Trojans failed to disinfect?
My PC Hell Forum
November 22, 2008, 07:18:38 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Moving to New Location Soon! Watch out for notification. 14th Dec 2007.
 
   Home   Help Search Calendar Login Register  
Pages: [1] 2
« previous next »
  Print  
Author Topic: Trojans failed to disinfect?  (Read 1126 times)
xxxxmoogle
New FixmyXP Member
*
Posts: 9


View Profile
« on: April 05, 2008, 04:37:25 AM »
The following were failed to disinfect in Comodo AntiVirus:

Trojan.Win32.Inject.wn
Trojan-Downloader.Win32.INService.gen
not-a-virus:AdWare.Win32.Softomate.u
not-a-virus:AdWare.Win32.EZula.u
Trojan-Downloader.Win32.Small.cws
UnKnown
Trojan-Dropper.Win32.Agent.mu
Trojan-Downloader.Win32.IstBar.pb


Would there be any other way to have them deleted?
Logged
Squeezebox
Administrator
******
Posts: 2756



View Profile
« Reply #1 on: April 05, 2008, 05:55:46 AM »
I'm not familiar with Comodo, but are these trojans being detected in a System Restore point? Try turning off System Restore, then reboot and turn it back on again.

Alternatively, try scanning with Comodo in Safe Mode.
Logged
Essexboy
Administrator
*****
Posts: 899



View Profile WWW
« Reply #2 on: April 06, 2008, 09:42:48 AM »
Or failing that I can remove them 

Download & Run HijackThis.exe

  • Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Logged
VISTA
XPsp2
Avast (of course)



http://spaces.msn.com/members/essexboymkn/

 If ignorance is bliss  why aren't more people happy?
xxxxmoogle
New FixmyXP Member
*
Posts: 9


View Profile
« Reply #3 on: April 09, 2008, 09:57:18 PM »
Also...my taskbar is being a bit odd...It only shows the quicklaunch toolbar on it but no windows,
and I have to navigate by pressing Alt+Tab instead.

And the Security Center would pop up and say "There is no firewall detected" and when I would click to change it, it's already on.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:12 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MOOGLE\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://*.asiafinest.com
O15 - Trusted Zone: http://*.glitter-graphics.net
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c46.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139615377250
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9AAF2361-DA02-43C4-AD5A-BCE5B363DC0D} (Register Class) - http://web.spaceillusion.com/help/WebRegister1013.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BCA9A936-F557-408E-8301-D5B2B302EFD6} (SiUpdaterCtrl Class) - http://web.spaceillusion.com/help/iDanceUpdater1020.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D69969D6-C2CB-42EE-9651-E8B6663E88A5} (myBeatMDCTL Class) - http://web.spaceillusion.com/help/myBeatMD1159.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{234BFBB6-07BD-48AF-92E0-800FCBFB33D2}: NameServer = 209.244.0.3 209.244.0.4
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: haofjbmj.dll   
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O21 - SSODL: System - {61CBBCF4-B817-4A29-B74A-26F08810FD24} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8069 bytes


(By the way PeoplePC is my ISP)
Logged
Kabith
Rising Star
***
Posts: 109



View Profile
« Reply #4 on: April 10, 2008, 02:00:11 AM »
EDIT:  I removed your comments Kabith, it's best not to offer any advice when Essexboy is on the case. (Even I don't 'interfere' while he's still at the analysis stages).
« Last Edit: April 10, 2008, 11:09:22 AM by Squeezebox » Logged
Essexboy
Administrator
*****
Posts: 899



View Profile WWW
« Reply #5 on: April 10, 2008, 03:53:57 PM »
OK then lets go kill it

Please re-open HiJackThis and scan.  Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c46.cab
O16 - DPF: {9AAF2361-DA02-43C4-AD5A-BCE5B363DC0D} (Register Class) - http://web.spaceillusion.com/help/WebRegister1013.cab
O16 - DPF: {BCA9A936-F557-408E-8301-D5B2B302EFD6} (SiUpdaterCtrl Class) - http://web.spaceillusion.com/help/iDanceUpdater1020.cab
O16 - DPF: {D69969D6-C2CB-42EE-9651-E8B6663E88A5} (myBeatMDCTL Class) - http://web.spaceillusion.com/help/myBeatMD1159.cab
O20 - AppInit_DLLs: haofjbmj.dll   
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O21 - SSODL: System - {61CBBCF4-B817-4A29-B74A-26F08810FD24} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked.  Close HiJackThis.   


