRISMAPI.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\temp\applic~1\mozilla\firefox\profiles\16guxzcg.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

============= SERVICES / DRIVERS ===============

R0 weihbfcn;weihbfcn;c:\windows\system32\drivers\weihbfcn.sys [2003-3-31 23424]

R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2007-8-3 61529]

=============== Created Last 30 ================

2009-04-21 13:16 27,496 a------- c:\windows\system32\mucltui.dll.mui

2009-04-21 13:16 268,648 a------- c:\windows\system32\mucltui.dll

2009-04-21 07:21 <DIR> --d----- c:\docume~1\temp\applic~1\Malwarebytes

2009-04-21 07:20 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-04-21 07:20 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-21 07:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-04-21 07:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-04-21 06:46 <DIR> a-dshr-- C:\cmdcons

2009-04-20 23:52 552 a------- c:\windows\system32\d3d8caps.dat

2009-04-20 23:37 <DIR> --d----- C:\whyme43

2009-04-20 23:21 <DIR> --d----- C:\tree

2009-04-20 23:19 <DIR> --d----- C:\Combo

2009-04-20 19:43 161,792 a------- c:\windows\SWREG.exe

2009-04-20 19:43 98,816 a------- c:\windows\sed.exe

2009-04-20 13:23 <DIR> --d----- c:\program files\Trend Micro

2009-04-17 17:24 118 a------- c:\windows\system32\MRT.INI

2009-04-17 16:55 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll

2009-04-17 16:55 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-17 16:55 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll

2009-04-17 16:55 284,160 -c------ c:\windows\system32\dllcache\pdh.dll

2009-04-17 16:55 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe

2009-04-17 16:55 110,592 -c------ c:\windows\system32\dllcache\services.exe

2009-04-17 16:55 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll

2009-04-17 16:55 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll

2009-04-17 16:55 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll

2009-04-17 16:54 2,560 -------- c:\windows\system32\xpsp4res.dll

2009-04-17 16:54 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb

2009-04-17 16:54 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe

2009-04-04 10:24 <DIR> --d----- c:\docume~1\temp\applic~1\jjvoohnm

2009-03-29 02:24 55,640 a------- c:\windows\system32\drivers\avgntflt.sys

2009-03-26 22:54 <DIR> --d----- c:\docume~1\temp\applic~1\PC Tools

2009-03-26 22:49 <DIR> --d----- c:\program files\PC Tools AntiVirus

2009-03-26 22:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools

==================== Find3M ====================

2009-04-21 00:07 106,496 a------- c:\windows\system32\urppbyq.dll

2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll

2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll

2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll

2009-02-20 14:09 78,336 -------- c:\windows\system32\ieencode.dll

2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll

2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll

2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll

2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll

2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys

2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe

2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe

2009-02-06 07:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe

2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe

2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 10:43:26.70 ===============


Malwarebytes' Anti-Malware 1.36

Database version: 2026

Windows 5.1.2600 Service Pack 3

4/22/2009 11:00:37 AM

mbam-log-2009-04-22 (11-00-37).txt

Scan type: Quick Scan

Objects scanned: 97104

Time elapsed: 6 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e5c09e5-35c2-4847-9da2-77eaf4d4aa60} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{5e5c09e5-35c2-4847-9da2-77eaf4d4aa60} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\SYSTEM32\lvkneti.dll (Trojan.BHO.H) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:05:29 AM, on 4/22/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\brss01a.exe

C:\Program Files\LSI SoftModem\agrsmsvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\PRISMSVC.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\PRISMSVR.EXE

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Dell Wireless\PRISMCFG.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: (no name) - {5E5C09E5-35C2-4847-9DA2-77EAF4D4AA60} - c:\windows\system32\lvkneti.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\qsb.exe" /autorun

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\TEMP\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1240274284718

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1240273345531

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE

--

End of file - 6026 bytes

(I accidentally overlooked two steps and had to go back and redo them. I hope this did not affect the order of things, but after missing the steps I did go back and do them in order. Thanks ever so much,

Onyxia)

Attach.zip
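The HijackThis O2 entries and the Malwarebytes detections posted above can be read together mechanically. The following is an added example, not code from this thread, from Malwarebytes or from Trend Micro: it parses the O2 (BHO) lines of a HijackThis log and the detection lines of a Malwarebytes log, then lists BHOs that are orphaned, unnamed but still backed by a DLL, or flagged by Malwarebytes. The sample lines are copied from the logs in this thread; the "orphaned" and "unnamed" heuristics are the example's own, not the tools'.

```python
import re

# Sample lines copied from the HijackThis log posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {5E5C09E5-35C2-4847-9DA2-77EAF4D4AA60} - c:\windows\system32\lvkneti.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
"""

# Sample lines copied from the Malwarebytes' Anti-Malware log posted in this thread.
MBAM_SAMPLE = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e5c09e5-35c2-4847-9da2-77eaf4d4aa60} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5e5c09e5-35c2-4847-9da2-77eaf4d4aa60} (Trojan.BHO.H) -> Delete on reboot.
Files Infected:
c:\WINDOWS\SYSTEM32\lvkneti.dll (Trojan.BHO.H) -> Delete on reboot.
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <dll path, or (no file)>"
HJT_O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# Malwarebytes detection line: "<registry key or file> (<detection name>) -> <action>"
MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")


def parse_hjt_bho(text):
    """Return the O2 (Browser Helper Object) entries of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = HJT_O2_RE.match(line.strip())
        if m:
            # CLSIDs are compared case-insensitively, so normalise them once here.
            entries.append({"name": m["name"], "clsid": m["clsid"].upper(), "path": m["path"]})
    return entries


def parse_mbam(text):
    """Map CLSIDs and file paths that Malwarebytes reported to their detection names."""
    by_clsid, by_file = {}, {}
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if not m:
            continue  # section headers such as "Files Infected:" carry no detection
        item, detection = m["item"], m["detection"]
        if item.upper().startswith("HKEY_"):
            c = CLSID_RE.search(item)
            if c:
                by_clsid[c.group(0).upper()] = detection
        else:
            by_file[item.lower()] = detection  # Windows paths are case-insensitive
    return by_clsid, by_file


def triage(hjt_text, mbam_text):
    """Pair each BHO from the HijackThis log with what the Malwarebytes log says about it."""
    by_clsid, by_file = parse_mbam(mbam_text)
    findings = []
    for bho in parse_hjt_bho(hjt_text):
        reasons = []
        if bho["path"] == "(no file)":
            # Registration left behind after the DLL was removed; harmless but worth cleaning.
            reasons.append("orphaned registration: DLL missing on disk")
        elif bho["name"] == "(no name)":
            # Legitimate BHOs normally register a display name; an unnamed one backed
            # by a real DLL deserves a second look (heuristic of this example).
            reasons.append("unnamed BHO that still points at an existing DLL")
        detection = by_clsid.get(bho["clsid"]) or by_file.get(bho["path"].lower())
        if detection:
            reasons.append("Malwarebytes flagged it as " + detection)
        if reasons:
            findings.append({"clsid": bho["clsid"], "path": bho["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(HJT_SAMPLE, MBAM_SAMPLE):
        print(finding["clsid"], finding["path"])
        for reason in finding["reasons"]:
            print("   -", reason)
```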

ntbtlog.txt

Service Pack 3 4 22 2009 11:17:49.500

Loaded driver \WINDOWS\system32\ntoskrnl.exe

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver ACPI.sys

Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS

Loaded driver pci.sys

Loaded driver isapnp.sys

Loaded driver weihbfcn.sys

Loaded driver PCIIde.sys

Loaded driver \WINDOWS\System32\Drivers\PCIIDEX.SYS

Loaded driver intelide.sys

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver PartMgr.sys

Loaded driver VolSnap.sys

Loaded driver atapi.sys

Loaded driver disk.sys

Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS

Loaded driver fltmgr.sys

Loaded driver sr.sys

Loaded driver KSecDD.sys

Loaded driver Ntfs.sys

Loaded driver NDIS.sys

Loaded driver Mup.sys

Loaded driver agp440.sys

Loaded driver \SystemRoot\System32\DRIVERS\intelppm.sys

Loaded driver \SystemRoot\System32\DRIVERS\ialmnt5.sys

Loaded driver \SystemRoot\System32\DRIVERS\usbuhci.sys

Loaded driver \SystemRoot\System32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\system32\DRIVERS\AGRSM.sys

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS

Loaded driver \SystemRoot\system32\DRIVERS\Rtnicxp.sys

Loaded driver \SystemRoot\System32\DRIVERS\serial.sys

Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys

Loaded driver \SystemRoot\System32\DRIVERS\parport.sys

Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\System32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\System32\Drivers\AFS2K.SYS

Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\system32\drivers\ALCXWDM.SYS

Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\System32\DRIVERS\psched.sys

Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys

Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\System32\DRIVERS\update.sys

Loaded driver \SystemRoot\System32\DRIVERS\omci.sys

Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys

Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS

Loaded driver \SystemRoot\System32\Drivers\i2omgmt.SYS

Did not load driver \SystemRoot\System32\Drivers\Changer.SYS

Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS

Did not load driver \SystemRoot\System32\DRIVERS\kbdhid.sys

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys

Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys

Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys

Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\System32\drivers\afd.sys

Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys

Did not load driver \SystemRoot\System32\DRIVERS\processr.sys

Did not load driver \SystemRoot\System32\DRIVERS\p3.sys

Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS

Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys

Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\System32\Drivers\Fips.SYS

Loaded driver \SystemRoot\System32\DRIVERS\USBSTOR.SYS

Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\AegisP.sys

Loaded driver \SystemRoot\System32\DRIVERS\ndisuio.sys

Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys

Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\drivers\wdmaud.sys

Loaded driver \SystemRoot\system32\drivers\sysaudio.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Loaded driver \SystemRoot\system32\drivers\swmidi.sys

Loaded driver \SystemRoot\system32\drivers\DMusic.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\drmkaud.sys

Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys

Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS

Loaded driver \SystemRoot\System32\DRIVERS\srv.sys

Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\System32\Drivers\HTTP.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Service Pack 3 4 22 2009 11:25:39.500

Loaded driver \WINDOWS\system32\ntoskrnl.exe

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver ACPI.sys

Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS

Loaded driver pci.sys

Loaded driver isapnp.sys

Loaded driver weihbfcn.sys

Loaded driver PCIIde.sys

Loaded driver \WINDOWS\System32\Drivers\PCIIDEX.SYS

Loaded driver intelide.sys

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver PartMgr.sys

Loaded driver VolSnap.sys

Loaded driver atapi.sys

Loaded driver disk.sys

Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS

Loaded driver fltmgr.sys

Loaded driver sr.sys

Loaded driver KSecDD.sys

Loaded driver Ntfs.sys

Loaded driver NDIS.sys

Loaded driver Mup.sys

Loaded driver agp440.sys

Loaded driver \SystemRoot\System32\DRIVERS\intelppm.sys

Loaded driver \SystemRoot\System32\DRIVERS\ialmnt5.sys

Loaded driver \SystemRoot\System32\DRIVERS\usbuhci.sys

Loaded driver \SystemRoot\System32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\system32\DRIVERS\AGRSM.sys

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS

Loaded driver \SystemRoot\system32\DRIVERS\Rtnicxp.sys

Loaded driver \SystemRoot\System32\DRIVERS\serial.sys

Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys

Loaded driver \SystemRoot\System32\DRIVERS\parport.sys

Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\System32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\System32\Drivers\AFS2K.SYS

Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\system32\drivers\ALCXWDM.SYS

Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\System32\DRIVERS\psched.sys

Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys

Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\System32\DRIVERS\update.sys

Loaded driver \SystemRoot\System32\DRIVERS\omci.sys

Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys

Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS

Loaded driver \SystemRoot\System32\Drivers\i2omgmt.SYS

Did not load driver \SystemRoot\System32\Drivers\Changer.SYS

Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS

Did not load driver \SystemRoot\System32\DRIVERS\kbdhid.sys

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys

Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys

Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys

Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\System32\drivers\afd.sys

Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys

Did not load driver \SystemRoot\System32\DRIVERS\processr.sys

Did not load driver \SystemRoot\System32\DRIVERS\p3.sys

Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS

Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys

Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\System32\DRIVERS\USBSTOR.SYS

Loaded driver \SystemRoot\System32\Drivers\Fips.SYS

Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\AegisP.sys

Loaded driver \SystemRoot\System32\DRIVERS\ndisuio.sys

Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys

Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\drivers\wdmaud.sys

Loaded driver \SystemRoot\system32\drivers\sysaudio.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Loaded driver \SystemRoot\system32\drivers\swmidi.sys

Loaded driver \SystemRoot\system32\drivers\DMusic.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\drmkaud.sys

Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys

Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS

Loaded driver \SystemRoot\System32\DRIVERS\srv.sys

Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\System32\Drivers\HTTP.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys


( O.k., I am posting the RootRepeal log, but it seems to be having some issues. It opens and I do as directed, checking all boxes, then the C drive, then Scan. I can see it start the scan, and everything says "could not get file information..." as it scans; then poof, it's gone and leaves this report in the folder. )

ROOTREPEAL CRASH REPORT

-------------------------

Exception Code: 0xc0000005

Exception Address: 0x0040e8ea

Attempt to read from address: 0x00000014

( Also, when I first click and start it, it opens an error report that reads: )

RootRepeal Error

Could not read module file!

Please contact the author!

( Here is a pic of what it looks like while scanning, before it crashes: )

post-11922-1240429158_thumb.jpg

( Onyxia )



  • Root Admin

Okay, you have a Root Kit that is re-spawning that we need to track down for removal.

Please create a NEW folder on your Desktop named: BadFiles

Please download the following scanning tool: GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.

  • Double click on gmer.exe and run it.

  • It may take a minute to load and become available.

  • You should see a tab on top with 3
    >

:rolleyes: Hmmm, I have got all the files in a folder ready to be zipped; however, I have another issue. It seems that when all my trouble started I lost my ability to zip things. Now I have two trial versions of zip programs, one being .rar and the other being WinZip. I don't know if either of these will do, so I figure if I pack the folder in each of these you can figure out which one to use, but sadly this is all I have. I hope in the end this too will be resolved. Also, so that it would actually work, I had to put the .bad folder in another folder named Infection.zip in order to have it named Infection.zip as well; hope that is o.k.

Onyxia

... ok maybe I won't use the .rar

Upload failed. You are not permitted to upload this type of file

O.o ... hope the winzip works out then...

* Computer viruses are like mosquitoes ... only the one who created them actually gets why they were created, and everyone else agrees they are a nuisance. *

Edited by AdvancedSetup
removed attached file. No longer needed. Thanks for submitting it.

  • Root Admin

Okay please run the following now.

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

Link to post
Share on other sites

Malwarebytes' Anti-Malware 1.36

Database version: 2033

Windows 5.1.2600 Service Pack 3

4/23/2009 8:58:42 PM

mbam-log-2009-04-23 (20-58-42).txt

Scan type: Quick Scan

Objects scanned: 97628

Time elapsed: 6 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e5c09e5-35c2-4847-9da2-77eaf4d4aa60} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{5e5c09e5-35c2-4847-9da2-77eaf4d4aa60} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\SYSTEM32\lvkneti.dll (Trojan.BHO.H) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\DRIVERS\weihbfcn.sys (Rootkit.Sentinel) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:03:10 PM, on 4/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\brss01a.exe

C:\Program Files\LSI SoftModem\agrsmsvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\PRISMSVC.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\PRISMSVR.EXE

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Dell Wireless\PRISMCFG.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\qsb.exe" /autorun

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\TEMP\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1240274284718

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1240273345531

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE

--

End of file - 5889 bytes

Thank you so much and sorry I did not post back sooner.

Onyxia :rolleyes:

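The boot-log listing earlier in the thread shows weihbfcn.sys loaded by bare file name among the early, loader-started drivers, and the MBAM log above names the same file as Rootkit.Sentinel; cross-checking the two is how a responder confirms why a kernel driver keeps coming back before any user-mode scanner starts. The following Python script is an added example, not code from the thread, from Malwarebytes or from Trend Micro: it parses constructed excerpts modelled on both posted logs (the sample lines, the regexes and the function names are assumptions of this example) and reports flagged drivers that the kernel actually loaded, marking bare-name entries as boot-start.

```python
"""Added example (not from the thread): cross-check a boot log's driver list against an MBAM log."""
import re
from pathlib import PureWindowsPath

# Constructed excerpts modelled on the ntbtlog-style listing and the MBAM log posted in the thread.
BOOT_LOG = r"""
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver ACPI.sys
Loaded driver isapnp.sys
Loaded driver weihbfcn.sys
Loaded driver PCIIde.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Did not load driver \SystemRoot\System32\DRIVERS\processr.sys
"""
MBAM_LOG = r"""
Registry Keys Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\SYSTEM32\lvkneti.dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\DRIVERS\weihbfcn.sys (Rootkit.Sentinel) -> Delete on reboot.
"""
BOOT_RE = re.compile(r"^(Loaded|Did not load) driver (.+)$")
MBAM_RE = re.compile(r"^(.+?) \(([^)]+)\) -> (.+)$")

def parse_boot_log(text):
    """One dict per driver line. A bare file name (no backslash) marks the
    boot-start group the loader brings up alongside the kernel."""
    entries = []
    for line in text.splitlines():
        m = BOOT_RE.match(line.strip())
        if m:
            path = m.group(2)
            entries.append({"name": PureWindowsPath(path).name.lower(),
                            "loaded": m.group(1) == "Loaded",
                            "boot_start": "\\" not in path})
    return entries

def parse_mbam_files(text):
    """Map lowercase file name -> detection name, taken from 'Files Infected:' only."""
    found, in_files = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):      # section header such as 'Files Infected:'
            in_files = line.startswith("Files")
            continue
        m = MBAM_RE.match(line) if in_files else None
        if m:
            found[PureWindowsPath(m.group(1)).name.lower()] = m.group(2)
    return found

def correlate(boot_text, mbam_text):
    """[(driver, detection, boot_start)] for flagged drivers the kernel actually
    loaded; boot_start=True means it was running before any user-mode scanner."""
    flagged = parse_mbam_files(mbam_text)
    return [(e["name"], flagged[e["name"]], e["boot_start"])
            for e in parse_boot_log(boot_text) if e["loaded"] and e["name"] in flagged]
```

Running correlate(BOOT_LOG, MBAM_LOG) on the constructed excerpts yields only weihbfcn.sys, flagged as boot-start; lvkneti.dll is a user-mode BHO and never appears in the driver list.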
