edwardbill

Help, my computer is infected and unable to access the internet

Hello. I am running Windows XP, Avast, Ad-Aware 2008, Windows Defender, Spybot S&D and use Internet Explorer 8. After receiving a corrupt file via Facebook, my computer became infected. I attempted to clean using all of my tools and thought I had "Moved To Chest" using Avast. Now I am unable to access the internet but can still use Outlook Express for email. Another strange caveat is that other users on the same computer can access the internet, so it must be isolated to my user profile, which is also the administrator. I have attached a HijackThis log. Thank you for any help you can provide.

Sincerely,

Billy-boy

hijackthis.log


Hi Billy-boy,

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:

  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu and select Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer

Download ResetTeaTimer.bat to the Desktop

http://downloads.subratam.org/ResetTeaTimer.bat

Double click ResetTeaTimer.bat to remove all entries set by TeaTimer (and to prevent TeaTimer from restoring them upon reactivation).

Please visit this webpage for download links, and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix (link). Remember to re-enable them afterwards.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review (don't use attachments, please), and so we may continue cleansing the system:

C:\ComboFix.txt

New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Hello Blade81. Thank you so much for your help. I did everything you advised although I did forget to disable my anti virus and anti malware programs. There were no error messages and ComboFix was able to provide a report. Hopefully this will help however if I need to rerun ComboFix again (disabling my anti virus/malware), that's no problem. Thanks again and I hope this report enables you to continue to help me.

Sincerely,

Billy-boy

ComboFix 08-11-27.07 - Billy 2008-11-28 15:26:22.5 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.116 [GMT -5:00]

Running from: C:\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\program files\TinyProxy

c:\windows\fmark2.dat

c:\windows\system32\nonxsmhp.ini

c:\windows\system32\qpcvrteg.ini

c:\windows\tmark2.dat

 

.

((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))

.

 

2008-11-22 12:30 . 2008-11-22 12:30 7,508,624 --a------ C:\Firefox Setup 3.0.4.exe

2008-11-12 12:27 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2008-11-12 12:23 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2008-11-12 10:56 . 2008-11-12 11:06 1,346 ---h----- c:\windows\f49f4d98.dat

2008-11-12 10:53 . 2008-11-16 11:33 <DIR> d-------- c:\windows\system32\367770

2008-11-12 10:53 . 2008-11-12 11:06 1 ---h----- c:\windows\f49f4daa.dat

2008-11-03 12:40 . 2008-11-14 11:33 <DIR> d-------- c:\documents and settings\Nasrin\Application Data\ZoomBrowser EX

2008-11-03 10:47 . 2008-11-04 12:03 <DIR> d-------- c:\documents and settings\Nasrin\Application Data\OpenOffice.org2

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-28 20:40 --------- d-----w c:\documents and settings\Billy\Application Data\Skype

2008-11-28 20:33 0 ----a-w c:\windows\system32\drivers\lvuvc.hs

2008-11-28 20:33 0 ----a-w c:\windows\system32\drivers\logiflt.iad

2008-11-19 14:44 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2008-11-19 14:44 --------- d-----w c:\program files\SpywareBlaster

2008-11-17 20:26 --------- d-----w c:\documents and settings\Billy\Application Data\ZoomBrowser EX

2008-11-17 20:21 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser

2008-11-15 02:41 --------- d-----w c:\program files\Common Files\Adobe

2008-11-09 00:12 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-10-27 23:22 --------- d-----w c:\documents and settings\Billy\Application Data\OpenOffice.org2

2008-10-25 22:50 --------- d-----w c:\documents and settings\Nasrin\Application Data\Skype

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-23 12:12 --------- d-----w c:\program files\Microsoft Silverlight

2008-10-20 02:45 --------- d-----w c:\program files\PC Connectivity Solution

2008-10-15 21:06 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-10-15 21:05 --------- d-----w c:\program files\iPod

2008-10-15 13:34 --------- d-----w c:\program files\XP Codec Pack

2008-10-12 14:24 --------- d-----w c:\documents and settings\Billy\Application Data\Canon

2008-10-06 16:49 --------- d-----w c:\program files\Creative

2008-10-06 16:43 --------- d-----w c:\program files\Yahoo!

2008-10-05 03:53 --------- d-----w c:\program files\AVAide

2008-10-01 15:26 --------- d-----w c:\program files\BSplayer Pro

2008-09-10 10:08 133,227,519 ----a-w C:\OOo_2.4.1_Win32Intel_install_wJRE_en-US.exe

2007-12-04 17:19 60,104 -c--a-w c:\documents and settings\Billy\Application Data\GDIPFONTCACHEV1.DAT

2007-04-01 00:22 87,608 ----a-w c:\documents and settings\Billy\Application Data\ezpinst.exe

2007-04-01 00:22 47,360 -c--a-w c:\documents and settings\Billy\Application Data\pcouffin.sys

2003-12-20 00:36 40,960 ----a-w c:\program files\Uninstall_CDS.exe

2001-08-29 08:46 294,979 -c--a-w c:\documents and settings\PIP\PISETUP.EXE

2001-03-20 04:12 44,544 -c--a-w c:\documents and settings\PIP\DSETUP.DLL

2001-03-20 04:12 1,772,544 -c--a-w c:\documents and settings\PIP\DSETUP32.DLL

2000-07-27 18:49 1,526,275 -c--a-w c:\documents and settings\PIP\INSTMSIW.EXE

2000-07-27 18:49 1,513,987 -c--a-w c:\documents and settings\PIP\INSTMSIA.EXE

2008-06-24 04:03 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008062420080625\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-10-13 20058152]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-24 94208]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"POINTER"="c:\program files\Microsoft Hardware\Mouse\point32.exe" [2002-04-11 176128]

"UMonit"="c:\windows\System32\umonit.exe" [2003-04-21 49152]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-12 29744]

"OE"="c:\program files\Trend Micro\Anti-Spam For OE\TMAS_OEMon.exe" [2007-12-25 176201]

"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]

"DellTouch"="c:\windows\MMKeybd.exe" [2001-09-05 163840]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-18 185896]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"iTunesHelper"="j:\my music\iTunesHelper.exe" [2008-10-01 289576]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"WD Button Manager"="WDBtnMgr.exe" [2007-02-01 c:\windows\system32\WDBtnMgr.exe]

"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 c:\windows\system32\CTHELPER.EXE]

"Promon.exe"="Promon.exe" [2001-07-19 c:\windows\system32\PROMon.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 443968]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-06 113664]

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-07-07 577597]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-01-12 67128]

Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 24633]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2004-04-15 155648]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoViewOnDrive"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ctmp3"= c:\windows\System32\ctmp3.acm

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\Twonkyvision\\TwonkyMedia.exe"=

"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=

"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=

"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"j:\\My Music\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2004-04-15 9344]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-02 78416]

R2 agentcd;DriverAgent Class Driver;\??\c:\windows\System32\AgentCD.sys [2008-09-13 196096]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-02 20560]

R2 BCMNTIO;BCMNTIO;\??\c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-12-13 3744]

R2 MAPMEM;MAPMEM;\??\c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-12-13 3904]

R3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [2004-04-09 6016]

R3 LVRS;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs.sys [2008-01-12 627864]

R3 Msikbd2k;DellTouch;c:\windows\system32\DRIVERS\msikbd2k.sys [2008-09-13 6942]

S2 Mojave;Dazzle Mojave Device;c:\windows\system32\DRIVERS\Mojave.sys [2008-09-13 120352]

S3 PID_0920;Labtec WebCam(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS [2006-05-14 163328]

S4 hpt3xx;hpt3xx; []

 

*Newly Created Service* - NMSCFG

.

Contents of the 'Scheduled Tasks' folder

 

2008-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

 

2008-11-28 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

 

2008-11-27 c:\windows\Tasks\User_Feed_Synchronization-{FA9CA42B-34DB-4CDB-8F4B-FB24CD460873}.job

- c:\windows\system32\msfeedssync.exe [2008-08-22 02:05]

.

- - - - ORPHANS REMOVED - - - -

 

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe

HKCU-Run-PowerBar - (no file)

 

 

.

------- Supplementary Scan -------

.

FireFox -: Profile - c:\documents and settings\Billy\Application Data\Mozilla\Firefox\Profiles\a39yc0bg.default\

FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll

FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll

FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF -: plugin - j:\my music\Mozilla Plugins\npitunes.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-28 15:36:15

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Windows Defender\MsMpEng.exe

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\windows\Nhksrv.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\windows\system32\CTSVCCDA.EXE

c:\windows\system32\DVDRAMSV.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\Dantz\Retrospect\retrorun.exe

c:\progra~1\Dantz\RETROS~1\wdsvc.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\program files\Twonkyvision\TwonkyMedia.exe

c:\program files\Viewpoint\Common\ViewpointService.exe

c:\windows\system32\MsPMSPSv.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\windows\system32\NMSSvc.Exe

c:\program files\Netropa\OSD.exe

c:\program files\PC Connectivity Solution\ServiceLayer.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\PC Connectivity Solution\NclBTHandler.exe

c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe

.

**************************************************************************

.

Completion time: 2008-11-28 15:51:06 - machine was rebooted

ComboFix-quarantined-files.txt 2008-11-28 20:50:57

 

Pre-Run: 28,838,035,456 bytes free

Post-Run: 28,797,886,464 bytes free

 

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

 

212 --- E O F --- 2008-11-27 15:02:37


Hi

Could you post a fresh hjt log too, please? B)

Hello. Here's a fresh HijackThis log. Also, after I ran the ComboFix scan, I was prompted with a Spybot S&D System Start Up User entry swg on C:\Program Files\Google\GoogleToolbarNotifier.exe. As you're analyzing my situation, I was also wondering if I had any unwanted or unneeded Running Processes. Another point I didn't mention earlier was that recently, I have been getting pop up messages on my bottom tool bar stating that my Virtual Memory is low. Does that factor into this?

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:27:21 PM, on 11/28/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18241)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Nhksrv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\DVDRAMSV.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Dantz\Retrospect\retrorun.exe

C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Twonkyvision\TwonkyMedia.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINDOWS\System32\umonit.exe

C:\WINDOWS\system32\WDBtnMgr.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Trend Micro\Anti-Spam For OE\TMAS_OEMon.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\WINDOWS\system32\Promon.exe

C:\WINDOWS\MMKeybd.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

J:\My Music\iTunesHelper.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\system32\NMSSvc.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Netropa\OSD.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\system32\RAMASST.exe

C:\Program Files\PC Connectivity Solution\NclBTHandler.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

O4 - HKLM\..\Run: [uMonit] C:\WINDOWS\System32\umonit.exe

O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [OE] "C:\Program Files\Trend Micro\Anti-Spam For OE\TMAS_OEMon.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [Promon.exe] Promon.exe

O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [iTunesHelper] "J:\My Music\iTunesHelper.exe"

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su-newocx/ocx/15012/CTSUEng.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160572156171

O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab

O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab

O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.adoramapix.com/components/ImageUploader3.cab

O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://D:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB

O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.llnwd.net/o1/NBCUniversal...eck_1_0_0_4.cab

O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.llnwd.net/o1/NBCUniversal...0_15_Silent.cab

O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.llnwd.net/o1/NBCUniversal...sal_1_0_0_3.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab

O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,38

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su-newocx/ocx/15012/CTPID.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: TwonkyVision MediaServer (TwonkyVision_Media_Server) - TwonkyVision GmbH - C:\Program Files\Twonkyvision\TwonkyMedia.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

 

--

End of file - 14610 bytes


Thanks


Hi

 

Yes, those virtual memory notifications may be related to this issue.

 

 

Disable TeaTimer as instructed in one of my previous posts.

 

Start hjt, do a system scan, check (if found):

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

Close browsers and fix checked.

 

 

Uninstall old Adobe Reader and get the latest one here or get Foxit Reader here.

 

 

Open notepad and copy/paste the text in the quotebox below into it:

 

File::
c:\windows\f49f4d98.dat
c:\windows\f49f4daa.dat

Folder:
c:\windows\system32\367770

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"=-

 

 

Save this as

CFScript

 

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

 

CFScriptB-4.gif

 

Referring to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log.

 

 

Combofix should never take more than 20 minutes including the reboot if malware is detected.

If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened we want to know, and also what process you had to end.

 

 

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

 

Double-click ATF Cleaner.exe to open it

 

Under Main choose:

Windows Temp

Current User Temp

All Users Temp

Cookies

Temporary Internet Files

Prefetch

Java Cache

*The other boxes are optional*

Then click the Empty Selected button.

 

If you use Firefox:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

 

If you use Opera:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

 

Click Exit on the Main menu to close the program.

 

 

Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.

 

 

Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
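The two R1 lines the helper asks to fix are a per-user WinINET proxy pointing at 127.0.0.1:9090, which is why browsing fails in this one profile while other accounts on the same PC work. As an added example (not the helper's or HijackThis's own code), here is a small audit that parses HijackThis R1 lines for exactly that pattern; the sample log lines are constructed to mirror the entries quoted above.

```python
"""Audit HijackThis R1 'Internet Settings' lines for a loopback proxy hijack.

Added example, not code from the helper or from HijackThis. The sample log
lines are constructed to match the two R1 entries quoted in the thread.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# HijackThis R1 line layout:  R1 - <hive>\<key path>,<value name> = <data>
R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<name>[^ =]+) = (?P<data>.*)$")

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Constructed sample: the two hijacked values from the thread plus a benign
# R1 line so the benign case is exercised too.
SAMPLE_LOG_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>",
]


class ProxyFinding(NamedTuple):
    line: str      # the HJT line a user would tick and "fix checked"
    reason: str


def parse_proxy_server(data: str) -> Dict[str, Tuple[str, str]]:
    """Parse WinINET ProxyServer data into {scheme: (host, port)}.

    The value is either one "host:port" used for every protocol (scheme "*")
    or ';'-separated "scheme=host:port" pairs such as "http=127.0.0.1:9090".
    """
    proxies: Dict[str, Tuple[str, str]] = {}
    for part in data.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, endpoint = part.partition("=") if "=" in part else ("*", "", part)
        host, _, port = endpoint.rpartition(":")
        proxies[scheme.strip().lower()] = (host.strip() or endpoint.strip(), port.strip())
    return proxies


def audit_hjt_lines(lines: List[str]) -> List[ProxyFinding]:
    """Report Internet Settings entries that route browsing through a loopback proxy.

    IE (and anything else using WinINET) honours this per-profile setting, so a
    hijacked HKCU value breaks browsing for one Windows account while other
    accounts on the same machine, and mail clients talking POP3/SMTP directly,
    keep working. ProxyOverride is reported only alongside a hijacked ProxyServer,
    because on its own it is a normal bypass list.
    """
    per_hive: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for raw in lines:
        line = raw.strip()
        m = R1_RE.match(line)
        if not m or "Internet Settings" not in m.group("key"):
            continue
        hive = m.group("key").split("\\", 1)[0]          # HKCU or HKLM
        per_hive.setdefault(hive, {})[m.group("name")] = (line, m.group("data"))

    findings: List[ProxyFinding] = []
    for hive, values in per_hive.items():
        if "ProxyServer" not in values:
            continue
        line, data = values["ProxyServer"]
        hijacked = [(s, h, p) for s, (h, p) in parse_proxy_server(data).items()
                    if h.lower() in LOOPBACK_HOSTS]
        if not hijacked:
            continue
        scope = "this user profile only" if hive == "HKCU" else "every profile"
        for scheme, host, port in hijacked:
            findings.append(ProxyFinding(
                line, f"{scheme} traffic forced through loopback {host}:{port} ({scope})"))
        if "ProxyOverride" in values:
            o_line, o_data = values["ProxyOverride"]
            findings.append(ProxyFinding(
                o_line, f"bypass list '{o_data}' set with the hijacked proxy; fix both together"))
    return findings


if __name__ == "__main__":
    for finding in audit_hjt_lines(SAMPLE_LOG_LINES):
        print(f"{finding.reason}\n    {finding.line}")
```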


Hello and thank you again. I'm sorry about the Spybot S&D TeaTimer not being disabled. I really thought that I did as you instructed in the beginning but I guess I did something wrong. By the way, I was having to do all of my internet work on my laptop and then transfer files (hjt, combofix, Adobe 9.0, etc) between my laptop and my infected desktop via my network because the virus has rendered my desktop unable to access the internet.

Initially, I thought I wasn't going to be able to run the Kaspersky scan because I was previously unable to access the internet, however that seems to be remedied but I'm still waiting on the Kaspersky scan to complete. It's very slow (only 6% complete so far) but has found 4 infected objects. I have included the new ComboFix log and will get the Kaspersky log whenever it finishes. Please let me know if there's other info I can give you while the Kaspersky scan is running.

 

When I ran ComboFix, it said there was a newer version. I selected OK to update but due to my lack of internet access at the time, the update was unsuccessful. ComboFix still ran and I hope it's alright that I used the older version. Here's the new ComboFix log:

Thanks again,

Billy-boy

 

ComboFix 08-11-28.03 - Billy 2008-11-29 13:31:03.6 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.126 [GMT -5:00]

Running from: c:\documents and settings\Billy\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Billy\Desktop\CFScript.txt

* Created a new restore point

 

FILE ::

c:\windows\f49f4d98.dat

c:\windows\f49f4daa.dat

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\f49f4d98.dat

c:\windows\f49f4daa.dat

 

.

((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))

.

 

2008-11-29 13:08 . 2008-11-29 13:08 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2008-11-22 12:30 . 2008-11-22 12:30 7,508,624 --a------ C:\Firefox Setup 3.0.4.exe

2008-11-12 12:27 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2008-11-12 12:23 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2008-11-12 10:53 . 2008-11-16 11:33 <DIR> d-------- c:\windows\system32\367770

2008-11-03 12:40 . 2008-11-14 11:33 <DIR> d-------- c:\documents and settings\Nasrin\Application Data\ZoomBrowser EX

2008-11-03 10:47 . 2008-11-04 12:03 <DIR> d-------- c:\documents and settings\Nasrin\Application Data\OpenOffice.org2

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-29 18:37 --------- d-----w c:\documents and settings\Billy\Application Data\Skype

2008-11-29 18:05 --------- d-----w c:\program files\Common Files\Adobe

2008-11-29 17:43 0 ----a-w c:\windows\system32\drivers\lvuvc.hs

2008-11-29 17:43 0 ----a-w c:\windows\system32\drivers\logiflt.iad

2008-11-19 14:44 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2008-11-19 14:44 --------- d-----w c:\program files\SpywareBlaster

2008-11-17 20:26 --------- d-----w c:\documents and settings\Billy\Application Data\ZoomBrowser EX

2008-11-17 20:21 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser

2008-11-09 00:12 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-10-27 23:22 --------- d-----w c:\documents and settings\Billy\Application Data\OpenOffice.org2

2008-10-25 22:50 --------- d-----w c:\documents and settings\Nasrin\Application Data\Skype

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-23 12:12 --------- d-----w c:\program files\Microsoft Silverlight

2008-10-20 02:45 --------- d-----w c:\program files\PC Connectivity Solution

2008-10-15 21:06 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-10-15 21:05 --------- d-----w c:\program files\iPod

2008-10-15 13:34 --------- d-----w c:\program files\XP Codec Pack

2008-10-12 14:24 --------- d-----w c:\documents and settings\Billy\Application Data\Canon

2008-10-06 16:49 --------- d-----w c:\program files\Creative

2008-10-06 16:43 --------- d-----w c:\program files\Yahoo!

2008-10-05 03:53 --------- d-----w c:\program files\AVAide

2008-10-01 15:26 --------- d-----w c:\program files\BSplayer Pro

2008-09-10 10:08 133,227,519 ----a-w C:\OOo_2.4.1_Win32Intel_install_wJRE_en-US.exe

2007-12-04 17:19 60,104 -c--a-w c:\documents and settings\Billy\Application Data\GDIPFONTCACHEV1.DAT

2007-04-01 00:22 87,608 ----a-w c:\documents and settings\Billy\Application Data\ezpinst.exe

2007-04-01 00:22 47,360 -c--a-w c:\documents and settings\Billy\Application Data\pcouffin.sys

2003-12-20 00:36 40,960 ----a-w c:\program files\Uninstall_CDS.exe

2001-08-29 08:46 294,979 -c--a-w c:\documents and settings\PIP\PISETUP.EXE

2001-03-20 04:12 44,544 -c--a-w c:\documents and settings\PIP\DSETUP.DLL

2001-03-20 04:12 1,772,544 -c--a-w c:\documents and settings\PIP\DSETUP32.DLL

2000-07-27 18:49 1,526,275 -c--a-w c:\documents and settings\PIP\INSTMSIW.EXE

2000-07-27 18:49 1,513,987 -c--a-w c:\documents and settings\PIP\INSTMSIA.EXE

2008-06-24 04:03 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008062420080625\index.dat

.

 

((((((((((((((((((((((((((((( [email protected]_15.49.43.71 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-12-12 20:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe

+ 2008-11-29 17:43:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_500.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-10-13 20058152]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-24 94208]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"POINTER"="c:\program files\Microsoft Hardware\Mouse\point32.exe" [2002-04-11 176128]

"UMonit"="c:\windows\System32\umonit.exe" [2003-04-21 49152]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-12 29744]

"OE"="c:\program files\Trend Micro\Anti-Spam For OE\TMAS_OEMon.exe" [2007-12-25 176201]

"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]

"DellTouch"="c:\windows\MMKeybd.exe" [2001-09-05 163840]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-18 185896]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"iTunesHelper"="j:\my music\iTunesHelper.exe" [2008-10-01 289576]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"WD Button Manager"="WDBtnMgr.exe" [2007-02-01 c:\windows\system32\WDBtnMgr.exe]

"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 c:\windows\system32\CTHELPER.EXE]

"Promon.exe"="Promon.exe" [2001-07-19 c:\windows\system32\PROMon.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 443968]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-06 113664]

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-07-07 577597]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-01-12 67128]

Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 24633]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2004-04-15 155648]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoViewOnDrive"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ctmp3"= c:\windows\System32\ctmp3.acm

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\Twonkyvision\\TwonkyMedia.exe"=

"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=

"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=

"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"j:\\My Music\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2004-04-15 9344]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-02 78416]

R2 agentcd;DriverAgent Class Driver;\??\c:\windows\System32\AgentCD.sys [2008-09-13 196096]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-02 20560]

R2 BCMNTIO;BCMNTIO;\??\c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-12-13 3744]

R2 MAPMEM;MAPMEM;\??\c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-12-13 3904]

R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2008-09-13 28672]

R2 TwonkyVision_Media_Server;TwonkyVision MediaServer;c:\program files\Twonkyvision\TwonkyMedia.exe -serviceversion []

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-13 24652]

R3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [2004-04-09 6016]

R3 LVRS;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs.sys [2008-01-12 627864]

R3 Msikbd2k;DellTouch;c:\windows\system32\DRIVERS\msikbd2k.sys [2008-09-13 6942]

S2 Mojave;Dazzle Mojave Device;c:\windows\system32\DRIVERS\Mojave.sys [2008-09-13 120352]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-09-01 29744]

S3 PID_0920;Labtec WebCam(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS [2006-05-14 163328]

S4 hpt3xx;hpt3xx; []

.

Contents of the 'Scheduled Tasks' folder

 

2008-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

 

2008-11-29 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

 

2008-11-28 c:\windows\Tasks\User_Feed_Synchronization-{FA9CA42B-34DB-4CDB-8F4B-FB24CD460873}.job

- c:\windows\system32\msfeedssync.exe [2008-08-22 02:05]

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-29 13:37:17

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-11-29 13:42:06

ComboFix-quarantined-files.txt 2008-11-29 18:41:47

 

Pre-Run: 32,538,738,688 bytes free

Post-Run: 32,528,773,120 bytes free

 

161 --- E O F --- 2008-11-27 15:02:37


I forgot to mention that I disabled my Avast anti virus as instructed by the Kaspersky scan. I hope that was OK?

 

 

Hello and thank you again. I'm sorry about the Spybot S&D TeaTimer not being disabled. I really thought that I did as you instructed in the begining but I guess I did something wrong. By the way, was having to do all of my internet work on my laptop and then transfer files (hjt, combofix, Adobe 9.0, etc) between my infected desktop via my network because of the virus has rendered my desktop unable to access the internet.

Initially, I thought I wasn't going to be able to run the Kapersky scan because I was previously unable to access the internet, however that seems to be remidied but I'm still waiting on the Kaspersky scan to complete. It's very slow (only 6% complete so far) but has found 4 infected objects. I have included the new ComboFix log and will get the Kaspersky log whenever it finishes. Please let me know if there's other info I can give you while the Kaspersky scan is running?

 

When I ran ComboFix, it said there was a newer version. I selected OK to update but due to my lack of internet access at the time, the update was unsuccessful. ComboFix still ran and I hope it's alright that I used the older version. Here's the new ComboFix log:

Thanks again,

Billy-boy

 

ComboFix 08-11-28.03 - Billy 2008-11-29 13:31:03.6 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.126 [GMT -5:00]

Running from: c:\documents and settings\Billy\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Billy\Desktop\CFScript.txt

* Created a new restore point

 

FILE ::

c:\windows\f49f4d98.dat

c:\windows\f49f4daa.dat

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\f49f4d98.dat

c:\windows\f49f4daa.dat

 

.

((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))

.

 

2008-11-29 13:08 . 2008-11-29 13:08 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2008-11-22 12:30 . 2008-11-22 12:30 7,508,624 --a------ C:\Firefox Setup 3.0.4.exe

2008-11-12 12:27 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2008-11-12 12:23 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2008-11-12 10:53 . 2008-11-16 11:33 <DIR> d-------- c:\windows\system32\367770

2008-11-03 12:40 . 2008-11-14 11:33 <DIR> d-------- c:\documents and settings\Nasrin\Application Data\ZoomBrowser EX

2008-11-03 10:47 . 2008-11-04 12:03 <DIR> d-------- c:\documents and settings\Nasrin\Application Data\OpenOffice.org2

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-29 18:37 --------- d-----w c:\documents and settings\Billy\Application Data\Skype

2008-11-29 18:05 --------- d-----w c:\program files\Common Files\Adobe

2008-11-29 17:43 0 ----a-w c:\windows\system32\drivers\lvuvc.hs

2008-11-29 17:43 0 ----a-w c:\windows\system32\drivers\logiflt.iad

2008-11-19 14:44 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2008-11-19 14:44 --------- d-----w c:\program files\SpywareBlaster

2008-11-17 20:26 --------- d-----w c:\documents and settings\Billy\Application Data\ZoomBrowser EX

2008-11-17 20:21 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser

2008-11-09 00:12 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-10-27 23:22 --------- d-----w c:\documents and settings\Billy\Application Data\OpenOffice.org2

2008-10-25 22:50 --------- d-----w c:\documents and settings\Nasrin\Application Data\Skype

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-23 12:12 --------- d-----w c:\program files\Microsoft Silverlight

2008-10-20 02:45 --------- d-----w c:\program files\PC Connectivity Solution

2008-10-15 21:06 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-10-15 21:05 --------- d-----w c:\program files\iPod

2008-10-15 13:34 --------- d-----w c:\program files\XP Codec Pack

2008-10-12 14:24 --------- d-----w c:\documents and settings\Billy\Application Data\Canon

2008-10-06 16:49 --------- d-----w c:\program files\Creative

2008-10-06 16:43 --------- d-----w c:\program files\Yahoo!

2008-10-05 03:53 --------- d-----w c:\program files\AVAide

2008-10-01 15:26 --------- d-----w c:\program files\BSplayer Pro

2008-09-10 10:08 133,227,519 ----a-w C:\OOo_2.4.1_Win32Intel_install_wJRE_en-US.exe

2007-12-04 17:19 60,104 -c--a-w c:\documents and settings\Billy\Application Data\GDIPFONTCACHEV1.DAT

2007-04-01 00:22 87,608 ----a-w c:\documents and settings\Billy\Application Data\ezpinst.exe

2007-04-01 00:22 47,360 -c--a-w c:\documents and settings\Billy\Application Data\pcouffin.sys

2003-12-20 00:36 40,960 ----a-w c:\program files\Uninstall_CDS.exe

2001-08-29 08:46 294,979 -c--a-w c:\documents and settings\PIP\PISETUP.EXE

2001-03-20 04:12 44,544 -c--a-w c:\documents and settings\PIP\DSETUP.DLL

2001-03-20 04:12 1,772,544 -c--a-w c:\documents and settings\PIP\DSETUP32.DLL

2000-07-27 18:49 1,526,275 -c--a-w c:\documents and settings\PIP\INSTMSIW.EXE

2000-07-27 18:49 1,513,987 -c--a-w c:\documents and settings\PIP\INSTMSIA.EXE

2008-06-24 04:03 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008062420080625\index.dat

.

 

((((((((((((((((((((((((((((( [email protected]_15.49.43.71 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-12-12 20:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe

+ 2008-11-29 17:43:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_500.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-10-13 20058152]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-24 94208]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"POINTER"="c:\program files\Microsoft Hardware\Mouse\point32.exe" [2002-04-11 176128]

"UMonit"="c:\windows\System32\umonit.exe" [2003-04-21 49152]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-12 29744]

"OE"="c:\program files\Trend Micro\Anti-Spam For OE\TMAS_OEMon.exe" [2007-12-25 176201]

"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]

"DellTouch"="c:\windows\MMKeybd.exe" [2001-09-05 163840]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-18 185896]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"iTunesHelper"="j:\my music\iTunesHelper.exe" [2008-10-01 289576]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"WD Button Manager"="WDBtnMgr.exe" [2007-02-01 c:\windows\system32\WDBtnMgr.exe]

"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 c:\windows\system32\CTHELPER.EXE]

"Promon.exe"="Promon.exe" [2001-07-19 c:\windows\system32\PROMon.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 443968]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-06 113664]

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-07-07 577597]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-01-12 67128]

Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 24633]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2004-04-15 155648]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoViewOnDrive"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ctmp3"= c:\windows\System32\ctmp3.acm

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\Twonkyvision\\TwonkyMedia.exe"=

"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=

"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=

"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"j:\\My Music\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2004-04-15 9344]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-02 78416]

R2 agentcd;DriverAgent Class Driver;\??\c:\windows\System32\AgentCD.sys [2008-09-13 196096]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-02 20560]

R2 BCMNTIO;BCMNTIO;\??\c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-12-13 3744]

R2 MAPMEM;MAPMEM;\??\c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-12-13 3904]

R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2008-09-13 28672]

R2 TwonkyVision_Media_Server;TwonkyVision MediaServer;c:\program files\Twonkyvision\TwonkyMedia.exe -serviceversion []

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-13 24652]

R3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [2004-04-09 6016]

R3 LVRS;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs.sys [2008-01-12 627864]

R3 Msikbd2k;DellTouch;c:\windows\system32\DRIVERS\msikbd2k.sys [2008-09-13 6942]

S2 Mojave;Dazzle Mojave Device;c:\windows\system32\DRIVERS\Mojave.sys [2008-09-13 120352]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-09-01 29744]

S3 PID_0920;Labtec WebCam(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS [2006-05-14 163328]

S4 hpt3xx;hpt3xx; []

.

Contents of the 'Scheduled Tasks' folder

 

2008-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

 

2008-11-29 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

 

2008-11-28 c:\windows\Tasks\User_Feed_Synchronization-{FA9CA42B-34DB-4CDB-8F4B-FB24CD460873}.job

- c:\windows\system32\msfeedssync.exe [2008-08-22 02:05]

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-29 13:37:17

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-11-29 13:42:06

ComboFix-quarantined-files.txt 2008-11-29 18:41:47

 

Pre-Run: 32,538,738,688 bytes free

Post-Run: 32,528,773,120 bytes free

 

161 --- E O F --- 2008-11-27 15:02:37

 

 

 

 

 

 

Hi

 

Yes, those virtual memory notifications may be related to this issue.

Disable TeaTimer as instructed in one of my previous posts.

 

Start hjt, do a system scan, check (if found):

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

Close browsers and fix checked.

Uninstall old Adobe Reader and get the latest one here or get Foxit Reader here.

Open notepad and copy/paste the text in the quotebox below into it:

 

File::
c:\windows\f49f4d98.dat
c:\windows\f49f4daa.dat

Folder::
c:\windows\system32\367770

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"=-

Save this as

CFScript

 

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

 

CFScriptB-4.gif

 

Referring to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.

If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened we want to know, and also what process you had to end.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

 

Double-click ATF Cleaner.exe to open it

 

Under Main choose:

Windows Temp

Current User Temp

All Users Temp

Cookies

Temporary Internet Files

Prefetch

Java Cache

*The other boxes are optional*

Then click the Empty Selected button.

 

If you use Firefox:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

 

If you use Opera:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

 

Click Exit on the Main menu to close the program.

Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.

Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.

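The two R1 entries the helper asks Billy-boy to fix point Internet Explorer's proxy at a process on the local machine, and they live under HKCU, a per-user hive, which is consistent with only one user profile losing web access while the others on the same computer kept it. As an added example that is not part of this thread, here is a small Python check that scans HijackThis R0/R1 lines for ProxyServer entries not on an approved list and flags loopback proxies; the sample log lines are constructed, with the proxy value copied from the thread.

```python
"""Flag suspicious ProxyServer entries in HijackThis R0/R1 log lines.

Added example, not part of the forum thread or of HijackThis itself.
The SAMPLE_LOG below is constructed; its proxy value mirrors the entry
the helper asked to be fixed.
"""
import re
from ipaddress import ip_address

# R0/R1 lines look like:
#   R1 - <hive>\<key path>,<setting> = <data>
R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<setting>[^=]+?)\s*=\s*(?P<data>.*)$")

# Constructed sample: one hijacked ProxyServer plus benign neighbours.
SAMPLE_LOG = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar3.dll
"""


def parse_proxy_server(data):
    """Turn a ProxyServer value into {protocol: (host, port)}.

    The value is either 'host:port' (applies to every protocol, keyed 'all')
    or a ';'-separated list of 'protocol=host:port' pairs.
    """
    proxies = {}
    for part in data.split(";"):
        part = part.strip()
        if not part:
            continue
        proto, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        proxies[proto or "all"] = (host or hostport, int(port) if port.isdigit() else None)
    return proxies


def is_loopback(host):
    """True for 127.x / ::1 and the usual localhost names."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() in ("localhost", "localhost.localdomain")


def check_proxy_entries(log_text, approved_proxies=frozenset()):
    """Return one finding per ProxyServer target that is not approved.

    approved_proxies: 'host:port' strings a site legitimately uses, so a
    corporate proxy is not reported as a hijack.
    """
    findings = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m or m.group("setting").strip() != "ProxyServer":
            continue
        hive = m.group("key").split("\\")[0]  # HKCU is per-user, HKLM machine-wide
        for proto, (host, port) in parse_proxy_server(m.group("data")).items():
            hostport = f"{host}:{port}" if port is not None else host
            if hostport in approved_proxies:
                continue
            if is_loopback(host):
                reason = "proxy on loopback: a local process is intercepting web traffic"
            else:
                reason = "proxy not on the approved list"
            findings.append({
                "hive": hive,
                "per_user": hive == "HKCU",
                "protocol": proto,
                "proxy": hostport,
                "reason": reason,
                "line": line.strip(),
            })
    return findings


if __name__ == "__main__":
    for f in check_proxy_entries(SAMPLE_LOG):
        scope = "per-user" if f["per_user"] else "machine-wide"
        print(f"[{scope}] {f['protocol']} -> {f['proxy']}: {f['reason']}")
```

A clean machine with direct internet access yields no ProxyServer findings at all; a hit on 127.0.0.1 under HKCU is the pattern to hand to the HijackThis fix, as done in the thread.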

Good morning Blade81. The Kaspersky scan is complete and here are the results of the scan:

 

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Monday, December 1, 2008

Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Saturday, November 29, 2008 20:22:01

Records in database: 1428083

--------------------------------------------------------------------------------

 

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

 

Scan area - My Computer:

A:\

C:\

D:\

E:\

F:\

G:\

H:\

I:\

J:\

 

Scan statistics:

Files scanned: 129071

Threat name: 4

Infected objects: 4

Suspicious objects: 0

Duration of the scan: 37:44:07

 

 

File name / Threat name / Threats count

C:\Documents and Settings\Billy\Desktop\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1

C:\Documents and Settings\Billy\Desktop\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1

C:\Documents and Settings\Billy\My Documents\Downloaded Files\AVAide-Video-Converter.exe Infected: Trojan-Downloader.Win32.Injecter.aqx 1

C:\Documents and Settings\Billy\My Documents\Downloaded Files\AVAide-Video-Converter.exe Infected: Trojan.Win32.Zapchast.os 1

 

The selected area was scanned.

 

...and here is the fresh HjT log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:54:51 AM, on 12/1/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18241)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Nhksrv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\DVDRAMSV.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\system32\NMSSvc.exe

C:\Program Files\Dantz\Retrospect\retrorun.exe

C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Twonkyvision\TwonkyMedia.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINDOWS\System32\umonit.exe

C:\WINDOWS\system32\WDBtnMgr.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Trend Micro\Anti-Spam For OE\TMAS_OEMon.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\WINDOWS\system32\Promon.exe

C:\WINDOWS\MMKeybd.exe

C:\Program Files\Netropa\OSD.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\PC Connectivity Solution\NclBTHandler.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\WINDOWS\system32\RAMASST.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\iPod\bin\iPodService.exe

J:\My Music\iTunesHelper.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

O4 - HKLM\..\Run: [uMonit] C:\WINDOWS\System32\umonit.exe

O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [OE] "C:\Program Files\Trend Micro\Anti-Spam For OE\TMAS_OEMon.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [Promon.exe] Promon.exe

O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "J:\My Music\iTunesHelper.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su-newocx/ocx/15012/CTSUEng.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160572156171

O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab

O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab

O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.adoramapix.com/components/ImageUploader3.cab

O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://D:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB

O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.llnwd.net/o1/NBCUniversal...eck_1_0_0_4.cab

O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.llnwd.net/o1/NBCUniversal...0_15_Silent.cab

O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.llnwd.net/o1/NBCUniversal...sal_1_0_0_3.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab

O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,38

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su-newocx/ocx/15012/CTPID.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: TwonkyVision MediaServer (TwonkyVision_Media_Server) - TwonkyVision GmbH - C:\Program Files\Twonkyvision\TwonkyMedia.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

 

--

End of file - 14016 bytes

 

Thanks for your patience and help with all of this. I do hope we can fix everything and get my computer running safe again. I also hope you had a nice Thanksgiving.

Sincerely,

Billy-boy


Hi

 

We don't celebrate Thanksgiving here in Finland. So, for me it was just another busy day. Anyway, I hope your Thanksgiving was good B)

 

Delete C:\Documents and Settings\Billy\My Documents\Downloaded Files\AVAide-Video-Converter.exe file and c:\windows\system32\367770 folder.

 

Do you still have problems accessing the web?


Oops, I didn't see that you were from Finland. Sorry. Of course you don't celebrate Thanksgiving. Well, I hope you had a nice weekend.

I am able to access the internet. Did those deletions get rid of everything? I thought there were four infected files according to Kaspersky?

Thanks


Hi

 

Actually two different files with two different detected issues on both. However, the C:\Documents and Settings\Billy\Desktop\tightvnc-1.2.9-setup.exe file is ok if you got it yourself and are familiar with it.

 

 

Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.

 

 

THESE STEPS ARE VERY IMPORTANT

 

Let's reset system restore

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

 

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

 

2. Reboot.

 

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

NOTE: only do this ONCE, NOT on a regular basis

 

 

 

Now let's uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

 

UPDATING WINDOWS AND INTERNET EXPLORER

 

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

 

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

 

 

Make your Internet Explorer more secure

 

This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

 

 

 

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • Download SpywareBlaster
    SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It makes kill bits in the registry, so that certain ActiveX controls can't install.
    If you don't know what ActiveX controls are, see here.
    You can download SpywareBlaster here.
    SpywareBlaster tutorial
     
  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!

    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here

    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:



    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.

    If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and install firewall ONLY!).

 

Just a final reminder for you. I am trying to stress these two points.

UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.

Make sure all of your security programs are up to date.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

 

 

 

Once again, please post and tell me how things are going with your system... problems etc.

 

Have a great day,

Blade B)


I'm in the process of doing your first step, turning off system restore. I checked the "turn off system restore" box and clicked apply. Two identical (what I think are Java script) Application Error messages popped up which state "General Exception - Name: jReport java.lang.NullpointerException: null pData"

There is an OK and Details box. What do I do?


Thank you so much. I do still have a few questions;

I thought I did have a firewall, the one that came with Windows. Do I need an additional or different one?

Should I not be using Internet Explorer and instead use FireFox?

What about the Running Processes? Did you see any unwanted or unneeded ones?

What about the Tea Timer settings we changed and the Rest TeaTimer program?

With SpyBot S&D, are those pop-up Allow or Disallow boxes helpful or necessary?

I currently use Avast as my Anti-Virus program. Is that a good one or do you recommend something else?

I also have a problem with Outlook Express. I am running TrendMicro Anti-Spam but when I switch between email Identities, I am unable to read or write the email text. Any ideas?

Should my low Virtual Memory problem be resolved too?

Thanks again and I also appreciate you taking time to answer my questions.

I thought I did have a firewall, the one that came with Windows. Do I need an additional or different one?

Hi

 

XP internal firewall doesn't monitor all traffic and that's why it's recommended to get a 3rd party solution if you're not behind a router with NAT enabled.

 

Should I not be using Internet Explorer and instead use FireFox?

At the moment Firefox is safer so I recommend using it when possible (some web sites work correctly with Internet Explorer only).

 

What about the Running Processes? Did you see any unwanted or unneeded ones?

None of those running ones is malicious. The following list contains startup items that are optional and which you may disable through msconfig (instructions) if you want:

Google Desktop Search

PCSuiteTrayApplication

LogitechCommunicationsManager

LogitechQuickCamRibbon

TkBellExe

SunJavaUpdateSched

Adobe Reader Speed Launcher

QuickTime Task

iTunesHelper

Skype

MSMSGS

WMPNSCFG

Picasa Media Detector

Adobe Gamma Loader

Logitech Desktop Messenger

Microsoft Works Calendar Reminders

 

 

 

What about the Tea Timer settings we changed and the Rest TeaTimer program?

With SpyBot S&D, are those pop-up Allow or Disallow boxes helpful or necessary?

You may decide whether or not you want to re-enable TeaTimer. I'm not personally using it.

 

I currently use Avast as my Anti-Virus program. Is that a good one or do you recommend something else?

Avast is a good choice B)

 

I also have a problem with Outlook Express. I am running TrendMicro Anti-Spam but when I switch between email Identities, I am unable to read or write the email text. Any ideas?

No, but you could ask at http://forums.techguy.org

 

Should my low Virtual Memory problem be resolved too?

Yes, should be gone now if it was due to the infection.


Awesome! Thank you so much for your help. You people who volunteer to help are real life savers. Thanks and I hope you have a nice Christmas. I know you Finns celebrate that ;-) Isn't Finland where the legend of Santa Claus came from?

Thanks again,

Billy-boy


Hello again. I just wanted to give you an update on my computer. Things aren't working 100% smoothly. I installed the Online Armor Firewall but I now am having a few other problems which I think are related to the new installation.

On start up, I received this message:

Microsoft Visual C++ Runtime Library Runtime Error! Program: C:\Program Files\ Trend Micro\ AntiSpam For OE\ TMAS_OE.exe

 

I'm also having problems with FireFox which doesn't connect to the internet and I get this message:

Proxy server refused connection

 

Also, I use my Playstation 3 as a media server and now the PS3 doesn't find my computer. I went back into Windows Media Player and made sure everything was correctly set up and it was. Any ideas?

 

I also receive pop-up questions from Online Armor about Viewpoint Service, which I'm not even sure what that program does. I also receive a few pop-ups about Trend Micro Anti-spam and some relating to OE. If I don't allow these, I'm unable to connect to the internet using OE. Like I mentioned earlier, FireFox doesn't work even after I OK these pop-ups.

 

Sorry to be coming back at you with more problems but I appreciate your help.

Sincerely,

Billy-boy


Hi

 

I believe you've configured Online Armor wrong. You may ask for help with configuring it here on the official forums. :)

 

Thanks and I hope you have a nice Christmas. I know you Finns celebrate that ;-) Isn't Finland where the legend of Santa Claus came from?

I wish you a merry upcoming Christmas too. Yes, Santa Claus lives in northern Finland :)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

 

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

 

Everyone else please begin a New Topic.

 

Thank you !