NEXT

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
C:\WINDOWS\SYSTEM32\monln.dll
C:\WINDOWS\SYSTEM32\haofjbmj.dll 
Purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.[/color]
    -----------------------------------------------------------
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you. 
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Logs required : OTMoveit and Combofix
« Last Edit: April 10, 2008, 03:56:25 PM by Essexboy » Logged
VISTA
XPsp2
Avast (of course)



http://spaces.msn.com/members/essexboymkn/

 If ignorance is bliss  why aren't more people happy?
xxxxmoogle
New FixmyXP Member
*
Posts: 9


View Profile
« Reply #6 on: April 10, 2008, 06:36:34 PM »
Thank you very much for the help.  ylaugh

Here is the OTMoveIt2 log:

DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\monln.dll
C:\WINDOWS\SYSTEM32\monln.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\monln.dll moved successfully.
File/Folder C:\WINDOWS\SYSTEM32\haofjbmj.dll not found.
< Purity >
C:\WINDOWS\Αdobe moved successfully.
C:\WINDOWS\Fοnts moved successfully.
C:\WINDOWS\Мicrosoft moved successfully.
C:\WINDOWS\system32\ΑppPatch moved successfully.
C:\WINDOWS\system32\Міcrosoft moved successfully.
C:\WINDOWS\system32\ѕecurity moved successfully.
C:\WINDOWS\system32\Ѕуmantec moved successfully.
C:\WINDOWS\system32\ѕуmbols moved successfully.
C:\WINDOWS\system32\Τasks moved successfully.
C:\WINDOWS\system32\Тasks moved successfully.
C:\WINDOWS\system32\WіnSxS moved successfully.
C:\Program Files\аѕsembly moved successfully.
C:\Program Files\Fоnts moved successfully.
C:\Program Files\Ѕуmantec moved successfully.
C:\Program Files\ѕystem moved successfully.
C:\Program Files\Common Files\Sуmantec moved successfully.
C:\Documents and Settings\MOOGLE\My Documents\Αdobe\New Folder (2) moved successfully.
C:\Documents and Settings\MOOGLE\My Documents\Αdobe\Brushes moved successfully.
C:\Documents and Settings\MOOGLE\My Documents\Αdobe moved successfully.
C:\Documents and Settings\MOOGLE\Application Data\АрpPatch moved successfully.
C:\Documents and Settings\MOOGLE\Application Data\ѕecurity moved successfully.
C:\Documents and Settings\MOOGLE\Application Data\ѕеcurity moved successfully.
C:\Documents and Settings\MOOGLE\Application Data\ѕуstem moved successfully.
 
OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04102008_173339

ComboFix Log:

ComboFix 08-04-10.4 - MOOGLE 2008-04-10 18:13:30.2 - NTFSx86
Running from: C:\Documents and Settings\MOOGLE\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\MOOGLE\Application Data\macromedia\Flash Player\#SharedObjects\C2WTK59M\www.broadcaster.com
C:\Documents and Settings\MOOGLE\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\MOOGLE\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\cmsystem
C:\Program Files\cmsystem\cmappupdate.exe
C:\Program Files\cmsystem\sf.txt
C:\Program Files\cmsystem\Uninstall.exe
C:\Program Files\Helper
C:\Program Files\Helper\1206401299.dll
C:\Program Files\winupdates
C:\WINDOWS\Downloaded Program Files\ysbactivex.dll
C:\WINDOWS\pf78.exe
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tpuninstall.exe
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\wtsisu.exe
C:\WINDOWS\system32\wtssvsu.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Service_NwSapAgent
-------\Service_Windows Overlay Components


(((((((((((((((((((((((((   Files Created from 2008-03-10 to 2008-04-10  )))))))))))))))))))))))))))))))
.

