Question

Help, I have been attacked - Virus/Maleware! Need help finding and curing!

Asked by: GiforGOD

Help! My PC has been attacked. Yesterday several shortcuts were popping up on my desktop and (VIP Casino, Cheap Software, Cheap Pharmacy On-Line, Search On-line, SMS Trap) and then good ol Spyware Protect 2000 and Windowsclick took over (along with I am sure a host of nieces and nephews).

I am currently posting this using my laptop.

Anyway, here is what it has caused:

In IE 6, which I dont use much, windows just pop open over and over and I cant stop them. I have to shut down the computer.

In Mozilla Firefox, my default browser, the following is happening, but not limited to:

1. Slow loads on pages.

2. Unable to access help sites such as mybleepingcomputer.com, Maleware.org, or places used to download such things as ComboFix, Hijack This, etc&&page opens up and says :Mozilla Firefox cannot open web page&.

3. I cannot access certain websites past the Login page such as Experts-Exchange and others. The page times out after entering my username and password. Sometimes when I do click on a site that I am trying to get help from, then Windowsclick takes over and redirects me to where they want me to go! Another site that is hijacking me is mobilreads.com&.another re-directing site/problem

And in general:
4. When trying to run ComboFix, Spybot, Ewido anti-spy, Smitfraud, Ad-Aware&the programs will not launch. I DID get ComboFix to run (and have attached my most current log below) only by changing its name. I tried that with the others, however, Spybot still wont launch, Ewido starts and then gives an error message, Ad-Aware starts and then I get the error message that says: System Error: 1810 has occurred. Description: Service is not on line. Application Terminates.&then when I try to go to their site for support&..SEE # 2 above! The Ad-Aware logo stays up on my bottom tool bar and I cant close it&.I have to go to Task Manager which shows its still running&but it aint!

5. I ran AVG Anti-Virus overnight and it found a Trojan as follows:
 C:\WINNT\System32|wpv 361235072128.cpx. Says it was a Trojan Horse 5Heur2.RLK. Anyway, it took care of it, but nothing I can see has changed.

6. I noticed in my Task Manager that svchost.exe is running 6 different times and using from 4200k to 19,000 k in memory. Also, services.exe (shown just like that&all lower case) is running around 3800k. I know I read somewhere that a virus or something under that name exists, but I cant tell it between the normal services.exe&.does any of the above here in number 5 have any bearing?

Below are both my most current Log Files from A.) Hijack This and B.) ComboFix

Any help with this would be greatly appreciated!!!!!

Greg

LOG FILE HIJACK THIS:
 
Logfile of HijackThis v1.99.1
Scan saved at 3:31:42 PM, on 02/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINNT\explorer.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\Documents and Settings\Owner\My Documents\Greg\ComputerPrograms\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WinGDI Class - {12c7290a-157b-4f43-b109-97e792c598ed} - C:\WINNT\iehost.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~3\COMCAS~1.DLL
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~3\COMCAS~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINNT\system32\GPhotos.scr/200
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
 
END
 
LOG FILE COMBOFIX:
 
"Owner" - 2009-02-20 15:36:06    Service Pack 3  
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Owner\Desktop\"
 
 
(((((((((((((((((((((((((((((((   Files Created from 2009-01-20 to 2009-02-20  ))))))))))))))))))))))))))))))))))
 
 
2009-02-19 22:49	49,152	--a------	C:\WINNT\nircmd.exe
2009-02-19 22:26	1,244	--a------	C:\WINNT\system32\tmp.reg
2009-02-19 21:46	11,254	--a------	C:\WINNT\system32\locate.com
2009-02-19 21:45	<DIR>	d--------	C:\MGtools
2009-02-19 21:38	<DIR>	d--------	C:\Program Files\RogueRemover FREE
2009-02-19 21:35	<DIR>	d--------	C:\Deckard
2009-02-19 16:38	<DIR>	d--------	C:\Program Files\XPPoliceAntivirus
2009-02-19 16:37	15,360	--a------	C:\WINNT\iehost.dll
2009-02-19 16:36	<DIR>	d--hs----	C:\WINNT\system32\twain32
2009-02-19 16:35	21,505	--ah-----	C:\WINNT\system32\digeste.dll
2009-02-19 12:39	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\ALM
2009-02-19 12:30	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2009-02-19 12:09	<DIR>	d--------	C:\Program Files\Common Files\Macrovision Shared
2009-02-16 15:44	815,104	--a------	C:\WINNT\system32\xvidcore.dll
2009-02-16 15:44	180,224	--a------	C:\WINNT\system32\xvidvfw.dll
2009-02-16 15:44	<DIR>	d--------	C:\Program Files\Xvid
2009-02-15 17:42	41,472	--a------	C:\WINNT\Dkilecuguv.dll
2009-02-15 17:36	<DIR>	d--------	C:\Program Files\uTorrent
2009-02-15 17:36	<DIR>	d--------	C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2009-02-09 11:51	111,020	--ah-----	C:\WINNT\system32\mlfcache.dat
2009-02-09 11:36	9,200	---------	C:\WINNT\system32\drivers\cdralw2k.sys
2009-02-09 11:36	9,072	---------	C:\WINNT\system32\drivers\cdr4_xp.sys
2009-02-09 11:35	<DIR>	d--------	C:\WINNT\system32\IOSUBSYS
2009-02-09 11:24	991,232	--a------	C:\WINNT\vuesav32.scr
2009-02-08 18:21	<DIR>	d--h-----	C:\$AVG8.VAULT$
2009-02-08 18:12	325,128	--a------	C:\WINNT\system32\drivers\avgldx86.sys
2009-02-08 18:12	107,272	--a------	C:\WINNT\system32\drivers\avgtdix.sys
2009-02-08 18:12	10,520	--a------	C:\WINNT\system32\avgrsstx.dll
2009-02-08 18:12	<DIR>	d--------	C:\WINNT\system32\drivers\Avg
2009-02-08 18:12	<DIR>	d--------	C:\DOCUME~1\Owner\APPLIC~1\AVGTOOLBAR
2009-02-08 18:11	<DIR>	d--------	C:\Program Files\AVG
2009-02-08 18:11	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg8
2009-02-08 17:09	1,048,576	--a------	C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2009-02-08 17:09	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2009-02-08 17:09	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2009-02-08 17:09	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2009-02-08 13:52	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2009-02-08 12:46	<DIR>	d--------	C:\DOCUME~1\Owner\APPLIC~1\Move Networks
 
 
((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))
 
2009-02-20 21:04:22	--------	d-----w	C:\Program Files\Mozilla Firefox 3 Beta 5
2009-02-20 02:12:14	--------	d-----w	C:\DOCUME~1\Owner\APPLIC~1\ComcastToolbar
2009-02-19 05:13:26	--------	d-----w	C:\Program Files\Incomplete
2009-02-19 04:02:32	--------	d-----w	C:\Program Files\LimeWire
2009-02-18 19:26:32	--------	d-----w	C:\DOCUME~1\Owner\APPLIC~1\Arcsoft
2009-02-10 23:26:56	--------	d-----w	C:\DOCUME~1\Owner\APPLIC~1\WeatherBug
2009-02-09 17:35:45	--------	d-----w	C:\Program Files\Google
2009-01-12 19:36:39	60,808	----a-w	C:\WINNT\system32\S32EVNT1.DLL
2009-01-12 19:36:39	124,464	----a-w	C:\WINNT\system32\drivers\SYMEVENT.SYS
2009-01-05 22:33:03	3,751,995	----a-w	C:\WINNT\system32\GPhotos.scr
2009-01-02 03:31:18	--------	d-----w	C:\Program Files\Coupons
2008-12-22 15:51:52	809	----a-w	C:\WINNT\eReg.dat
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown 
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{12c7290a-157b-4f43-b109-97e792c598ed}=C:\WINNT\iehost.dll [2009-02-19 16:37]
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}=C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 21:33]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}=C:\Program Files\AVG\AVG8\avgssie.dll [2009-02-08 18:11]
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}=C:\PROGRA~1\COMCAS~3\COMCAS~1.DLL [2006-11-07 13:21]
{A057A204-BACC-4D26-9990-79A187E2698E}=C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-02-08 18:12]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 00:03]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-02-08 18:11]
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-04-13 18:12]
 
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="C:\WINNT\System32\msiexec.exe" /L*v C:\WINNT\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
"RunNarrator"=Narrator.exe
 
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
avgrsstx.dll
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Palm\HotSync Manager.lnk
backup=C:\WINNT\pss\HotSync Manager.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINNT\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINNT\pss\NkbMonitor.exe.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINNT\pss\WinZip Quick Pick.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Joost.lnk]
backup=C:\WINNT\pss\Joost.lnkStartup
 
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINNT\system32\ctfmon.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
"C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
GWMDMMSG.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMpi]
C:\WINNT\GWMDMpi.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINNT\System32\hkcmd.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]
"C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINNT\System32\igfxtray.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KEMailKb]
C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ltho]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Gateway]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\WINNT\$hf_mig$\KB887472\SP2QFE\msmsgs.exe" /background
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Photoshop Image Service]
photoshop2.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPRoyUpdater]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPUpdater]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.exe 1
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
C:\Program Files\Logitech\iTouch\iTouch.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zdrinit]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WudfSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"SSDPSRV"=3 (0x3)
"SCardSvr"=3 (0x3)
"SAVScan"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netlogon"=3 (0x3)
"napagent"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"ImapiService"=3 (0x3)
"IDriverT"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"getPlus(R) Helper"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"FastTrakSvc"=2 (0x2)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"CryptSvc"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)
"WinDefend"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"SNDSrvc"=3 (0x3)
"gusvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs	eaphost
dot3svc	dot3svc
 
