Don't even know where to begin on this one



Post by Flapjacks on 13th December 2009, 6:14 am

First let me say hello to everyone. Seems like a great place to reach out for a little help. This one might be a little difficult to explain, so if you have any questions, ask away.

I'm going to give as much information as I can: Yesterday I was at my buddy's house and needed to check my email. I jumped on his computer and it was running very slow. Checked his disk space and he had 0% space, so the first thing I did was run the Windows clean-up. He has Windows XP with something called Vistart, a program to make XP look like Vista. Ran the clean-up tool and like 6 hours later he called me and told me he gained like 5GB of space with compressed files. Cool, it's a good start. He was going to reboot to tell me if it booted faster and then start a defrag. Today he called me and said he can't get into anything, so I went over to his house and found all kinds of issues.

First thing I noticed is his wallpaper has been replaced with a green background and a huge Virus alert in a white box. If you need to know what it says I can get it for you, just ask.
Seems like he has a crap load of the "virus" infection problems...my best guess is three different ones. The first one I know for sure is "Internet Security 2010", which pops up with virus warnings. EDIT: another one for sure is Antivirus Live. There are two more that I don't know the name of. One shows up, at least I believe it's one, in the tray as a big red circle with a white X in it. I get at least three different-looking virus alerts; none are from his virus protection, which is AVG. One alert says Spyware Alert! worm.win32.netsky.
I booted in safe mode with networking and ran AVG from there. Safe mode came up but it wouldn't let me online and I was still getting the alerts in safe mode. AVG found two viruses and I rebooted. Didn't help at all. Still had all the other problems. I tried rebooting in safe mode again and now it stops at the MUP.SYS line in safe mode and will no longer boot. I brought his computer to my house and have it here with me now, except I forgot his power cord to the tower and am sharing the power cord between the two monitors....pain in the.... LOL

His computer won't let me do anything. Open any programs, Task Manager, AVG...nothing. I tried running Task Manager as soon as XP starts loading but I can't catch it in time. I tried installing Ad-Aware and Malwarebytes and it lets me start to install it but the viruses catch it and stop the install. I have logged into other users on the computer and tried all of this from there and the same thing. It seems like the users on there that don't log into the computer were fine at first but slowly all these problems ended up on their login also. His son's account let me get into Task Manager, and I got all the way through the install for Ad-Aware but when I tried to set it up he didn't have admin rights...RATS!!!!!!!!!!!!

I tried to install HijackThis on all three accounts but the viruses stop it. I really need some help or at least a starting point. I promised I would do everything I could for him. He has pictures he can't replace and a lot of information for his daughter's college apps. I know, I warned him too, but if you guys can think of anything that might help, please help me.

Thanks in advance!!!!!
Flapjacks (Dan)


Last edited by Flapjacks on 13th December 2009, 6:25 am; edited 1 time in total (Reason for editing : More information)

Flapjacks
Novice
Posts : 43
Joined : 2009-12-13
Gender : Male
OS : Windows XP SP3
Points : 26034
Likes : 0

Re: Don't even know where to begin on this one

Post by Belahzur on 14th December 2009, 12:39 am

Please download exeHelper from one of the two links.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click on exeHelper.com or exeHelper.scr to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
Likes : 1

Re: Don't even know where to begin on this one

Post by Flapjacks on 14th December 2009, 12:47 am

I'm going to do that right now. Plus I just got to the point of installing HijackThis, so hope this log helps also. Still having issues with Malwarebytes though. Will not install/run MBAM.EXE. I will get that other log to you in a few if it lets me. Thanks Belahzur.

hijackthis:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 7:39:49 PM, on 12/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\winupdate86.exe
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.127 browser-security.microsoft.com
O1 - Hosts: 91.212.65.127 spywareprotector-2009.com
O1 - Hosts: 91.212.65.127 [You must be registered and logged in to see this link.]
O1 - Hosts: 91.212.65.127 secure.spywareprotector-2009.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {2c187a72-1dd2-11b2-990a-c0d1fd9ee47e} - C:\WINDOWS\system32\gZpZINTq.dll (file missing)
O2 - BHO: (no name) - {4BDE3302-C530-57EF-8052-125505832F3D} - C:\WINDOWS\System32\byucwk.dll (file missing)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {afe0e58e-1dd1-11b2-8bc9-c7c6ef421cd9} - C:\WINDOWS\system32\qu1dTdST.dll (file missing)
O2 - BHO: (no name) - {bd90b796-1dd1-11b2-bb79-fff6b1626bd9} - C:\WINDOWS\system32\mswerqwd.dll (file missing)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [yeyubimuy] Rundll32.exe "c:\windows\system32\vuvuwofi.dll",a
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\Policies\Explorer\Run: [Ci0434QY1t] C:\Documents and Settings\All Users.WINDOWS\Application Data\nexyhqnm\zkbgpqru.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {BFA64208-1FA4-447B-BBEE-03162630B982} - [You must be registered and logged in to see this link.] (file missing) (HKCU)
O9 - Extra button: Support - {D2AD3490-AEE5-4140-BC6C-82C334021EEB} - [You must be registered and logged in to see this link.] (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {F8755D68-29C8-4316-98B3-9385E6E316C5} - [You must be registered and logged in to see this link.] (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - [You must be registered and logged in to see this link.]
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{9199A183-4C21-441A-B238-AE653E14D6E5}: NameServer = 193.104.110.38,4.2.2.1,192.168.1.1
O20 - AppInit_DLLs: hoganova.dll c:\windows\system32\vuvuwofi.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O21 - SSODL: firesoloj - {e29012c4-1262-4182-a1dd-4c29f7d5c7a0} - c:\windows\system32\vuvuwofi.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: gahurihor - {e29012c4-1262-4182-a1dd-4c29f7d5c7a0} - c:\windows\system32\vuvuwofi.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe

--
End of file - 8635 bytes


Re: Don't even know where to begin on this one

Post by Flapjacks on 14th December 2009, 12:50 am

and here is the exehelper log Smile

exeHelper by Raktor
Build 20091204
Run at 19:49:03 on 12/13/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Killed process winupdate86.exe
Checking for bad files...
Deleting file C:\WINDOWS\system32\~.exe
Deleting file C:\WINDOWS\system32\critical_warning.html
Deleting file C:\WINDOWS\system32\winupdate86.exe
Checking for bad registry entries...
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

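The three "Resetting ..." lines in the exeHelper log above explain why nothing would install: the usual form of this hijack rewrites the .exe and .com file associations (HKCR\exefile\shell\open\command and comfile) so the rogue's own binary is started in front of every program launched, and points Winlogon\UserInit at a dropper (here winlogon86.exe, per the F2 line in the HijackThis log) so it comes back at every logon, Safe Mode included. It is also the reason exeHelper is shipped as a .com/.scr rather than an .exe. As an added example, not from the thread and not exeHelper's code, here is a Python check of those values. The baseline is a stock Windows XP install (assumed); the hijacked sample is constructed, taking only the UserInit value from the log, and the av.exe path in it is hypothetical.

```python
"""Check the launch path exeHelper resets above: .exe/.com associations, UserInit, Shell.

Added example, not from the thread or from exeHelper. evaluate() is pure and runs
anywhere; collect_live() reads the real values and needs Windows. Baseline values
are a stock Windows XP install (assumed); the hijacked sample is constructed."""
import re

EXPECTED_OPEN_COMMAND = '"%1" %*'   # HKCR\exefile (and comfile)\shell\open\command, assumed stock value
EXPECTED_USERINIT = "userinit.exe"  # the only legitimate Winlogon\Userinit entry, by basename
EXPECTED_SHELL = "explorer.exe"


def _norm(value):
    """Case-fold and collapse whitespace so harmless formatting differences don't alarm."""
    return re.sub(r"\s+", " ", value or "").strip().lower()


def _basename(path):
    return _norm(path).strip('"').replace("/", "\\").rpartition("\\")[2]


def evaluate(values):
    """values: dict with exe_class, exe_command, com_class, com_command, userinit, shell.
    Returns [(setting, actual, why), ...]; an empty list means the launch path is clean."""
    problems = []
    for ext, progid in (("exe", "exefile"), ("com", "comfile")):
        cls = values.get(f"{ext}_class", "")
        if _norm(cls) != progid:
            problems.append((f".{ext} class", cls, f"expected {progid}; a swapped ProgID redirects every .{ext} launch"))
        cmd = values.get(f"{ext}_command", "")
        if _norm(cmd) != _norm(EXPECTED_OPEN_COMMAND):
            # Whatever is left after removing the stock tail is the program wedged in front of every launch.
            injected = _norm(cmd).replace(_norm(EXPECTED_OPEN_COMMAND), "").strip() or "(command rewritten)"
            problems.append((f"{progid} open command", cmd, "another program is launched first: " + injected))
    entries = [p.strip() for p in (values.get("userinit") or "").split(",") if p.strip()]
    bad = [p for p in entries if _basename(p) != EXPECTED_USERINIT]
    if not entries or bad:
        problems.append(("Winlogon\\Userinit", values.get("userinit", ""),
                         "runs at every logon, Safe Mode included: " + (", ".join(bad) or "(empty)")))
    if _basename(values.get("shell", "")) != EXPECTED_SHELL:
        problems.append(("Winlogon\\Shell", values.get("shell", ""), "shell replaced or chained with another program"))
    return problems


def collect_live():
    """Read the live values on Windows; HKCR is the merged view for the user running this."""
    import winreg  # Windows only; evaluate() itself has no such dependency

    def default_of(path):
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, path) as key:
            return winreg.QueryValueEx(key, "")[0]

    def winlogon(name):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
            return winreg.QueryValueEx(key, name)[0]

    return {"exe_class": default_of(".exe"), "exe_command": default_of(r"exefile\shell\open\command"),
            "com_class": default_of(".com"), "com_command": default_of(r"comfile\shell\open\command"),
            "userinit": winlogon("Userinit"), "shell": winlogon("Shell")}


# Constructed samples. CLEAN is the assumed stock XP state; HIJACKED takes UserInit from the
# thread's HijackThis F2 line and adds a hypothetical rogue-AV .exe command (av.exe is made up).
CLEAN_SAMPLE = {"exe_class": "exefile", "exe_command": '"%1" %*', "com_class": "comfile",
                "com_command": '"%1" %*', "userinit": r"C:\WINDOWS\system32\userinit.exe,",
                "shell": "Explorer.exe"}
HIJACKED_SAMPLE = dict(CLEAN_SAMPLE,
                       exe_command=r'"C:\Documents and Settings\Dad\Application Data\av.exe" /START "%1" %*',
                       userinit=r"C:\WINDOWS\system32\winlogon86.exe")

if __name__ == "__main__":
    for setting, actual, why in evaluate(HIJACKED_SAMPLE):
        print(f"{setting}: {actual!r} -> {why}")
```

collect_live() has to run as the affected user, because HKCR merges that user's HKCU\Software\Classes over the machine-wide classes and a per-user override is exactly where this kind of hijack likes to hide. With the association still hijacked, python.exe itself may not start, so in practice the live check belongs on a clean boot medium or after a tool like exeHelper has restored the values.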

Re: Don't even know where to begin on this one

Post by Belahzur on 14th December 2009, 1:23 am

Hello.

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab -> LAN Settings > uncheck "use a proxy server" or reconfigure the proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"
  2. Click the apply button and restart that computer in normal mode.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.212.65.127 browser-security.microsoft.com
    O1 - Hosts: 91.212.65.127 spywareprotector-2009.com
    O1 - Hosts: 91.212.65.127 [You must be registered and logged in to see this link.]
    O1 - Hosts: 91.212.65.127 secure.spywareprotector-2009.com
    O2 - BHO: (no name) - {2c187a72-1dd2-11b2-990a-c0d1fd9ee47e} - C:\WINDOWS\system32\gZpZINTq.dll (file missing)
    O2 - BHO: (no name) - {4BDE3302-C530-57EF-8052-125505832F3D} - C:\WINDOWS\System32\byucwk.dll (file missing)
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O2 - BHO: (no name) - {afe0e58e-1dd1-11b2-8bc9-c7c6ef421cd9} - C:\WINDOWS\system32\qu1dTdST.dll (file missing)
    O2 - BHO: (no name) - {bd90b796-1dd1-11b2-bb79-fff6b1626bd9} - C:\WINDOWS\system32\mswerqwd.dll (file missing)
    O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
    O4 - HKLM\..\Run: [yeyubimuy] Rundll32.exe "c:\windows\system32\vuvuwofi.dll",a
    O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
    O4 - HKLM\..\Policies\Explorer\Run: [Ci0434QY1t] C:\Documents and Settings\All Users.WINDOWS\Application Data\nexyhqnm\zkbgpqru.exe
    O20 - AppInit_DLLs: hoganova.dll c:\windows\system32\vuvuwofi.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O21 - SSODL: firesoloj - {e29012c4-1262-4182-a1dd-4c29f7d5c7a0} - c:\windows\system32\vuvuwofi.dll
    O22 - SharedTaskScheduler: gahurihor - {e29012c4-1262-4182-a1dd-4c29f7d5c7a0} - c:\windows\system32\vuvuwofi.dll



  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.




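The lines Belahzur has Flapjacks fix above are the classic interception and persistence points this family of rogue AV uses: a browser proxy on 127.0.0.1 so a local process can feed the fake alerts, hosts-file entries that send security-vendor names to 91.212.65.127, a Policies\Explorer\Run autorun, an AppInit_DLLs entry that gets the DLL into every GUI process, and SSODL/SharedTaskScheduler registrations that load the same DLL into Explorer at logon; the first log also showed a replaced UserInit (F2) and a changed O17 NameServer. As an added example, not part of the thread and not HijackThis or Malwarebytes code, the Python below reads HijackThis lines and ranks exactly those classes. The stock-XP allowlists, the hostname markers and the severities are my assumptions, and the sample lines are a constructed subset of the log posted above.

```python
"""Triage HijackThis log lines for the hijack classes seen in this thread.
Added example, not from the thread or from HijackThis; the allowlists, name
markers and severities are the author's assumptions, not anything HJT emits."""
import ipaddress
import re

LEGIT_USERINIT = "userinit.exe"  # stock XP value (assumed)
LEGIT_SHELL_DLLS = {"webcheck.dll", "shell32.dll", "stobject.dll", "browseui.dll"}  # stock XP SSODL/STS (assumed)
SECURITY_MARKERS = ("microsoft", "windowsupdate", "symantec", "mcafee", "avg",
                    "kaspersky", "malwarebytes", "trendmicro", "spyware", "antivirus")

RE_PROXY = re.compile(r"^R1 - .*ProxyServer = (.+)$")
RE_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(.+)$")
RE_HOSTS = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
RE_POLICY_RUN = re.compile(r"^O4 - .*\\Policies\\Explorer\\Run: \[[^\]]*\] (.+)$")
RE_RUN = re.compile(r"^O4 - .*\\Run: \[[^\]]*\] (.+)$")
RE_DNS = re.compile(r"^O17 - .*NameServer = (.+)$")
RE_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
RE_SHELL_LOAD = re.compile(r"^O2[12] - (?:SSODL|SharedTaskScheduler): .*? - \{[^}]+\} - (.+)$")

def _ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def _split_path(path):
    """(parent, basename), lower-cased, for a quoted or bare Windows path."""
    parent, _, name = path.strip().strip('"').replace("/", "\\").rpartition("\\")
    return parent.lower(), name.lower()

def check_line(line):
    """Return (severity, reason) for one HJT line, or None when it looks benign."""
    line = line.strip()
    m = RE_PROXY.match(line)
    if m:  # e.g. "http=127.0.0.1:5555": browser traffic goes through a local process
        for token in m.group(1).split(";"):
            host = token.split("=")[-1].rsplit(":", 1)[0].strip()
            addr = _ip(host)
            if host.lower() == "localhost" or (addr is not None and addr.is_loopback):
                return ("HIGH", "browser proxied through a local process: " + token.strip())
        return ("MEDIUM", "proxy configured; confirm it was set on purpose")
    m = RE_USERINIT.match(line)
    if m:  # legit value is <system32>\userinit.exe, usually with a trailing comma
        names = [_split_path(p)[1] for p in m.group(1).split(",") if p.strip()]
        if any(n != LEGIT_USERINIT for n in names):
            return ("HIGH", "UserInit replaced; runs at every logon, Safe Mode included")
    m = RE_HOSTS.match(line)
    if m:
        ip, host = m.group(1), m.group(2).lower()
        addr = _ip(ip)
        benign = addr is not None and (addr.is_loopback or addr.is_unspecified)  # localhost, 0.0.0.0 ad-block
        if not benign and any(mark in host for mark in SECURITY_MARKERS):
            return ("HIGH", f"hosts file redirects security-related name {host} to {ip}")
    if RE_POLICY_RUN.match(line):
        return ("HIGH", "Policies\\Explorer\\Run autorun; legitimate software almost never uses it")
    m = RE_RUN.match(line)
    if m:
        parts = m.group(1).split(None, 1)
        if parts[0].lower() in ("rundll32", "rundll32.exe") and len(parts) == 2:
            parent, name = _split_path(parts[1].split(",")[0])
            if parent.endswith("\\system32"):
                return ("MEDIUM", "rundll32 loads a DLL placed directly in system32; check its publisher: " + name)
    m = RE_DNS.match(line)
    if m:
        public = [s.strip() for s in m.group(1).split(",") if getattr(_ip(s), "is_global", False)]
        if public:
            return ("MEDIUM", "public DNS resolvers set; confirm they belong to the ISP: " + ", ".join(public))
    m = RE_APPINIT.match(line)
    if m and m.group(1).strip():
        return ("HIGH", "AppInit_DLLs injected into every user32 process: " + m.group(1).strip())
    m = RE_SHELL_LOAD.match(line)
    if m and _split_path(m.group(1))[1] not in LEGIT_SHELL_DLLS:
        return ("HIGH", "unknown DLL loaded into Explorer at logon (SSODL/SharedTaskScheduler): " + m.group(1))

def triage(log_text):
    """(severity, reason, line) for every suspicious entry; HIGH first, then log order."""
    rank = {"HIGH": 0, "MEDIUM": 1}
    found = []
    for raw in log_text.splitlines():
        hit = check_line(raw)
        if hit:
            found.append((hit[0], hit[1], raw.strip()))
    return sorted(found, key=lambda f: rank[f[0]])

# Constructed sample: a subset of the entries from the thread's first HijackThis log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.127 browser-security.microsoft.com
O1 - Hosts: 91.212.65.127 secure.spywareprotector-2009.com
O4 - HKLM\..\Run: [yeyubimuy] Rundll32.exe "c:\windows\system32\vuvuwofi.dll",a
O4 - HKLM\..\Policies\Explorer\Run: [Ci0434QY1t] C:\Documents and Settings\All Users.WINDOWS\Application Data\nexyhqnm\zkbgpqru.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9199A183-4C21-441A-B238-AE653E14D6E5}: NameServer = 193.104.110.38,4.2.2.1,192.168.1.1
O20 - AppInit_DLLs: hoganova.dll c:\windows\system32\vuvuwofi.dll
O21 - SSODL: firesoloj - {e29012c4-1262-4182-a1dd-4c29f7d5c7a0} - c:\windows\system32\vuvuwofi.dll
O22 - SharedTaskScheduler: gahurihor - {e29012c4-1262-4182-a1dd-4c29f7d5c7a0} - c:\windows\system32\vuvuwofi.dll
"""
```

Run it with `triage(open("hijackthis.log").read())` on a saved log. MEDIUM items are prompts to verify, not verdicts: the Lexmark rundll32 entry in the same log is legitimate and is not flagged because its DLL lives under spool\DRIVERS rather than directly in system32, and a public resolver is fine when it is the ISP's; the 193.104.110.38 entry was only confirmed bad when Malwarebytes later reported it as Trojan.DNSChanger. The orphaned "(file missing)" BHO and Winlogon Notify entries Belahzur also had removed are left alone here on purpose: they are dead registrations worth cleaning, but they cannot load anything.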

Re: Don't even know where to begin on this one

Post by Flapjacks on 14th December 2009, 2:19 am

I'm having a really hard time getting Malwarebytes to work. MBAM not being installed.
Found a workaround for Malwarebytes, and it's scanning now.....I love feeling like progress is being made.


Re: Don't even know where to begin on this one

Post by Flapjacks on 14th December 2009, 4:24 am

Malwarebytes' Anti-Malware 1.42
Database version: 3356
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/13/2009 11:14:29 PM
mbam-log-2009-12-13 (23-14-29).txt

Scan type: Quick Scan
Objects scanned: 261941
Time elapsed: 1 hour(s), 7 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 18
Registry Values Infected: 4
Registry Data Items Infected: 7
Folders Infected: 3
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\hoganova.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\kavunize.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\vuvuwofi.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{e29012c4-1262-4182-a1dd-4c29f7d5c7a0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\VCLSDCompression.class (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoaccessactivex.Chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\VideoAXObject.Chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yeyubimuy (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{e29012c4-1262-4182-a1dd-4c29f7d5c7a0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\firesoloj (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Security Packages (Trojan.Vundo.H) -> Data: kavunize.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\vuvuwofi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\vuvuwofi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9199a183-4c21-441a-b238-ae653e14d6e5}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,192.168.1.1 -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Dad\Application Data\Ultimate Cleaner (Rogue.Ultimate.Cleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application Data\Ultimate Cleaner\logs (Rogue.Ultimate.Cleaner) -> Quarantined and deleted successfully.
C:\Program Files\Ultimate Cleaner (Rogue.Ultimate.Cleaner) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\hoganova.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\kavunize.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\movezisa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pikusuba.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vuvuwofi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\wokozupi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\pdvwd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\ryiasu.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\winlogon86.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xm1985.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temp\vftgbjdbuyt.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\8G2EXI1X\m[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\GIW4VH33\ad0d4cc0deabb8d6a7fc53c6a83f4144[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alicia M. Kowalski\Application Data\tvmknwrd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bryan G. Sheftz\Application Data\tvmknwrd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Common\helper.sig (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\winhelper86.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Re: Don't even know where to begin on this one

Post by Flapjacks on 14th December 2009, 9:17 am

Just wanted to let you know that I am still getting Internet Security 2010. Malwarebytes did not pick it up. I have it turned off in startup in msconfig. Also there is other stuff still coming up in startup that I have stopped, vuvuwofi for one. Is there a way I can tell for sure what's supposed to be listed in the startup?

I'm going to run Malwarebytes and then HijackThis again and post the logs so you can take a second look at them.


Re: Don't even know where to begin on this one

Post by Flapjacks on 14th December 2009, 4:51 pm

Hey Belahzur,

Here are the updated log files. Still showing IS2010 in msconfig; also one called vuvuwofi is still in msconfig. Nothing is showing up on Malwarebytes as infected:
Malwarebytes' Anti-Malware 1.42
Database version: 3356
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/14/2009 11:29:52 AM
mbam-log-2009-12-14 (11-29-52).txt

Scan type: Quick Scan
Objects scanned: 261801
Time elapsed: 58 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And here is the newest HijackThis:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 11:32:50 AM, on 12/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Malwarebytes' Anti-Malware\EmtVNVpj6.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {BFA64208-1FA4-447B-BBEE-03162630B982} - [You must be registered and logged in to see this link.] (file missing) (HKCU)
O9 - Extra button: Support - {D2AD3490-AEE5-4140-BC6C-82C334021EEB} - [You must be registered and logged in to see this link.] (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {F8755D68-29C8-4316-98B3-9385E6E316C5} - [You must be registered and logged in to see this link.] (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - [You must be registered and logged in to see this link.]
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - [You must be registered and logged in to see this link.]
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe

--
End of file - 6806 bytes

Flapjacks
Novice

Posts : 43
Joined : 2009-12-13
Gender : Male
OS : windows XP SP3
Points : 26034
# Likes : 0

Re: Don't even know where to begin on this one

Post by Belahzur on 14th December 2009, 7:33 pm

Please open Notepad and copy and paste the following in the Code box into Notepad:

Code:
@echo off
rem Exports MSConfig's record of startup items and services that were unchecked
rem in msconfig (the Shared Tools\MSConfig keys) to %systemdrive%\startup.txt.
echo The log can be found at %systemdrive%\startup.txt if Notepad doesn't open automatically.
rem Clear leftovers from an earlier run.
if exist %systemdrive%\peek*.txt del /q %systemdrive%\peek*.txt
if exist %systemdrive%\startup.txt del /q %systemdrive%\startup.txt
rem regedit /e writes each key, with its subkeys and values, as a .reg text file.
regedit /e %systemdrive%\peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
regedit /e %systemdrive%\peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"
regedit /e %systemdrive%\peek3.txt "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services"
rem Join the three exports into one file, mark the end, remove the pieces and open the result.
type %systemdrive%\peek*.txt >> %systemdrive%\startup.txt
echo End >> %systemdrive%\startup.txt
del /q %systemdrive%\peek*.txt
notepad %systemdrive%\startup.txt

Click on File > Save As....

In the File Name box, copy and paste in msconfig.bat

In the Save As Type box, select All Files from the drop-down list.

Click Save.

Double click on msconfig.bat to run it. Command Prompt will open, followed by Notepad shortly afterwards. Please post the contents of this Notepad file in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
# Likes : 1

Re: Don't even know where to begin on this one

Post by Flapjacks on 14th December 2009, 8:03 pm

Here you go:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdaptecDirectCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DirectCD"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG8_TRAY]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgtray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BCMSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BCMSMMSG"
"hkey"="HKLM"
"command"="BCMSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Cosmi Firewall]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="firewall"
"hkey"="HKLM"
"command"="C:\\Program Files\\Cosmi\\Firewall\\firewall.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\EzPrint]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ezprint"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lexmark 5400 Series\\ezprint.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Hsafowuraf]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ekotanek"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\ekotanek.dll\",e"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Internet Security 2010]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IS2010"
"hkey"="HKCU"
"command"="C:\\Program Files\\InternetSecurity2010\\IS2010.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LClock]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LClock"
"hkey"="HKCU"
"command"="C:\\Program Files\\LClock\\LClock.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Lexmark 5400 Series Fax Server]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fm3032"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lexmark 5400 Series\\fm3032.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\lxctmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lxctmon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lexmark 5400 Series\\lxctmon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LyraHD2TrayApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LYRAHD2TrayApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Thomson\\Lyra Jukebox\\LyraHDTrayApp\\LYRAHD2TrayApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MsWerr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="xm1985"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\xm1985.dll,w"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nlvexgxp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="amtgsysguard"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\Dad\\Local Settings\\Application Data\\tjagic\\amtgsysguard.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VerizonServicepoint.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VerizonServicepoint"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Verizon\\VSP\\VerizonServicepoint.exe\" /AUTORUN"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Verizon_McciTrayApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McciTrayApp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Verizon\\McciTrayApp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ViOrb]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViOrb"
"hkey"="HKCU"
"command"="C:\\Program Files\\ViOrb\\ViOrb.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ViStart]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViStart"
"hkey"="HKCU"
"command"="C:\\Program Files\\ViStart\\ViStart.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winupdate86.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winupdate86"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\winupdate86.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\yeyubimuy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vuvuwofi"
"hkey"="HKLM"
"command"="Rundll32.exe \"c:\\windows\\system32\\vuvuwofi.dll\",a"
"inimapping"="0"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

End


Re: Don't even know where to begin on this one

Post by Belahzur on 14th December 2009, 8:06 pm

Time to remove those leftovers.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Hsafowuraf]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Internet Security 2010]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MsWerr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nlvexgxp]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winupdate86.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\yeyubimuy]


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.




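The msconfig.bat export above dumps MSConfig's startupreg key to text, the entries are judged by eye, and the OTM :reg script then deletes the chosen keys. As an added example that is not part of the thread, of OTM or of HijackThis, here is a small Python triage helper that parses that regedit 5.00 export, flags entries using constructed heuristics drawn from the patterns in this thread's logs (rundll32 loading a DLL by a one-letter export, a binary launched from Local Settings, an update/security-sounding name padded with digits), and prints the [-KEY] lines in the form OTM's :reg directive expects. The sample export is a constructed subset of the log posted above; the heuristics and the function names are mine.

```python
"""Added triage helper (not code from the thread): parse the regedit 5.00 export
that msconfig.bat produces, flag startupreg entries whose launch command looks
like rogue security software, and emit OTM-style ':reg' lines for review."""
import re

# Constructed sample: a trimmed subset of the startupreg export posted above.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG8_TRAY]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgtray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Hsafowuraf]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ekotanek"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\ekotanek.dll\",e"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Internet Security 2010]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IS2010"
"hkey"="HKCU"
"command"="C:\\Program Files\\InternetSecurity2010\\IS2010.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nlvexgxp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="amtgsysguard"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\Dad\\Local Settings\\Application Data\\tjagic\\amtgsysguard.exe"
"inimapping"="0"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')          # [HKEY_...\subkey]
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "name"="string value"

def unescape_reg(value):
    """Undo regedit's string escaping: \\ becomes \ and \" becomes "."""
    return re.sub(r'\\(["\\])', r'\1', value)

def parse_reg_export(text):
    """Map each exported key to a dict of its string values."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries[current] = {}
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            entries[current][val.group(1)] = unescape_reg(val.group(2))
    return entries

# (reason, pattern) heuristics: constructed here from the patterns in this
# thread's logs; they narrow the list, they do not replace a human look.
HEURISTICS = [
    ('rundll32 loading a DLL by a one-letter export name',
     re.compile(r'^rundll32(\.exe)?\s+"?[^",]+\.dll"?,[a-z0-9]$', re.I)),
    ('launched from a per-user Local Settings folder',
     re.compile(r'\\Local Settings\\', re.I)),
    ('update/security-sounding binary padded with digits',
     re.compile(r'\\[A-Za-z]*(update|security)\w*\d+(\\[^\\]+)?\.exe', re.I)),
]

def flag_entries(entries):
    """Return (key, item, command, reason) for entries that match a heuristic."""
    findings = []
    for key, values in entries.items():
        command = values.get('command', '')
        if not command:
            continue  # the parent key itself, or an entry without a command
        for reason, pattern in HEURISTICS:
            if pattern.search(command):
                findings.append((key, values.get('item', ''), command, reason))
                break
    return findings

def otm_reg_script(findings):
    """The ':reg' block OTM expects: one [-KEY] line per key to delete."""
    return ':reg\n' + '\n'.join(f'[-{key}]' for key, _, _, _ in findings)

if __name__ == '__main__':
    hits = flag_entries(parse_reg_export(SAMPLE_EXPORT))
    for key, item, command, reason in hits:
        print(f'{item:14} {reason}\n    {command}')
    print(otm_reg_script(hits))
```

Run it as a script to see the flagged entries and the generated :reg block. The heuristics only shorten the list; as in the thread, every flagged entry (and anything left unflagged) still gets checked against what is actually installed before a key is deleted, and the AVG entry in the sample is left alone precisely because none of the patterns fit it.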

Re: Don't even know where to begin on this one

Post by Flapjacks on 14th December 2009, 8:13 pm

========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Hsafowuraf\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Internet Security 2010\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MsWerr\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nlvexgxp\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winupdate86.exe\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\yeyubimuy\ deleted successfully.

OTM by OldTimer - Version 3.1.2.2 log created on 12142009_151106


Re: Don't even know where to begin on this one

Post by Flapjacks on 14th December 2009, 9:39 pm

Computer seems to be working really well now. Only one last issue that I can see: on start up I get a
Windows cannot find c:\windows\system32\scrnrdr.exe
When I hit OK I get a second scrnrdr error but can't remember exactly what it says. Doing a little research, this is left over from a virus that came when he installed the Vista transformation pack, and now it doesn't see the file associated with it since we got rid of the transformation pack and the virus. What should I use to remove this guy? Last obvious problem to me, unless you see something in the logs that bothers you.

Thanks again for all your help, from me and my buddy who owns this thing.


Re: Don't even know where to begin on this one

Post by Belahzur on 15th December 2009, 12:52 am

Please post a new Hijack This log.





Re: Don't even know where to begin on this one

Post by Flapjacks on 15th December 2009, 1:50 am

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 8:50:27 PM, on 12/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vista Rainbar] C:\Program Files\Vista Rainbar\launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {28DB43C5-1097-4881-ADD7-697712F1839F} - [You must be registered and logged in to see this link.] (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {9DA76B33-68C6-4895-AACB-2145A6907F44} - [You must be registered and logged in to see this link.] (file missing) (HKCU)
O9 - Extra button: Support - {E72C164C-02CF-4C5E-8427-08B84B54E45F} - [You must be registered and logged in to see this link.] (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - [You must be registered and logged in to see this link.]
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - [You must be registered and logged in to see this link.]
O18 - Filter hijack: text/html - {b7227d53-036c-4df0-9a34-ae8978f6f3eb} - C:\WINDOWS\system32\mst123.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe

--
End of file - 7171 bytes


Re: Don't even know where to begin on this one

Post by Belahzur on 15th December 2009, 8:26 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.





Re: Don't even know where to begin on this one

Post by Flapjacks on 20th December 2009, 8:14 pm

Sorry about the delay in getting back to you. Just to update you on what has happened since I last updated: something came back that was acting just like the Internet Security 2010 issue I had but was working under a different name. Nothing .exe would open. I was able to open msconfig if I did it while Windows was still loading, so I was able to stop the issue, and I believe Malwarebytes found and deleted it once I was able to run it. But there is something we are missing, because it only took two days from the time I gave the computer back to him to the morning he called and said it was doing the same thing. Anyway, here are the new MBAM and HijackThis logs I just ran:

Time elapsed: 54 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

hijack this:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 3:06:19 PM, on 12/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vista Rainbar] C:\Program Files\Vista Rainbar\launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {28DB43C5-1097-4881-ADD7-697712F1839F} - [You must be registered and logged in to see this link.] (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {9DA76B33-68C6-4895-AACB-2145A6907F44} - [You must be registered and logged in to see this link.] (file missing) (HKCU)
O9 - Extra button: Support - {E72C164C-02CF-4C5E-8427-08B84B54E45F} - [You must be registered and logged in to see this link.] (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - [You must be registered and logged in to see this link.]
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - [You must be registered and logged in to see this link.]
O18 - Filter hijack: text/html - {b7227d53-036c-4df0-9a34-ae8978f6f3eb} - C:\WINDOWS\system32\mst123.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe

--
End of file - 7145 bytes

Flapjacks
Novice
Novice

Posts Posts : 43
Joined Joined : 2009-12-13
Gender Gender : Male
OS OS : windows XP SP3
Points Points : 26034
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Don't even know where to begin on this one

Post by Belahzur on 20th December 2009, 9:31 pm

Hello.

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"
  2. Click the apply button and restart that computer in normal mode.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O18 - Filter hijack: text/html - {b7227d53-036c-4df0-9a34-ae8978f6f3eb} - C:\WINDOWS\system32\mst123.dll


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down
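The two entries Belahzur has Flapjacks fix above (the browser proxy pointing at 127.0.0.1 and the O18 text/html filter) are exactly the kind of thing a small script can pull out of a pasted HijackThis log before a human reads the rest. The following is an added example written for this thread, not code from the forum, from Belahzur or from the HijackThis project: it parses the R/O entries of a log and grades them with a few defender-side rules. The sample log is constructed from entries posted in this thread; the severity labels and rule wording are the example's own choices, and the rules generalize beyond this log (any loopback proxy, any O18 filter, any dangling Winlogon Notify DLL).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log: a handful of entries copied from the HijackThis logs
# posted in this thread, including the R1 proxy line the helper asked to fix.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O18 - Filter hijack: text/html - {b7227d53-036c-4df0-9a34-ae8978f6f3eb} - C:\WINDOWS\system32\mst123.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# One HijackThis entry: a section code (R0, R1, O2 ... O23), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
LOOPBACK_RE = re.compile(r"127\.0\.0\.1|localhost", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (labels chosen for this example)
    kind: str      # HijackThis section code the entry came from
    reason: str
    line: str


def triage(log_text: str) -> List[Finding]:
    """Grade the R/O entries of a HijackThis log with a few defender-side rules."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, running-process list, blank line or footer
        kind, body = m.group("kind"), m.group("body")
        missing = "(file missing)" in body

        if kind.startswith("R") and "ProxyServer" in body:
            # Everything after the first "=" is the proxy value, e.g. "http=127.0.0.1:5555".
            value = body.split("=", 1)[1] if "=" in body else ""
            if LOOPBACK_RE.search(value):
                # A proxy on the loopback address means a process on this machine
                # sits between the browser and the network.
                findings.append(Finding("high", kind, "browser proxy points at the local machine", line))
            elif value.strip():
                findings.append(Finding("medium", kind, "browser proxy set; confirm it is intentional", line))
        elif kind == "O18" and body.startswith("Filter"):
            # A MIME filter is handed every response of that content type before IE renders it.
            findings.append(Finding("high", kind, "MIME filter handler hooks browser content", line))
        elif kind == "O20" and missing:
            findings.append(Finding("medium", kind, "Winlogon Notify DLL no longer exists on disk", line))
        elif missing:
            findings.append(Finding("low", kind, "entry points at a file that no longer exists", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {"high": 2, "medium": 1, "low": 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LOG)
    for f in results:
        print(f"[{f.severity:>6}] {f.kind}: {f.reason}\n         {f.line}")
    print(summarize(results))
```

Run it with a log pasted into `SAMPLE_HJT_LOG` (or read from a file): the loopback proxy and the O18 filter come out as high, the dangling Winlogon Notify entry as medium, and "(file missing)" leftovers such as the PartyPoker button as low. The script only ranks what to look at first; whether an entry is actually malicious is still a human decision, which is why entries such as O4 autoruns are left for the reader rather than scored.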

Re: Don't even know where to begin on this one

Post by Flapjacks on 20th December 2009, 9:49 pm

Um, MBAM just crashed the computer to a blue screen.
"a problem has been detected and windows has been shut down to prevent damage to your computer.
the problem seems to be caused by the following file: mbamswissarmy.sys

PAGE_FAULT_IN_NONPAGED_AREA

Post by Flapjacks on 20th December 2009, 9:51 pm

Restarting the machine and going to try again.

Edit: seems to be running now. Very clunky though. The scan seems to slow down and the time elapsed will stop for a few seconds and then starts again, jumping ahead in time. I don't remember it doing this before.

Post by Belahzur on 20th December 2009, 10:11 pm

Post a new Hijack This log please.


Post by Flapjacks on 20th December 2009, 10:16 pm

Here is the new HijackThis log. I paused MBAM and ran HijackThis. Hope that was OK. Going to continue with MBAM.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 5:13:32 PM, on 12/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vista Rainbar] C:\Program Files\Vista Rainbar\launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {28DB43C5-1097-4881-ADD7-697712F1839F} - [You must be registered and logged in to see this link.] (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {9DA76B33-68C6-4895-AACB-2145A6907F44} - [You must be registered and logged in to see this link.] (file missing) (HKCU)
O9 - Extra button: Support - {E72C164C-02CF-4C5E-8427-08B84B54E45F} - [You must be registered and logged in to see this link.] (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - [You must be registered and logged in to see this link.]
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - [You must be registered and logged in to see this link.]
O18 - Filter hijack: text/html - {b7227d53-036c-4df0-9a34-ae8978f6f3eb} - C:\WINDOWS\system32\mst123.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe

--
End of file - 6798 bytes

Post by Belahzur on 20th December 2009, 10:47 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O18 - Filter hijack: text/html - {b7227d53-036c-4df0-9a34-ae8978f6f3eb} - C:\WINDOWS\system32\mst123.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

PC should be a little faster now. Running scans does slow down the machine; MBAM has made a few changes to the program, though. They use more resources in order to cut down scan time.


Post by Flapjacks on 20th December 2009, 11:05 pm

MBAM log

Malwarebytes' Anti-Malware 1.42
Database version: 3398
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/20/2009 5:59:32 PM
mbam-log-2009-12-20 (17-59-32).txt

Scan type: Quick Scan
Objects scanned: 265122
Time elapsed: 59 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Post by Belahzur on 20th December 2009, 11:07 pm

Nice one. How is the machine running now?


Post by Flapjacks on 20th December 2009, 11:26 pm

The computer is still sluggish, but mainly due to the hard drive being almost full. I don't think it has anything to do with malware at this point. I do still have some issues with his computer I could use some help with, but again I don't believe they are malware related. I will list them here, and if you can help me, great; if you need or want me to start a new thread in the hardware or software forum, I can do that also. I have three issues.

1) I can't boot up in safe mode. The last file it either loads or gets stuck on is mup.sys.
2) Upon booting up I get two error messages about scrnrdr.exe. I have no idea what this file is for. The first message is:
Windows cannot find 'C:\WINDOWS\SYSTEM32\scrnrdr.exe' make sure you typed the name correctly etc....
It does have the red circle with the white X in it on the left side, so it may be associated with the Internet Security 2010, but not sure.
I hit OK,
then this message comes up:
Error
could not execute the external program C:\\WINDOWS\SYSTEM32\scrnrdr.exe

Last issue:
3) I'm trying to get rid of all traces of the Vista Transformation Pack he had on here. Some things still show as Vista items: the first page that shows the users on here, then the splash screen while loading has the circle with the wavy Windows icon in it. Some of the icons are still Vista, such as the drive icons etc. It looks like XP now once everything loads, except for a couple of items like some icons.

Other than these three I think I'm fine. A little nervous about giving his computer back to him, because it was not showing anything last time and it only took two days for it to come back... but you have been VERY helpful.

Post by Belahzur on 20th December 2009, 11:40 pm

Let's go deeper then.

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Post by Flapjacks on 20th December 2009, 11:45 pm

Edit: whoops, read the wrong post. Will get ComboFix logs for you here in a few.

Post by Flapjacks on 21st December 2009, 12:13 am

Thought I had AVG stopped, but I guess not. Going to finish installing Microsoft Recovery, then log it over again after I get AVG to quit.

Post by Belahzur on 21st December 2009, 12:20 am

You have to go into the UI (user interface) to stop the guard.


Post by Flapjacks on 21st December 2009, 12:38 am

It is running now, stage 32. Should have the log for you here shortly.

Post by Belahzur on 21st December 2009, 12:38 am

Okay, good work.
Standing by.


Post by Flapjacks on 21st December 2009, 12:43 am

It's at deleting folders and seems to have stopped... but no message saying it's finished.

Post by Belahzur on 21st December 2009, 12:47 am

Let it keep going; it usually seems to have "frozen", but it's actually doing something, especially if it's having to disinfect patched files.


Post by Flapjacks on 21st December 2009, 12:54 am

Still not showing progress. Deleted files from a couple of users, which is listed, and now below that just a blinking cursor. Normal?

Post by Flapjacks on 21st December 2009, 12:56 am

Never mind, it says rebooting Windows now, lol. I was getting scared, haha.

Post by Belahzur on 21st December 2009, 12:57 am

Told ya.


Post by Flapjacks on 21st December 2009, 12:58 am

LOL yes you did hahaha

Post by Flapjacks on 21st December 2009, 1:13 am

Still waiting on ComboFix here, not worried, just passing along info for ya. Ahahaha

Post by Belahzur on 21st December 2009, 1:17 am

No one ever said malware removal was a quick task.


Post by Flapjacks on 21st December 2009, 1:21 am

Success.

ComboFix 09-12-19.04 - Dad 12/20/2009 19:27:09.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.9 [GMT -5:00]
Running from: c:\documents and settings\Dad\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Alicia M. Kowalski\Local Settings\Temporary Internet Files\Tvm.log
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Bryan G. Sheftz\Cookies\Copy (2) of INDEX.DAT
c:\documents and settings\Bryan G. Sheftz\Cookies\Copy (3) of INDEX.DAT
c:\documents and settings\Bryan G. Sheftz\Cookies\Copy (4) of INDEX.DAT
c:\documents and settings\Bryan G. Sheftz\Local Settings\Temporary Internet Files\Tvm.log
c:\documents and settings\Dad\Start Menu\Internet Security 2010.lnk
c:\documents and settings\Stacey L. Sheftz\Application Data\{2CF0B992-5EEB-4143-99C0-5297EF71F444}
c:\program files\Common Files\SLMSS
c:\program files\Common
c:\recycler\S-1-5-21-2213037970-2833957246-4191809102-1006
c:\recycler\S-1-5-21-2213037970-2833957246-4191809102-1007
c:\recycler\S-1-5-21-2213037970-2833957246-4191809102-1008
c:\recycler\S-1-5-21-2213037970-2833957246-4191809102-1009
c:\recycler\S-1-5-21-2213037970-2833957246-4191809102-500
C:\setup.exe
C:\Thumbs.db
c:\windows\bundles
c:\windows\system32\drivers\fad.sys
c:\windows\system32\P2P Networking
c:\windows\system32\pcs
c:\windows\system32\setup.ini

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-20 23:58 . 2009-12-21 00:12 -------- d-----w- C:\Combo-Fix
2009-12-18 06:17 . 2009-12-18 06:17 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\hcrruu
2009-12-14 20:43 . 2009-12-14 20:43 -------- d-----w- c:\program files\CCleaner
2009-12-14 20:11 . 2009-12-14 20:11 -------- d-----w- C:\_OTM
2009-12-14 06:44 . 2009-12-14 06:44 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
2009-12-14 03:01 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-14 03:01 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-14 02:04 . 2008-04-11 12:52 722432 ----a-r- c:\windows\system32\drivers\ZD1211BU.sys
2009-12-14 00:35 . 2009-12-14 00:35 -------- d-----w- c:\program files\TrendMicro
2009-12-13 23:40 . 2009-12-13 23:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-12-13 05:32 . 2009-12-13 05:32 -------- d-sh--w- c:\documents and settings\Mom\PrivacIE
2009-12-13 04:54 . 2009-12-13 04:54 -------- d-sh--w- c:\documents and settings\Mom\IETldCache
2009-12-13 04:12 . 2009-12-13 04:12 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-12-13 04:11 . 2009-12-20 21:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-13 02:27 . 2009-12-13 02:27 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-12-13 02:06 . 2009-12-13 02:06 -------- d-----w- c:\documents and settings\Owner\Application Data\5400 Series
2009-12-13 02:06 . 2009-12-13 02:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Verizon
2009-12-13 02:05 . 2009-12-13 02:05 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-12-12 05:55 . 2009-12-15 10:19 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\tjagic
2009-11-22 16:46 . 2009-11-22 16:46 18616 ---ha-w- c:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-14 20:32 . 2003-07-10 05:34 -------- d-----w- c:\program files\Lavasoft
2009-12-14 06:35 . 2008-12-13 18:47 -------- d-----w- c:\program files\ViStart
2009-12-13 05:46 . 2004-12-05 16:11 17528 -c--a-w- c:\documents and settings\Mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-12 01:22 . 2005-07-23 15:02 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kodak
2009-12-12 01:05 . 2008-12-27 23:34 -------- d-----w- c:\program files\U.B. Funkeys
2009-12-11 17:18 . 2005-07-23 15:02 -------- d-----w- c:\program files\Kodak
2009-12-11 16:08 . 2008-02-19 20:03 -------- d-----w- c:\documents and settings\Dad\Application Data\5400 Series
2009-12-10 06:31 . 2008-02-19 19:49 -------- d-----w- c:\program files\Lx_cats
2009-12-07 00:16 . 2008-03-25 21:49 -------- d-----w- c:\program files\Safari
2009-12-06 23:53 . 2008-01-16 02:51 -------- d-----w- c:\program files\Common Files\Apple
2009-11-22 16:22 . 2005-03-29 17:05 -------- d-----w- c:\documents and settings\Dad\Application Data\Apple Computer
2009-10-29 07:45 . 2004-08-24 00:32 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2002-09-03 16:50 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2002-09-03 16:55 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2002-09-03 16:54 79872 ----a-w- c:\windows\system32\raschap.dll
2008-08-01 03:20 . 2008-08-01 03:20 5271552 -c--a-w- c:\program files\PStory.msi
2008-08-01 01:31 . 2008-08-01 01:31 4853424 -c--a-w- c:\program files\InstallPhotoJam3DL.EXE
2007-09-17 00:26 . 2007-09-17 00:25 25755448 -c--a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2004-10-04 03:52 . 2004-10-04 03:52 490608 -c--a-w- c:\program files\ie6setup.exe
2004-08-30 03:52 . 2004-08-30 03:52 10135688 -c--a-w- c:\program files\MPSetupXP.exe
2003-07-03 06:20 . 2003-07-03 06:20 1856 -c--a-w- c:\program files\Microsoft Word (2).lnk
2003-03-07 02:17 . 2003-03-07 02:17 2765 -c--a-w- c:\program files\Common Files\AutoUpdate.rtf
2003-01-27 16:50 . 2003-01-27 16:50 1000448 -c--a-w- c:\program files\Common Files\AutoUpdate.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vista Rainbar"="c:\program files\Vista Rainbar\launcher.exe" [2008-11-15 131778]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2009-12-16 03:53 2043160 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 08:59 122880 ----a-w- c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2007-03-19 12:58 82864 ----a-w- c:\program files\Lexmark 5400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-19 12:59 126976 ----a-w- c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 12:59 155648 ----a-w- c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 18:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
2004-09-20 06:27 65536 ----a-w- c:\program files\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5400 Series Fax Server]
2007-03-19 12:59 304048 ----a-w- c:\program files\Lexmark 5400 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxctmon.exe]
2007-03-19 12:58 291760 ----a-w- c:\program files\Lexmark 5400 Series\lxctmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LyraHD2TrayApp]
2004-05-13 15:48 286720 ----a-w- c:\program files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\riktaqgj]
2009-12-18 06:14 250624 ----a-w- c:\documents and settings\Dad\Local Settings\Application Data\hcrruu\vnkosysguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2007-05-11 19:20 2061816 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
2007-06-06 23:52 936960 ----a-w- c:\program files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb]
2008-11-14 15:33 69632 ----a-w- c:\program files\ViOrb\ViOrb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart]
2008-11-12 16:28 602112 ----a-w- c:\program files\ViStart\ViStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxctcoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\Directcd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [8/6/2008 8:43 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/6/2008 8:42 PM 297752]
R3 ZD1211BU(Atheros);Atheros ZD1211B IEEE 802.11 Wireless LAN Driver (USB)(Atheros);c:\windows\SYSTEM32\DRIVERS\ZD1211BU.sys [12/13/2009 9:04 PM 722432]
S0 hmxntxw;hmxntxw;c:\windows\system32\drivers\fhvsqfow.sys --> c:\windows\system32\drivers\fhvsqfow.sys [?]
S2 Ca533av;DV Series Video Capture;c:\windows\system32\Drivers\Ca533av.sys --> c:\windows\system32\Drivers\Ca533av.sys [?]
S2 ZKUVGFVV;ZKUVGFVV;\??\c:\windows\system32\zkuvgfvv.shx --> c:\windows\system32\zkuvgfvv.shx [?]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\SYSTEM32\dllhost.exe [9/3/2002 11:31 AM 5120]
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Cosmi Firewall - c:\program files\Cosmi\Firewall\firewall.exe
MSConfigStartUp-VisualTooltip - c:\program files\VisualTooltip\VisualToolTip.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-20 20:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ZKUVGFVV]
"ImagePath"="\??\c:\windows\system32\zkuvgfvv.shx"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,d9,ea,8b,f5,b1,f2,48,b3,14,84,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,d9,ea,8b,f5,b1,f2,48,b3,14,84,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2680)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\windows\system32\lxctcoms.exe
c:\windows\System32\snmp.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-20 20:17:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-21 01:17

Pre-Run: 5,829,853,184 bytes free
Post-Run: 6,772,195,328 bytes free

- - End Of File - - E36164EF85DB1D9EC4D85CE1DAEDB41D


Re: Don't even know where to begin on this one

Post by Belahzur on 21st December 2009, 1:23 am

Hello.
Bit more to do.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Folder::
    c:\documents and settings\Dad\Local Settings\Application Data\hcrruu

    Driver::
    hmxntxw
    Ca533av
    ZKUVGFVV

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\riktaqgj]
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ZKUVGFVV]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.
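The CFScript above was written by hand from the log: the analyst picked out the autostart entry launching a randomly named executable from a folder under the user's Local Settings\Application Data, the three S0/S2 drivers whose image files are gone (ComboFix prints a missing file as `path --> path [?]`), and the leftover Services key whose ImagePath is a `.shx` file. The following Python script, added here as an example and not part of ComboFix or of any post in this thread, applies those same checks to a ComboFix log and renders the hits in the Folder::/Driver::/Registry:: layout a CFScript uses. The sample lines are abridged from the log posted above; the name-randomness thresholds are assumptions.

```python
"""Triage a ComboFix log for the entries an analyst targets with a CFScript.

Added example; not part of ComboFix or of the posts in this thread. Sample
lines are abridged from the log above. Name thresholds are assumptions."""
import re
import sys
from dataclasses import dataclass, field

# Constructed sample in ComboFix's own layout, abridged from the posted log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2009-12-16 03:53 2043160 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\riktaqgj]
2009-12-18 06:14 250624 ----a-w- c:\documents and settings\Dad\Local Settings\Application Data\hcrruu\vnkosysguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart]
2008-11-12 16:28 602112 ----a-w- c:\program files\ViStart\ViStart.exe

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [8/6/2008 8:43 PM 335240]
S0 hmxntxw;hmxntxw;c:\windows\system32\drivers\fhvsqfow.sys --> c:\windows\system32\drivers\fhvsqfow.sys [?]
S2 Ca533av;DV Series Video Capture;c:\windows\system32\Drivers\Ca533av.sys --> c:\windows\system32\Drivers\Ca533av.sys [?]
S2 ZKUVGFVV;ZKUVGFVV;\??\c:\windows\system32\zkuvgfvv.shx --> c:\windows\system32\zkuvgfvv.shx [?]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\SYSTEM32\dllhost.exe [9/3/2002 11:31 AM 5120]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ZKUVGFVV]
"ImagePath"="\??\c:\windows\system32\zkuvgfvv.shx"
"""

# Driver line: 'R1 name;display;path [info]'; a missing image is printed as 'path --> path [?]'.
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;.* \[(?P<info>[^\]]*)\]$")
STARTUPREG_RE = re.compile(r"^\[(?P<key>HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools"
                           r"\\msconfig\\startupreg\\(?P<name>[^\]]+))\]$", re.I)
SERVICE_KEY_RE = re.compile(r"^\[(?P<key>HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services"
                            r"\\(?P<name>[^\]]+))\]$", re.I)
FILE_LINE_RE = re.compile(r"^\S+ \S+ \d+ \S+ (?P<path>.+)$")  # date time size attrs path
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>.*)"$')
USER_DATA_RE = re.compile(r"\\(?:local settings\\)?application data\\(?P<dir>[^\\]+)\\[^\\]+$", re.I)
VOWELS = "aeiou"


def looks_random(name: str) -> bool:
    """Flag machine-generated names: alphabetic, 6+ letters, and either under 20%
    vowels, a run of 5+ consonants, or a 'q' not followed by 'u' (thresholds assumed)."""
    stem = name.split(".")[0]
    if not stem.isalpha() or len(stem) < 6:
        return False
    low = stem.lower()
    vowel_share = sum(c in VOWELS for c in low) / len(low)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", low)), default=0)
    return vowel_share < 0.2 or longest_run >= 5 or re.search(r"q(?!u)", low) is not None


@dataclass
class Findings:
    folders: list = field(default_factory=list)
    drivers: list = field(default_factory=list)
    registry: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

    def add(self, bucket: list, item: str, why: str) -> None:
        if item not in bucket:
            bucket.append(item)
            self.reasons.append(f"{item}: {why}")


def triage(log: str) -> Findings:
    """Walk the log once and collect CFScript targets, each with its reason."""
    found = Findings()
    lines = [ln.strip() for ln in log.splitlines()]
    for i, line in enumerate(lines):
        nxt = next((ln for ln in lines[i + 1:] if ln), "")  # value line under a key
        if (m := SERVICE_RE.match(line)):
            if m["info"] == "?":
                found.add(found.drivers, m["name"], "driver registered but image file missing")
            elif looks_random(m["name"]):
                found.add(found.drivers, m["name"], "random-looking service name")
        elif (m := STARTUPREG_RE.match(line)):
            fm = FILE_LINE_RE.match(nxt)
            path = fm["path"] if fm else ""
            um = USER_DATA_RE.search(path)
            random_name = looks_random(m["name"])
            if um and (random_name or looks_random(um["dir"])):
                found.add(found.folders, path[: um.end("dir")], "autostart from odd folder in a user profile")
                found.add(found.registry, f"[-{m['key']}]", "autostart entry for that folder")
            elif random_name:
                found.add(found.registry, f"[-{m['key']}]", "random-looking autostart name")
        elif (m := SERVICE_KEY_RE.match(line)):
            im = IMAGEPATH_RE.match(nxt)
            path = im["path"] if im else ""
            ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
            if (path and ext not in ("sys", "exe")) or looks_random(m["name"]):
                found.add(found.registry, f"[-{m['key']}]", f"service key with ImagePath {path!r}")
    return found


def build_cfscript(found: Findings) -> str:
    """Render Folder::/Driver::/Registry:: sections in the layout ComboFix reads."""
    parts = [("Folder::", found.folders), ("Driver::", found.drivers), ("Registry::", found.registry)]
    return "\n\n".join(f"{hdr}\n" + "\n".join(items) for hdr, items in parts if items) + "\n"


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(text)
    for why in result.reasons:
        print("#", why)
    print(build_cfscript(result))
```

Run it with no argument to see the sample, or pass the path of a saved ComboFix.txt. For the sample the Folder::, Driver:: and Registry:: entries come out identical to the CFScript above. On a full log the name heuristic also trips on legitimate but vowel-poor names (BCMSMMSG in this very log would be flagged), and the HKCU Run entries ComboFix prints in "Name"="path" form are not parsed, so treat the output as a draft to check against the log rather than a finished CFScript.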

Re: Don't even know where to begin on this one

Post by Flapjacks on 21st December 2009, 1:48 am

Aaahhhhh, after I dropped the CFScript on ComboFix it was doing its thing, then I blew a fuse at my house. Redid it now and it's rebooting Windows; should have the new log here for you shortly. After I got this computer back up it wouldn't let me log back in here, I had to reset my password for some reason... very strange, but I'm back.


Re: Don't even know where to begin on this one

Post by Flapjacks on 21st December 2009, 2:08 am

ComboFix 09-12-19.04 - Dad 12/20/2009 20:36:12.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.101 [GMT -5:00]
Running from: c:\documents and settings\Dad\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Dad\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dad\Local Settings\Application Data\hcrruu
c:\documents and settings\Dad\Local Settings\Application Data\hcrruu\vnkosysguard.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CA533AV
-------\Legacy_ZKUVGFVV
-------\Service_Ca533av
-------\Service_hmxntxw


((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-20 23:58 . 2009-12-21 01:18 -------- d-----w- C:\Combo-Fix
2009-12-14 20:43 . 2009-12-14 20:43 -------- d-----w- c:\program files\CCleaner
2009-12-14 20:11 . 2009-12-14 20:11 -------- d-----w- C:\_OTM
2009-12-14 06:44 . 2009-12-14 06:44 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
2009-12-14 03:01 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-14 03:01 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-14 02:04 . 2008-04-11 12:52 722432 ----a-r- c:\windows\system32\drivers\ZD1211BU.sys
2009-12-14 00:35 . 2009-12-14 00:35 -------- d-----w- c:\program files\TrendMicro
2009-12-13 23:40 . 2009-12-13 23:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-12-13 05:32 . 2009-12-13 05:32 -------- d-sh--w- c:\documents and settings\Mom\PrivacIE
2009-12-13 04:54 . 2009-12-13 04:54 -------- d-sh--w- c:\documents and settings\Mom\IETldCache
2009-12-13 04:12 . 2009-12-13 04:12 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-12-13 04:11 . 2009-12-20 21:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-13 02:27 . 2009-12-13 02:27 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-12-13 02:06 . 2009-12-13 02:06 -------- d-----w- c:\documents and settings\Owner\Application Data\5400 Series
2009-12-13 02:06 . 2009-12-13 02:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Verizon
2009-12-13 02:05 . 2009-12-13 02:05 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-12-12 05:55 . 2009-12-15 10:19 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\tjagic
2009-11-22 16:46 . 2009-11-22 16:46 18616 ---ha-w- c:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-14 20:32 . 2003-07-10 05:34 -------- d-----w- c:\program files\Lavasoft
2009-12-14 08:51 . 2009-12-14 08:51 388096 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-14 06:35 . 2008-12-13 18:47 -------- d-----w- c:\program files\ViStart
2009-12-14 00:35 . 2009-12-14 00:35 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-13 05:46 . 2004-12-05 16:11 17528 -c--a-w- c:\documents and settings\Mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-12 20:23 . 2009-12-16 03:53 1143064 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgupd.exe
2009-12-12 20:23 . 2009-12-16 03:53 1478936 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgupd.dll
2009-12-12 20:23 . 2009-12-16 03:53 759064 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avginet.dll
2009-12-12 01:22 . 2005-07-23 15:02 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kodak
2009-12-12 01:05 . 2008-12-27 23:34 -------- d-----w- c:\program files\U.B. Funkeys
2009-12-11 17:18 . 2005-07-23 15:02 -------- d-----w- c:\program files\Kodak
2009-12-11 16:08 . 2008-02-19 20:03 -------- d-----w- c:\documents and settings\Dad\Application Data\5400 Series
2009-12-10 06:31 . 2008-02-19 19:49 -------- d-----w- c:\program files\Lx_cats
2009-12-07 00:16 . 2008-03-25 21:49 -------- d-----w- c:\program files\Safari
2009-12-06 23:53 . 2008-01-16 02:51 -------- d-----w- c:\program files\Common Files\Apple
2009-12-06 23:48 . 2009-12-06 23:48 79144 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-26 13:24 . 2009-12-16 03:57 2063640 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgcorex.dll
2009-11-26 13:24 . 2009-12-16 03:57 3514648 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgui.exe
2009-11-26 13:24 . 2009-12-16 03:57 2029336 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgtray.exe
2009-11-22 16:22 . 2005-03-29 17:05 -------- d-----w- c:\documents and settings\Dad\Application Data\Apple Computer
2009-10-29 07:45 . 2004-08-24 00:32 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2002-09-03 16:50 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2002-09-03 16:55 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2002-09-03 16:54 79872 ----a-w- c:\windows\system32\raschap.dll
2008-08-01 03:20 . 2008-08-01 03:20 5271552 -c--a-w- c:\program files\PStory.msi
2008-08-01 01:31 . 2008-08-01 01:31 4853424 -c--a-w- c:\program files\InstallPhotoJam3DL.EXE
2007-09-17 00:26 . 2007-09-17 00:25 25755448 -c--a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2004-10-04 03:52 . 2004-10-04 03:52 490608 -c--a-w- c:\program files\ie6setup.exe
2004-08-30 03:52 . 2004-08-30 03:52 10135688 -c--a-w- c:\program files\MPSetupXP.exe
2003-07-03 06:20 . 2003-07-03 06:20 1856 -c--a-w- c:\program files\Microsoft Word (2).lnk
2003-03-07 02:17 . 2003-03-07 02:17 2765 -c--a-w- c:\program files\Common Files\AutoUpdate.rtf
2003-01-27 16:50 . 2003-01-27 16:50 1000448 -c--a-w- c:\program files\Common Files\AutoUpdate.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2009-12-16 03:53 2043160 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 08:59 122880 ----a-w- c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2007-03-19 12:58 82864 ----a-w- c:\program files\Lexmark 5400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-19 12:59 126976 ----a-w- c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 12:59 155648 ----a-w- c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 18:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
2004-09-20 06:27 65536 ----a-w- c:\program files\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5400 Series Fax Server]
2007-03-19 12:59 304048 ----a-w- c:\program files\Lexmark 5400 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxctmon.exe]
2007-03-19 12:58 291760 ----a-w- c:\program files\Lexmark 5400 Series\lxctmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LyraHD2TrayApp]
2004-05-13 15:48 286720 ----a-w- c:\program files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2007-05-11 19:20 2061816 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
2007-06-06 23:52 936960 ----a-w- c:\program files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb]
2008-11-14 15:33 69632 ----a-w- c:\program files\ViOrb\ViOrb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart]
2008-11-12 16:28 602112 ----a-w- c:\program files\ViStart\ViStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxctcoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\Directcd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [8/6/2008 8:43 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/6/2008 8:42 PM 297752]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\SYSTEM32\dllhost.exe [9/3/2002 11:31 AM 5120]
S3 ZD1211BU(Atheros);Atheros ZD1211B IEEE 802.11 Wireless LAN Driver (USB)(Atheros);c:\windows\SYSTEM32\DRIVERS\ZD1211BU.sys [12/13/2009 9:04 PM 722432]
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-20 20:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,d9,ea,8b,f5,b1,f2,48,b3,14,84,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,d9,ea,8b,f5,b1,f2,48,b3,14,84,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2612)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\windows\system32\lxctcoms.exe
c:\windows\System32\snmp.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-20 21:04:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-21 02:04
ComboFix2.txt 2009-12-21 01:17

Pre-Run: 6,817,300,480 bytes free
Post-Run: 6,778,875,904 bytes free

- - End Of File - - 45C64E252E0B32F29BA23BF189759D3D


Re: Don't even know where to begin on this one

Post by Flapjacks on 21st December 2009, 2:12 am

Also, after I got the log from ComboFix and the computer rebooted I got a Handle license agreement from Sysinternals... not sure what I'm supposed to do with this or what it is. I think it's Microsoft related but I don't know for sure. I don't want to hit agree if it's not.


Re: Don't even know where to begin on this one

Post by Belahzur on 21st December 2009, 7:10 pm

Click yes, a license agreement isn't really anything to worry about, just a legal thing.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: Don't even know where to begin on this one

Post by Flapjacks on 22nd December 2009, 12:09 am

Thanks man!!!! The computer is much quicker than before and it let me boot in safe mode also. Still have the two scrnrdr.exe errors during Windows load, and a lot of leftover Vista transformation pack stuff. He can live with those though.

Bonus: ended up with about an extra gig of space on the hard drive.

thanks again man, you were a HUGE help!!!!!!!!

