Post #1, Jul 18 2008, 07:59 AM
New Member (Posts: 12, Joined: 3-July 08, Member No.: 80,011, Operating System: Windows XP)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:03 AM, on 7/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe
C:\Program Files\Dynex Wireless G Enhanced Adapter\WLanCfgG.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Beth\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {23912BB0-CC9F-4C69-83D4-19C2B183BA91} - http://ns-radio.netscape.com/radio/cabs/radiox.cab
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://www.fastaccess.drivers.bellsouth.ne...bls_speedop.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.19/ttinst.cab
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - https://carelink.minimed.com/plugin/jinstal...indows-i586.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: {FF791555-FDAC-43AB-B792-389E4CC0A6E5} (Toontown TestServer Installer ActiveX Control) - http://download.test.toontown.com/sv1.0.18...est/tt_test.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: KernelSys - {a2d02d21-e8ad-4ec7-9f61-e635134f9632} - (no file)
O21 - SSODL: RamSrv - {916531b7-d040-4936-80bd-6fe51236ff93} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Dynex Wireless G Enhanced Adapter Service (Dynex DX-WGPDTC WLService) - Unknown owner - C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - (no file)
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

--
End of file - 7982 bytes

Anything you can tell me would be MOST useful, as I am stuck! Thanks!
Post #2, Jul 18 2008, 03:48 PM
Forum God, Root Admin (Posts: 40,577, Joined: 23-September 04, From: Missouri, USA, Member No.: 15,276)
Stay with this topic until I give you the all clean post.
You might want to print these instructions out.

I suggest you do this:
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Please do not delete anything unless instructed to.

I see you have already downloaded Mbam but it won't run. Try this:
Rename Mbam.exe to Mbam.com
Now see if it will run.
Post #3, Jul 18 2008, 06:09 PM
New Member (Posts: 12, Joined: 3-July 08, Member No.: 80,011, Operating System: Windows XP)
Thanks for getting back to me so fast! I really didn't expect a reply for days! I did try the rename trick (I saw that on a similar post), but I started with Combo-fix. That has changed things a lot in the last few hours. I can now run all of my programs. I ran Combo-fix, then Mbam. They both fixed lots. Here are the new logs:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:38:59 PM, on 7/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe
C:\Program Files\Dynex Wireless G Enhanced Adapter\WLanCfgG.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Beth\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {23912BB0-CC9F-4C69-83D4-19C2B183BA91} - http://ns-radio.netscape.com/radio/cabs/radiox.cab
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://www.fastaccess.drivers.bellsouth.ne...bls_speedop.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.19/ttinst.cab
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - https://carelink.minimed.com/plugin/jinstal...indows-i586.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: {FF791555-FDAC-43AB-B792-389E4CC0A6E5} (Toontown TestServer Installer ActiveX Control) - http://download.test.toontown.com/sv1.0.18...est/tt_test.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Dynex Wireless G Enhanced Adapter Service (Dynex DX-WGPDTC WLService) - Unknown owner - C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - (no file)

--
End of file - 8146 bytes

AND:

ComboFix 08-07-17.4 - Beth 2008-07-18 18:25:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.316 [GMT -5:00]
Running from: C:\Documents and Settings\Beth\Desktop\Combofix.com.exe
Command switches used :: C:\Documents and Settings\Beth\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.
2008-07-18 16:51 . 2008-07-18 16:51 <DIR> d-------- C:\Documents and Settings\Beth\Application Data\Malwarebytes
2008-07-18 16:51 . 2008-07-18 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-18 16:51 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-07-18 16:51 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-07-18 15:29 . 2008-07-18 16:07 <DIR> d-------- C:\Combo-fix.com
2008-07-18 08:42 . 2008-07-18 08:42 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-07-03 15:31 . 2008-07-03 16:20 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-07-03 15:13 . 2008-07-03 16:08 23,392 --a------ C:\WINDOWS\SYSTEM32\nscompat.tlb
2008-07-03 15:13 . 2008-07-03 16:08 16,832 --a------ C:\WINDOWS\SYSTEM32\amcompat.tlb
2008-07-01 14:25 . 2008-07-01 14:25 <DIR> d-------- C:\Vdefs
2008-07-01 14:16 . 2008-07-01 14:17 <DIR> d-------- C:\!KillBox
2008-07-01 10:24 . 2008-07-01 10:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-30 18:24 . 2008-06-30 18:24 <DIR> d-------- C:\Documents and Settings\Beth\Application Data\GlarySoft
2008-06-30 18:02 . 2008-06-30 19:03 <DIR> d-------- C:\Program Files\Max Registry Cleaner
2008-06-30 18:02 . 2007-05-24 16:57 143,360 --a------ C:\WINDOWS\SYSTEM32\GetHardDiskNo.dll
2008-06-30 18:02 . 2008-06-30 18:02 63 --a------ C:\WINDOWS\SYSTEM\SYSRegC.dll
2008-06-30 17:53 . 2008-06-30 17:53 <DIR> d-------- C:\Program Files\Uniblue
2008-06-30 17:53 . 2008-06-30 17:53 <DIR> d-------- C:\Documents and Settings\Beth\Application Data\Uniblue
2008-06-30 12:42 . 2008-07-18 07:27 <DIR> d-------- C:\Program Files\Advanced Spyware Remover
2008-06-28 09:01 . 2008-06-30 22:17 2,070 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-06-27 18:02 . 2003-07-16 15:24 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-06-27 09:36 . 2008-06-27 09:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2008-06-27 09:30 . 2008-06-27 09:30 <DIR> d-------- C:\Documents and Settings\Beth\Application Data\vlc
2008-06-27 09:21 . 2008-06-27 09:21 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-06-27 09:16 . 2008-06-27 09:16 <DIR> d-------- C:\Program Files\Nero
2008-06-27 09:16 . 2008-06-27 09:20 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-06-27 09:16 . 2008-06-27 09:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 20:28 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-18 13:58 --------- d-----w C:\Documents and Settings\Beth\Application Data\OpenOffice.org2
2008-07-18 12:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-18 08:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-03 19:51 --------- d-----w C:\Program Files\Lx_cats
2008-06-27 23:16 --------- d-----w C:\Documents and Settings\Beth\Application Data\AVG7
2008-06-27 14:11 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-27 14:10 --------- d-----w C:\Documents and Settings\Beth\Application Data\AdobeUM
2008-06-16 14:56 14,336 ----a-w C:\Documents and Settings\Matthew\Application Data\psohq.exe
2008-05-21 20:53 --------- d-----w C:\Documents and Settings\Matthew\Application Data\AdobeUM
2007-08-17 14:53 92,064 ----a-w C:\Documents and Settings\Beth\mqdmmdm.sys
2007-08-17 14:53 9,232 ----a-w C:\Documents and Settings\Beth\mqdmmdfl.sys
2007-08-17 14:53 79,328 ----a-w C:\Documents and Settings\Beth\mqdmserd.sys
2007-08-17 14:53 66,656 ----a-w C:\Documents and Settings\Beth\mqdmbus.sys
2007-08-17 14:53 6,208 ----a-w C:\Documents and Settings\Beth\mqdmcmnt.sys
2007-08-17 14:53 5,936 ----a-w C:\Documents and Settings\Beth\mqdmwhnt.sys
2007-08-17 14:53 4,048 ----a-w C:\Documents and Settings\Beth\mqdmcr.sys
2007-08-17 14:53 25,600 ----a-w C:\Documents and Settings\Beth\usbsermptxp.sys
2007-08-17 14:53 22,768 ----a-w C:\Documents and Settings\Beth\usbsermpt.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-22 00:44 126976]
"Lexmark 5200 series"="C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe" [2004-02-24 12:10 57344]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-15 05:00 579584]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-22 00:48 155648]
"LXBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-02-23 08:47 61440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 05:00 219136]

[HKLM\~\startupfolder\C:^Documents and Settings^Matthew^Start Menu^Programs^Startup^Registration Lock On]
backup=C:\WINDOWS\pss\Registration Lock OnStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp Update 3300C
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-10-06 10:05 53248 c:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2003-10-06 10:05 118784 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
--a------ 2003-06-24 12:09 568096 C:\Program Files\Netscape\Netscape\Netscp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 19:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-12-31 18:26 204845 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2004-07-23 10:02 1277952 C:\Program Files\Support.com\BellSouth\hcenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe
"IntelMeM"=C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
"tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
"V0230Mon.exe"=C:\WINDOWS\V0230Mon.exe
"cwcptray"=C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"DVDSentry"=C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"DVDSentry"=C:\WINDOWS\System32\DSentry.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 17:09]
R2 CwAltaService20;ContentWatch;C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe [2007-05-30 09:40]
R2 Dynex DX-WGPDTC WLService;Dynex Wireless G Enhanced Adapter Service;C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe [2004-03-29 16:08]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 17:09]
R3 V0230Vfx;V0230Vfx;C:\WINDOWS\system32\DRIVERS\V0230Vfx.sys [2006-03-24 02:00]
R3 V0230VID;Live! Cam Video IM Pro;C:\WINDOWS\system32\DRIVERS\V0230VID.sys [2006-09-29 02:01]
S3 crtaud;Conexant Riptide WDM Audio Driver;C:\WINDOWS\system32\drivers\crtaud.sys [2001-08-17 12:19]
S3 rpfun;Conexant Riptide Dummy Driver;C:\WINDOWS\system32\drivers\rpfun.sys [2001-08-17 12:19]
S3 rthwcls;Conexant Riptide Bus / Firmware Downloader;C:\WINDOWS\system32\drivers\rthwcls.sys [2001-08-17 12:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\bootcd\wintools\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3da718f-ad47-11db-881a-000f1f4cc58d}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c557ac7c-cbd6-11d9-8839-000f1f4cc58d}]
\Shell\AutoRun\command - F:\setupSNK.exe