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
napagent
	
*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC
 
Contents of the 'Scheduled Tasks' folder
2008-10-09 01:20:55  C:\WINNT\tasks\AppleSoftwareUpdate.job
2008-10-15 06:47:22  C:\WINNT\tasks\MP Scheduled Scan.job
2005-12-24 21:45:34  C:\WINNT\tasks\XoftSpy.job
 
********************************************************************
 
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 15:41:55
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ...
 
scanning hidden autostart entries ...
 
scanning hidden files ...
 
disk error: C:\WINNT\
 
please note that you need administrator rights to perform deep scan
 
********************************************************************
 
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\UACd.sys]
"imagepath"="\systemroot\system32\drivers\UACwelnnxel.sys"
 
Completion time: 2009-02-20 15:43:27
C:\ComboFix-quarantined-files.txt ... 2009-02-20 15:42
C:\ComboFix2.txt ... 2009-02-20 00:16
C:\ComboFix3.txt ... 2009-02-19 23:12
 
	--- E O F ---

                                  
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:
216:
217:
218:
219:
220:
221:
222:
223:
224:
225:
226:
227:
228:
229:
230:
231:
232:
233:
234:
235:
236:
237:
238:
239:
240:
241:
242:
243:
244:
245:
246:
247:
248:
249:
250:
251:
252:
253:
254:
255:
256:
257:
258:
259:
260:
261:
262:
263:
264:
265:
266:
267:
268:
269:
270:
271:
272:
273:
274:
275:
276:
277:
278:
279:
280:
281:
282:
283:
284:
285:
286:
287:
288:
289:
290:
291:
292:
293:
294:
295:
296:
297:
298:
299:
300:
301:
302:
303:
304:
305:
306:
307:
308:
309:
310:
311:
312:
313:
314:
315:
316:
317:
318:
319:
320:
321:
322:
323:
324:
325:
326:
327:
328:
329:
330:
331:
332:
333:
334:
335:
336:
337:
338:
339:
340:
341:
342:
343:
344:
345:
346:
347:
348:
349:
350:
351:
352:
353:
354:
355:
356:
357:
358:
359:
360:
361:
362:
363:
364:
365:
366:
367:
368:
369:
370:
371:
372:
373:
374:
375:
376:
377:
378:
379:
380:
381:
382:
383:
384:
385:
386:
387:
388:
389:
390:
391:
392:
393:
394:
395:
396:
397:
398:
399:
400:
401:
402:
403:
404:
405:
406:
407:
408:
409:
410:
411:
412:
413:

Select allOpen in new window

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2009-02-20 at 14:12:29ID24163522
Tags

Windows XP Home Edition

,

Service Pack 3

Topics

Anti-Virus

,

Anti-Spyware

,

Internet Security

Participating Experts
7
Points
500
Comments
98

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. Spyware?
    My computer has several pieces of spyware, including but not limited to "Aurora - part of the ABI Network" I tried to remove Aurora by booting into savemode runing nailfix.exe and scanning with ewido but it still came back. here are the results from my HiJackThis Lo...
  2. as it relates to SVCHOST.EXE
    hello, i have performed multiple malaware and virus checks with leading software programs and still get this message popping up. --------------------------- Microsoft Visual C++ Debug Library --------------------------- Debug Assertion Failed! Program: C:\WINDOWS\system32\sv...
  3. Spyware
    Spyware on Computer cannot find a solution: on Desktop: Warning Spyware destected on your computer Install an Antivirus or Spyware remover to clran your computer> Thsi is contained in a box with yellow at the top and blue on the bottom. I have run Spybot to no avail.
  4. services.exe problem
    Hi guys, im having a bit of an annoying problem with a Services.exe error. just recently we recovered from a pretty big virus infection, we ended up getting the PC cleaned and did a system restore to about 6 weeks previous. ever since then ive been getting this error report ...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: David-HowardPosted on 2009-02-20 at 14:28:46ID: 23696963

Prior to running any anti-virus/malware suite disable System Restore. Directions can be found here:
http://support.microsoft.com/kb/310405
If you are unable to view the above link follow these steps.
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.
Reboot into Safe Mode (F8 at startup) and run your antimalware/antivirus scans.
When you have finished running your scans and the threats have been removed enable System Restore.
Steps to turn on System Restore:
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
Click OK.
After a few moments, the System Properties dialog box closes.
If you can get into Safe Mode and run your scans Combofix and another trusted suite (Malwarebytes) should remove the threat.
www.malwarebytes.org
The program is small enough that you can copy it from another system and install on your own via a thumbdrive.
If you can copy malwarebytes from another location, download HiJackThis as well.
 http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
Once you run the utility save the log file.
You can post it for free analysis here or at
www.hijackthis.de

 

by: Dirtpatch-JenkinsPosted on 2009-02-20 at 14:35:07ID: 23697001

Davids recommendations will do the job, but i would suggest that while your already in safe mode to go ahead and go to control panel add remove programs and remove anything suspicious or unused.
Also go to start - run - type in msconfig  then select the startup tab and unclick anything you dont want to run at start up.

Then when you have a chance, if you dont have one, create a limited user account and use that for your everyday usage.

good luck too you.

 

by: brawneyPosted on 2009-02-20 at 14:38:19ID: 23697014

I had this happen to me recently as well as to a friend of mine.  I ran various anti-virus products (AVG for example - http://free.avg.com/) and Spy Bot Search and Destroy (http://www.safer-networking.org/en/index.html) - both are free.  This took forever but was able to clean all the junk off the system.

These attacks are so annoying.  It makes the machine unusable.  It is so frustrating.  These people should be castrated.

I got attacked by this virus / malware while running FireFox 3 one day.  I thought FF was less prone to these attacks.  I believe the attacks are coming in via Java applets, not javascript, so I have since disabled Java in both FF and IE.  In FF the setting is in Tools - Options - Content (button) and its a check box named "Enable Java".  Have not had the problem since.  This won't help you clean your system, but it may help you in the future.

Good luck.

 

by: antangPosted on 2009-02-20 at 14:58:21ID: 23697147

I had a couple of computers (one here at my office and another a friends) that even after running different anti-virus products (AVG, Ad-ware, Spy Bot, Clam) and cleaning the systems, they still could not recover the changes they did to browsers and system.

I got an external drive and copied all the user data, formatted hard drive and reinstalled Windows.  I then made sure Windows was updated and installed anti-virus software and made sure to scan the files again that I saved to the external drive before coping back to computer.

You may want to try doing this if you have the time and all your programs that you had installed available.

Good luck,

 

by: GiforGODPosted on 2009-02-20 at 15:23:15ID: 23697293

Okay, did as David said...disabled System Restore and started back in safe mode. The following occurred:
1. Still could not run Ad-Aware and got new error message: Exception EAccesViolation in module AD-Aware 2007.exe at 001DD084
2. Spybot would not launch.
3. Rogue Remover says I'm clean (won't count on it anymore).
4. Combofix started to run and then said it found a ReTool something or other and wanted to restart the computer....I didn't want to take a chance so I clicked out of it.
5. I ran HiJack This again and have log posted below.
6. I ran AVG and it detected and cleaned 16 infections and have also posted that log below
7. I went through Control Panel in Safe Mode as Dirtpatch-Jenkins said to, however, didn't see anything there that I didn't recognize.

Here is log from AVG and the Hijack This log from scan in Safe Mode.

I now have to log off this computer and re-connect my PC to the internet. I will get bac to you and let you know if these things worked, albiet, limited in ability to run some of the programs that David suggested.

Back in a bit and thanks so far!

AVG 8.0 Anti-Virus command line scanner
Copyright (c) 1992 - 2008 AVG Technologies
Program version 8.0.228, engine 8.0.237
Virus Database: Version 270.11.1/1962  2009-02-20
 
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\WINNT\system32\winlogon.exe (212) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\WINNT\system32\services.exe (256) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\WINNT\system32\lsass.exe (268) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\WINNT\system32\svchost.exe (560) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\WINNT\explorer.exe (772) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\Program Files\AVG\AVG8\avgui.exe (1328) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\Program Files\AVG\AVG8\avgscanx.exe (1308) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\Program Files\AVG\AVG8\avgcsrvx.exe (1296) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
 
------------------------------------------------------------
Objects scanned     : 146437
Found infections    :   16
Found PUPs          :    0
Healed infections   :   16
Healed PUPs         :    0
Warnings            :    0
------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 4:44:33 PM, on 2/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\hijackthis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WinGDI Class - {12c7290a-157b-4f43-b109-97e792c598ed} - C:\WINNT\iehost.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~3\COMCAS~1.DLL
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~3\COMCAS~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINNT\system32\GPhotos.scr/200
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
                                              
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:

Select allOpen in new window

 

by: David-HowardPosted on 2009-02-20 at 15:42:40ID: 23697369

Okay, your system is hammered. The following entries state that they were moved to a virus vault and are listed as Trojans.
 
