Post #1 - Aug 18 2008, 12:26 PM - readyshootaim (New Member; Posts: 8; Joined: 3-May 08; Member No.: 78,830; Operating System: windows xp)
When I right click on my external HDD, at the top "Open" is replaced with some random letters like A-a' or something like that, see the picture here:
[image]
When I double click on it, it gives me an AVG Resident Shield alert, something about Backdoor.Generic.5.WU0 or something, so I told it to heal it, and now when I double click on the shortcut it just says "Access is denied". When I go in with Explore I can see hidden folders that I can't delete, for example this hidden recycle bin thing here ---> there is also a couple of other random files here too.
[image]
Here is my HJT log if this is needed:

Logfile of HijackThis v1.99.1
Scan saved at 11:18:44 AM, on 8/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
I:\AnyDvd\AnyDVD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
I:\nero8\Nero 8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - J:\bit comet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "I:\nero8\Nero 8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [AnyDVD] I:\AnyDvd\AnyDVD.exe
O4 - HKCU\..\Run: [Transparent TaskBar] C:\Program Files\Transparent TaskBar\Transparent TaskBar.EXE -auto_restore
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://J:\bit comet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://J:\bit comet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://J:\bit comet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - J:\bit comet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187569940500
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - I:\nero8\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

I ran a Malwarebytes scan and here are those results:

Malwarebytes' Anti-Malware 1.25
Database version: 1066
Windows 5.1.2600 Service Pack 2

11:43:16 AM 8/18/2008
mbam-log-08-18-2008 (11-43-12).txt
Scan type: Quick Scan
Objects scanned: 70473
Time elapsed: 30 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\SYSTEM\sysold (Adware.Tagasaurus) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Unist1.htm (Malware.Trace) -> No action taken.
C:\WINDOWS\Uninst2.htm (Malware.Trace) -> No action taken.
C:\Documents and Settings\User\Application Data\addon.dat (Malware.Trace) -> No action taken.

This post has been edited by readyshootaim: Aug 18 2008, 12:44 PM
Post #2 - Aug 25 2008, 11:09 AM - SuperHelper (Group: Malware Expert; Posts: 7,062; Joined: 3-December 04; From: Darien, Connecticut; Member No.: 19,436; Operating System: Win Xp Home SP3/ Vista Home Premium SP1)
readyshootaim,

Welcome, don't know if this is malware related or not. Let's go over a few things.

1. Malwarebytes: you ran this with TAKE NO ACTION, which did not accomplish anything. Rerun it, check it all and select Remove Selected.

2. QUOTE
Use of P2P (Person to Person) file sharing programs
We have noticed that most people seeking help from us are coming with infections contracted from the use of P2P programs. Because of this, we felt we needed to change our policy on the use of P2P file sharing programs.
* If your helper detects the presence of such programs on your computer he/she will ask you to remove them. We will withdraw our help should you not agree to their removal.
* If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programmes, we will refuse our help.
We do not ask you to do this without reason. P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme. This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program. http://www.infoworld.com/article/07/...D-theft_1.html
Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use. When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.
We see no purpose in cleaning your machine if you use P2P programs, as it is pretty much certain that if you continue to use them then you will get infected again.

3. What we need to do is first go to your Add Remove Programs in the Control Panel and uninstall BitComet.

4. You're running an outdated version of HJT; drag it to the trash and download and install the latest version by Trend Micro. Download Trend Micro's HijackThis to your desktop.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Post the new Malwarebytes log and a new HJT log by Trend Micro.
Post #3 - Aug 25 2008, 09:52 PM - readyshootaim (New Member; Posts: 8; Joined: 3-May 08; Member No.: 78,830; Operating System: windows xp)
HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:57 PM, on 8/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
I:\AnyDvd\AnyDVD.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
I:\nero8\Nero 8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "I:\nero8\Nero 8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [AnyDVD] I:\AnyDvd\AnyDVD.exe
O4 - HKCU\..\Run: [Transparent TaskBar] C:\Program Files\Transparent TaskBar\Transparent TaskBar.EXE -auto_restore
O4 - HKUS\S-1-5-18\..\Run: [Htpwzdyg] C:\DOCUME~1\User\APPLIC~1\PPATCH~1\WAUCLT~1.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [POSTRBT] C:\Program Files\Norton AntiVirus\Navw32.exe /REMEDIATE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Htpwzdyg] C:\DOCUME~1\User\APPLIC~1\PPATCH~1\WAUCLT~1.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [POSTRBT] C:\Program Files\Norton AntiVirus\Navw32.exe /REMEDIATE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187569940500
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - I:\nero8\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7533 bytes

Malwarebytes log:

Malwarebytes' Anti-Malware 1.25
Database version: 1066
Windows 5.1.2600 Service Pack 2

7:28:42 PM 8/25/2008
mbam-log-08-25-2008 (19-28-42).txt
Scan type: Quick Scan
Objects scanned: 70279
Time elapsed: 31 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Post #4 - Aug 26 2008, 03:19 AM - SuperHelper (Group: Malware Expert; Posts: 7,062; Joined: 3-December 04; From: Darien, Connecticut; Member No.: 19,436; Operating System: Win Xp Home SP3/ Vista Home Premium SP1)
Hello,

Please download ATF Cleaner by Atribune to your desktop.

Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.

Download ComboFix from Here or Here to your Desktop. In the event you already have ComboFix, this is a new version that I need you to download. It must be saved directly to your desktop.

1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
3. Now double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall or freeze.
Post #5 - Aug 26 2008, 04:58 PM - readyshootaim (New Member; Posts: 8; Joined: 3-May 08; Member No.: 78,830; Operating System: windows xp)
Just as a note, an error box came up after clicking on ComboFix with 327882R2FW\hidec.exe at the top, saying "Windows cannot access the specified device.path or file. You may not have appropriate permission to access them". After clicking OK it still scanned. Here is the log -->

ComboFix 08-08-25.01 - User 2008-08-26 10:47:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.589 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 88 bytes in 2 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\#SharedObjects\QDX9F49H\bin.clearspring.com
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\#SharedObjects\QDX9F49H\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\#SharedObjects\QDX9F49H\interclick.com
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\#SharedObjects\QDX9F49H\interclick.com\ud.sol
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\#SharedObjects\QDX9F49H\www.broadcaster.com
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system32\shell386.exe
C:\WINDOWS\system32\systeminfo3.dll
I:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.
2008-08-25 20:49 . 2008-08-25 20:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-18 11:08 . 2008-08-18 11:08 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 11:08 . 2008-08-18 11:08 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-08-18 11:08 . 2008-08-18 11:08 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-08-18 11:08 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 11:08 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-06 16:30 . 2008-08-06 16:30 <DIR> d-------- C:\Program Files\LibUSB-Win32-0.1.10.1
2008-08-06 16:30 . 2005-03-09 20:50 19,456 --a------ C:\WINDOWS\system32\libusbd-9x.exe
2008-08-06 16:30 . 2005-03-09 20:50 18,944 --a------ C:\WINDOWS\system32\libusbd-nt.exe
2008-08-01 12:56 . 2008-08-25 17:14 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google Updater
2008-07-26 17:05 . 2008-08-09 18:38 <DIR> d-------- C:\Documents and Settings\User\Application Data\Vso
2008-07-26 17:05 . 2008-08-09 18:38 81,920 --a------ C:\Documents and Settings\User\Application Data\ezpinst.exe
2008-07-26 17:05 . 2008-07-26 17:05 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-26 17:05 . 2008-08-09 18:38 47,360 --a------ C:\Documents and Settings\User\Application Data\pcouffin.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 00:52 --------- d-----w C:\Documents and Settings\User\Application Data\U3
2008-08-24 20:11 --------- d-----w C:\Program Files\Lx_cats
2008-08-22 18:56 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\DVD Shrink
2008-08-18 03:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-17 04:31 --------- d-----w C:\Documents and Settings\User\Application Data\dvdcss
2008-08-01 19:58 --------- d-----w C:\Program Files\Google
2008-07-15 01:36 --------- d-----w C:\Documents and Settings\User\Application Data\Move Networks
2008-07-08 23:26 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-08 23:26 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-02-20 02:15 31,776 -c--a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2006-04-29 19:31 1 -c--a-w C:\Documents and Settings\User\SI.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="???\WkDetect.exe" [?]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"AnyDVD"="I:\AnyDvd\AnyDVD.exe" [2007-06-27 14:11 342636]
"Transparent TaskBar"="C:\Program Files\Transparent TaskBar\Transparent TaskBar.EXE" [2005-11-04 09:14 41472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-04-10 09:28 34816]
"Lexmark 5200 series"="C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe" [2004-06-04 06:58 57344]
"LXBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 13:30 65536]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17 159744]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-08 15:00 128920]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="I:\nero8\Nero 8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-08 16:26 1232152]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-09-15 22:03:02 113664]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 16:06:54 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^dlbcserv.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\dlbcserv.lnk
backup=C:\WINDOWS\pss\dlbcserv.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^gwum.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\gwum.lnk
backup=C:\WINDOWS\pss\gwum.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^jgwib.exe]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\jgwib.exe
backup=C:\WINDOWS\pss\jgwib.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cnum]
C:\Program Files\F?nts\l?gonui.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
???\WkDetect.exe [?]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmwav
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pppytl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2005-08-12 15:43 45056 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mi-raysat_3dsmax8"=2 (0x2)
"IDriverT"=3 (0x3)
"Network Monitor"=2 (0x2)
"EPSONStatusAgent2"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"I:\\Starcraft\\StarCraft.exe"=
"J:\\Halflife 2\\Steam.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"I:\\MySpaceMp3Gopher.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17889:TCP"= 17889:TCP:BitComet 17889 TCP
"17889:UDP"= 17889:UDP:BitComet 17889 UDP

R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\system32\DRIVERS\sonyhcb.sys [2001-11-05 10:23]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-08 16:26]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-08 16:26]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;C:\WINDOWS\system32\drivers\libusb0.sys [2005-03-09 20:50]
S3 iMSPCLOj;iMSPCLOj;C:\DOCUME~1\User\LOCALS~1\Temp\iMSPCLOj.sys []
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\drivers\lccfltr.sys [2004-03-03 09:50]
S3 SER120;OTI Serial port driver;C:\WINDOWS\system32\DRIVERS\SER120.sys [2004-11-23 19:09]
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\system32\DRIVERS\sonyhcs.sys [2001-11-05 10:23]
S3 z520bus;Sony Ericsson 520 driver (WDM);C:\WINDOWS\system32\DRIVERS\z520bus.sys [2006-03-13 19:54]
S3 z520mdfl;Sony Ericsson 520 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\z520mdfl.sys [2006-03-13 19:54]
S3 z520mdm;Sony Ericsson 520 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\z520mdm.sys [2006-03-13 19:54]
S3 z520mgmt;Sony Ericsson 520 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\z520mgmt.sys [2006-03-13 19:54]
S3 z520obex;Sony Ericsson 520 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\z520obex.sys [2006-03-13 19:54]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;i:\Visual Studio\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 07:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{268738ce-c6b1-11db-8c3a-000d61c1efb2}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{607f01e2-1531-11dd-970c-000d61c1efb2}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Htpwzdyg - C:\DOCUME~1\User\APPLIC~1\PPATCH~1\WAUCLT~1.EXE
HKU-Default-RunOnce-POSTRBT - C:\Program Files\Norton AntiVirus\Navw32.exe
ShellExecuteHooks-{40847941-2F5E-4BEB-802C-74849B8BA2E4} - (no file)
MSConfigStartUp-mmtask - C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
MSConfigStartUp-System - C:\WINDOWS\system32\kernels8.exe
MSConfigStartUp-TheMonitor - C:\WINDOWS\SYSC00.exe
MSConfigStartUp-UpdReg - C:\WINDOWS\UpdReg.EXE
MSConfigStartUp-Wallpaper Manager - C:\Program Files\Adolix\Adolix Wallpaper Changer\AWC.exe
MSConfigStartUp-Windows update loader - C:\Windows\xpupdate.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\46wl92zj.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - www.yahoo.com FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1273.1045\npCIDetect12.dll FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll FF -: plugin - C:\Program Files\Java\jre1.5.0_01\bin\NPJava11.dll FF -: plugin - C:\Program Files\Java\jre1.5.0_01\bin\NPJava12.dll FF -: plugin - C:\Program Files\Java\jre1.5.0_01\bin\NPJava13.dll FF -: plugin - C:\Program Files\Java\jre1.5.0_01\bin\NPJava14.dll FF -: plugin - C:\Program Files\Java\jre1.5.0_01\bin\NPJava32.dll FF -: plugin - C:\Program Files\Java\jre1.5.0_01\bin\NPJPI150_01.dll FF -: plugin - C:\Program Files\Java\jre1.5.0_01\bin\NPOJI610.dll . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-26 10:52:14 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run LXBTCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
Completion time: 2008-08-26 10:55:38 ComboFix-quarantined-files.txt 2008-08-26 17:54:45 ComboFix2.txt 2007-08-16 19:04:52 Pre-Run: 11,279,618,048 bytes free Post-Run: 11,859,202,048 bytes free 202 --- E O F --- 2008-08-14 19:06:21 HJT log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:58:20 PM, on 8/26/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\system32\libusbd-nt.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe C:\Program Files\Lexmark 5200 series\lxbtbmon.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\iTunes\iTunesHelper.exe I:\AnyDvd\AnyDVD.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe I:\nero8\Nero 8\Nero BackItUp\NBService.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - 
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe" O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe O4 - HKLM\..\Run: [NBKeyScan] "I:\nero8\Nero 8\Nero BackItUp\NBKeyScan.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 O4 - HKCU\..\Run: [AnyDVD] I:\AnyDvd\AnyDVD.exe O4 - HKCU\..\Run: [Transparent TaskBar] C:\Program 
Files\Transparent TaskBar\Transparent TaskBar.EXE -auto_restore O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187569940500 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: avgrsstx.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. 
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - I:\nero8\Nero 8\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe -- End of file - 6550 bytes |
Aug 26 2008, 06:21 PM, Post #6
SuperHelper
Group: Malware Expert
Posts: 7,062
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP3/ Vista Home Premium SP1
Go to your Add Remove Programs in the Control Panel and uninstall Limewire
Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

CODE
File::
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\jgwib.exe
C:\WINDOWS\pss\jgwib.exe

Folder::
C:\Program Files\F?nts

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^jgwib.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cnum]

Save this as CFScript to your desktop. Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
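The CFScript above targets four kinds of entries that stand out in a ComboFix log: a bare executable sitting in the Startup folder (jgwib.exe), a folder name with characters ComboFix prints as "?" (F?nts, a look-alike of Fonts), a driver loading from a Temp directory, and Security Center overrides that silence the missing-antivirus warning. The script below is an added example, written for this page and not part of the thread, ComboFix or HijackThis: it runs a handful of such heuristics over log lines and reports which lines deserve a second look. The rule names and regular expressions are my own assumptions about what to flag; the sample lines are copied from the ComboFix log posted earlier in the thread, with two benign entries added as constructed input.

```python
"""Triage heuristics for ComboFix / HijackThis log lines.

Added example, not from the thread. A hit means "look at this entry",
not "this is malware"; a human still decides what goes into a CFScript.
"""
import re
from typing import Callable, List, NamedTuple, Tuple


class Finding(NamedTuple):
    rule: str
    line: str


# A Windows path as ComboFix prints it: a drive letter, or "???" when ComboFix
# could not resolve the directory, up to the closing quote or the " [date size]" bracket.
_PATH = re.compile(r"(?:[A-Za-z]:|\?+)\\[^\"\[\]]+?(?=\s\[|\"|$)")

# Legitimate Startup-folder entries are .lnk shortcuts; a bare executable dropped
# there (jgwib.exe in the log above) is a persistence trick.
_STARTUP_EXE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\\"\[\]]+\.(?:exe|com|scr|pif|bat|cmd|vbs)\b", re.I)

# Kernel drivers have no business loading from a user's Temp directory.
_TEMP_SYS = re.compile(r"\\Temp\\[^\\\s;\[\]]+\.sys\b", re.I)

# Non-zero Security Center overrides silence the "no antivirus / no firewall" warnings.
_SC_OVERRIDE = re.compile(
    r"\"(?:AntiVirus|Firewall|Updates)(?:DisableNotify|Override)\"=dword:0000000[1-9]", re.I)

# AutoRun commands bound to a MountPoints2 entry run when a removable drive is double-clicked.
_AUTORUN = re.compile(r"\\Shell\\AutoRun\\command\s*-\s*\S", re.I)


def _lookalike_path(line: str) -> bool:
    """True when a path on the line contains '?', a character ComboFix could not render.

    Catches look-alike names built from non-ASCII letters (the F?nts / l?gonui.exe
    entry), but also fires on entries ComboFix merely failed to resolve, such as the
    ???\\WkDetect.exe line, so a hit means "verify by hand", not "malicious".
    """
    return any("?" in m.group(0) for m in _PATH.finditer(line))


RULES: List[Tuple[str, Callable[[str], bool]]] = [
    ("exe-in-startup-folder", lambda ln: bool(_STARTUP_EXE.search(ln))),
    ("lookalike-chars-in-path", _lookalike_path),
    ("driver-in-temp", lambda ln: bool(_TEMP_SYS.search(ln))),
    ("security-center-override", lambda ln: bool(_SC_OVERRIDE.search(ln))),
    ("mountpoint-autorun", lambda ln: bool(_AUTORUN.search(ln))),
]


def triage(log_text: str) -> List[Finding]:
    """Run every rule over every non-empty line; a line may trigger more than one rule."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, check in RULES:
            if check(line):
                findings.append(Finding(name, line))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Hit count per rule, for a quick read of where to look first."""
    counts: dict = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Sample lines copied from the ComboFix log posted in this thread, plus two benign
# AVG / Logitech entries (constructed input for this example).
SAMPLE_LOG = r"""
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-08 16:26 1232152]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^jgwib.exe]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\jgwib.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cnum]
C:\Program Files\F?nts\l?gonui.exe [?]
"Microsoft Works Update Detection"="???\WkDetect.exe" [?]
S3 iMSPCLOj;iMSPCLOj;C:\DOCUME~1\User\LOCALS~1\Temp\iMSPCLOj.sys []
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
\Shell\AutoRun\command - G:\LaunchU3.exe -a
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.rule:26} {f.line}")
    print(summarize(results))
```

Run against the sample, the two benign Run entries produce nothing, the jgwib.exe path line, the F?nts line, the Temp-resident driver, both Security Center values and the AutoRun command are each flagged once, and the ???\WkDetect.exe line is flagged as a lookalike path even though it is probably just an unresolved Works entry. That last hit is deliberate: the rules are a review queue, and a helper reading the output still has to decide, as the expert did above, which entries belong in a CFScript.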
Aug 27 2008, 02:32 PM, Post #7
New Member
Group: New Member
Posts: 8
Joined: 3-May 08
Member No.: 78,830
Operating System: windows xp
ComboFix 08-08-25.01 - User 2008-08-27 13:18:38.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.603 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\jgwib.exe
C:\WINDOWS\pss\jgwib.exe
.

((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.

2008-08-25 20:49 . 2008-08-25 20:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-18 11:08 . 2008-08-18 11:08 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 11:08 . 2008-08-18 11:08 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-08-18 11:08 . 2008-08-18 11:08 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-08-18 11:08 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 11:08 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-06 16:30 . 2008-08-06 16:30 <DIR> d-------- C:\Program Files\LibUSB-Win32-0.1.10.1
2008-08-06 16:30 . 2005-03-09 20:50 19,456 --a------ C:\WINDOWS\system32\libusbd-9x.exe
2008-08-06 16:30 . 2005-03-09 20:50 18,944 --a------ C:\WINDOWS\system32\libusbd-nt.exe
2008-08-01 12:56 . 2008-08-25 17:14 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google Updater

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 00:52 --------- d-----w C:\Documents and Settings\User\Application Data\U3
2008-08-24 20:11 --------- d-----w C:\Program Files\Lx_cats
2008-08-22 18:56 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\DVD Shrink
2008-08-18 03:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-17 04:31 --------- d-----w C:\Documents and Settings\User\Application Data\dvdcss
2008-08-10 01:38 81,920 ----a-w C:\Documents and Settings\User\Application Data\ezpinst.exe
2008-08-10 01:38 47,360 ----a-w C:\Documents and Settings\User\Application Data\pcouffin.sys
2008-08-10 01:38 --------- d-----w C:\Documents and Settings\User\Application Data\Vso
2008-08-01 19:58 --------- d-----w C:\Program Files\Google
2008-07-27 00:05 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-15 01:36 --------- d-----w C:\Documents and Settings\User\Application Data\Move Networks
2008-07-08 23:26 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-08 23:26 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-02-20 02:15 31,776 -c--a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2006-04-29 19:31 1 -c--a-w C:\Documents and Settings\User\SI.bin

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="???\WkDetect.exe" [?]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"AnyDVD"="I:\AnyDvd\AnyDVD.exe" [2007-06-27 14:11 342636]
"Transparent TaskBar"="C:\Program Files\Transparent TaskBar\Transparent TaskBar.EXE" [2005-11-04 09:14 41472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-04-10 09:28 34816]
"Lexmark 5200 series"="C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe" [2004-06-04 06:58 57344]
"LXBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 13:30 65536]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17 159744]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-08 15:00 128920]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="I:\nero8\Nero 8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-08 16:26 1232152]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-09-15 22:03:02 113664]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 16:06:54 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders    msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^dlbcserv.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\dlbcserv.lnk
backup=C:\WINDOWS\pss\dlbcserv.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^gwum.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\gwum.lnk
backup=C:\WINDOWS\pss\gwum.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
???\WkDetect.exe [?]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmwav
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pppytl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2005-08-12 15:43 45056 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mi-raysat_3dsmax8"=2 (0x2)
"IDriverT"=3 (0x3)
"Network Monitor"=2 (0x2)
"EPSONStatusAgent2"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"I:\\Starcraft\\StarCraft.exe"=
"J:\\Halflife 2\\Steam.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"I:\\MySpaceMp