2008-04-10 18:04 . 2008-04-10 18:26   0   --a------   C:\WINDOWS\system.ini
2008-04-10 17:33 . 2008-04-10 17:33   <DIR>   d--------   C:\_OTMoveIt
2008-04-10 14:34 . 2008-04-10 14:34   11,776   --a------   C:\Resume.wps
2008-04-10 12:31 . 2008-04-10 12:31   <DIR>   d--------   C:\Documents and Settings\Phoukham\Application Data\Template
2008-04-09 22:04 . 2008-04-09 22:04   <DIR>   d--------   C:\d808d1b0862c2ba06d
2008-04-08 15:50 . 2008-04-08 15:50   512   --a------   C:\sek
2008-04-08 02:50 . 2008-04-10 18:04   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-04-08 02:50 . 2008-04-08 02:50   1,409   --a------   C:\WINDOWS\QTFont.for
2008-04-08 02:45 . 2008-04-08 02:45   <DIR>   d--------   C:\Program Files\iPod
2008-04-08 02:39 . 2008-04-08 02:40   <DIR>   d--------   C:\Program Files\QuickTime
2008-04-04 23:11 . 2008-04-04 23:11   <DIR>   d--------   C:\Documents and Settings\Sam Supanhnapom\Application Data\Lavasoft
2008-03-31 20:02 . 2008-03-31 21:29   <DIR>   d--------   C:\Documents and Settings\MOOGLE\.SunDownloadManager
2008-03-28 23:37 . 2008-03-28 23:37   90,112   --a------   C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37   57,344   --a------   C:\WINDOWS\system32\QuickTime.qts
2008-03-25 18:27 . 2007-09-05 23:22   289,144   --a------   C:\WINDOWS\system32\VCCLSID.exe
2008-03-25 18:27 . 2006-04-27 16:49   288,417   --a------   C:\WINDOWS\system32\SrchSTS.exe
2008-03-25 18:27 . 2008-03-22 15:49   86,528   --a------   C:\WINDOWS\system32\VACFix.exe
2008-03-25 18:27 . 2008-03-15 17:16   82,432   --a------   C:\WINDOWS\system32\IEDFix.exe
2008-03-25 18:27 . 2003-06-05 20:13   53,248   --a------   C:\WINDOWS\system32\Process.exe
2008-03-25 18:27 . 2004-07-31 17:50   51,200   --a------   C:\WINDOWS\system32\dumphive.exe
2008-03-25 18:27 . 2007-10-03 23:36   25,600   --a------   C:\WINDOWS\system32\WS2Fix.exe
2008-03-25 18:03 . 2008-03-25 18:03   <DIR>   d--------   C:\Autoruns
2008-03-25 16:49 . 2008-03-25 16:49   276,316   --a------   C:\Pass2.cmd
2008-03-24 22:08 . 2008-03-25 18:36   1,828   --a------   C:\WINDOWS\system32\tmp.reg
2008-03-24 22:05 . 2008-03-24 22:09   <DIR>   d--------   C:\Documents and Settings\MOOGLE\SmitfraudFix
2008-03-24 21:39 . 2008-03-24 21:39   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Comodo
2008-03-24 21:39 . 2008-03-24 21:36   102,400   --a------   C:\WINDOWS\system32\drivers\cavasm.sys
2008-03-24 21:39 . 2008-03-24 21:36   73,728   --a------   C:\WINDOWS\system32\CavEmLSP.dll
2008-03-24 21:38 . 2008-03-24 21:37   434,252   --a------   C:\WINDOWS\system32\MSVCRTD.DLL
2008-03-20 23:56 . 2008-03-20 23:56   <DIR>   d--------   C:\Documents and Settings\MOOGLE\Application Data\Uniblue
2008-03-20 16:12 . 2008-03-24 22:00   <DIR>   d--------   C:\Program Files\Uniblue
2008-03-20 16:00 . 2008-03-24 21:39   <DIR>   d--------   C:\Program Files\comodo
2008-03-20 15:43 . 2008-03-20 15:43   <DIR>   d--------   C:\Program Files\Zamaan's Software
2008-03-20 15:43 . 1998-06-24 13:00   244,024   --a------   C:\WINDOWS\system32\MSFLXGRD.OCX
2008-03-20 15:43 . 2000-05-22 17:00   203,976   --a------   C:\WINDOWS\system32\richtx32.ocx
2008-03-20 15:43 . 2004-03-09 13:00   132,880   --a------   C:\WINDOWS\system32\MSINET.OCX
2008-03-20 15:39 . 2008-03-20 15:39   <DIR>   d--------   C:\Documents and Settings\MOOGLE\Application Data\WinPatrol
2008-03-20 15:37 . 2008-03-20 15:37   <DIR>   d--------   C:\Program Files\BillP Studios
2008-03-20 15:36 . 2008-03-20 16:06   <DIR>   d--hsc---   C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-20 15:35 . 2008-03-20 15:35   <DIR>   d--------   C:\Program Files\Windows Live
2008-03-20 15:35 . 2008-03-20 16:07   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-20 11:34 . 2007-10-27 23:46   2,400,784   --a------   C:\WLinstaller.exe
2008-03-16 14:20 . 2008-04-04 23:17   <DIR>   d--------   C:\Documents and Settings\Sam Supanhnapom\Application Data\Apple Computer
2008-03-13 12:24 . 2008-03-13 12:24   <DIR>   d--------   C:\Program Files\Clickincome Inc
2008-03-12 22:57 . 2008-03-25 15:45   <DIR>   d-a------   C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-12 22:54 . 2008-03-12 22:54   <DIR>   d--------   C:\Program Files\KeePass Password Safe
2008-03-11 16:21 . 2008-03-11 16:21   <DIR>   d--------   C:\Program Files\Bonjour
2008-03-10 17:33 . 2008-03-10 17:33   <DIR>   d--------   C:\Program Files\Smart Projects