?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.  
C:\WINNT\system32\winlogon.exe (212) Trojan horse Generic12.BRSC Object was moved to Virus Vault.  
\?globalrootsystemrootsystem32UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.  
C:\WINNT\system32\services.exe (256) Trojan horse Generic12.BRSC Object was moved to Virus Vault.  
\?globalrootsystemrootsystem32UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.  
C:\WINNT\system32\lsass.exe (268) Trojan horse Generic12.BRSC Object was moved to Virus Vault.  
\?globalrootsystemrootsystem32UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.  
C:\WINNT\system32\svchost.exe (560) Trojan horse Generic12.BRSC Object was moved to Virus Vault.  
\?globalrootsystemrootsystem32UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.  
C:\WINNT\explorer.exe (772) Trojan horse Generic12.BRSC Object was moved to Virus Vault.  
\?globalrootsystemrootsystem32UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.  
C:\Program Files\AVG\AVG8\avgui.exe (1328) Trojan horse Generic12.BRSC Object was moved to Virus Vault.  
\?globalrootsystemrootsystem32UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.  
C:\Program Files\AVG\AVG8\avgscanx.exe (1308) Trojan horse Generic12.BRSC Object was moved to Virus Vault.  
\?globalrootsystemrootsystem32UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.  
C:\Program Files\AVG\AVG8\avgcsrvx.exe (1296) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
--------------------------------------
Unknown application. Remove if you cannot determine it's origin.
O2 - BHO: WinGDI Class - {12c7290a-157b-4f43-b109-97e792c598ed} - C:\WINNT\iehost.dll
Unncessary entries. Can be removed.
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
Your log file is clean minus the entries I listed.
Please run Combofix and allow it to finish running.
Restart your computer and test your internet connection.
If it does not work, then click Start ->Settings and Control Panel.
Select Network connections. Locate your connection and right click on it.
In the menu click the Repair option. When the repair proccess has finished, your connection should be working again. Reboot to test.



 

by: adamant40Posted on 2009-02-20 at 15:48:49ID: 23697399

I have been having really good results running Malwarebytes' Anti-Malware software. It's free, it doesn't add any running tasks, and it has fixed 3 systems that I spent hours on with other utilities. Worth trying
The website is www.malwarebytes.org and you can download it from download.com

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button</A>  

 

by: David-HowardPosted on 2009-02-20 at 15:57:02ID: 23697443

Adman,
Thank you for the input but he's tried your suggestions. At this point he's fighting just to get applications to launch.

 

by: GiforGODPosted on 2009-02-20 at 15:58:59ID: 23697450

David and everyone else: Here is where I am at since your last posting David....

Okay, after running AVG in safe mode and getting 16 items cleaned, I then downloaded Malware on my thumbdrive from the conncetion I have on my laptop. Upon restarting computer, ComboFix came up and ran its scan (a log from it is below). The computer then started up. The system restore was already in the "on" position.

When I went to install the Malware....it wouldn'tlaunch the install...until I changed its name. It then installed but when I went to run it...it wouldn't launch.

I then restarted again in Safe Mode and tried to run the Malware....but it wouldn't run in Safe Mode either.....

Going to reconnect PC and internet, follow David's newest steps and see. I will be back.

Thanks in advance - See Attached Combofix log from last run out of Safe Mode:

ComboFix 08-08-27.06 - Owner 2009-02-20 17:33:44.4 - NTFSx86
 
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
- REDUCED FUNCTIONALITY MODE -
.
 
(((((((((((((((((((((((((   Files Created from 2009-01-20 to 2009-02-20  )))))))))))))))))))))))))))))))
.
 
2009-02-19 23:29 . 2009-02-19 23:29	262,144	--a------	C:\Documents and Settings\PRC656~1
2009-02-19 23:27 . 2009-02-19 23:27	262,144	--a------	C:\Documents and Settings\PROFIL~4
2009-02-19 22:49 . 2005-11-09 00:26	38,400	--a------	C:\WINNT\system32\moveex.exe
2009-02-19 22:26 . 2009-02-19 22:29	1,244	--a------	C:\WINNT\system32\tmp.reg
2009-02-19 22:01 . 2009-02-19 22:03	<DIR>	d--------	C:\Program Files\Spybot - Search & Destroy
2009-02-19 21:46 . 2005-01-13 21:41	11,254	--a------	C:\WINNT\system32\locate.com
2009-02-19 21:45 . 2009-02-19 21:48	<DIR>	d--------	C:\MGtools
2009-02-19 21:45 . 2009-02-19 21:48	51,086	--a------	C:\MGlogs.zip
2009-02-19 21:38 . 2009-02-19 21:39	<DIR>	d--------	C:\Program Files\RogueRemover FREE
2009-02-19 21:35 . 2009-02-19 21:35	<DIR>	d--------	C:\Deckard
2009-02-19 21:13 . 2009-02-19 21:13	262,144	--a------	C:\Documents and Settings\PROFIL~3
2009-02-19 21:09 . 2009-02-19 21:09	262,144	--a------	C:\Documents and Settings\PROFIL~2
2009-02-19 16:38 . 2009-02-20 02:30	<DIR>	d--------	C:\Program Files\XPPoliceAntivirus
2009-02-19 16:37 . 2009-02-19 16:37	15,360	--a------	C:\WINNT\iehost.dll
2009-02-19 16:36 . 2009-02-19 16:36	<DIR>	d--hs----	C:\WINNT\system32\twain32
2009-02-19 16:36 . 2009-02-19 16:36	21,446	--a------	C:\WINNT\system32\sf.ico
2009-02-19 16:36 . 2009-02-19 16:36	13,942	--a------	C:\WINNT\system32\m3.ico
2009-02-19 16:36 . 2009-02-19 16:36	13,942	--a------	C:\WINNT\system32\c.ico
2009-02-19 16:36 . 2009-02-19 16:36	11,062	--a------	C:\WINNT\system32\p.ico
2009-02-19 16:36 . 2009-02-19 16:36	7,662	--a------	C:\WINNT\system32\m.ico
2009-02-19 16:36 . 2009-02-19 16:36	4,286	--a------	C:\WINNT\system32\s.ico
2009-02-19 16:35 . 2009-02-19 16:35	364,044	--a------	C:\WINNT\system32\wpv091234555431.cpx
2009-02-19 16:35 . 2009-02-19 16:35	21,505	--ah-----	C:\WINNT\system32\digeste.dll
2009-02-19 12:39 . 2009-02-19 12:39	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\ALM
2009-02-19 12:30 . 2009-02-19 12:30	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\FLEXnet
2009-02-19 12:09 . 2009-02-19 12:09	<DIR>	d--------	C:\Program Files\Common Files\Macrovision Shared
2009-02-16 15:44 . 2009-02-16 15:44	<DIR>	d--------	C:\Program Files\Xvid
2009-02-16 15:44 . 2008-12-04 21:42	815,104	--a------	C:\WINNT\system32\xvidcore.dll
2009-02-16 15:44 . 2008-12-04 21:46	180,224	--a------	C:\WINNT\system32\xvidvfw.dll
2009-02-16 15:44 . 2008-12-13 20:01	77,824	--a------	C:\WINNT\system32\xvid.ax
2009-02-15 17:42 . 2009-02-20 00:23	41,472	--a------	C:\WINNT\Dkilecuguv.dll
2009-02-15 17:36 . 2009-02-15 17:36	<DIR>	d--------	C:\Program Files\uTorrent
2009-02-15 17:36 . 2009-02-19 21:37	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\uTorrent
2009-02-09 11:51 . 2009-02-09 11:51	111,020	--ah-----	C:\WINNT\system32\mlfcache.dat
2009-02-09 11:36 . 2008-07-31 16:17	9,200	---------	C:\WINNT\system32\drivers\cdralw2k.sys
2009-02-09 11:36 . 2008-07-31 16:17	9,072	---------	C:\WINNT\system32\drivers\cdr4_xp.sys
2009-02-09 11:35 . 2009-02-09 11:35	<DIR>	d--------	C:\WINNT\system32\IOSUBSYS
2009-02-09 11:27 . 2009-02-09 11:28	16,826	--ah-----	C:\WINNT\vuepro32.GID
2009-02-09 11:24 . 2003-03-29 09:32	991,232	--a------	C:\WINNT\vuesav32.scr
2009-02-09 11:24 . 2003-03-29 09:32	258,007	--a------	C:\WINNT\vuesav32.hlp
2009-02-09 11:24 . 2009-02-09 11:33	135	--a------	C:\WINNT\vuesav32.ini
2009-02-08 18:21 . 2009-02-20 16:56	<DIR>	d--h-----	C:\$AVG8.VAULT$
2009-02-08 18:12 . 2009-02-20 08:30	<DIR>	d--------	C:\WINNT\system32\drivers\Avg
2009-02-08 18:12 . 2009-02-08 18:15	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2009-02-08 18:12 . 2009-02-08 18:12	325,128	--a------	C:\WINNT\system32\drivers\avgldx86.sys
2009-02-08 18:12 . 2009-02-08 18:12	107,272	--a------	C:\WINNT\system32\drivers\avgtdix.sys
2009-02-08 18:12 . 2009-02-08 18:12	10,520	--a------	C:\WINNT\system32\avgrsstx.dll
2009-02-08 18:11 . 2009-02-08 18:11	<DIR>	d--------	C:\Program Files\AVG
2009-02-08 18:11 . 2009-02-19 23:29	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\avg8
2009-02-08 18:10 . 2009-02-08 18:12	8,192	--a------	C:\Documents and Settings\PROFIL~1
2009-02-08 17:09 . 2003-04-11 06:31	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2009-02-08 17:09 . 2003-04-11 06:27	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\InterTrust
2009-02-08 17:09 . 2008-01-28 20:07	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Apple Computer
2009-02-08 17:09 . 2009-02-08 18:12	<DIR>	d--------	C:\Documents and Settings\Administrator
2009-02-08 13:52 . 2009-02-08 14:20	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\McAfee
2009-02-08 12:46 . 2009-02-08 12:48	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\Move Networks
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 21:04	---------	d-----w	C:\Program Files\Mozilla Firefox 3 Beta 5
2009-02-20 04:03	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-20 02:12	---------	d-----w	C:\Documents and Settings\Owner\Application Data\ComcastToolbar
2009-02-19 18:20	---------	d-----w	C:\Program Files\Common Files\Adobe
2009-02-19 05:13	---------	d-----w	C:\Program Files\Incomplete
2009-02-19 04:02	---------	d-----w	C:\Program Files\LimeWire
2009-02-18 19:26	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Arcsoft
2009-02-18 19:23	20	---h--w	C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2009-02-10 23:26	---------	d-----w	C:\Documents and Settings\Owner\Application Data\WeatherBug
2009-02-09 17:35	---------	d-----w	C:\Program Files\Google
2009-01-17 03:35	3,594,752	----a-w	C:\WINNT\system32\dllcache\mshtml.dll
2009-01-12 19:36	806	----a-w	C:\WINNT\system32\drivers\SYMEVENT.INF
2009-01-12 19:36	60,808	----a-w	C:\WINNT\system32\S32EVNT1.DLL
2009-01-12 19:36	124,464	----a-w	C:\WINNT\system32\drivers\SYMEVENT.SYS
2009-01-12 19:36	10,635	----a-w	C:\WINNT\system32\drivers\SYMEVENT.CAT
2009-01-05 22:33	3,751,995	----a-w	C:\WINNT\system32\GPhotos.scr
2009-01-02 03:31	---------	d-----w	C:\Program Files\Coupons
2008-12-19 09:10	70,656	------w	C:\WINNT\system32\dllcache\ie4uinit.exe
2008-12-19 09:10	13,824	------w	C:\WINNT\system32\dllcache\ieudinit.exe
2008-12-19 05:25	634,024	------w	C:\WINNT\system32\dllcache\iexplore.exe
2008-12-19 05:23	161,792	----a-w	C:\WINNT\system32\dllcache\ieakui.dll
2008-12-11 10:57	333,952	------w	C:\WINNT\system32\dllcache\srv.sys
2004-01-23 02:39	35,942,843	----a-w	C:\Program Files\NIS2004.exe
2008-09-03 20:37	32,768	--sha-w	C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
.
[code]<pre>
----a-w           579,072 2008-01-22 18:03:54  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w           256,576 2008-01-27 01:10:57  C:\Program Files\iTunes\iTunesHelper .exe
</pre>[/code]
 