*Newly Created Service* - GTNDIS5
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-06-28 12:13:55 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-18 11:17:01 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 18:28:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\wxbase28u_vc_CW.dll
.
Completion time: 2008-07-18 18:30:00
ComboFix-quarantined-files.txt 2008-07-18 23:29:34
ComboFix2.txt 2008-07-18 21:07:39

Pre-Run: 12,101,378,048 bytes free
Post-Run: 12,057,657,344 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

184

I also ran Spybot (2 files) and ATF cleaner. I am actually sending this on the infected computer, so things are looking up! I will stop messing with it now that I am "in your control". What do you think?
Post #4, Jul 18 2008, 06:14 PM
New Member (Posts: 12, Joined: 3-July 08, Member No.: 80,011, Operating System: Windows XP)
Sorry, here is Mbam:
Malwarebytes' Anti-Malware 1.20
Database version: 965
Windows 5.1.2600 Service Pack 2

6:12:23 PM 7/18/2008
mbam-log-7-18-2008 (18-12-23).txt

Scan type: Full Scan (C:\|H:\|I:\|)
Objects scanned: 261544
Time elapsed: 1 hour(s), 16 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 65

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhc9ctj0e72v (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (Adware.OneToolBar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\FreeCodec (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\NewCfg (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Disney\Disney Online\Toontown\InstallLauncher.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Disney\Disney Online\ToontownTest\InstallLauncher.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\TDM\TDMInstall.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dyvnqpeh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ekeqsred.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fccbCvvT.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gdyfjdhd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hpkvjf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hvfaxokq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ibxuljvr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jsnwvpuu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kgbgrcxg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\khfExutR.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nmhuvvuo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oagkjv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pphccctj0e72v.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tjkqqvsn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tuvWNhEw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uofyso.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wewdqxft.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wgrgkmer.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xkfaelmi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\Documents and Settings\Cole\Local Settings\Temporary Internet Files\Content.IE5\VHSZQI0W\DellSupportUpdateForIE7[1].exe (Adware.Agent) -> Quarantined and deleted successfully.
I:\Program Files\Disney\Disney Online\Toontown\InstallLauncher.exe (Adware.Agent) -> Quarantined and deleted successfully.
I:\Program Files\Disney\Disney Online\ToontownTest\InstallLauncher.exe (Adware.Agent) -> Quarantined and deleted successfully.
I:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\TDM\TDMInstall.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\FreeCodec\Uninstall.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\1.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\10.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\2.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\20off.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\3.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\4.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\5.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\6.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\7.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\8.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\9.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\action.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\atlantis.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\bfgtoolbarDLL.zip (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\bfgtoolbartb0500.cfg (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\bfg_greetings.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\card.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\COMBOSEARCH.acs (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\logo.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\mahjong.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\mygames.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\mygamestoolbar.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\new.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\newgames.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\puzzle.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\search.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\thereef.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\topten.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\webgames.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beth\Application Data\bfgtoolbar\word.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matthew\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Jul 18 2008, 06:30 PM, Post #5
Forum God, Group: Root Admin, Posts: 40,577, Joined: 23-September 04, From: Missouri, USA, Member No.: 15,276
I need you to do this first.
Delete this file: C:\Windows\System32\beep.sys
Download beep.sys from here and save it to C:\Windows\system32\drivers\
Answer yes if it asks to overwrite.
I will be back with another fix in a minute.