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 07:45   ---------   d-----w   C:\Program Files\iTunes
2008-04-08 06:16   ---------   d-----w   C:\Program Files\PeoplePC
2008-04-05 01:05   ---------   d-----w   C:\Program Files\CompuServe 7.0
2008-04-04 02:01   ---------   d-----w   C:\Program Files\YourSiteBar
2008-03-25 19:07   ---------   d-----w   C:\Program Files\ewido anti-malware
2008-03-25 18:36   ---------   d-----w   C:\Program Files\Lavasoft
2008-03-25 02:37   499,712   ----a-w   C:\WINDOWS\system32\msvcp71.dll
2008-03-25 02:37   348,160   ----a-w   C:\WINDOWS\system32\msvcr71.dll
2008-03-25 02:37   1,060,864   ----a-w   C:\WINDOWS\system32\MFC71.DLL
2008-03-22 06:05   0   ----a-w   C:\WINDOWS\system32\drivers\lvuvc.hs
2008-03-20 20:43   13,312   --s-a-w   C:\WINDOWS\system32\lvhjtsa.dll
2008-03-19 05:30   ---------   d-----w   C:\Program Files\MSN Messenger
2008-03-19 05:29   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-03-11 21:21   ---------   d-----w   C:\Program Files\MySpace
2008-03-01 13:06   826,368   ----a-w   C:\WINDOWS\system32\wininet.dll
2008-02-28 01:36   ---------   d-----w   C:\Program Files\PeoplePC Accelerate
2008-02-28 01:35   ---------   d-----w   C:\Documents and Settings\MOOGLE\Application Data\PeoplePC Online
2008-02-21 02:45   ---------   d-----w   C:\Program Files\AIM6
2008-02-21 02:41   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-21 02:40   ---------   d-----w   C:\Program Files\Viewpoint
2008-02-21 02:40   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-21 02:39   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\AOL
2008-02-20 05:32   45,568   ----a-w   C:\WINDOWS\system32\dnsrslvr.dll
2008-02-11 00:59   ---------   d-----w   C:\Documents and Settings\MOOGLE\Application Data\GetRight
2008-02-10 16:35   ---------   d-----w   C:\Documents and Settings\Sam Supanhnapom\Application Data\MSN6
2008-01-29 17:02   107,368   ----a-w   C:\WINDOWS\system32\GEARAspi.dll
2007-02-01 23:11   582   ----a-w   C:\Program Files\readme.txt
2007-02-01 23:02   313,344   ----a-w   C:\Program Files\hjsplit.exe
2006-04-16 01:47   81   -c--a-w   C:\Program Files\MDMaker2_en.xml_.md5
2006-04-15 23:10   81   -c--a-w   C:\Program Files\MDMaker2_en.xml.md5
2006-04-15 23:10   217   -c--a-w   C:\Program Files\MDMaker2_en.xml
2006-04-15 22:33   88   -c--a-w   C:\Program Files\GayoList_MyDancer.xml.md5
2006-04-15 22:33   126   -c--a-w   C:\Program Files\GayoList_MyDancer.xml
2005-07-21 08:02   280,064   ----a-w   C:\Documents and Settings\MOOGLE\Application Data\tizhook.bin
2005-07-21 08:02   137,947   ----a-w   C:\Documents and Settings\MOOGLE\Application Data\tizupd.bin
2005-07-14 17:31   27,648   --sha-r   C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 20:32   616,448   --sha-r   C:\WINDOWS\system32\cygwin1.dll
2005-06-22 03:37   45,568   --sha-r   C:\WINDOWS\system32\cygz.dll
2005-07-28 05:13   56   -csh--r   C:\WINDOWS\system32\F036A267D9.sys
2006-05-03 09:06   163,328   --sh--r   C:\WINDOWS\system32\flvDX.dll
2005-07-28 05:13   5,852   -csha-w   C:\WINDOWS\system32\KGyGaAvL.sys
2007-02-21 10:47   31,232   --sh--r   C:\WINDOWS\system32\msfDX.dll
2005-02-28 18:16   240,128   --sha-r   C:\WINDOWS\system32\x.264.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-04 14:41 68856]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-08-09 18:20 67128]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSFIE]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdidrv32.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lao Keyboard Mapping.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lao Keyboard Mapping.lnk
backup=C:\WINDOWS\pss\Lao Keyboard Mapping.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoader40pd1aKeOaPN]
C:\WINDOWS\system32\slecconf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
--a------ 2003-09-03 17:25 73728 C:\WINDOWS\system32\sstray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-03-04 09:29 782336 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Paltalk\\paltalk.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\aim\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\comodo\\Comodo AntiVirus\\CMain.exe"=
"C:\\Program Files\\AC3Filter\\ac3config.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14253:TCP"= 14253:TCP:*:Disabled:BitComet 14253 TCP
"14253:UDP"= 14253:UDP:*:Disabled:BitComet 14253 UDP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
TermService
wuauserv
BITS
ShellHWDetection
helpsvc
xmlprov
wscsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 23:23:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-05 01:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-04-10 20:15:19 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-04-10 01:45:43 C:\WINDOWS\Tasks\User_Feed_Synchronization-{D6DF32E0-270D-4B30-B048-5BA11D674BAF}.job"
- C:\WINDOWS\system32\msfeedssync.exe
"2007-09-15 07:53:29 C:\WINDOWS\Tasks\Windows Media Player.job"
- C:\PROGRA~1\WINDOW~2\wmplayer.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 18:26:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-10 18:34:20
ComboFix-quarantined-files.txt  2008-04-10 23:33:49
Pre-Run: 35,298,697,216 bytes free
Post-Run: 35,277,099,008 bytes free
.
2008-04-10 20:10:37   --- E O F --- 
« Last Edit: April 10, 2008, 07:38:39 PM by xxxxmoogle » Logged
Essexboy
Administrator
*****
Posts: 899