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12c7290a-157b-4f43-b109-97e792c598ed}]
2009-02-19 16:37	15360	--a------	C:\WINNT\iehost.dll
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-04-13 18:12 15360]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-02-08 18:11 1601304]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-07-13 15:19 95352]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINNT\System32\msiexec.exe" [2008-04-13 18:12 78848]
"RunNarrator"="Narrator.exe" [2008-04-13 18:12 53760 C:\WINNT\system32\narrator.exe]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-08 18:12 10520 C:\WINNT\system32\avgrsstx.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I263"= i263_32.drv
"vidc.mpng"= C:\Program Files\VideoEditing\[u]0[/u].947\686\tabdec.dll
"vidc.mvjp"= C:\Program Files\VideoEditing\[u]0[/u].947\686\tabdec.dll
"vidc.444p"= C:\Program Files\VideoEditing\[u]0[/u].947\686\tabdec.dll
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Palm\HotSync Manager.lnk
backup=C:\WINNT\pss\HotSync Manager.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINNT\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINNT\pss\NkbMonitor.exe.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINNT\pss\WinZip Quick Pick.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Joost.lnk]
backup=C:\WINNT\pss\Joost.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINNT\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ltho
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Gateway
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPRoyUpdater
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPUpdater
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zdrinit
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-02-28 23:06 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 C:\WINNT\system32\ctfmon.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2008-04-24 12:25 202560 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMpi]
--a------ 2002-08-06 13:24 53248 C:\WINNT\GWMDMpi.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-07-10 03:13 114688 C:\WINNT\system32\hkcmd.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]
--a------ 2006-05-18 17:23 65536 C:\Program Files\Photo Toolkit\IvBar\phototoolkitmem.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-07-10 03:25 155648 C:\WINNT\system32\igfxtray.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KEMailKb]
--a------ 2005-08-09 02:27 401408 C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:21 1694208 C:\WINNT\$hf_mig$\KB887472\SP2QFE\msmsgs.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2006-10-06 18:10 208941 C:\Program Files\Real\RealPlayer\realplay.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-05-03 01:56 36975 C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-10-06 18:10 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-10 22:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
--a------ 2006-04-07 15:02 1343488 C:\Program Files\AWS\WeatherBug\Weather.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
--a------ 2004-11-05 01:17 1372160 C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2004-03-18 08:33 892928 C:\Program Files\Logitech\iTouch\iTouch.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
--a------ 2002-08-06 13:24 90112 C:\WINNT\GWMDMMSG.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2004-03-03 11:50 19968 C:\WINNT\LOGI_MWX.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Photoshop Image Service]
photoshop2.exe [N/A]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WudfSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"SSDPSRV"=3 (0x3)
"SCardSvr"=3 (0x3)
"SAVScan"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netlogon"=3 (0x3)
"napagent"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"ImapiService"=3 (0x3)
"IDriverT"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"getPlus(R) Helper"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"FastTrakSvc"=2 (0x2)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"CryptSvc"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)
"WinDefend"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"SNDSrvc"=3 (0x3)
"gusvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="1"
"UpdatesDisableNotify"="1"
"AntiVirusOverride"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
 
 
*Newly Created Service* - NMSSVC
.
Contents of the 'Scheduled Tasks' folder
 
2008-10-09 C:\WINNT\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
 
2008-10-15 C:\WINNT\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
 
2005-12-24 C:\WINNT\Tasks\XoftSpy.job
- C:\Program Files\XoftSpy\XoftSpy.exe []
.
- - - - ORPHANS REMOVED - - - -
 
BHO-{C9C42510-9B21-41c1-9DCD-8382A2D07C61} - (no file)
 
 
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p1m658x0.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.foodnetwork.com/
FF -: plugin - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p1m658x0.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF -: plugin - C:\Program Files\Google\Picasa3\npPicasa3.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_07\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_07\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_07\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_07\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_07\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_07\bin\NPJPI150_07.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_07\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\np32dsw.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npCouponPrinter.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npnul32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\nppdf32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npqtplugin.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npqtplugin2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npqtplugin3.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npqtplugin4.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npqtplugin5.dll
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
.
 
**************************************************************************
 
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 17:34:42
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully
hidden files: 
 
**************************************************************************
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys]
"imagepath"="\systemroot\system32\drivers\UACwelnnxel.sys"
.
Completion time: 2009-02-20 17:40:19
ComboFix-quarantined-files.txt  2009-02-20 23:40:15
ComboFix2.txt  2009-02-20 21:43:27
 
Pre-Run: 35,990,200,320 bytes free
Post-Run: 35,978,903,552 bytes free
 
315	--- E O F ---	2009-02-12 09:04:36
                                              
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:
216:
217:
218:
219:
220:
221:
222:
223:
224:
225:
226:
227:
228:
229:
230:
231:
232:
233:
234:
235:
236:
237:
238:
239:
240:
241:
242:
243:
244:
245:
246:
247:
248:
249:
250:
251:
252:
253:
254:
255:
256:
257:
258:
259:
260:
261:
262:
263:
264:
265:
266:
267:
268:
269:
270:
271:
272:
273:
274:
275:
276:
277:
278:
279:
280:
281:
282:
283:
284:
285:
286:
287:
288:
289:
290:
291:
292:
293:
294:
295:
296:
297:
298:
299:
300:
301:
302:
303:
304:
305:
306:
307:
308:
309:
310:
311:
312:
313:
314:
315:
316:
317:
318:
319:
320:
321:
322:
323:
324:
325:
326:
327:
328:
329:
330:
331:
332:
333:
334:
335:
336:
337:
338:
339:
340:
341:
342:
343:
344:
345:
346:
347:
348:
349:
350:
351:
352:
353:
354:
355:
356:
357:
358:
359:
360:
361:
362:
363:
364:
365:
366:
367:
368:
369:
370:
371:
372:
373:
374:
375:
376:
377:
378:
379:
380:
381:
382:
383:
384:

Select allOpen in new window

 

by: David-HowardPosted on 2009-02-20 at 16:16:44ID: 23697510

Okay, we have some progress.
If you are running into brick walls with my latest suggestions then can you log on as a different user? There is no doubt that the system is infected. However, you may have better success under a new profile or one that is not corrupted. Please see if you can log on with a new profile (create one if you must). If you can log on in that manner (Safe Mode) please test your antimalware applications. They may run under that profile vice your current one.
David

 

by: David-HowardPosted on 2009-02-20 at 16:27:05ID: 23697549

It doesn't look like you installed the Combofix Recovery Console installed.
Combofix works in reduced mode unless it is installed.
If you didn't have any success with my last post then please install the Recovery Console and scan again.
I am going to be away from this post for about 1.5 hours. I will check back in around 6PM PST.
David

 

by: GiforGODPosted on 2009-02-20 at 16:41:21ID: 23697622

David, I must have run a different ComboFix that I found in safe mode. I have run another along with Hijack This and have posted the logs below.

I deleted those files you suggested from the previous HJ log, have restarted in regular mode under my profile and tested the internet.......again, can't get into some sites (like Experts-Exchange) once I enter my username and pass.
btw, I am on the internet on both my pc and laptop now....you helped me fix an unrelated problem on my laptop...thanks....I'll give some points on that too!

