MSN, MSIE won't connect, virus. OH NOES!

OK, for some reason my original post doesn't show....

Hello there, computer geek in trouble. I have a computer that received a nasty virus on Sunday that none of my scanners can seem to pick up.

I noticed the computer was loading TONS of oho0f.exe's in Task Manager and I have never seen these before. Figuring they were viral I closed some and they would keep loading back up. I could find nothing online about them so I started scanning. Eventually I found I had abcjump and some other redirector that was preventing my research on this problem, and eventually MSIE and MSN would not connect to the internet (I did find 16-20 trojans though, all of which seemed to have sneaked past my McAfee scanner). However Steam and ICQ would, and the scanners I was using could still get updates.
I installed NOD, Ad-Aware, Malwarebytes, I've run CCleaner, Trend Micro security center, in addition to McAfee... and still cannot find a name or even a hit on this virus. ICQ worked for a while, and now won't. I'm using a Swedish version of Firefox, and it works fine. FTP is still good too. When I boot the computer it says something about a drive not being available and I don't have access to it; also I can't eliminate anything from msconfig as it's saying I don't have administrator access (I am the admin), and when I try to do
sfc /scannow it freezes.

When I run Kaspersky's online scanner, I get a BSOD IRQL not less or equal crash. Also my DVD burner isn't showing as a burner anymore.

I've also run all the scans in safe mode.

Here is the HijackThis info:

Reply to kevin2m4

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:22 PM, on 7/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\vVX6000.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe,
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Global Startup: UltraMon.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuit [...] plugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/control [...] oader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr [...] NPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/bina [...] b56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mi [...] 4961248968
O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ol [...] uncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/bina [...] b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ [...] wflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: c:\windows\system32\ragutali.dll,C:\WINDOWS\system32\bazisomi.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AODService - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Maxtor Scheduler2 Service (MaxSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 12324 bytes

Reply to kevin2m4

--------[ EVEREST Ultimate Edition ]------------------------------------------------------------------------------------

Version EVEREST v4.60.1500
Benchmark Module 2.3.237.0
Homepage http://www.lavalys.com/
Report Type Report Wizard
Computer PIMP-6BVMACV9YE
Generator kev
Operating System Microsoft Windows XP Professional 5.1.2600 (WinXP Retail)
Date 2009-07-15
Time 21:08


--------[ Summary ]-----------------------------------------------------------------------------------------------------

Computer:
Computer Type ACPI Multiprocessor PC
Operating System Microsoft Windows XP Professional
OS Service Pack Service Pack 3
Internet Explorer 7.0.5730.13 (IE 7.0)
DirectX 4.09.00.0904 (DirectX 9.0c)
Computer Name PIMP-6BVMACV9YE
User Name kev
Logon Domain PIMP-6BVMACV9YE
Date / Time 2009-07-15 / 21:08

Motherboard:
CPU Type DualCore AMD Athlon 4050e, 2100 MHz (10.5 x 200)
Motherboard Name Asus M3A (3 PCI, 2 PCI-E x1, 1 PCI-E x16, 4 DDR2 DIMM, Audio, Gigabit LAN)
Motherboard Chipset AMD 770, AMD Hammer
System Memory 3072 MB (DDR2-800 DDR2 SDRAM)
DIMM1: Kingston 2G-UDIMM 2 GB DDR2-800 DDR2 SDRAM (5-5-5-18 @ 400 MHz) (4-4-4-12 @ 266 MHz) (3-3-3-9 @ 200 MHz)
DIMM3: Kingston KTC1G-UDIMM 1 GB DDR2-800 DDR2 SDRAM (5-5-5-18 @ 400 MHz) (4-4-4-12 @ 266 MHz) (3-3-3-9 @ 200 MHz)
BIOS Type AMI (05/12/08)
Communication Port Communications Port (COM1)

Display:
Video Adapter ATI Radeon HD 3600 Series (512 MB)
Video Adapter ATI Radeon HD 3600 Series (512 MB)
Video Adapter NVIDIA GeForce FX 5200 (Microsoft Corporation) (128 MB)
3D Accelerator ATI Radeon HD 3650 (RV635)
3D Accelerator nVIDIA GeForce FX 5200
Monitor Acer AL1916 [19" LCD] (1541323)
Monitor LG L1932TQ (Digital) / Flatron T930B (160934684)
Monitor Plug and Play Monitor [NoDB] (170116843009)

Multimedia:
Audio Adapter ATI Radeon HDMI @ ATI RV635 - High Definition Audio Controller
Audio Adapter Creative SB Live! Value (CT4830) Sound Card
Audio Adapter Realtek ALC883 @ ATI SB600 - High Definition Audio Controller

Storage:
IDE Controller AMD PCI IDE Controller
IDE Controller AMD SATA Controller(Native IDE Mode)
Storage Controller AN18LKI5 IDE Controller
Storage Controller VAXSCSI Controller
Disk Drive ST31000528AS
Disk Drive ST3250410AS (250 GB, 7200 RPM, SATA-II)
Optical Drive HL-DT-ST DVDRAM GH20NS10 (DVD+R9:10x, DVD-R9:10x, DVD+RW:20x/8x, DVD-RW:20x/6x, DVD-RAM:12x, DVD-ROM:16x, CD:48x/32x/48x DVD+RW/DVD-RW/DVD-RAM)
Optical Drive IQ2548T JGG054J SCSI CdRom Device
Optical Drive QNS G96VC5UF SCSI CdRom Device
SMART Hard Disks Status Unknown

Partitions:
C: (NTFS) 232.9 GB (153.4 GB free)
H: (NTFS) 931.5 GB (731.8 GB free)
Total Size 1164.4 GB (885.3 GB free)

Input:
Keyboard HID Keyboard Device
Mouse Microsoft USB IntelliMouse Optical (IntelliPoint)

Network:
Primary IP Address 192.168.1.100
Primary MAC Address 00-0C-41-62-48-44
Network Adapter Atheros L1 Gigabit Ethernet 10/100/1000Base-T Controller (192.168.1.103)
Network Adapter Wireless-G PCI Adapter (192.168.1.100)

Peripherals:
Printer HP Deskjet F4100 series
Printer Microsoft XPS Document Writer
Printer Send To OneNote 2007
Printer WebEx Document Loader
USB1 Controller ATI SB600 - OCHI USB Controller
USB1 Controller ATI SB600 - OCHI USB Controller
USB1 Controller ATI SB600 - OCHI USB Controller
USB1 Controller ATI SB600 - OCHI USB Controller
USB1 Controller ATI SB600 - OCHI USB Controller
USB2 Controller ATI SB600 - EHCI USB 2.0 Controller
USB Device C-Media USB Sound Device
USB Device Generic USB Hub
USB Device Microsoft LifeCam VX-6000 #6
USB Device Microsoft LifeCam VX-6000.
USB Device Microsoft USB IntelliMouse Optical
USB Device USB Composite Device
USB Device USB Composite Device
USB Device USB Composite Device
USB Device USB Human Interface Device
USB Device USB Human Interface Device
USB Device USB Human Interface Device

DMI:
DMI BIOS Vendor American Megatrends Inc.
DMI BIOS Version 0901
DMI System Manufacturer System manufacturer
DMI System Product System Product Name
DMI System Version System Version
DMI System Serial Number System Serial Number
DMI System UUID 40CA3B7A-08AEDC11-8691001E-8C6AEB59
DMI Motherboard Manufacturer ASUSTeK Computer INC.
DMI Motherboard Product M3A
DMI Motherboard Version Rev 1.xx
DMI Motherboard Serial Number MB-1234567890
DMI Chassis Manufacturer Chassis Manufacture
DMI Chassis Version Chassis Version
DMI Chassis Serial Number Chassis Serial Number
DMI Chassis Asset Tag Asset-1234567890
DMI Chassis Type Desktop Case


--------[ Debug - PCI ]-------------------------------------------------------------------------------------------------


Reply to kevin2m4

The only line that jumps out is:

O20 - AppInit_DLLs: c:\windows\system32\ragutali.dll,C:\WINDOWS\system32\bazisomi.dll

The 2 DLL files, ragutali.dll and bazisomi.dll, only produce a few negative results when researched.

There was one indication that the malware could be related to a vundo infection. The later Vundo variants have the ability to hide themselves from a HJT scan.

Navigate to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe and rename HijackThis.exe to Analyse.exe and run the scan again. We'll see if anything more pops up.

Reply to btk1w1
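As an added example (not part of this thread, and not HijackThis code), the script below applies the kind of review btk1w1 is doing to HijackThis 2.0.2 result lines: it pulls out the O20 AppInit_DLLs entries and also the F2 UserInit chain, the O23 service with a missing binary and the R1 proxy setting from the same log, so that the file paths can be located and submitted for analysis. The sample lines are copied from the log above; the heuristics themselves are this example's own assumptions about what a reviewer looks for.

```python
"""Triage of HijackThis 2.0.2 result lines (R1/F2/O20/O23 entries).

Added example for this thread; it is not HijackThis code. The heuristics are
this example's own assumptions about which entries a log reviewer pulls out:
  - O20 AppInit_DLLs: every DLL listed is loaded into every process that
    loads user32.dll, so each entry is worth locating and submitting for
    analysis (btk1w1's point above)
  - F2 UserInit: anything chained after the stock userinit.exe runs at logon
  - O23 services whose binary is missing
  - R1 ProxyServer under HKCU: IE and programs that use IE's settings go
    through the proxy, while a browser with its own settings would not
"""
import re
from collections import Counter
from dataclasses import dataclass

# Sample input, constructed from lines copied out of the log pasted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe,
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O20 - AppInit_DLLs: c:\windows\system32\ragutali.dll,C:\WINDOWS\system32\bazisomi.dll
O23 - Service: AODService - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# HJT result lines look like "<section> - <body>"; the process list does not.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

# The one executable that belongs on UserInit on a stock Windows XP install.
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O20"
    reason: str    # why the reviewer should look at it
    detail: str    # the path or value to follow up on


def parse_hjt(text):
    """Return (section, body) pairs for every HJT result line in the log."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _split_paths(value):
    """Split a comma-separated registry value into non-empty paths."""
    return [p.strip() for p in value.split(",") if p.strip()]


def triage(text):
    """Apply the review heuristics and return the findings in log order."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in _split_paths(body[len("AppInit_DLLs:"):]):
                findings.append(Finding(section, "AppInit_DLLs entry (injected into every GUI process)", dll))
        elif section == "F2" and "UserInit=" in body:
            chain = body.split("UserInit=", 1)[1]
            for exe in _split_paths(chain):
                if exe.lower() != STOCK_USERINIT:
                    findings.append(Finding(section, "extra executable chained on UserInit", exe))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(section, "service points at a missing binary", body))
        elif section == "R1" and ",ProxyServer = " in body:
            proxy = body.split("= ", 1)[1].strip()
            findings.append(Finding(section, "IE proxy set under HKCU", proxy))
    return findings


def files_to_submit(findings):
    """Paths a reviewer would locate (with hidden files shown) and upload for analysis."""
    return [f.detail for f in findings if f.section in ("O20", "F2")]


def summarize(findings):
    """Count findings per HJT section."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}: {f.detail}")
```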

Thanks for the fast reply and the information.

I'm about to do the scan again, but an interesting note: I imported my bookmarks, passwords and cookies into Firefox using their import button, and it too stopped having access to the internet.
I ran CCleaner, uninstalled Firefox and reinstalled it to come back here.

Reply to kevin2m4

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:53 PM, on 7/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\vVX6000.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\analyze.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe,
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Global Startup: UltraMon.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuit [...] plugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/control [...] oader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr [...] NPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/bina [...] b56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mi [...] 4961248968
O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ol [...] uncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/bina [...] b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ [...] wflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: c:\windows\system32\ragutali.dll,C:\WINDOWS\system32\bazisomi.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AODService - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Maxtor Scheduler2 Service (MaxSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 12322 bytes

Reply to kevin2m4

I also did a Start > Search on ragutali.dll and bazisomi.dll and nothing came up, hmm.

Reply to kevin2m4

OK.... The scan didn't turn up anything more.

First thing, you have evidence of three antivirus products running resident.

NOD32, McAfee and Symantec/Norton.

You said that you are running NOD32? I have provided links below to remove McAfee and Norton with their removal tools.

http://majorgeeks.com/Norton_Remov [...] d4749.html

http://majorgeeks.com/McAfee_Consu [...] d5420.html

Can you open Malwarebytes Antimalware and click on the "Logs" tab. Post the most recent MBAM logfile.

Download, install, update then run SUPERAntiSpyware (SAS)

http://www.superantispyware.com/

Clean everything it finds and post the log from this scan also.

Click Preferences, then click the Statistics/Logs tab and Under Scanner Logs, double-click SUPERAntiSpyware Scan Log. Post the most recent (there should only be one).

I will be away for a few hours, but will look at the logs when I return.

Reply to btk1w1

kevin2m4 wrote :

I also did a Start > Search for ragutali.dll and bazisomi.dll and nothing came up, hmm.



They are probably hidden files. You will need to go into control panel > folder options and highlight "Show hidden files and folders" and apply the change.

Once this is done go to virustotal and upload the files for analysis.

http://www.virustotal.com/

You will get a log for each; can you provide those as well?

Reply to btk1w1

When you browse for them you will need to navigate to:

c:\windows\system32\ragutali.dll

and

C:\WINDOWS\system32\bazisomi.dll

Reply to btk1w1

OK, I removed NAV and McAfee.
I have the 4 most recent Malwarebytes log files.

1st
Malwarebytes' Anti-Malware 1.36
Database version: 2128
Windows 5.1.2600 Service Pack 3

7/13/2009 2:33:25 AM
mbam-log-2009-07-13 (02-33-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 84260
Time elapsed: 13 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gsf83iujid.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\Documents and Settings\kev\Local Settings\Temporary Internet Files\Content.IE5\76VFCIL6\udvvmquz[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\kev\Local Settings\Temporary Internet Files\Content.IE5\PIAUL9W9\xhuyph[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\kev\Local Settings\Temporary Internet Files\Content.IE5\X41CFAM4\slvanev[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.


2nd

Malwarebytes' Anti-Malware 1.36
Database version: 2128
Windows 5.1.2600 Service Pack 3

7/13/2009 9:27:39 PM
mbam-log-2009-07-13 (21-27-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 91134
Time elapsed: 16 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


3rd

Malwarebytes' Anti-Malware 1.36
Database version: 2128
Windows 5.1.2600 Service Pack 3

7/13/2009 10:33:17 PM
mbam-log-2009-07-13 (22-33-17).txt

Scan type: Quick Scan
Objects scanned: 119023
Time elapsed: 15 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\acpi32 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\acpi32 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpi32 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\acpi32.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TMP11E2.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\kev\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN38.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\smss.exe_ (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

4th
Malwarebytes' Anti-Malware 1.36
Database version: 2128
Windows 5.1.2600 Service Pack 3

7/14/2009 12:53:25 AM
mbam-log-2009-07-14 (00-53-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 236361
Time elapsed: 27 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Reply to kevin2m4
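The four MBAM logs above all share one layout: a summary block with a count per category, then an itemised block per category, each item ending with the family name in parentheses and the action taken after an arrow. When triaging several scans it helps to pull the detections out as structured records, check that the summary counts agree with the itemised lines, and flag anything marked "Delete on reboot" (the file was still present when the scan finished and is only removed at the next restart). The Python below is an added example for this thread, not code from any poster or from Malwarebytes itself; the log text inside it is constructed to mimic the format posted above with made-up item names, and the parsing rules (a blank line ends an itemised section, a number after the colon marks a summary line, the last " -> " separates the action from any Bad/Good detail) are assumptions drawn from the logs as posted.

```python
"""Parse MBAM 1.x text logs into structured detections and cross-check them.

Added example for this thread (not a poster's code and not part of Malwarebytes).
The sample log is constructed to mirror the posted layout; item names are made up.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the MBAM 1.36 layout; item names are fabricated.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2128
Windows 5.1.2600 Service Pack 3

7/13/2009 10:33:17 PM
mbam-log-2009-07-13 (22-33-17).txt

Scan type: Quick Scan
Objects scanned: 119023
Time elapsed: 15 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\example32 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ExampleProtect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\example_s (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\example32.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example_s.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "X Infected: 4" is a summary line; "X Infected:" (no number) opens an itemised section.
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): ?(?P<n>\d+)?$")
# "<item> (<family>) -> <rest>"; non-greedy item so the first "(family) ->" wins.
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
NO_ITEMS = "(No malicious items detected)"
HEADER_FALLBACK = ["Product", "OS", "Timestamp", "Log file"]  # assumed order of key-less header lines


@dataclass
class Detection:
    category: str
    item: str
    family: str
    action: str
    detail: str = ""  # e.g. "Bad: (1) Good: (0)" on registry data items


@dataclass
class Report:
    header: Dict[str, str] = field(default_factory=dict)
    summary: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def parse_mbam_log(text: str) -> Report:
    """Walk the log line by line, tracking which itemised section is open."""
    report, section, fallback = Report(), None, iter(HEADER_FALLBACK)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line closes the current itemised section
            continue
        m = SUMMARY_RE.match(line)
        if m:
            if m.group("n") is not None:
                report.summary[m.group("cat")] = int(m.group("n"))
                section = None
            else:
                section = m.group("cat")
            continue
        if section:
            if line == NO_ITEMS:
                continue
            im = ITEM_RE.match(line)
            if not im:
                raise ValueError(f"unparsed line in {section!r}: {line}")
            detail, _, action = im.group("rest").rpartition(" -> ")  # detail is "" when absent
            report.detections.append(Detection(section, im.group("item"), im.group("family"), action, detail))
            continue
        if ": " in line:
            key, _, value = line.partition(": ")
            report.header[key] = value
        else:
            report.header[next(fallback, f"extra{len(report.header)}")] = line
    return report


def verify_counts(report: Report) -> Dict[str, tuple]:
    """Categories whose summary count disagrees with the itemised lines: {cat: (summary, itemised)}."""
    itemised = Counter(d.category for d in report.detections)
    return {cat: (n, itemised.get(cat, 0)) for cat, n in report.summary.items() if n != itemised.get(cat, 0)}


def pending_reboot(report: Report) -> List[str]:
    """Items MBAM could not remove live; they persist until the next restart."""
    return [d.item for d in report.detections if d.action.startswith("Delete on reboot")]


def family_counts(report: Report) -> Counter:
    return Counter(d.family for d in report.detections)


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep.header.get("Scan type"), rep.header.get("Timestamp"))
    print("detections:", len(rep.detections), dict(family_counts(rep)))
    print("count mismatches:", verify_counts(rep))
    print("pending reboot:", pending_reboot(rep))
```

Feeding the thread's own four logs through `parse_mbam_log` would give a per-family view across scans (the same `Trojan.Agent` and `Spyware.OnlineGames` items reappearing in the third log after a clean second one is the pattern to look for), and `pending_reboot` points out which "clean" follow-up scans were run before the scheduled deletions had actually happened.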

While running SUPERAntiSpyware I got the BSOD and it dumped physical mem and rebooted.

Also, I physically went into the system32 folder, and those DLL files are not there.

Reply to kevin2m4

On a good note, the HDD not available popup is gone, and I can now change things in msconfig.

Reply to kevin2m4

Nvm, the HD not available popup is still there. And it doesn't matter what scan on SUPERAntiSpyware I run, I get BSOD 'page fault in non paged area'.

Reply to kevin2m4

I might have missed where you said it, but make sure you update Malwarebytes, boot into Safe Mode and do a full scan there; it's your only chance. Also try System Restore, but I am almost sure it was disabled as soon as the virus infected you!

-Here is an important note to consider: With viruses, let's say you get infected, okay, and I am not talking about a specific virus, just an average virus that I made up that's very popular. So the virus goes into your Windows files and registry and disables System Restore; next it makes it so everything is redirected to a certain website; next it edits your Windows to make sure you can't get to any security sites like Microsoft; next it disables many of your anti-virus programs and etc.... It basically eliminates all threats to its existence on your computer. What it's doing is actually importing files and editing/adding registry keys to do all this. Remember, a virus is no different from a normal file; in fact a virus is just a program. Humans call these programs viruses because they do what you don't want them to do. And that, my friend, is why even if you do remove the virus, the "damage" has already been done: the files have been put inside, the registry has already been edited, your anti-virus is not going to undo these changes, it's only going to undo the source, so once the damage has been done it's been done. It's like, let's say a bullet is a virus, and somebody shoots another person with a gun, and the bullet enters right through their kidney, let's say. A doctor (the anti-virus) can take out the bullet; however, the damage to the kidney (your computer) has already been done. And that brings me to the next point: that it's better to prevent having viruses in the first place than to hunt them down when they have already infected you. And that is why you are very likely going to have to demolish your system and reinstall XP.

Reply to blackhawk1928

Let's see if we can get SAS to run.

Open the program and click on Configuration and Preferences, click the Preferences button.
Click on the Scanning Control tab and under scanner options uncheck
Use Kernel Direct File Access (recommended)
and
Use Kernel Direct Registry Access (recommended)

Now try running the scanner.

Reply to btk1w1

:(


Well, it looks like disabling those 2 options is working; SAS is finding some things.

I have to go to work; I'll let it scan and see when I come back (12 hours :'( ).

Reply to kevin2m4

OK, I came home and my computer wasn't off, which is good, 'cause usually I'd set a scan and it would shut down on me. But it had rebooted.
I ran the scan again, and cleared the items.

Now, even if I am clear of viruses (which I am sure I'm not), how do I get administrator access back, how do I get internet back for MSN, ICQ and MSIE, and how do I get back my DVD burner?

Reply to kevin2m4

Read my last post on this board and that's your answer. You might very well be clear of the viruses, but as I said in my post, the damage has been done. I gave a good analogy in the post; read it and it will be clear that your only way, most likely, is to demolish XP, full format, and rebuild XP.

-I am sure you can fix it, but there are many millions of Windows files and registry keys and you need to find certain ones and correctly tweak them back to what they were, which you probably don't know and won't be able to do. A professional service for this will cost you a lot, so rebuilding is the easiest way out.


Message edited by blackhawk1928 on 07-17-2009 at 05:23:29 AM
Reply to blackhawk1928

If you don't want to rebuild after a virus in the future, spend some money on a program called Ghost (it's worth it) and, after you install updates, vital programs and drivers, make a mirror image of your system on a CD, so if a virus infects you, you can format and restore that image in under an hour and be well on your way to enjoying your system ;)

Reply to blackhawk1928

As blackhawk stated in his post, the malware can take out vital processes and services. It gives itself administrator privileges so it can do this, and it also prevents other users from gaining admin rights (which is the case with yours at the moment).

Often disinfecting the system will restore the PC, but it is not a guarantee. There are many fixes available though, so all is not lost.

Have you got the SAS log handy? There were multiple infections on your PC. ZLOB was one; it is one of the most well-known DNS changers (likely the reason you have trouble letting MS apps access the net). I need to see if there are others which may interfere with the next step.

Reply to btk1w1

kevin2m4 wrote :

On a good note, the HDD not available popup is gone, and I can now change things in msconfig.



This is a good sign. It indicates the malware was wounded, but it restored itself, probably after a reboot.

I really need to see the SAS log before we continue.

Reply to btk1w1

I need to go to work, so I have provided further instructions. Please follow them very carefully, and if you are unsure about anything, discontinue and ask a question.

Run combofix and post the log.

Disable any realtime protection. AV or resident spyware apps.

Here are the instructions:

Download Combofix to your desktop.

Note: It is important that it is saved directly to your desktop

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Close any open browsers and windows except for Combofix

Double click on combofix.exe and follow the prompts.

When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Note: Do not mouse-click ComboFix's window while it's running; it can cause the program to freeze/hang.

In some cases your antivirus or other realtime scanner will display an alert after you download ComboFix or while you use ComboFix. If so, please disable your scanners, delete the copy off the desktop and download ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them. There's nothing wrong with ComboFix; heuristic detection can report this false positive because of ComboFix's removal technique.

Reply to btk1w1

I ran ComboFix last night; I was a little tipsy. When I woke up this morning, MSN was connected. I rebooted, the window telling me I didn't have admin access was gone, and I burned a CD to listen to, for the drive to work.
It looks like it is fixed.
I will post the SAS log and ComboFix log when I get home tonight.

Reply to kevin2m4

That's good news.

Can you also include a fresh HijackThis log, please?

Reply to btk1w1

ZLOB!!! IT'S THE WORST VIRUS! I have had Zlob and it was just something unbelievable; malware wounded it but couldn't get it out. I spent 2 weeks literally hunting its keys and traces down in my own registry and finally I just gave up and rebuilt my OS. Zlob is like a level 9-10 virus, which is one of the worst and hardest to get rid of. And it's a Russian-made virus, I am pretty sure. My people are up to no good.

Reply to blackhawk1928

ComboFix 09-07-14.08 - kev 07/17/2009 0:22:44.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2623 [GMT -4:00]
Running from: C:\Documents and Settings\kev\My Documents\Hentede filer\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\kev\Application Data\bcrypt.html
C:\Documents and Settings\kev\Application Data\inst.exe
C:\Program Files\sFX
C:\Program Files\WinPCap
C:\Program Files\WinPCap\rpcapd.exe
C:\RECYCLER\S-1-5-21-5223466556-8096075262-254021249-8367
C:\WINDOWS\010112010146118114.dat
C:\WINDOWS\system32\ATIODCLI.exe
C:\WINDOWS\system32\ATIODE.exe
C:\WINDOWS\system32\drivers\hjgruimugohrfu.sys
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\hjgruiakwuisux.dat
C:\WINDOWS\system32\hjgruinqtacyvt.dll
C:\WINDOWS\system32\hjgruinwovsuab.dll
C:\WINDOWS\system32\hjgruiycxmjqnm.dat
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\uuddc32.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiyfvxjeao
-------\Legacy_acpi32
-------\Legacy_npf
-------\Legacy_sfx
-------\Legacy_sfxdrv
-------\Service_npf
-------\Service_sfx


((((((((((((((((((((((((( Files Created from 2009-06-17 to 2009-07-17 )))))))))))))))))))))))))))))))
.

2009-07-17 04:22:44 . 2009-07-17 04:22:44 0 d-----w- C:\Documents and Settings\kev\Local Settings\Application Data\ESET
2009-07-16 04:30:21 . 2009-07-16 07:11:23 0 d-----w- C:\Program Files\Trillian
2009-07-16 03:48:51 . 2009-07-17 09:55:13 117760 ----a-w- C:\Documents and Settings\kev\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-16 03:44:25 . 2009-07-16 03:44:25 0 d-----w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-16 03:43:31 . 2009-07-16 03:43:34 0 d-----w- C:\Program Files\SUPERAntiSpyware
2009-07-16 03:43:31 . 2009-07-16 03:43:31 0 d-----w- C:\Documents and Settings\kev\Application Data\SUPERAntiSpyware.com
2009-07-16 03:34:37 . 2009-07-16 03:34:37 0 d-----w- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2009-07-16 00:16:38 . 2009-07-16 00:16:38 0 d-----w- C:\WINDOWS\system32\config\systemprofile\Tracing
2009-07-15 14:25:31 . 2009-07-15 14:25:31 8224 ----a-w- C:\Documents and Settings\Administrator.PIMP-6BVMACV9YE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-15 14:25:27 . 2009-07-15 14:25:27 0 d-----w- C:\Documents and Settings\Administrator.PIMP-6BVMACV9YE\Application Data\Ahead
2009-07-15 14:25:14 . 2009-07-15 14:25:14 0 d-----w- C:\Documents and Settings\Administrator.PIMP-6BVMACV9YE\Local Settings\Application Data\Ahead
2009-07-15 04:26:54 . 2009-07-15 04:26:40 102664 ----a-w- C:\WINDOWS\system32\drivers\tmcomm.sys
2009-07-15 04:26:36 . 2009-07-15 04:27:06 0 d-----w- C:\Documents and Settings\kev\.housecall6.6
2009-07-15 04:19:41 . 2009-07-15 04:19:41 0 d-----w- C:\Program Files\Trend Micro
2009-07-14 05:55:41 . 2009-07-14 05:55:41 0 d-----w- C:\Program Files\ESET
2009-07-14 05:55:41 . 2009-07-14 05:55:41 0 d-----w- C:\Documents and Settings\All Users\Application Data\ESET
2009-07-14 05:44:07 . 2009-07-14 05:44:07 0 ----a-w- C:\WINDOWS\nsreg.dat
2009-07-14 05:44:01 . 2009-07-14 05:44:01 0 d-----w- C:\Documents and Settings\kev\Local Settings\Application Data\Mozilla
2009-07-13 04:53:33 . 2009-07-13 04:53:33 40960 --sh--r- C:\WINDOWS\system32\flashd32.dll
2009-07-13 04:51:33 . 2009-07-13 05:49:32 0 ----a-w- C:\WINDOWS\system32\drivers\cbdf3c78.sys
2009-07-13 04:50:48 . 2009-07-13 04:50:48 22627 ----a-w- C:\vfjmbvbg.exe
2009-07-13 04:30:08 . 2009-07-14 02:42:59 0 d-----w- C:\Program Files\Easy-Hide-IP
2009-07-07 06:06:25 . 2009-07-07 06:06:38 0 d-----w- C:\WINDOWS\system32\NtmsData
2009-06-28 00:21:16 . 2009-06-28 00:21:16 0 d-----w- C:\Documents and Settings\kev\Report Files
2009-06-28 00:12:55 . 2009-06-28 00:15:47 1024 ---h--r- C:\WINDOWS\system32\NTIBUN4.dll
2009-06-28 00:12:50 . 2009-06-28 00:12:50 6144 ----a-w- C:\WINDOWS\system32\drivers\NTIDrvr.sys
2009-06-24 01:53:37 . 2009-06-24 01:55:45 0 d-----w- C:\Documents and Settings\kev\Application Data\Winamp
2009-06-24 01:53:37 . 2009-06-24 01:55:43 0 d-----w- C:\Program Files\Winamp
2009-06-21 04:47:02 . 2009-06-21 04:47:32 0 d-----w- C:\Program Files\QuickTime
2009-06-21 04:47:01 . 2009-06-21 04:47:01 0 d-----w- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-06-18 03:19:19 . 2009-07-17 01:51:46 0 d-----w- C:\Program Files\SpeedFan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-17 09:55:26 . 2009-02-01 19:31:06 0 d-----w- C:\Program Files\Steam
2009-07-17 08:06:44 . 2009-04-10 18:40:08 0 d-----w- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-07-17 04:27:07 . 2004-08-04 15:00:00 182656 ----a-w- C:\WINDOWS\system32\drivers\ndis.sys
2009-07-17 04:20:11 . 2009-06-11 05:49:58 0 d-----w- C:\Program Files\FreeRapid-0.82
2009-07-16 03:53:08 . 2009-01-24 05:59:58 0 d-----w- C:\Documents and Settings\All Users\Application Data\McAfee
2009-07-16 03:43:12 . 2009-01-24 03:44:46 0 d-----w- C:\Program Files\Common Files\Wise Installation Wizard
2009-07-16 03:37:32 . 2008-07-01 16:47:44 0 d-----w- C:\Program Files\Common Files\Symantec Shared
2009-07-16 01:21:41 . 2008-09-13 15:37:34 0 d-----w- C:\Program Files\FlashFXP
2009-07-15 04:11:41 . 2008-08-16 02:10:15 0 d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
2009-07-15 04:11:23 . 2009-01-24 06:17:33 0 d-----w- C:\Documents and Settings\LocalService\Application Data\SACore
2009-07-14 12:53:21 . 2008-07-01 15:02:11 70064 ----a-w- C:\Documents and Settings\kev\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-14 04:56:04 . 2008-07-01 15:04:27 0 d--h--w- C:\Program Files\InstallShield Installation Information
2009-07-14 02:41:14 . 2009-01-24 03:33:07 0 d-----w- C:\Program Files\Total Video Converter
2009-07-14 02:37:58 . 2009-01-18 22:42:46 0 d-----w- C:\Program Files\Garena
2009-07-14 01:49:33 . 2009-01-31 22:52:13 1324 ----a-w- C:\WINDOWS\system32\d3d9caps.dat
2009-07-13 05:59:28 . 2009-01-29 02:54:21 0 d-----w- C:\Program Files\Hard Disk Sentinel
2009-07-10 21:56:50 . 2009-04-05 06:03:43 0 d-----w- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2009-07-07 05:48:09 . 2009-07-07 05:47:51 0 d-----w- C:\Program Files\C-Media USB Sound
2009-06-16 14:36:30 . 2004-08-04 15:00:00 81920 ----a-w- C:\WINDOWS\system32\fontsub.dll
2009-06-16 14:36:30 . 2004-08-04 15:00:00 119808 ----a-w- C:\WINDOWS\system32\t2embed.dll
2009-06-16 02:31:50 . 2008-07-18 18:04:42 0 d-----w- C:\Documents and Settings\kev\Application Data\Image Zone Express
2009-06-09 06:40:29 . 2009-06-09 06:40:24 0 d-----w- C:\Program Files\Motherboard Monitor 5
2009-06-05 23:37:15 . 2009-04-27 02:59:58 8673792 ----a-w- C:\Documents and Settings\All Users\Application Data\atscie.msi
2009-06-05 23:36:34 . 2009-06-05 23:36:34 0 d-----w- C:\Program Files\Common Files\Pure Networks Shared
2009-06-05 22:54:29 . 2009-06-05 22:54:29 0 d-----w- C:\Documents and Settings\All Users\Application Data\Maxtor
2009-06-05 22:54:24 . 2009-06-05 22:51:18 44384 ----a-w- C:\WINDOWS\system32\drivers\tifsfilt.sys
2009-06-05 22:54:24 . 2009-06-05 22:51:18 441760 ----a-w- C:\WINDOWS\system32\drivers\timntr.sys
2009-06-05 22:54:21 . 2009-06-05 22:51:11 132224 ----a-w- C:\WINDOWS\system32\drivers\snapman.sys
2009-06-05 22:54:17 . 2009-06-05 22:51:06 368480 ----a-w- C:\WINDOWS\system32\drivers\tdrpman.sys
2009-06-05 22:54:15 . 2009-06-05 22:50:29 0 d-----w- C:\Program Files\Common Files\Seagate
2009-06-05 22:51:26 . 2009-06-05 22:51:26 0 d-----w- C:\Documents and Settings\All Users\Application Data\Seagate
2009-06-05 22:50:29 . 2009-06-05 22:50:29 0 d-----w- C:\Program Files\Seagate
2009-06-03 19:09:37 . 2004-08-04 15:00:00 1291264 ----a-w- C:\WINDOWS\system32\quartz.dll
2009-05-31 07:31:02 . 2009-04-25 21:12:43 0 d-----w- C:\Documents and Settings\kev\Application Data\Nokia
2009-05-31 03:28:49 . 2009-05-31 03:28:37 0 d-----w- C:\Program Files\AGEIA Technologies
2009-05-31 03:28:07 . 2009-05-31 03:28:07 413696 ----a-w- C:\WINDOWS\system32\wrap_oal.dll
2009-05-31 03:28:07 . 2009-05-31 03:28:07 110592 ----a-w- C:\WINDOWS\system32\OpenAL32.dll
2009-05-31 03:28:07 . 2009-05-31 03:28:07 0 d-----w- C:\Program Files\OpenAL
2009-05-14 03:04:30 . 2009-05-14 03:04:30 552 ----a-w- C:\WINDOWS\system32\d3d8caps.dat
2009-05-07 15:32:35 . 2004-08-04 15:00:00 345600 ----a-w- C:\WINDOWS\system32\localspl.dll
2009-04-29 04:56:02 . 2004-08-04 15:00:00 827392 ----a-w- C:\WINDOWS\system32\wininet.dll
2009-04-29 04:55:56 . 2004-08-04 15:00:00 78336 ----a-w- C:\WINDOWS\system32\ieencode.dll
2009-04-25 21:28:50 . 2009-04-25 21:28:50 8192 ----a-w- C:\Documents and Settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
2009-04-25 21:28:50 . 2009-04-25 21:28:50 61440 ----a-w- C:\Documents and Settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-04-25 21:28:50 . 2009-04-25 21:28:50 10240 ----a-w- C:\Documents and Settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
2009-04-25 21:28:36 . 2009-04-25 21:29:03 34396584 ----a-w- C:\Documents and Settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_eng.exe
2009-04-20 04:18:07 . 2009-04-20 04:18:07 161352 ----a-w- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-24 14:22:26 . 2009-07-16 02:14:26 137208 ----a-w- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2009-03-08 18:50:38 3885408]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 00:12:28 1695232]
"RocketDock"="C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe" [2007-03-18 22:05:02 630784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 00:12:16 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 15:01:38 1830128]
"Steam"="c:\program files\steam\steam.exe" [2009-06-11 01:03:29 1217784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 21:45:32 279912]
"VX6000"="C:\WINDOWS\vVX6000.exe" [2007-04-10 21:46:43 996712]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 17:56:32 1406024]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-14 19:05:24 1410304]
"Maxtor Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-24 23:56:52 136472]
"MaxBlastMonitor.exe"="C:\Program Files\Seagate\DiscWizard\MaxBlastMonitor.exe" [2008-06-27 21:01:28 1325800]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 01:52:38 49152]
"Hard Disk Sentinel"="C:\Program Files\Hard Disk Sentinel\HDSentinel.exe" [2009-01-29 04:41:55 3407360]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 11:00:48 33648]
"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-24 23:52:18 1325848]
"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [2008-06-25 00:06:22 904768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2009-03-08 18:50:38 3885408]

C:\Documents and Settings\kev\Start Menu\Programs\Startup\
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-3-18 630784]
TransBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-6-1 65536]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-5-21 180224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
UltraMon.lnk - C:\WINDOWS\Installer\{AF0FA6D7-96F3-468A-ABB7-28BE006EA8E9}\IcoUltraMon.ico [2009-1-20 29310]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{38101905-D80F-4788-96F6-986A8186178A}"= "C:\WINDOWS\system32\flashd32.dll" [2009-07-13 04:53:33 40960]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 14:13:36 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05:34 356352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^kev^Start Menu^Programs^Startup^Popup Ad Stopper.lnk]
path=C:\Documents and Settings\kev\Start Menu\Programs\Startup\Popup Ad Stopper.lnk
backup=C:\WINDOWS\pss\Popup Ad Stopper.lnkStartup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Sega\\OutRun2006 Coast 2 Coast\\OR2006C2C.EXE"=
"C:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=
"C:\\Program Files\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"=
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"C:\\WINDOWS\\system32\\dwwin.exe"=
"C:\\Program Files\\Winamp\\winamp.exe"=
"C:\\Program Files\\Windows Live\\Toolbar\\wltuser.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"C:\\Program Files\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"94:TCP"= 94:TCP:VRS Recording System Web Control Panel
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\drivers\epfwtdir.sys [11/14/2007 3:06:38 PM 30728]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01:40 AM 9968]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01:40 AM 72944]
R2 CachemanXPService;CachemanXP;C:\PROGRA~1\CACHEM~1\CachemanXP.exe [1/19/2009 2:48:02 AM 355840]
R2 ekrn;Eset Service;C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/14/2007 3:05:50 PM 455936]
R2 FLE5WNNT;FLE-5 WindowsNT Driver;C:\WINDOWS\system32\drivers\fle5wnnt.sys [10/1/2008 10:42:51 PM 33404]
R2 FLSIFACE;FLSIface;C:\WINDOWS\system32\drivers\flsiface.sys [10/1/2008 10:42:51 PM 13440]
R2 FLSPAR;FLSPar;C:\WINDOWS\system32\drivers\flspar.sys [10/1/2008 10:42:51 PM 16314]
R2 FLSSER;FLSSer;C:\WINDOWS\system32\drivers\flsser.sys [10/1/2008 10:42:51 PM 8344]
R2 FLSVCOM;FLSVCom;C:\WINDOWS\system32\drivers\flsvcom.sys [10/1/2008 10:42:51 PM 32544]
R2 fssfltr;FssFltr;C:\WINDOWS\system32\drivers\fssfltr_tdi.sys [2/17/2009 11:42:54 PM 55152]
R2 MaxSch2Svc;Maxtor Scheduler2 Service;C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 7:56:38 PM 431384]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;C:\WINDOWS\system32\TUProgSt.exe [2/12/2009 9:58:44 AM 603904]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 9:22:52 PM 11776]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\drivers\l151x86.sys [7/1/2008 11:13:35 AM 36864]
R3 cmudau32;C-Media USB UDA Sound Interface;C:\WINDOWS\system32\drivers\cmudaxu.sys [7/7/2009 1:48:35 AM 1414528]
R3 SASENUM;SASENUM;C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01:42 AM 7408]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\drivers\UltraMonMirror.sys [9/24/2006 9:23:14 PM 3584]
R3 VX6000;Microsoft LifeCam VX-6000;C:\WINDOWS\system32\drivers\VX6000Xp.sys [7/1/2008 2:59:06 PM 2385896]
S1 cbdf3c78;cbdf3c78;C:\WINDOWS\system32\drivers\cbdf3c78.sys [7/13/2009 12:51:33 AM 0]
S2 AODService;AODService;C:\Program Files\AMD\OverDrive\AODAssist --> C:\Program Files\AMD\OverDrive\AODAssist [?]
S2 SgtSch2Svc;Seagate Scheduler2 Service;C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 7:56:38 PM 431384]
S3 fsssvc;Windows Live Family Safety;C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 7:08:58 PM 533360]
S3 TempLog;TempLog;C:\Program Files\Hard Disk Sentinel\HDSentinel.sys [1/28/2009 10:54:21 PM 3897]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-07-17 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 20:36:18 . 2008-12-11 20:36:18]

2009-07-11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34:12 . 2008-07-30 17:34:12]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = 192.168.0.1:80
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
FF - ProfilePath - C:\Documents and Settings\kev\Application Data\Mozilla\Firefox\Profiles\diijkrzm.default\
FF - plugin: C:\Program Files\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess" );
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35" );
C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35" );
C:\Program Files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".dk" );
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~" );
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror" );
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json" );
.

Reply to kevin2m4

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:21:47 PM, on 7/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\vVX6000.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hard Disk Sentinel\HDSentinel.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\program files\steam\steam.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\analyze.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Maxtor Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Seagate\DiscWizard\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Hard Disk Sentinel] "C:\Program Files\Hard Disk Sentinel\HDSentinel.exe" /AUTORUN
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Global Startup: UltraMon.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuit [...] plugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/control [...] oader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr [...] NPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/bina [...] b56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mi [...] 4961248968
O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ol [...] uncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/bina [...] b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ [...] wflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AODService - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Maxtor Scheduler2 Service (MaxSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 11105 bytes

Reply to kevin2m4

I'm just looking over your logs; there are a couple of suspicious entries.

Upload them to VirusTotal for analysis.

http://www.virustotal.com/

Click the browse button and navigate to:

C:\vfjmbvbg.exe

then

C:\WINDOWS\system32\drivers\cbdf3c78.sys

You may have to make hidden files and folders visible.

Can you post the logs from VirusTotal please.

Reply to btk1w1
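The entries the reply above points at (a driver with a random hex name and a zero-byte file, an executable sitting in the root of C:) are the kind of thing a reviewer picks out of a ComboFix or HijackThis log by eye. The Python below is an added example, not code from the thread and not part of ComboFix or HijackThis, that applies the same first-pass checks mechanically over lines taken from the logs posted here, plus two constructed lines marked in the comments (one for C:\vfjmbvbg.exe, whose original log line is not on this page, and one decoy svchost.exe outside system32). The heuristics, the "six letters with no vowels" threshold and the assumption that Windows lives in C:\WINDOWS are my choices, not anything the tools define. Every hit is a reason to look closer or upload the file, as the reply asks; none is a verdict on its own.

```python
"""Heuristic first-pass triage of ComboFix / HijackThis log lines (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input. Most lines are copied from the ComboFix and HijackThis
# logs posted in this thread. The vfjmbvbg line is constructed from the path named
# in the reply (its original log line is not on this page) and the last line is a
# constructed decoy to exercise the system-binary path check.
SAMPLE_LOG = r"""
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\drivers\epfwtdir.sys [11/14/2007 3:06:38 PM 30728]
R2 ekrn;Eset Service;C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/14/2007 3:05:50 PM 455936]
S1 cbdf3c78;cbdf3c78;C:\WINDOWS\system32\drivers\cbdf3c78.sys [7/13/2009 12:51:33 AM 0]
uInternet Settings,ProxyServer = 192.168.0.1:80
C:\WINDOWS\System32\svchost.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O23 - Service: AODService - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O4 - HKLM\..\Run: [vfjmbvbg] C:\vfjmbvbg.exe
C:\WINDOWS\svchost.exe
"""

CF_SERVICE = re.compile(r"^[RS]\d ([^;]+);[^;]*;(.+?) \[(.+?) (\d+)\]$")
HJT_O23 = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
HJT_O4 = re.compile(r"^O4 - .*?: \[(.+?)\] (.+)$")
BARE_PATH = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)
PROXY = re.compile(r"ProxyServer = (\S+)")
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$", re.I)
ROOT_FILE = re.compile(r"^[A-Za-z]:\\[^\\]+$")
VOWELS = set("aeiouy")
# Core NT binaries that only run from the system directory. C:\WINDOWS is the install
# path every log line in this thread shows; on another host adjust it (assumption).
SYSTEM_DIR = "c:\\windows\\system32\\"
SYSTEM_BINARIES = {"svchost.exe", "services.exe", "lsass.exe", "smss.exe",
                   "winlogon.exe", "csrss.exe", "spoolsv.exe"}


@dataclass
class Finding:
    name: str
    line: str
    reasons: List[str] = field(default_factory=list)


def looks_random(name: str) -> Optional[str]:
    """Cheap random-name tests, tuned to leave short legitimate names like 'ekrn' alone."""
    stem = name.rsplit(".", 1)[0]
    if HEX_NAME.match(stem):
        return "name is a bare hex string"
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) >= 6 and not any(c in VOWELS for c in letters):
        return "name has no vowels"
    return None


def image_path(command: str) -> str:
    """Extract the executable from an O4 command line, quoted or bare."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"^(.+?\.(?:exe|dll|sys|scr|com))\b", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]


def check_file(name: str, path: str, size: Optional[int], line: str) -> Finding:
    f = Finding(name, line)
    if "(file missing)" in path:
        f.reasons.append("image not found: an unquoted ImagePath with a space is shown "
                         "truncated (C:\\Program.exe), so read the real ImagePath before acting")
        return f
    filename = path.rsplit("\\", 1)[-1]
    for candidate in (name, filename):          # service name and file name both count
        reason = looks_random(candidate)
        if reason and reason not in f.reasons:
            f.reasons.append(reason)
    if size == 0:
        f.reasons.append("zero-byte file on disk")
    if ROOT_FILE.match(path):
        f.reasons.append("executable directly in the drive root")
    if filename.lower() in SYSTEM_BINARIES and not path.lower().startswith(SYSTEM_DIR):
        f.reasons.append(f"{filename} running outside system32 (name-only masquerade)")
    return f


def triage(text: str) -> List[Finding]:
    """Return only the lines that tripped at least one heuristic."""
    findings = []
    for line in (raw.strip() for raw in text.strip().splitlines()):
        if m := CF_SERVICE.match(line):
            f = check_file(m.group(1), m.group(2), int(m.group(4)), line)
        elif m := HJT_O23.match(line):
            f = check_file(m.group(1), m.group(3), None, line)
        elif m := HJT_O4.match(line):
            f = check_file(m.group(1), image_path(m.group(2)), None, line)
        elif BARE_PATH.match(line):
            f = check_file(line.rsplit("\\", 1)[-1], line, None, line)
        elif m := PROXY.search(line):
            f = Finding("ProxyServer", line, [f"WinINET proxy {m.group(1)}: IE and MSN Messenger "
                                              "use it, Firefox has its own; confirm it is expected"])
        else:
            continue
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.name, "->", "; ".join(f.reasons))
```

Two caveats belong next to the output. HijackThis prints "Unknown owner" on an O23 line when the binary carries no company name in its version resource; that is not a signature check, so it is deliberately not a heuristic here. And the name-randomness tests are weak on purpose: `hjgruiyfvxjeao`, the service name that comes up later in this thread, passes both of them, which is why a size of 0, a missing file or a path in the drive root carries more weight than the name alone.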

C:\WINDOWS\System32\svchost.exe

-Svhost can potentially be a virus; it mimics its name.
-If you can, try doing a boot scan for viruses if you have software to do that... very suspicious. In a boot-time scan, it can scan all processes, giving a much higher chance of catching malware/viruses.

- HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
-Many viruses can be called anti-virus but really be viruses. I am not saying it is one, but it looks suspicious to me.

-O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
-Okay, I know what PunkBuster is, but the fact that it says unknown owner tells me it might not be verified and have the real PunkBuster's digital signature... very suspicious.

-Can you please organize the running processes by their NAME from A-Z and repost? It will be easier for me to notice potential malware.

Reply to blackhawk1928

MD5: b42f06bb21d598a834ae4739a10fd34f
First received: 2009.07.13 05:40:27 UTC
Date: 2009.07.16 09:30:56 UTC [+1D]
Results: 23/41
Permalink: analisis/0b6fd9711b2706d97c1b125a67a5ed11a5339b8b11bb43c62222ab5146c95143-1247736656


File fdhjbl.exe received on 2009.07.16 09:30:56 (UTC)
Current status: finished
Result: 23/41 (56.10%)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.07.16 Trojan.Win32.Rabbit!IK
AhnLab-V3 5.0.0.2 2009.07.16 -
AntiVir 7.9.0.215 2009.07.16 TR/Dropper.Gen2
Antiy-AVL 2.0.3.7 2009.07.16 Trojan/Win32.Agent.gen
Authentium 5.1.2.4 2009.07.16 W32/Kobcka.B.gen!Eldorado
Avast 4.8.1335.0 2009.07.16 Win32:Wigon-G
AVG 8.5.0.387 2009.07.16 Win32/Heur
BitDefender 7.2 2009.07.16 -
CAT-QuickHeal 10.00 2009.07.16 TrojanDownloader.Agent.ciiv
ClamAV 0.94.1 2009.07.16 -
Comodo 1668 2009.07.16 -
DrWeb 5.0.0.12182 2009.07.16 Trojan.DownLoad.38937
eSafe 7.0.17.0 2009.07.15 Win32.Wigon.Kt
eTrust-Vet 31.6.6617 2009.07.15 -
F-Prot 4.4.4.56 2009.07.16 W32/Kobcka.B.gen!Eldorado
F-Secure 8.0.14470.0 2009.07.16 Trojan-Downloader.Win32.Agent.ciiv
Fortinet 3.120.0.0 2009.07.16 W32/Agent.CIIV!tr.dldr
GData 19 2009.07.16 Win32:Wigon-G
Ikarus T3.1.1.64.0 2009.07.16 Trojan.Win32.Rabbit
Jiangmin 11.0.800 2009.07.16 TrojanDownloader.Agent.bofg
K7AntiVirus 7.10.793 2009.07.15 Trojan-Downloader.Win32.Agent.ciiv
Kaspersky 7.0.0.125 2009.07.16 Trojan-Downloader.Win32.Agent.ciiv
McAfee 5677 2009.07.15 -
McAfee+Artemis 5677 2009.07.15 Artemis!B42F06BB21D5
McAfee-GW-Edition 6.8.5 2009.07.16 Heuristic.LooksLike.Win32.Cutwail.A
Microsoft 1.4803 2009.07.16 TrojanDownloader:Win32/Cutwail.AS
NOD32 4249 2009.07.16 a variant of Win32/Wigon.KT
Norman 6.01.09 2009.07.15 -
nProtect 2009.1.8.0 2009.07.16 -
Panda 10.0.0.14 2009.07.15 -
PCTools 4.4.2.0 2009.07.15 -
Prevx 3.0 2009.07.16 -
Rising 21.38.31.00 2009.07.16 -
Sophos 4.43.0 2009.07.16 -
Sunbelt 3.2.1858.2 2009.07.16 Trojan.Win32.Unidentified.VS
Symantec 1.4.4.12 2009.07.16 -
TheHacker 6.3.4.3.368 2009.07.15 -
TrendMicro 8.950.0.1094 2009.07.16 -
VBA32 3.12.10.8 2009.07.15 -
ViRobot 2009.7.16.1838 2009.07.16 -
VirusBuster 4.6.5.0 2009.07.15 Trojan.DR.Pandex.Gen.13
Additional information
File size: 22627 bytes
MD5 : b42f06bb21d598a834ae4739a10fd34f
SHA1 : ee97e5164ad4ac3879c60e6ee68f6267abaaca62
SHA256: 0b6fd9711b2706d97c1b125a67a5ed11a5339b8b11bb43c62222ab5146c95143
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x11E4
timedatestamp.....: 0x4A5A6E2E (Mon Jul 13 01:13:50 2009)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xBBC 0xBC0 6.46 3c6d167c3aee0e59f7d55fa0cdfe3d28
.rdata 0x2000 0x362 0x364 4.88 01ba01f2a0b9619a8df22cfa8c6217e7
.data 0x3000 0xD4 0x8F 3.55 c65aaf09d706efb2b8d98183b762aaca
.rsrc 0x4000 0x4260 0x4263 7.98 e3f83fbc9c8cdcfa2d334d8dc5e3dc3d

( 2 imports )

> kernel32.dll: GetModuleHandleA, GetSystemInfo, GetVersionExA, LocalAlloc, Sleep, ExitProcess
> user32.dll: BeginPaint, BlockInput, CharLowerA, CharUpperA, CreateDialogParamA, CreateWindowExA, CreateWindowStationA, DefWindowProcA, DispatchMessageA, EndDialog, EndPaint, FindWindowA, FlashWindow, GetAsyncKeyState, GetClassInfoExA, GetTopWindow, GetUserObjectInformationA, MessageBoxA, RegisterWindowMessageA, SetDlgItemInt, SetFocus, SetWindowTextA, ShowWindow, TranslateMessage, UpdateWindow

( 0 exports )
TrID : File type identification
Win32 Executable Generic (38.3%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
ssdeep: 384:07oityqnQ7S+tZsJvcoH6oOB0GpFwrPP69DSUAxxaMF8ipnJymmiBZ:0cMu3sJp6AGcrnAm7aMOikmFBZ
PEiD : -
RDS : NSRL Reference Data Set

Reply to kevin2m4
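The PEInfo block above is worth reading on its own, before the detection names. Three of the four sections have ordinary entropy, but .rsrc is 0x4260 of the file's 22627 bytes at 7.98 bits per byte, so almost the whole file is a high-entropy blob that the 3 KB .text stub exists to unpack, and the link timestamp (0x4A5A6E2E) is a few hours before VirusTotal first received the file on 2009.07.13. The Python below is an added example, not VirusTotal's code and nothing from the thread, that pulls those two readings out of a PE header with the standard library only: it walks the DOS header to the PE signature, reads the COFF timestamp, and scores each section's raw bytes by Shannon entropy. It runs on a constructed two-section PE fixture built inside the block (not the sample from the thread) with a low-entropy .text and a pseudo-random .rsrc; the 7.0 "packed" threshold is my assumption.

```python
"""Section entropy and build timestamp from a PE32 header (added example)."""
import hashlib
import math
import struct
from datetime import datetime, timezone
from typing import Dict, List, Tuple

PACKED_THRESHOLD = 7.0  # bits/byte (assumed): compiled code sits near 6, packed data near 8


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for random-looking data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> Tuple[int, List[Dict]]:
    """DOS header -> PE signature -> COFF header -> section table; returns (TimeDateStamp, sections)."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size                      # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        raw = blob[rawptr:rawptr + rawsize]           # score the bytes as stored on disk
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize, "raw_size": rawsize,
                         "md5": hashlib.md5(raw).hexdigest(),
                         "entropy": round(shannon_entropy(raw), 2)})
    return timestamp, sections


def build_time(timestamp: int) -> datetime:
    """COFF TimeDateStamp is seconds since the Unix epoch in UTC (VirusTotal prints it in local time)."""
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def high_entropy_sections(sections: List[Dict]) -> List[str]:
    return [s["name"] for s in sections if s["entropy"] >= PACKED_THRESHOLD]


def build_sample_pe(timestamp: int, sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Constructed minimal PE32 fixture: a parseable header, not a runnable program."""
    e_lfanew, opt_size, file_align = 0x40, 224, 0x200
    headers = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    headers = -(-headers // file_align) * file_align            # round up to FileAlignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)    # PE32 magic, rest zeroed
    table, data, raw_ptr, vaddr = b"", b"", headers, 0x1000
    for name, body in sections:
        padded = body + b"\0" * (-len(body) % file_align)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body), vaddr,
                             len(padded), raw_ptr, 0, 0, 0, 0, 0x40000040)
        data += padded
        raw_ptr += len(padded)
        vaddr += -(-len(body) // 0x1000) * 0x1000
    head = dos + b"PE\0\0" + coff + opt + table
    return head + b"\0" * (headers - len(head)) + data


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 counter) standing in for a packed payload."""
    out = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(-(-n // 32)))
    return out[:n]


# Constructed fixture mirroring the shape VirusTotal reported: a small .text stub
# (four distinct bytes, entropy exactly 2.0) and a .rsrc section that is nearly all the file.
SAMPLE_PE = build_sample_pe(0x4A5A6E2E, [(b".text", b"\x55\x8b\xec\xc3" * 256),
                                         (b".rsrc", pseudo_random(8192))])


def summarize(blob: bytes) -> Dict:
    timestamp, sections = parse_pe(blob)
    return {"timestamp": timestamp, "built_utc": build_time(timestamp).isoformat(),
            "sections": sections, "high_entropy": high_entropy_sections(sections)}


if __name__ == "__main__":
    report = summarize(SAMPLE_PE)
    print("built:", report["built_utc"])
    for s in report["sections"]:
        print(f'{s["name"]:<8} raw={s["raw_size"]:#07x} entropy={s["entropy"]:.2f}')
    print("high-entropy sections:", report["high_entropy"])
```

On a real file, replace `SAMPLE_PE` with the bytes read from disk. A section that scores near 8 under an innocuous name such as .rsrc, with a tiny .text beside it, is the usual shape of a stub plus a packed payload; the vendor names on the page (Dropper, Downloader, Cutwail/Pandex) fit that shape, but entropy only says there is something to unpack, not what it is.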

It let me delete it, though.

Reply to kevin2m4

C:\WINDOWS\system32\drivers\cbdf3c78.sys

0 bytes size received / An empty file was received

Reply to kevin2m4

I don't understand, is that the results from a scan(s)?

--Can you please organize the running processes from Task Manager by their NAME from A-Z and repost? It will be easier for me to notice potential malware.

Reply to blackhawk1928

Those were the results of the files I submitted to VirusTotal.

Reply to kevin2m4

That's good, lets continue with the fix.

Step One

First create a batch file to delete a service

Open notepad.

Click start > run and type in:

notepad.exe

Copy and paste the bolded text below into notepad:

@ECHO OFF
sc stop hjgruiyfvxjeao
sc delete hjgruiyfvxjeao
exit


Select "File" then "Save as"
Save to the Desktop and make the File name:

delserv.bat

make sure that the "Save as type" says "All files"

Double click the newly created delserv file on your desktop. A black window should briefly appear.


Step Two

Open notepad.

Click start > run and type in:

notepad.exe

Copy and paste the bolded text below into notepad:

KillAll::

File::
c:\windows\system32\flashd32.dll
C:\vfjmbvbg.exe
C:\WINDOWS\system32\drivers\cbdf3c78.sys

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{38101905-D80F-4788-96F6-986A8186178A}"=-


Save this as a text file with name of:

CFScript

Select "All files" from Save as Type. Save to the desktop.

Now click and drag the CFScript file onto the combofix icon on your desktop.

Post the new combofix log in your next reply.

Reply to btk1w1

--Can you please organize the running processes from Task Manager by their NAME from A-Z and repost? It will be easier for me to notice potential malware, as you did in one of the posts above...

-Why are you ignoring me? I need to see them organized by name from A-Z; it will let me notice and see anything fishy.

Reply to blackhawk1928

How do I do that?
HijackThis arranges them how it wants.

Reply to kevin2m4

Oh, I see, I used Everest for that one post. OK, give me a sec.

Reply to kevin2m4

--------[ Processes ]---------------------------------------------------------------------------------------------------

aawservice.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe 32-bit 1504 KB 11524 KB
Ati2evxx.exe C:\WINDOWS\system32\Ati2evxx.exe 32-bit 3820 KB 2108 KB
Ati2evxx.exe C:\WINDOWS\system32\Ati2evxx.exe 32-bit 3300 KB 1904 KB
CachemanXP.exe C:\PROGRA~1\CACHEM~1\CachemanXP.exe 32-bit 1520 KB 2232 KB
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe 32-bit 4772 KB 1340 KB
devldr32.exe C:\WINDOWS\system32\devldr32.exe 32-bit 3976 KB 2364 KB
egui.exe C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe 32-bit 3312 KB 8064 KB
ekrn.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe 32-bit 43200 KB 40172 KB
everest.exe C:\Program Files\Lavalys\EVEREST Ultimate Edition\everest.exe 32-bit 24284 KB 21764 KB
Explorer.EXE C:\WINDOWS\Explorer.EXE 32-bit 32792 KB 35556 KB
firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 32-bit 167 MB 158 MB
frd.exe C:\Program Files\Java\jre6\launch4j-tmp\frd.exe 32-bit 35004 KB 71768 KB
GrooveMonitor.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe 32-bit 7252 KB 2748 KB
HDSentinel.exe C:\Program Files\Hard Disk Sentinel\HDSentinel.exe 32-bit 16308 KB 13700 KB
HPWuSchd2.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe 32-bit 2904 KB 952 KB
ICQ.exe C:\Program Files\ICQ6.5\ICQ.exe 32-bit 49040 KB 46472 KB
InCDsrv.exe C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe 32-bit 5272 KB 2228 KB
ipoint.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe 32-bit 14556 KB 8496 KB
jqs.exe C:\Program Files\Java\jre6\bin\jqs.exe 32-bit 1392 KB 2236 KB
lsass.exe C:\WINDOWS\system32\lsass.exe 32-bit 1604 KB 2800 KB
MaxBlastMonitor.exe C:\Program Files\Seagate\DiscWizard\MaxBlastMonitor.exe 32-bit 2304 KB 1812 KB
MSCamS32.exe C:\Program Files\Microsoft LifeCam\MSCamS32.exe 32-bit 2560 KB 760 KB
msmsgs.exe C:\Program Files\Messenger\msmsgs.exe 32-bit 1896 KB 1632 KB
MsnMsgr.Exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe 32-bit 59932 KB 40900 KB
PnkBstrA.exe C:\WINDOWS\system32\PnkBstrA.exe 32-bit 2528 KB 1764 KB
regmech.exe C:\Program Files\Registry Mechanic\regmech.exe 32-bit 22500 KB 21872 KB
RocketDock.exe C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe 32-bit 11840 KB 4972 KB
schedhlp.exe C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe 32-bit 3212 KB 996 KB
schedul2.exe C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe 32-bit 2388 KB 736 KB
SeaPort.exe C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe 32-bit 8408 KB 5776 KB
services.exe C:\WINDOWS\system32\services.exe 32-bit 5404 KB 3696 KB
smss.exe C:\WINDOWS\System32\smss.exe 32-bit 416 KB 172 KB
speedfan.exe C:\Program Files\SpeedFan\speedfan.exe 32-bit 11640 KB 6304 KB
spoolsv.exe C:\WINDOWS\system32\spoolsv.exe 32-bit 5876 KB 3920 KB
StarWindService.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe 32-bit 2140 KB 608 KB
steam.exe C:\program files\steam\steam.exe 32-bit 21712 KB 54396 KB
SUPERAntiSpyware.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe 32-bit 804 KB 100 MB
svchost.exe C:\WINDOWS\System32\svchost.exe 32-bit 1924 KB 532 KB
svchost.exe C:\WINDOWS\System32\svchost.exe 32-bit 1884 KB 520 KB
svchost.exe C:\WINDOWS\system32\svchost.exe 32-bit 4060 KB 2328 KB
svchost.exe C:\WINDOWS\System32\svchost.exe 32-bit 2492 KB 1116 KB
svchost.exe C:\WINDOWS\system32\svchost.exe 32-bit 6404 KB 3392 KB
svchost.exe C:\WINDOWS\system32\svchost.exe 32-bit 4788 KB 2884 KB
svchost.exe C:\WINDOWS\System32\svchost.exe 32-bit 36480 KB 20980 KB
svchost.exe C:\WINDOWS\system32\svchost.exe 32-bit 2260 KB 1720 KB
TimounterMonitor.exe C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe 32-bit 6220 KB 6684 KB
TUProgSt.exe C:\WINDOWS\System32\TUProgSt.exe 32-bit 2952 KB 1020 KB
UberIcon Manager.exe C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe 32-bit 4060 KB 1328 KB
UltraMon.exe C:\Program Files\UltraMon\UltraMon.exe 32-bit 4236 KB 3640 KB
UltraMonTaskbar.exe C:\Program Files\UltraMon\UltraMonTaskbar.exe 32-bit 3224 KB 1464 KB
vVX6000.exe C:\WINDOWS\vVX6000.exe 32-bit 4268 KB 1484 KB
WgaTray.exe C:\WINDOWS\system32\WgaTray.exe 32-bit 416 KB 2256 KB
winamp.exe C:\Program Files\Winamp\winamp.exe 32-bit 71068 KB 60396 KB
winlogon.exe C:\WINDOWS\system32\winlogon.exe 32-bit 5016 KB 7296 KB
wlcomm.exe C:\Program Files\Windows Live\Contacts\wlcomm.exe 32-bit 32860 KB 20512 KB
WLService.exe C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe 32-bit 1384 KB 380 KB
WMP54Gv4.exe C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe 32-bit 7720 KB 8188 KB


Reply to kevin2m4

Hi Kevin,

How are you going with the scripts?

We are at the business end of the process.

Reply to btk1w1

That report is after I ran those scripts. They rocked. Chug a beer.

Are you some kind of computer magician or wizard?

Reply to kevin2m4

LOL.... I do enjoy a chug o' beer.

Can you grab the combofix log from C:\ComboFix.txt, it will be updated from the previous combofix run.

Reply to btk1w1

ox dibhjj js,,,rt yr i is hammeeref anf i dont ghink ti abnk thrtihkkk

Reply to kevin2m4

Everything all good?

We can continue the fix when you're ready, just let me know.

Reply to btk1w1

Thanks, I checked out your processes and it looks pretty clean to me; however, just to be safe, since svhost really looks suspicious to me, just go to this link:
http://www.processlibrary.com/search/?q=svhost
and run the scan to check for svhost-related errors, because everything might be fine but I smell fish from that process.

-Also services.exe looks fishy,
http://www.processlibrary.com/search/?q=services.exe
-run the scan

-And lastly msmsgs.exe looks like it might be something
http://www.processlibrary.com/search/?q=msmsgs.exe

*Note* in the links I sent you, there might be more than one of the same process listed; run the scan under the one that is colored red, not green.

Reply to blackhawk1928

Sorry for the double post, but give me some time and I will take a closer look at those processes and will try to find software for you to get rid of process-related malware. I will stay focused on just the *"running processes and services"* to look into that, because I don't really know much about the scripts you and the other poster are doing and other stuff.

Reply to blackhawk1928