View Profile WWW
« Reply #7 on: April 11, 2008, 01:10:16 PM »
How is it running now ?

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\system32\lvhjtsa.dll
C:\WINDOWS\system32\slecconf.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoader40pd1aKeOaPN]

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
Logged
VISTA
XPsp2
Avast (of course)



http://spaces.msn.com/members/essexboymkn/

 If ignorance is bliss  why aren't more people happy?
xxxxmoogle
New FixmyXP Member
*
Posts: 9


View Profile
« Reply #8 on: April 11, 2008, 09:48:01 PM »
So far, it's the same I guess.
But I'm sure with the help you've given me
it's going to be better, Thank you very much. :D


Oh I think I sort of recognized one of those files, the program
VirusHeat and NetProject were infesting my computer last month...
I don't think I completely deleted them...
But for some reason, everytime I log onto the computer, Something will always pop up and tell me that my Firewall has been turned off and I have no idea what is turning it off...

ComboFix 08-04-10.4 - MOOGLE 2008-04-11 21:13:59.3 - NTFSx86
Running from: C:\Documents and Settings\MOOGLE\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MOOGLE\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\system32\lvhjtsa.dll
C:\WINDOWS\system32\slecconf.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\system32\lvhjtsa.dll

.
(((((((((((((((((((((((((   Files Created from 2008-03-12 to 2008-04-12  )))))))))))))))))))))))))))))))
.