Jul 18 2008, 06:37 PM, Post #6
Forum God, Group: Root Admin, Posts: 40,577, Joined: 23-September 04, From: Missouri, USA, Member No.: 15,276
I want you to rename combofix.com back to combofix.exe and try running it.

Jul 18 2008, 06:39 PM, Post #7
New Member, Group: New Member, Posts: 12, Joined: 3-July 08, Member No.: 80,011, Operating System: Window XP
done.

Jul 18 2008, 06:40 PM, Post #8
Forum God, Group: Root Admin, Posts: 40,577, Joined: 23-September 04, From: Missouri, USA, Member No.: 15,276
Will combofix.exe run now?

Jul 18 2008, 06:46 PM, Post #9
New Member, Group: New Member, Posts: 12, Joined: 3-July 08, Member No.: 80,011, Operating System: Window XP
Combofix.exe is running now on the infected computer.

Jul 18 2008, 06:48 PM, Post #10
Forum God, Group: Root Admin, Posts: 40,577, Joined: 23-September 04, From: Missouri, USA, Member No.: 15,276
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Jul 18 2008, 06:50 PM, Post #11
New Member, Group: New Member, Posts: 12, Joined: 3-July 08, Member No.: 80,011, Operating System: Window XP
Here is the log.

ComboFix 08-07-17.4 - Beth 2008-07-18 19:41:08.3 - NTFSx86
Running from: C:\Documents and Settings\Beth\Desktop\Combofix.exe
.

(((((((((((((((((((((((((   Files Created from 2008-06-19 to 2008-07-19   )))))))))))))))))))))))))))))))
.

2008-07-18 18:55 . 2008-07-18 18:55    <DIR>    d--------    C:\fsaua.data
2008-07-18 16:51 . 2008-07-18 16:51    <DIR>    d--------    C:\Documents and Settings\Beth\Application Data\Malwarebytes
2008-07-18 16:51 . 2008-07-18 16:51    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-18 16:51 . 2008-07-07 17:35    34,296   --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-07-18 16:51 . 2008-07-07 17:35    17,144   --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-07-18 15:29 . 2008-07-18 16:07    <DIR>    d--------    C:\Combo-fix.com
2008-07-18 08:42 . 2008-07-18 08:42    <DIR>    d--------    C:\WINDOWS\SYSTEM32\LogFiles
2008-07-03 15:31 . 2008-07-03 16:20    156,910  --a------    C:\WINDOWS\WMSysPr8.prx
2008-07-03 15:13 . 2008-07-03 16:08    23,392   --a------    C:\WINDOWS\SYSTEM32\nscompat.tlb
2008-07-03 15:13 . 2008-07-03 16:08    16,832   --a------    C:\WINDOWS\SYSTEM32\amcompat.tlb
2008-07-01 14:25 . 2008-07-01 14:25    <DIR>    d--------    C:\Vdefs
2008-07-01 14:16 . 2008-07-01 14:17    <DIR>    d--------    C:\!KillBox
2008-07-01 10:24 . 2008-07-01 10:25    <DIR>    d--------    C:\Program Files\SpywareBlaster
2008-06-30 18:24 . 2008-06-30 18:24    <DIR>    d--------    C:\Documents and Settings\Beth\Application Data\GlarySoft
2008-06-30 18:02 . 2008-06-30 19:03    <DIR>    d--------    C:\Program Files\Max Registry Cleaner
2008-06-30 18:02 . 2007-05-24 16:57    143,360  --a------    C:\WINDOWS\SYSTEM32\GetHardDiskNo.dll
2008-06-30 18:02 . 2008-06-30 18:02    63       --a------    C:\WINDOWS\SYSTEM\SYSRegC.dll
2008-06-30 17:53 . 2008-06-30 17:53    <DIR>    d--------    C:\Program Files\Uniblue
2008-06-30 17:53 . 2008-06-30 17:53    <DIR>    d--------    C:\Documents and Settings\Beth\Application Data\Uniblue
2008-06-30 12:42 . 2008-07-18 18:41    <DIR>    d--------    C:\Program Files\Advanced Spyware Remover
2008-06-28 09:01 . 2008-06-30 22:17    2,070    --a------    C:\WINDOWS\SYSTEM32\tmp.reg
2008-06-27 09:36 . 2008-06-27 09:36    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\LightScribe
2008-06-27 09:30 . 2008-06-27 09:30    <DIR>    d--------    C:\Documents and Settings\Beth\Application Data\vlc
2008-06-27 09:21 . 2008-06-27 09:21    <DIR>    d--------    C:&