Logfile of HijackThis v1.99.1
Scan saved at 6:21:27 PM, on 02/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\Owner\My Documents\Greg\ComputerPrograms\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~3\COMCAS~1.DLL
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~3\COMCAS~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINNT\system32\GPhotos.scr/200
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
 
***************************
"Owner" - 2009-02-20 18:22:02    Service Pack 3  
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Owner\Desktop\"
 
 
(((((((((((((((((((((((((((((((   Files Created from 2009-01-21 to 2009-02-21  ))))))))))))))))))))))))))))))))))
 
 
2009-02-20 17:45	38,496	--a------	C:\WINNT\system32\drivers\mbamswissarmy.sys
2009-02-20 17:45	15,504	--a------	C:\WINNT\system32\drivers\mbam.sys
2009-02-20 17:45	<DIR>	d--------	C:\Program Files\Malwarebytes' Anti-Malware
2009-02-20 17:45	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-02-19 22:49	28,672	--a------	C:\WINNT\nircmd.exe
2009-02-19 22:26	1,244	--a------	C:\WINNT\system32\tmp.reg
2009-02-19 21:46	11,254	--a------	C:\WINNT\system32\locate.com
2009-02-19 21:45	<DIR>	d--------	C:\MGtools
2009-02-19 21:38	<DIR>	d--------	C:\Program Files\RogueRemover FREE
2009-02-19 21:35	<DIR>	d--------	C:\Deckard
2009-02-19 16:38	<DIR>	d--------	C:\Program Files\XPPoliceAntivirus
2009-02-19 16:36	<DIR>	d--hs----	C:\WINNT\system32\twain32
2009-02-19 16:35	21,505	--ah-----	C:\WINNT\system32\digeste.dll
2009-02-19 12:39	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\ALM
2009-02-19 12:30	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2009-02-19 12:09	<DIR>	d--------	C:\Program Files\Common Files\Macrovision Shared
2009-02-16 15:44	815,104	--a------	C:\WINNT\system32\xvidcore.dll
2009-02-16 15:44	180,224	--a------	C:\WINNT\system32\xvidvfw.dll
2009-02-16 15:44	<DIR>	d--------	C:\Program Files\Xvid
2009-02-15 17:42	41,472	--a------	C:\WINNT\Dkilecuguv.dll
2009-02-15 17:36	<DIR>	d--------	C:\Program Files\uTorrent
2009-02-15 17:36	<DIR>	d--------	C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2009-02-09 11:51	111,020	--ah-----	C:\WINNT\system32\mlfcache.dat
2009-02-09 11:36	9,200	---------	C:\WINNT\system32\drivers\cdralw2k.sys
2009-02-09 11:36	9,072	---------	C:\WINNT\system32\drivers\cdr4_xp.sys
2009-02-09 11:35	<DIR>	d--------	C:\WINNT\system32\IOSUBSYS
2009-02-09 11:24	991,232	--a------	C:\WINNT\vuesav32.scr
2009-02-08 18:21	<DIR>	d--h-----	C:\$AVG8.VAULT$
2009-02-08 18:12	325,128	--a------	C:\WINNT\system32\drivers\avgldx86.sys
2009-02-08 18:12	107,272	--a------	C:\WINNT\system32\drivers\avgtdix.sys
2009-02-08 18:12	10,520	--a------	C:\WINNT\system32\avgrsstx.dll
2009-02-08 18:12	<DIR>	d--------	C:\WINNT\system32\drivers\Avg
2009-02-08 18:12	<DIR>	d--------	C:\DOCUME~1\Owner\APPLIC~1\AVGTOOLBAR
2009-02-08 18:11	<DIR>	d--------	C:\Program Files\AVG
2009-02-08 18:11	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg8
2009-02-08 17:09	1,310,720	--a------	C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2009-02-08 17:09	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2009-02-08 17:09	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2009-02-08 17:09	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2009-02-08 13:52	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2009-02-08 12:46	<DIR>	d--------	C:\DOCUME~1\Owner\APPLIC~1\Move Networks
 
 
((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))
 
2009-02-21 00:06:51	--------	d-----w	C:\Program Files\Mozilla Firefox 3 Beta 5
2009-02-20 02:12:14	--------	d-----w	C:\DOCUME~1\Owner\APPLIC~1\ComcastToolbar
2009-02-19 05:13:26	--------	d-----w	C:\Program Files\Incomplete
2009-02-19 04:02:32	--------	d-----w	C:\Program Files\LimeWire
2009-02-18 19:26:32	--------	d-----w	C:\DOCUME~1\Owner\APPLIC~1\Arcsoft
2009-02-10 23:26:56	--------	d-----w	C:\DOCUME~1\Owner\APPLIC~1\WeatherBug
2009-02-09 17:35:45	--------	d-----w	C:\Program Files\Google
2009-01-12 19:36:39	60,808	----a-w	C:\WINNT\system32\S32EVNT1.DLL
2009-01-12 19:36:39	124,464	----a-w	C:\WINNT\system32\drivers\SYMEVENT.SYS
2009-01-05 22:33:03	3,751,995	----a-w	C:\WINNT\system32\GPhotos.scr
2009-01-02 03:31:18	--------	d-----w	C:\Program Files\Coupons
2008-12-22 15:51:52	809	----a-w	C:\WINNT\eReg.dat
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown 
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}=C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 21:33]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}=C:\Program Files\AVG\AVG8\avgssie.dll [2009-02-08 18:11]
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}=C:\PROGRA~1\COMCAS~3\COMCAS~1.DLL [2006-11-07 13:21]
{A057A204-BACC-4D26-9990-79A187E2698E}=C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-02-08 18:12]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 00:03]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-02-08 18:11]
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-04-13 18:12]
 
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="C:\WINNT\System32\msiexec.exe" /L*v C:\WINNT\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
"RunNarrator"=Narrator.exe
 
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
avgrsstx.dll
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Palm\HotSync Manager.lnk
backup=C:\WINNT\pss\HotSync Manager.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINNT\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINNT\pss\NkbMonitor.exe.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINNT\pss\WinZip Quick Pick.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Joost.lnk]
backup=C:\WINNT\pss\Joost.lnkStartup
 
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINNT\system32\ctfmon.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
"C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
GWMDMMSG.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMpi]
C:\WINNT\GWMDMpi.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINNT\System32\hkcmd.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]
"C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINNT\System32\igfxtray.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KEMailKb]
C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ltho]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Gateway]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\WINNT\$hf_mig$\KB887472\SP2QFE\msmsgs.exe" /background
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Photoshop Image Service]
photoshop2.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPRoyUpdater]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPUpdater]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.exe 1
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
C:\Program Files\Logitech\iTouch\iTouch.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zdrinit]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WudfSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"SSDPSRV"=3 (0x3)
"SCardSvr"=3 (0x3)
"SAVScan"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netlogon"=3 (0x3)
"napagent"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"ImapiService"=3 (0x3)
"IDriverT"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"getPlus(R) Helper"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"FastTrakSvc"=2 (0x2)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"CryptSvc"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)
"WinDefend"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"SNDSrvc"=3 (0x3)
"gusvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs	eaphost
dot3svc	dot3svc
 
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
napagent
	
*Newly Created Service* - NMSSVC
 
Contents of the 'Scheduled Tasks' folder
2008-10-09 01:20:55  C:\WINNT\tasks\AppleSoftwareUpdate.job
2008-10-15 06:47:22  C:\WINNT\tasks\MP Scheduled Scan.job
2005-12-24 21:45:34  C:\WINNT\tasks\XoftSpy.job
 
********************************************************************
 
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 18:27:43
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ...
 
scanning hidden autostart entries ...
 
scanning hidden files ...
 
disk error: C:\WINNT\
 
please note that you need administrator rights to perform deep scan
 
********************************************************************
 
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\UACd.sys]
"imagepath"="\systemroot\system32\drivers\UACwelnnxel.sys"
 
Completion time: 2009-02-20 18:29:10
C:\ComboFix-quarantined-files.txt ... 2009-02-20 18:28
C:\ComboFix2.txt ... 2009-02-20 17:40
C:\ComboFix3.txt ... 2009-02-20 00:16
 
	--- E O F ---
                                              
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:
216:
217:
218:
219:
220:
221:
222:
223:
224:
225:
226:
227:
228:
229:
230:
231:
232:
233:
234:
235:
236:
237:
238:
239:
240:
241:
242:
243:
244:
245:
246:
247:
248:
249:
250:
251:
252:
253:
254:
255:
256:
257:
258:
259:
260:
261:
262:
263:
264:
265:
266:
267:
268:
269:
270:
271:
272:
273:
274:
275:
276:
277:
278:
279:
280:
281:
282:
283:
284:
285:
286:
287:
288:
289:
290:
291:
292:
293:
294:
295:
296:
297:
298:
299:
300:
301:
302:
303:
304:
305:
306:
307:
308:
309:
310:
311:
312:
313:
314:
315:
316:
317:
318:
319:
320:
321:
322:
323:
324:
325:
326:
327:
328:
329:
330:
331:
332:
333:
334:
335:
336:
337:
338:
339:
340:
341:
342:
343:
344:
345:
346:
347:
348:
349:
350:
351:
352:
353:
354:
355:
356:
357:
358:
359:
360:
361:
362:
363:
364:
365:
366:
367:
368:
369:
370:
371:
372:
373:
374:
375:
376:
377:
378:
379:
380:
381:
382:
383:
384:
385:
386:
387:
388:
389:
390:
391:
392:

Select allOpen in new window

 

by: GiforGODPosted on 2009-02-20 at 16:54:10ID: 23697684

Okay, I started computer up under my daughters old profile. Malware still would not launch. Started Firefox and went to several web sites that I have been having the trouble getting past the login page, Experts-Excahnge included, and still unable to get past it. Note that there are no error messages, the page just wont load and it times out. I can get on other sites such as facebook, my banking, some sites that I pay bills on, etc..