2008-04-11 21:14 . 2008-04-11 21:14   6,736   --a------   C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-04-10 18:04 . 2008-04-10 18:26   0   --a------   C:\WINDOWS\system.ini
2008-04-10 17:33 . 2008-04-10 17:33   <DIR>   d--------   C:\_OTMoveIt
2008-04-10 14:34 . 2008-04-10 14:34   11,776   --a------   C:\Resume.wps
2008-04-10 12:31 . 2008-04-10 12:31   <DIR>   d--------   C:\Documents and Settings\Phoukham\Application Data\Template
2008-04-09 22:04 . 2008-04-09 22:04   <DIR>   d--------   C:\d808d1b0862c2ba06d
2008-04-08 15:50 . 2008-04-08 15:50   512   --a------   C:\sek
2008-04-08 02:50 . 2008-04-11 20:58   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-04-08 02:50 . 2008-04-08 02:50   1,409   --a------   C:\WINDOWS\QTFont.for
2008-04-08 02:45 . 2008-04-08 02:45   <DIR>   d--------   C:\Program Files\iPod
2008-04-08 02:39 . 2008-04-08 02:40   <DIR>   d--------   C:\Program Files\QuickTime
2008-04-04 23:11 . 2008-04-04 23:11   <DIR>   d--------   C:\Documents and Settings\Sam Supanhnapom\Application Data\Lavasoft
2008-03-31 20:02 . 2008-03-31 21:29   <DIR>   d--------   C:\Documents and Settings\MOOGLE\.SunDownloadManager
2008-03-28 23:37 . 2008-03-28 23:37   90,112   --a------   C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37   57,344   --a------   C:\WINDOWS\system32\QuickTime.qts
2008-03-25 18:27 . 2007-09-05 23:22   289,144   --a------   C:\WINDOWS\system32\VCCLSID.exe
2008-03-25 18:27 . 2006-04-27 16:49   288,417   --a------   C:\WINDOWS\system32\SrchSTS.exe
2008-03-25 18:27 . 2008-03-22 15:49   86,528   --a------   C:\WINDOWS\system32\VACFix.exe
2008-03-25 18:27 . 2008-03-15 17:16   82,432   --a------   C:\WINDOWS\system32\IEDFix.exe
2008-03-25 18:27 . 2003-06-05 20:13   53,248   --a------   C:\WINDOWS\system32\Process.exe
2008-03-25 18:27 . 2004-07-31 17:50   51,200   --a------   C:\WINDOWS\system32\dumphive.exe
2008-03-25 18:27 . 2007-10-03 23:36   25,600   --a------   C:\WINDOWS\system32\WS2Fix.exe
2008-03-25 18:03 . 2008-03-25 18:03   <DIR>   d--------   C:\Autoruns
2008-03-25 16:49 . 2008-03-25 16:49   276,316   --a------   C:\Pass2.cmd
2008-03-24 22:08 . 2008-03-25 18:36   1,828   --a------   C:\WINDOWS\system32\tmp.reg
2008-03-24 22:05 . 2008-03-24 22:09   <DIR>   d--------   C:\Documents and Settings\MOOGLE\SmitfraudFix
2008-03-24 21:39 . 2008-03-24 21:39   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Comodo
2008-03-24 21:39 . 2008-03-24 21:36   102,400   --a------   C:\WINDOWS\system32\drivers\cavasm.sys
2008-03-24 21:39 . 2008-03-24 21:36   73,728   --a------   C:\WINDOWS\system32\CavEmLSP.dll
2008-03-24 21:38 . 2008-03-24 21:37   434,252   --a------   C:\WINDOWS\system32\MSVCRTD.DLL
2008-03-20 23:56 . 2008-03-20 23:56   <DIR>   d--------   C:\Documents and Settings\MOOGLE\Application Data\Uniblue
2008-03-20 16:12 . 2008-03-24 22:00   <DIR>   d--------   C:\Program Files\Uniblue
2008-03-20 16:00 . 2008-03-24 21:39   <DIR>   d--------   C:\Program Files\comodo
2008-03-20 15:43 . 2008-03-20 15:43   <DIR>   d--------   C:\Program Files\Zamaan's Software
2008-03-20 15:43 . 1998-06-24 13:00   244,024   --a------   C:\WINDOWS\system32\MSFLXGRD.OCX
2008-03-20 15:43 . 2000-05-22 17:00   203,976   --a------   C:\WINDOWS\system32\richtx32.ocx
2008-03-20 15:43 . 2004-03-09 13:00   132,880   --a------   C:\WINDOWS\system32\MSINET.OCX
2008-03-20 15:39 . 2008-03-20 15:39   <DIR>   d--------   C:\Documents and Settings\MOOGLE\Application Data\WinPatrol
2008-03-20 15:37 . 2008-03-20 15:37   <DIR>   d--------   C:\Program Files\BillP Studios
2008-03-20 15:36 . 2008-03-20 16:06   <DIR>   d--hsc---   C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-20 15:35 . 2008-03-20 15:35   <DIR>   d--------   C:\Program Files\Windows Live