I'm at a loss. Just can't figure it out. Perhaps with those last log files I sent you, you may see something that I don't see.

Thanks in advance and we will keep trying
Greg

 

by: Dirtpatch-JenkinsPosted on 2009-02-20 at 17:17:17ID: 23697767

First thing - from a SAFE computer - log on to any banking sites etc and change your passwords.

You are being attacked with who knows what... maybe a keylogger or anything in there.

 

by: GiforGODPosted on 2009-02-20 at 17:20:39ID: 23697773

I have done that several that I can get into...thanks..plan to do that to the one's I can't get into once I get this mess fixed.

 

by: GiforGODPosted on 2009-02-20 at 17:36:01ID: 23697826

Problem is.....I can't access any web pages in safe mode, regardless of what profile I am on.....

 

by: Dirtpatch-JenkinsPosted on 2009-02-20 at 17:37:18ID: 23697829

im working on getting a bootdisk on my server for you to download,, it has recent virus definitions loaded..

do you have a comp you can download it from and burn to cd?

 

by: GiforGODPosted on 2009-02-20 at 17:50:49ID: 23697866

Yes. Remember, I can only seem to run AVG, ComboFix and Hijack This. All others, such as Ad-Aware, Spybot, and the newly dowloaded and installed, Malware-Anti-Malware will not launch. Please instruct me on what to do with this bootdisk.....and am I to trust you?!? (J/K)

 

by: Dirtpatch-JenkinsPosted on 2009-02-20 at 17:58:30ID: 23697886

The boot disk is in iso format, burn it to cd - put the cd in the drive and reboot the comp... if you get a boot from cd window press a button..

It will run from the cd - you will run the virus scan from the menu - it takes a while running from cd -
after the virus scan is complete highlight all the found viri and right click and set to delete.

You can then run the registry cleaner - same thing just about. lots faster though.

after its done take the disk out and reboot.

i am remote controlling my server right now trying to get the file up for you,, will put a link in when its done,

as far as the trusting me part... youve already been over-ridden,, what can it hurt? lol.

 

by: David-HowardPosted on 2009-02-20 at 18:03:26ID: 23697903

Greg, can you go to the other system (the one that you can get on the internet with) and try this? It's a small download and it designed to correct and repair Winsock 2 settings, caused by buggy or improperly removed Internet software, and that results in the loss of Internet access.
It's worth a shot.
http://www.download.com/LSPFix/3000-2085_4-10417026.html
David

 

by: David-HowardPosted on 2009-02-20 at 18:07:49ID: 23697915

Just thinking. About once a month someone posts a question about a system that is absolutely hammered. Looks like it's your turn Greg. No worries. We'll get you through it. If Jenkins can get that antimalware/virus ISO to you that will be huge.
David

 

by: GiforGODPosted on 2009-02-20 at 18:26:03ID: 23697964

David, I am downloading from the link you sent on my PC (the infected one)....please note, I am able to get on the internet.....that's not the problem. It's what I am unale to do on it when I get there. I am going to run the program and will get back with you as soon as its complete.
Thanks

 

by: David-HowardPosted on 2009-02-20 at 18:27:22ID: 23697969

Great. And I understand about the sites you cannot visit. Good luck!

 

by: Dirtpatch-JenkinsPosted on 2009-02-20 at 18:31:04ID: 23697981

Sorry for the delay - i couldnt find my thumb drive - lol... a friend uploaded it to rapidshare, you can get it here -

http://rapidshare.com/files/200600592/avtbart.rar.html

 

by: David-HowardPosted on 2009-02-20 at 18:31:09ID: 23697982

Greg, just out of curiosity can you locate and then copy/paste your Host file for me?
It's located at:
My Computer > C: (or whatever drive Windows is on) > WINDOWS > system32 > drivers > etc > hosts
Or you can just go to Start and Search For Files and Folders
Then type in Hosts and select Search.
david

 

by: GiforGODPosted on 2009-02-20 at 18:36:06ID: 23697997

David, I just ran the program and am restarting the computer so we will see in a second if that helped at this point.

I wanted to point something out to you....below is a small section of code from ComboFix that I noticed while analyzing it. The entries shown are some things that were created around the hour or so that I began getting those shortcuts popping up on my desktop. None of the items you see in this code are things I downloaded or wanted, let alone installed. Could any of these be causing some problems?

2009-02-19 16:38	<DIR>	d--------	C:\Program Files\XPPoliceAntivirus
2009-02-19 16:36	<DIR>	d--hs----	C:\WINNT\system32\twain32
2009-02-19 16:35	21,505	--ah-----	C:\WINNT\system32\digeste.dll
 
and:
 
2009-02-16 15:44	815,104	--a------	C:\WINNT\system32\xvidcore.dll
2009-02-16 15:44	180,224	--a------	C:\WINNT\system32\xvidvfw.dll
2009-02-16 15:44	<DIR>	d--------	C:\Program Files\Xvid

                                              
1:
2:
3:
4:
5:
6:
7:
8:
9:

Select allOpen in new window

 

by: David-HowardPosted on 2009-02-20 at 18:39:50ID: 23698013

Outstanding catch Greg.
Remove this file:
XPPoliceAntivirus
You can read about the above file here:
http://www.spywaredetector.net/spyware_encyclopedia/Fake%20Anti%20Spyware.XPPoliceAntivirus.htm
It's fake antivirus.
Remove this file:
digeste.dll
The above file is Trojan.Downloader.Bredolab.
Remove them, reboot and test please.
David

 

by: GiforGODPosted on 2009-02-20 at 18:39:57ID: 23698014

David, I am checking for the Hosts now

 

by: David-HowardPosted on 2009-02-20 at 18:40:50ID: 23698019

Remove this file too.
twain32
David

 

by: David-HowardPosted on 2009-02-20 at 18:41:15ID: 23698022

Safe Mode Greg, make sure you're in Safe Mode when you pull those three files.
David

 

by: GiforGODPosted on 2009-02-20 at 18:42:10ID: 23698026

David, before I "remove" those files. How should I go about that. I've tred uninstalls on these fakes before and made more of a mess...what's your take. (I'm still searching Hosts...what info do you need from that?

 

by: GiforGODPosted on 2009-02-20 at 18:45:27ID: 23698046

David, there are no Hosts in Windows, System 32, however, after doing Search, I found the following in WINNT:
hosts
hosts.20031227-175815.backup
Imhosts.sam

 

by: David-HowardPosted on 2009-02-20 at 18:47:35ID: 23698056

Do a search for the files I listed and rename their extensions.
As an example:
Locate digeste.dll and rename it to digeste.123
Reboot and test.
Do this one at a time on the three I listed.

 

by: David-HowardPosted on 2009-02-20 at 18:48:40ID: 23698061

You may need to enable Hidden Files.
To see hidden files:
1.
 On the Tools menu in Windows Explorer, click Folder Options.
 2.
 Click the View tab.
 3.
 Under Hidden files and folders, click Show hidden files and folders.
To access Windows Explorer, click Start, point to All Programs, and then click Windows Explorer.

 

by: GiforGODPosted on 2009-02-20 at 18:53:13ID: 23698072

Okay, I have always had view hidden files, so I will do one at a time and reboot each time. I'll let you know.
Dirtpatch, I haven't forgotten you. I am gonna try these easier routes first and then see what happens.

Thanks guys...hang on

 

by: GiforGODPosted on 2009-02-20 at 18:58:17ID: 23698092

David, how should I delete the XPPolice program in Program Files. And, if there are any other links to it found in the search?

 

by: David-HowardPosted on 2009-02-20 at 19:06:15ID: 23698112

Yes. It's bogus software.

 

by: GiforGODPosted on 2009-02-20 at 19:11:36ID: 23698126

How do I remove it though. Inside the folder there is no .exe file but there are the following:
There are two .dll files, s .dat file. a .cfg file and then a folder with plugins with 3 .dat files and a folder with three .wav files.

How would you go about this. Rename them all or drag the whole XPPoliceAntivirus folder to the trash? Its not in Add and Remove.....

 

by: David-HowardPosted on 2009-02-20 at 19:13:04ID: 23698131

Sorry...I had two things going on at a once.
See if you can locate the file here and then rename it.
C:\Program Files\XPPoliceAntivirus\xppolice.exe
To perform manual removal of XP Police Antivirus rogue anti-spyware, you should do the following:

Delete XP Police Antivirus corrupt files:

%Program Files%\XPPoliceAntivirus
%Program Files%\XPPoliceAntivirus\AVCoreFn.dll
%Program Files%\XPPoliceAntivirus\bdconf.cfg
%Program Files%\XPPoliceAntivirus\Core.dll
%Program Files%\XPPoliceAntivirus\setup.dat
%Program Files%\XPPoliceAntivirus\xppolice.exe
%Program Files%\XPPoliceAntivirus\Plugins
%Program Files%\XPPoliceAntivirus\Plugins\ceva_dll.cvd
%Program Files%\XPPoliceAntivirus\Plugins\ceva_emu.cvd
%Program Files%\XPPoliceAntivirus\Plugins\ceva_vfs.cvd
%Program Files%\XPPoliceAntivirus\Plugins\ceva_vfs.ivd
%Program Files%\XPPoliceAntivirus\Plugins\cevakrnl.cvd
%Program Files%\XPPoliceAntivirus\Plugins\cevakrnl.ivd
%Program Files%\XPPoliceAntivirus\Plugins\cevakrnl.rvd
%Program Files%\XPPoliceAntivirus\sounds
%Program Files%\XPPoliceAntivirus\sounds\alert.wav
%Program Files%\XPPoliceAntivirus\sounds\click.wav
%Program Files%\XPPoliceAntivirus\sounds\fire.wav
%UserProfile%\Desktop\XP Police Antivirus.lnk
%UserProfile%\Start Menu\XP Police Antivirus.lnk

Remove XP Police Antivirus registry entries:

HKEY_CURRENT_USER\Software\XP Police Antivirus

 

by: David-HowardPosted on 2009-02-20 at 19:15:04ID: 23698132

To enter the Registry select Start>Run and then type in Regedit
Then drill to HKEY_CURRENT_USER\Software\XP Police Antivirus
Delete this Registry entry.
Reboot and test.

 

by: GiforGODPosted on 2009-02-20 at 19:21:45ID: 23698154

Okay, I have done all that and will now reboot.

 

by: GiforGODPosted on 2009-02-20 at 19:34:28ID: 23698197

Have rebooted....still can't launch Malware Anti-Malware, still can't log in to Experts-Exchange or another site that I use, and some others.

I also noted that when I go to the official Malwarebyte.org site I am redirected to a site that "looks" like it, but its just a search portal.......that has a header that says Malewarebytes.org...what you need, when you need it....but its fake.

 

by: Dirtpatch-JenkinsPosted on 2009-02-20 at 19:39:22ID: 23698215

Get the disk image... its not hard to do. just boot from the cd,, it has a user interface...easy peasy

 

by: David-HowardPosted on 2009-02-20 at 19:39:27ID: 23698216

Okay Greg, at this point I'm going to recommend that you download a suite. If you can get there.
I've used it for one year and it works.
http://www.pctools.com/spyware-doctor/?ref=afl_nenextech
You will have to purchase it but the license is for one year.
This is the first time I've recommended a paid for suite. However, your system seems that is so badly infected this may be one of about three recourses that we have. The other two are a boot and scan ISO that was recommended earlier or an XP Repair (or at the worst an XP Reinstall).

 

by: David-HowardPosted on 2009-02-20 at 19:41:16ID: 23698221

Hey Jenkins. Did you post the link for Greg? I would love to have him download and try your ISO instead of paying for a suite. But I don't see the link for the ISO.

 

by: GiforGODPosted on 2009-02-20 at 19:47:21ID: 23698235

Guys,  I work nights at FedEx and have to go in in a few minutes. Please reply to this post as soon as you can.

I will download the infor that Jankins has for me and try it in the morning.
I have Spyware Doctor on my laptop. Don't know if I can get it over to my PC. I thinks its a trial version, but have used it before.

Will either of you be on tomorrow?
Thanks SO MUCH for your help so far! I will get back to it as soon as I can. Thanks!!!

 

by: David-HowardPosted on 2009-02-20 at 20:00:02ID: 23698271

I will be around after 1PM and no later than 6PM.
David

 

by: Dirtpatch-JenkinsPosted on 2009-02-20 at 20:06:13ID: 23698286

 

by: rpggamergirlPosted on 2009-02-21 at 04:24:56ID: 23699658


[code]<pre>
----a-w           579,072 2008-01-22 18:03:54  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w           256,576 2008-01-27 01:10:57  C:\Program Files\iTunes\iTunesHelper .exe
</pre>[/code


The above section of the CF log shows sign of a vundo file infector.

Your Combofix.exe has expired, please update it before running a scan or delete that one you have and download a fresh copy of Combofix.

And the log from AVG shows file patcher which could be virut or sality. If it's virut, I would usually recommend a reformat as virut infected files are uncleanable, but if the infection has just started you can still remove the infection and just replaced all corrupted/deleted files.
Dr Web CureIt does a good job deleting all infected files.

Virut:
http://www.freedrweb.com/

Sality:
http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889

 

by: XChangingITPosted on 2009-02-21 at 06:11:23ID: 23700004

 

by: GiforGODPosted on 2009-02-21 at 12:17:36ID: 23701467

The cf log indicates dates of January 2008, doesn't it? How would that be effecting me now?

XChaningIT, look further up in post....been there, done that, can't launch it.

Thanks though!

David, Jenkins, I am back on and am going to try the reboot disc once I get it. I'll be in touch.

 

by: XChangingITPosted on 2009-02-21 at 13:07:21ID: 23701771

Sorry about that!  long post lol

try this...boot in safe mode, rename the malwarebytes install file (to anything) and try to install it then....that should get it to run.

 

by: GiforGODPosted on 2009-02-21 at 13:46:21ID: 23701989

I had to do that initially and it did not work, however, I did not do that in safe mode...would that make a diff?

 

by: XChangingITPosted on 2009-02-21 at 13:52:03ID: 23702021

yes of course....it doesnt load a lot of startup files, etc...

i would do this IN THIS ORDER (important)

If you are transferring these files from another computer via USB stick make sure you WRITE-PROTECT it..cause the virus you have will most likely jump onto your USB drive and keep infecting your machine.

1) Safe Mode
2) (rename the downloaded file) ComboFix- http://download.bleepingcomputer.com/sUBs/ComboFix.exe
3) (rename the downloaded file) Malwarebytes- http://www.malwarebytes.org/mbam/program/mbam-setup.exe
4) Avast- www.avast.com (boot-time scan)

let me know how you make out.

 

by: David-HowardPosted on 2009-02-21 at 14:02:07ID: 23702090

Were you able to download Spyware Detector Greg?

 

by: GiforGODPosted on 2009-02-21 at 14:15:34ID: 23702196

Xchanging - I have a good copy of combofix. The one you read was an old combofix that I found in Safe Mode and ran...I since posted a log with the newer version.

As for the others, I will download them on my laptop, write protect (although I am not sure how you do that) and put them on my thumb drive. Then you say to install on my infected computer in SAFE mode?

DAVID, I was able to download and run. It is the "Free" version. While it doesn't fix anything in that version, it gives me all the details that I need to delete files, registry keys, etc. Is that okay?

I haven't done Jenkins fix yet cause I downloaded the file and it is 68 megs...unfortunately, my thumb drive is only 60 megs and my laptop doesnt burn CD's. My daughter's does and we are going to do it later. I really want to try that.

Any thoughts on the above?

 

by: GiforGODPosted on 2009-02-21 at 14:17:24ID: 23702200

David, I am currently doing a FULL SCAN with Spyware Doctor. Like I said, on the smart scan, I was able to get good info on some things we hadn't seen before. Now I see in the active log that there are some other things popping up, including another Trojan downloader...man, what a mess!

 

by: XChangingITPosted on 2009-02-21 at 14:18:46ID: 23702206

yes def in safe mode.

the link i sent you should be the latest version...if you boot in Safe Mode with networking it will as you if you want to download the latest version if there is a newer one available.

certain USB drives have little switches on them to write protect kinda like an old cassette tape.

Dont forget to rename the files before running them.

 

by: GiforGODPosted on 2009-02-21 at 14:23:25ID: 23702228

Mine is a Lexar...it doesn't have that switch. Can I download the files, put them on the thumb drive and rename them there, before I load them on my PC? Would that be the same>

Also, what do I rename? If I just do the setup file name, is that enough? It seems as if I may need to rename the .exe as well?

 

by: XChangingITPosted on 2009-02-21 at 14:27:06ID: 23702241

just rename the setup file once you copy them to your computer from the USB drive.  Some will not run if they are only on the thumb drive.

name them anything....a series of numbers, etc...anything.  The setup files only..that should do it.  Leave the extension (.exe)...you cant remove that or the file will not work at all.

 

by: David-HowardPosted on 2009-02-21 at 14:42:32ID: 23702325

Yeah, Greg it sure seems like a mess. Any chance of you just getting your data off of that system and reinstalling XP? There is no telling what is lurking. Keyloggers, etc. If you do any type of banking, etc. on this system your information could very well be at risk.

 

by: GiforGODPosted on 2009-02-21 at 14:49:08ID: 23702351

Wow, that would have to be my last resort. It can be done, and actually can be refreshing at the same time. My fear there is losing something, or not bein able to save it like it should be. All my Outlook stuff.....certain programs that have data saved like Family Tree (my wife's project).....I have no problem saving downloaded programs and re-installing them, but I am not so sure about other things. What do you suggest....

 

by: GiforGODPosted on 2009-02-21 at 14:54:22ID: 23702368

Xchanging...the link to ComboFix through bleeping...is invalid. Do you have another?

 

by: David-HowardPosted on 2009-02-21 at 15:05:35ID: 23702416

You can always do a search for *.doc *.jpeg, etc. The * is a wildcard and will search for all files with whatever extension it is attached to. An example of this would be a search for *.doc
That will search for and list all documents (From Word) that reside on the system.
The same would hold true for jpegs, Excel files (*.xls), etc.
Another option would be to copy each profile to removeable media (CDR, etc.)
You would simply right click Start, select Explore and then locate say your profile. Right click on Greg (as an example) and select Copy. Then copy that profile to removeable media. Repeat as necessary with all profiles.

 

by: XChangingITPosted on 2009-02-21 at 15:08:57ID: 23702436

That link seems to work fine for me.

Try this.. http://www.forospyware.com/sUBs/ComboFix.exe

 

by: GiforGODPosted on 2009-02-21 at 15:19:05ID: 23702489

David, if I do the Profile copy, then after I reload XP, how do I get the copied profiles back on the clean version?

 

by: XChangingITPosted on 2009-02-21 at 15:21:48ID: 23702498

"paste" it back into the new installation.

Before you do that i would make scan your profile with your antivirus....its most likely very infected.