2008-03-20 15:35 . 2008-03-20 16:07   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-20 11:34 . 2007-10-27 23:46   2,400,784   --a------   C:\WLinstaller.exe
2008-03-16 14:20 . 2008-04-04 23:17   <DIR>   d--------   C:\Documents and Settings\Sam Supanhnapom\Application Data\Apple Computer
2008-03-13 12:24 . 2008-03-13 12:24   <DIR>   d--------   C:\Program Files\Clickincome Inc
2008-03-12 22:57 . 2008-03-25 15:45   <DIR>   d-a------   C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-12 22:54 . 2008-03-12 22:54   <DIR>   d--------   C:\Program Files\KeePass Password Safe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 07:45   ---------   d-----w   C:\Program Files\iTunes
2008-04-08 06:16   ---------   d-----w   C:\Program Files\PeoplePC
2008-04-05 01:05   ---------   d-----w   C:\Program Files\CompuServe 7.0
2008-04-04 02:01   ---------   d-----w   C:\Program Files\YourSiteBar
2008-03-25 19:07   ---------   d-----w   C:\Program Files\ewido anti-malware
2008-03-25 18:36   ---------   d-----w   C:\Program Files\Lavasoft
2008-03-25 02:37   499,712   ----a-w   C:\WINDOWS\system32\msvcp71.dll
2008-03-25 02:37   348,160   ----a-w   C:\WINDOWS\system32\msvcr71.dll
2008-03-25 02:37   1,060,864   ----a-w   C:\WINDOWS\system32\MFC71.DLL
2008-03-19 09:47   1,845,248   ----a-w   C:\WINDOWS\system32\win32k.sys
2008-03-19 05:30   ---------   d-----w   C:\Program Files\MSN Messenger
2008-03-19 05:29   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-03-11 21:21   ---------   d-----w   C:\Program Files\MySpace
2008-03-11 21:21   ---------   d-----w   C:\Program Files\Bonjour
2008-03-10 22:33   ---------   d-----w   C:\Program Files\Smart Projects
2008-03-01 13:06   826,368   ----a-w   C:\WINDOWS\system32\wininet.dll
2008-02-28 01:36   ---------   d-----w   C:\Program Files\PeoplePC Accelerate
2008-02-28 01:35   ---------   d-----w   C:\Documents and Settings\MOOGLE\Application Data\PeoplePC Online
2008-02-21 02:45   ---------   d-----w   C:\Program Files\AIM6
2008-02-21 02:41   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-21 02:40   ---------   d-----w   C:\Program Files\Viewpoint
2008-02-21 02:40   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-21 02:39   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\AOL
2008-02-20 06:51   282,624   ----a-w   C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32   45,568   ----a-w   C:\WINDOWS\system32\dnsrslvr.dll
2008-01-29 17:02   107,368   ----a-w   C:\WINDOWS\system32\GEARAspi.dll
2007-02-01 23:11   582   ----a-w   C:\Program Files\readme.txt
2007-02-01 23:02   313,344   ----a-w   C:\Program Files\hjsplit.exe
2006-04-16 01:47   81   -c--a-w   C:\Program Files\MDMaker2_en.xml_.md5
2006-04-15 23:10   81   -c--a-w   C:\Program Files\MDMaker2_en.xml.md5
2006-04-15 23:10   217   -c--a-w   C:\Program Files\MDMaker2_en.xml
2006-04-15 22:33   88   -c--a-w   C:\Program Files\GayoList_MyDancer.xml.md5
2006-04-15 22:33   126   -c--a-w   C:\Program Files\GayoList_MyDancer.xml
2005-07-21 08:02   280,064   ----a-w   C:\Documents and Settings\MOOGLE\Application Data\tizhook.bin
2005-07-21 08:02   137,947   ----a-w   C:\Documents and Settings\MOOGLE\Application Data\tizupd.bin
2005-07-14 17:31   27,648   --sha-r   C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 20:32   616,448   --sha-r   C:\WINDOWS\system32\cygwin1.dll
2005-06-22 03:37   45,568   --sha-r   C:\WINDOWS\system32\cygz.dll
2005-07-28 05:13   56   -csh--r   C:\WINDOWS\system32\F036A267D9.sys
2006-05-03 09:06   163,328   --sh--r   C:\WINDOWS\system32\flvDX.dll
2005-07-28 05:13   5,852   -csha-w   C:\WINDOWS\system32\KGyGaAvL.sys
2007-02-21 10:47   31,232   --sh--r   C:\WINDOWS\system32\msfDX.dll
2005-02-28 18:16   240,128   --sha-r   C:\WINDOWS\system32\x.264.exe
.