 

by: David-HowardPosted on 2009-02-21 at 15:22:02ID: 23702500

You would simply access or open the folder (Profile) and then select what you want to copy (My documents, photos, etc.) If you copy the entire profile it will bring over My Documents, My Favorites, etc. The problem can be when people create folders on C: outside of their profile. Like if your wife created a Family Tree folder on root (C:) it would not automatically copy over. You have to search or look for created folders of this type and manually copy them.

 

by: GiforGODPosted on 2009-02-21 at 16:20:25ID: 23702666

David, I have Jenkins file. When I put it in either my DVD or CD drive, and reboot, windows XP starts up to my profile page. I thought it was supposed to run before windows starts? Do I just start and then run the CD software?

 

by: David-HowardPosted on 2009-02-21 at 16:44:08ID: 23702718

If the XP CD is in your drive on boot watch for Boot from CD message. Hit any key and the XP CD will start to load.
http://support.microsoft.com/kb/316941

 

by: GiforGODPosted on 2009-02-21 at 16:51:41ID: 23702740

Okay, call me stupid, but I am really confused. I burned the file Jenkins had on a CD. I put it in both the CD and DVD drive, however, when I rebooted each time, it went right to the normal start up.

Are you saying that i have to have my original XP reboot disc in?
If I do what you say, and the XP CD starts to load, where does the CD with Jenkins file come into play?

Forgive my ignorance on this one.......

 

by: Dirtpatch-JenkinsPosted on 2009-02-21 at 16:52:29ID: 23702742

You may have to change the boot order in bios... set it to cd/dvd first

 

by: Dirtpatch-JenkinsPosted on 2009-02-21 at 16:53:48ID: 23702746

OH wait a minute... it was a rar file.. compressed,, you need to unrar and then burn the iso file.

do you have nero or a similar burning app?

 

by: XChangingITPosted on 2009-02-21 at 16:55:41ID: 23702751

First of all Is this 'Jenkin's' file your profile??  If so thats only data NOT a bootable CD.

yes you need your Windows XP CD to boot off if you're trying to reinstall WIndows after backing up your profile.

 

by: Dirtpatch-JenkinsPosted on 2009-02-21 at 16:56:20ID: 23702754

if you dont have burner software here is a free one...
http://infrarecorder.org/

once you unrar the iso, burn the image(iso) with infrarecorder.

That cd will boot directly

 

by: Dirtpatch-JenkinsPosted on 2009-02-21 at 16:58:20ID: 23702763

XChangingIT, a friend of mine put a bart cd image with up to date virus definitions on rapidshare for him to use. thats what hes talking about.

 

by: GiforGODPosted on 2009-02-21 at 17:22:52ID: 23702830

Ugh....I downloaded the CD burning file. I then extracted the ISO file. When I go to burn it with the CD burning software, I get the following message:

ERROR: Unable to parse project file, it may be corrupt. The XML processor returned: 2

?????
Next question....what do I do if I can't find my friggin XP recovery disc?  I am at a total loss here.

 

by: XChangingITPosted on 2009-02-21 at 17:25:44ID: 23702837

did you try booting into safe mode and removing the malware??

do you have a Dell?

 

by: Dirtpatch-JenkinsPosted on 2009-02-21 at 17:26:18ID: 23702839

DId the rar file extract with no errors?

 

by: GiforGODPosted on 2009-02-21 at 17:28:54ID: 23702848

Yes, as far as I can tell it did. It shows as "avast! BART CD 2009.iso" in a file on my desktop called Jenkins. But when I try to burn it to a CD, I get that error message.

 

by: Dirtpatch-JenkinsPosted on 2009-02-21 at 17:30:33ID: 23702855

heres a link with a short list of burning apps...

http://www.petri.co.il/how_to_write_iso_files_to_cd.htm

if the rar file extracted with no errors then it will burn, i just used the same image this afternoon

 

by: GiforGODPosted on 2009-02-21 at 17:30:45ID: 23702856

Xch, I have a Gateway

 

by: GiforGODPosted on 2009-02-21 at 17:45:18ID: 23702890

Thanks Jenkins....it is now recording. Once finished, what do I do>

 

by: GiforGODPosted on 2009-02-21 at 17:58:23ID: 23702930

Never mind....I rebooted and the Avast is scanning now. I set it on thorough and it is running now. I will run several things on it and then get back to everyone.

I asked the question earlier,......if this doesn't work.....and I can't find my Windows XP recovery disc.....what then????

 

by: Dirtpatch-JenkinsPosted on 2009-02-21 at 17:58:25ID: 23702931

put it in the cd and reboot... it will load,, bart cd's take a while,, but once its loaded its pretty straight forward.. run the antivirus let it scan,, will take awhile... when its done right click the stuff it finds and select delete... then run the registry cleaner...

 

by: GiforGODPosted on 2009-02-21 at 18:02:46ID: 23702938

gotcha

 

by: David-HowardPosted on 2009-02-21 at 19:02:04ID: 23703097

If you don't have your OS CD you will need to hit Ebay, etc. and buy one.  You should have an OS cd no matter what the case. It's the only way you can run SFC SCANNOW, a Repair or an OS reload.

 

by: David-HowardPosted on 2009-02-21 at 19:02:27ID: 23703098

Legally.

 

by: GiforGODPosted on 2009-02-22 at 07:48:42ID: 23705169

Okay, here is what took place overnight. I ran the boot disc and the Avast found and deleted the following:
WIN32:Agent-QZQ (Trojan)
WIN32:DNSChanger-VJ (Trojan)
WIN32:Downloader-AVS (Spy)
WIN32: ADWARE-GEN (ASW)
WIN32:Trojano-214 (Trojan

I then ran the registry cleaner. It was able to perform 6 of 7 functions but couldn't run the second one (Registry File Types) and came up with the error message "Can't Enumerate Subeys"

I finished everything, removed Boot CD and restarted. Tries to get on Experts-Exchange and a couple other sites that I use for my job, and again....no entry once I try to log in. ON Facebook, my daughter can get on, however, just trying to launch her friends chat, or to update her profile....the page just bogs down and won't load.

I then tried to download and launch Malwarebytes program. Even renamed it. THe program installed, but when I wne to launch it....nothing.

I am truly stumped. AVG and AVAST combined have removed over 20 viruses, spyware, or adware and I am faced with the same thing.......What now?

 

by: Dirtpatch-JenkinsPosted on 2009-02-22 at 07:57:53ID: 23705208

I cant remember if i had sent you this link yet,,
http://safecomputing.umn.edu/guides/scan_unhackme.html

You could try that... i had a buddy with a NASTY rootkit and followed their advice and was at least able to save his personal files. he decided for a reinstall even though it seemed to have removed everything...which is what i would suggest for you just as soon as you can find/get disks.

 

by: GiforGODPosted on 2009-02-22 at 08:45:16ID: 23705406

Thanks Jenkins, I will try this and will let you know. I think this is my last step, and depending on the outcome, will either save me, or have to re-install. Right now, I am leaving to get some divine intervention. Beats the heck out of me.....Jesus rose from the dead in three days, I can't even get my computer to resurrect in three.......I'll get back to you in a bit. THANKS!!!

 

by: GiforGODPosted on 2009-02-22 at 12:31:51ID: 23706311

JENKINS!!!!!!!!!!!!!!!!!!!!

IT WORKED!!!!!!

I HAVE BEEN FREED FROM THE BONDAGE OF THE TROJAN ARMY!

Everything is working normally now and all the sites that I could not get into or work on are now operating properly, INCLUDING EXPERTS-EXCHANGE which I am accessing on my PC AS WE SPEAK!

I am ever grateful to ALL OF YOU who walked me through this absolute mess:

David, Jenkins, XCHangingIT, your tips, your patience, and most of all, your absolute and amazing EXPERTISE has made my day (and life a lot easier for now).

As I am somewhat new to this, I am not sure how to reward points in a case like this. I am certain that Jenkins last program suggestion could probably not have cleaned me up entirely. I believe that it was a host of suggestions and recommendations that got me through.....so my next questions, and don't be shy, how do I award the points. You are all deserving!

 

by: Dirtpatch-JenkinsPosted on 2009-02-22 at 12:36:20ID: 23706334

My reward is the thanks youve already given... divy them up as you see fit, its all good here.

Glad your back in pc action, keep an alert eye out for anything weird for awhile though, rootkits are sneaky.

 

by: GiforGODPosted on 2009-02-22 at 12:43:28ID: 23706360

Jenkins and David, as I am hoping that I can download and now run several of the programs you all have suggested (i.e. Malware, Hackme, etc....what would you suggest I download and/or use on a regular basis to monitor these things. Also, I am using AGV as my anti-virus....and I am not too confident with it. I just downloaded and started using it a week ago, with updates, and all this stuff got through.....any suggestions...after all, you guys are the EXPERTS!

 

by: Dirtpatch-JenkinsPosted on 2009-02-22 at 12:50:42ID: 23706395

Nothing is going to stop everything, but ive had very good success with avast.. free for home use.

A good real time scanner and some safe internet usage will go a far way.

Create a limited user account to use... if you need to install something you can right click and "run as" your admin account.

 

by: GiforGODPosted on 2009-02-22 at 15:48:51ID: 31549453

Amazing help and patience!

 

by: antangPosted on 2009-02-23 at 07:05:11ID: 23711878

GiforGOD, sorry wasn't able to follow thread of weekend.  Please make sure to monitor your bank accounts and credit.  I had a co-worker that had his personal infected with same type and right after had his identity stolen.  Apparently his had a keylogger and was able to due purchases using info from his online banking and card purchases.

 

 

by: GiforGODPosted on 2009-02-23 at 07:23:39ID: 23712063

Thanks for the advice. I have not seen any unusual activity as of yet, however, I did change passwords, etc.

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...