------- Sigcheck -------

2003-03-31 07:00  12800  0f7d9c87b0ce1fa520473119752c6f79   C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 02:56  14336  8f078ae4ed187aaabc0a305146de6716   C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 02:56  14336  8f078ae4ed187aaabc0a305146de6716   C:\WINDOWS\system32\svchost.exe
.
(((((((((((((((((((((((((((((   snapshot@2008-04-10_18.33.15.26   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-19 09:40:27   1,845,888   ----a-w   C:\WINDOWS\$hf_mig$\KB941693\SP2QFE\win32k.sys
+ 2007-03-06 01:22:36   14,048   ----a-w   C:\WINDOWS\$hf_mig$\KB941693\spmsg.dll
+ 2007-03-06 01:22:41   213,216   ----a-w   C:\WINDOWS\$hf_mig$\KB941693\spuninst.exe
+ 2007-03-06 01:22:34   22,752   ----a-w   C:\WINDOWS\$hf_mig$\KB941693\update\spcustom.dll
+ 2007-03-06 01:22:59   716,000   ----a-w   C:\WINDOWS\$hf_mig$\KB941693\update\update.exe
+ 2007-03-06 01:23:51   371,424   ----a-w   C:\WINDOWS\$hf_mig$\KB941693\update\updspapi.dll
+ 2008-02-20 06:52:43   282,624   ----a-w   C:\WINDOWS\$hf_mig$\KB948590\SP2QFE\gdi32.dll
+ 2007-03-06 01:22:36   14,048   ----a-w   C:\WINDOWS\$hf_mig$\KB948590\spmsg.dll
+ 2007-03-06 01:22:41   213,216   ----a-w   C:\WINDOWS\$hf_mig$\KB948590\spuninst.exe
+ 2007-03-06 01:22:34   22,752   ----a-w   C:\WINDOWS\$hf_mig$\KB948590\update\spcustom.dll
+ 2007-03-06 01:22:59   716,000   ----a-w   C:\WINDOWS\$hf_mig$\KB948590\update\update.exe
+ 2007-03-06 01:23:51   371,424   ----a-w   C:\WINDOWS\$hf_mig$\KB948590\update\updspapi.dll
- 2007-06-19 13:31:19   282,112   -c----w   C:\WINDOWS\system32\dllcache\gdi32.dll
+ 2008-02-20 06:51:05   282,624   -c----w   C:\WINDOWS\system32\dllcache\gdi32.dll
- 2007-03-08 13:47:48   1,843,584   -c----w   C:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-03-19 09:47:00   1,845,248   -c----w   C:\WINDOWS\system32\dllcache\win32k.sys
- 2007-06-22 05:08:40   415,856   ----a-w   C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-12 01:56:36   415,856   ----a-w   C:\WINDOWS\system32\FNTCACHE.DAT
- 2008-03-05 16:30:54   19,148,408   ----a-w   C:\WINDOWS\system32\MRT.exe
+ 2008-04-06 05:56:20   19,836,024   ----a-w   C:\WINDOWS\system32\MRT.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-04 14:41 68856]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-08-09 18:20 67128]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSFIE]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdidrv32.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lao Keyboard Mapping.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lao Keyboard Mapping.lnk
backup=C:\WINDOWS\pss\Lao Keyboard Mapping.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
--a------ 2003-09-03 17:25 73728 C:\WINDOWS\system32\sstray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-03-04 09:29 782336 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Paltalk\\paltalk.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\aim\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\comodo\\Comodo AntiVirus\\CMain.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AC3Filter\\ac3config.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14253:TCP"= 14253:TCP:*:Disabled:BitComet 14253 TCP
"14253:UDP"= 14253:UDP:*:Disabled:BitComet 14253 UDP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
TermService
wuauserv
BITS
ShellHWDetection
helpsvc
xmlprov
wscsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 23:23:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-05 01:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-04-11 04:16:33 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-04-11 04:21:11 C:\WINDOWS\Tasks\User_Feed_Synchronization-{D6DF32E0-270D-4B30-B048-5BA11D674BAF}.job"
- C:\WINDOWS\system32\msfeedssync.exe
"2007-09-15 07:53:29 C:\WINDOWS\Tasks\Windows Media Player.job"
- C:\PROGRA~1\WINDOW~2\wmplayer.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 21:25:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-11 21:27:37
ComboFix-quarantined-files.txt  2008-04-12 02:27:17
ComboFix2.txt  2008-04-10 23:34:21
Pre-Run: 36,249,337,856 bytes free
Post-Run: 36,226,281,472 bytes free
.
2008-04-12 01:49:52   --- E O F --- 
« Last Edit: April 11, 2008, 11:00:49 PM by xxxxmoogle » Logged
xxxxmoogle
New FixmyXP Member
*
Posts: 9


View Profile
« Reply #9 on: April 11, 2008, 11:01:40 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:03 PM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Documents and Settings\MOOGLE\Desktop\HiJackThis.exe
C:\Documents and Settings\MOOGLE\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://*.asiafinest.com
O15 - Trusted Zone: http://*.glitter-graphics.net
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139615377250
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{234BFBB6-07BD-48AF-92E0-800FCBFB33D2}: NameServer = 209.244.0.3 209.244.0.4
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6388 bytes
Logged
Essexboy
Administrator
*****
Posts: 899



View Profile WWW
« Reply #10 on: April 12, 2008, 06:31:27 AM »
Looks good now - we are getting there 

First I will sweep for orphan registry entries and then I will reset your shell

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete