Jump to content

Build Theme!
  •  
  • Infected?

Welcome to What the Tech Forums - Register now for FREE

We're your place for tech questions. Join 87596 others, and join the conversation. Ask questions. Find answers. Share your ideas and opinions. Browse our community. You'll find experts who enjoy helping others. Who explain technical issues in a non-technical way that anyone can understand. Create an account today (it's 100% free)!

Create an Account Login to Account


Photo

[Resolved] My Computer is infected, Please help ASAP


  • This topic is locked This topic is locked
10 replies to this topic

#1 montabellrose

montabellrose

    Authentic Member

  • Authentic Member
  • PipPip
  • 52 posts

Posted 29 January 2008 - 08:32 PM

Well, i've tried a couple different spyware removal programs and nothing is helping. My internet is going extremely slow. I try to go to my calander on the taskbar and it says "windows cannot find 'C:\WINDOWS\system32\rundll32.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click search." this also appears when i try to remove programs. While browsing the internet i get alot of ads that pop up and are very annoying.

here's my hijack this. help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 6:26:09 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Monta Bellrose\Desktop\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {8c65531c-754a-078a-7bd4-e469bc070d5d} - {d5d070cb-964e-4db7-a870-a457c13556c8} - C:\WINDOWS\system32\ngusgmdu.dll
O2 - BHO: (no name) - {FA16FE06-B462-470E-9653-79C54B1871FF} - C:\WINDOWS\system32\awtqnno.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [dont-touch-my-ads] C:\Documents and Settings\Monta Bellrose\Desktop\Dont-Touch-My-Ads.exe
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [BMf797109a] Rundll32.exe "C:\WINDOWS\system32\qtsbofxn.dll",s
O4 - HKLM\..\Run: [f4a42306] rundll32.exe "C:\WINDOWS\system32\dikfjgyv.dll",b
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B445C4EE-C935-4461-933F-171F7EB9303D}: NameServer = 62.217.54.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC8DA83D-DAFA-4BE6-86D5-457F645A61DF}: NameServer = 62.217.54.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{E30D886A-BD3F-420A-AFCF-A962041098BB}: NameServer = 62.217.54.69
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtqnno - C:\WINDOWS\SYSTEM32\awtqnno.dll
O20 - Winlogon Notify: wingsa32 - wingsa32.dll (file missing)
O20 - Winlogon Notify: wvudesnm - wvudesnm.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\udcrhvdd.exe (file missing)
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

#2 LDTate

LDTate

    Forum God

  • Root Admin
  • 56,590 posts
  • MVP

Posted 06 February 2008 - 04:03 PM

I don't see a anti-virus program running. Get this free one.

Click HERE Click the Download Now and Save, Install, Update and run a full scan.


Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment

#3 montabellrose

montabellrose

    Authentic Member

  • Authentic Member
  • PipPip
  • 52 posts

Posted 06 February 2008 - 10:18 PM

tried installing AVG and this error came up.... Local machine: installation failed Installation: Error: Action failed for file avgamsvr.exe: starting service.... Access is denied. (5)

#4 LDTate

LDTate

    Forum God

  • Root Admin
  • 56,590 posts
  • MVP

Posted 07 February 2008 - 06:26 AM

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

#5 montabellrose

montabellrose

    Authentic Member

  • Authentic Member
  • PipPip
  • 52 posts

Posted 07 February 2008 - 08:27 PM

Combo Fix:

ComboFix 08-02.05.3 - Monta Bellrose 2008-02-07 18:13:12.14 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.420 [GMT -8:00]
Running from: C:\Documents and Settings\Monta Bellrose\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awtqnno.dll
C:\WINDOWS\system32\geebb.dll
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Monta Bellrose\Favorites\Online Security Guide.lnk
C:\Program Files\Helper
C:\Program Files\Helper\superfinderusa.dll
C:\Program Files\Helper\superfindout.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\msettings.ini
C:\WINDOWS\system32\aagjnxxc.dll
C:\WINDOWS\system32\afrxgkwe.dll
C:\WINDOWS\system32\aiumyuqm.ini
C:\WINDOWS\system32\akxeskoc.dll
C:\WINDOWS\system32\awtqnno.dll
C:\WINDOWS\system32\axeaaljk.dll
C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\bemyvpqm.dll
C:\WINDOWS\system32\bkyjbmbo.dll
C:\WINDOWS\system32\bouhegog.ini
C:\WINDOWS\system32\caknjhfh.dll
C:\WINDOWS\system32\cbpgqfiy.dll
C:\WINDOWS\system32\cbvyeusd.ini
C:\WINDOWS\system32\cvrfcpki.dll
C:\WINDOWS\system32\cxxnjgaa.ini
C:\WINDOWS\system32\ddhjispo.ini
C:\WINDOWS\system32\ddjeojbj.dll
C:\WINDOWS\system32\dghwswgv.dll
C:\WINDOWS\system32\dikfjgyv.dll
C:\WINDOWS\system32\drvjonr.dll
C:\WINDOWS\system32\dsueyvbc.dll
C:\WINDOWS\system32\duqrrmxo.dll
C:\WINDOWS\system32\dvvfoqvi.dll
C:\WINDOWS\system32\efccaxw.dll
C:\WINDOWS\system32\ekmdxvxp.dll
C:\WINDOWS\system32\euxdargy.dll
C:\WINDOWS\system32\fihvtoig.dll
C:\WINDOWS\system32\fnnohode.dll
C:\WINDOWS\system32\fyvbpplk.dll
C:\WINDOWS\system32\gdamckha.dll
C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\gfpqcjtk.dll
C:\WINDOWS\system32\giotvhif.ini
C:\WINDOWS\system32\gmyxjquw.ini
C:\WINDOWS\system32\gsvqvhat.dll
C:\WINDOWS\system32\gxnprckk.dll
C:\WINDOWS\system32\hfhjnkac.ini
C:\WINDOWS\system32\hvrgqeit.ini
C:\WINDOWS\system32\ibnxudsd.dll
C:\WINDOWS\system32\ifjljhcw.dll
C:\WINDOWS\system32\igivqqyl.ini
C:\WINDOWS\system32\iijshmio.dll
C:\WINDOWS\system32\ijkmp.ini
C:\WINDOWS\system32\ijkmp.ini2
C:\WINDOWS\system32\ijlfrghr.ini
C:\WINDOWS\system32\jdpifxwu.ini
C:\WINDOWS\system32\josvpvws.dll
C:\WINDOWS\system32\kfpeqmhs.ini
C:\WINDOWS\system32\kfsxbopc.ini
C:\WINDOWS\system32\klbvlxox.dll
C:\WINDOWS\system32\klppbvyf.ini
C:\WINDOWS\system32\lkaufpof.dll
C:\WINDOWS\system32\lkifpfbv.dll
C:\WINDOWS\system32\lmmmxieq.dll
C:\WINDOWS\system32\lnjaytpu.dll
C:\WINDOWS\system32\ltnxlgce.dll
C:\WINDOWS\system32\ltwnoqsf.dll
C:\WINDOWS\system32\lyqqvigi.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mjhxquis.dll
C:\WINDOWS\system32\mpnddxyv.dll
C:\WINDOWS\system32\msbxelvy.dll
C:\WINDOWS\system32\mtdwruxb.dll
C:\WINDOWS\system32\nfillfdw.ini
C:\WINDOWS\system32\ngusgmdu.dll
C:\WINDOWS\system32\obuvubfu.dll
C:\WINDOWS\system32\oglhkprx.dll
C:\WINDOWS\system32\oimhsjii.ini
C:\WINDOWS\system32\opfjqsxp.ini
C:\WINDOWS\system32\opsijhdd.dll
C:\WINDOWS\system32\oviksctc.dll
C:\WINDOWS\system32\oxmrrqud.ini
C:\WINDOWS\system32\plwglwki.dll
C:\WINDOWS\system32\pnfxwakq.ini
C:\WINDOWS\system32\pvsewkcl.ini
C:\WINDOWS\system32\pvuhoqrj.dll
C:\WINDOWS\system32\qafkqmms.ini
C:\WINDOWS\system32\qbwuveam.dll
C:\WINDOWS\system32\qfaemgxm.dll
C:\WINDOWS\system32\qjesyjth.dll
C:\WINDOWS\system32\qkawxfnp.dll
C:\WINDOWS\system32\qmttwvyc.dll
C:\WINDOWS\system32\qqcqqcgm.ini
C:\WINDOWS\system32\qstwa.ini
C:\WINDOWS\system32\qstwa.ini2
C:\WINDOWS\system32\qtsbofxn.dll
C:\WINDOWS\system32\qvjtgmpj.dll
C:\WINDOWS\system32\ricakgts.ini
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\rstwa.ini2
C:\WINDOWS\system32\rsxderer.dll
C:\WINDOWS\system32\rxlmbfdy.dll
C:\WINDOWS\system32\sfuyvfri.ini
C:\WINDOWS\system32\shmqepfk.dll
C:\WINDOWS\system32\slvurmuj.dll
C:\WINDOWS\system32\swefwiep.dll
C:\WINDOWS\system32\tahvqvsg.ini
C:\WINDOWS\system32\tieqgrvh.dll
C:\WINDOWS\system32\tltnmlny.dll
C:\WINDOWS\system32\trfmcvtx.dll
C:\WINDOWS\system32\ubtmxnva.dll
C:\WINDOWS\system32\uwxfipdj.dll
C:\WINDOWS\system32\vbekkceg.dll
C:\WINDOWS\system32\vcevnfmq.ini
C:\WINDOWS\system32\vtvmkroe.dll
C:\WINDOWS\system32\vukjwkvl.dll
C:\WINDOWS\system32\vygjfkid.ini
C:\WINDOWS\system32\vyxddnpm.ini
C:\WINDOWS\system32\wchjljfi.ini
C:\WINDOWS\system32\wdfllifn.dll
C:\WINDOWS\system32\whbdhlxh.dll
C:\WINDOWS\system32\wsyipyfd.dll
C:\WINDOWS\system32\wuqjxymg.dll
C:\WINDOWS\system32\wvudesnm.dllbox
C:\WINDOWS\system32\wybeg.ini
C:\WINDOWS\system32\wybeg.ini2
C:\WINDOWS\system32\wyrwcdye.dll
C:\WINDOWS\system32\xdabkwpt.dll
C:\WINDOWS\system32\xntxnlue.dll
C:\WINDOWS\system32\xpgoqnaw.dll
C:\WINDOWS\system32\xrpkhlgo.ini
C:\WINDOWS\system32\xybjeela.dll
C:\WINDOWS\system32\yccdd.ini
C:\WINDOWS\system32\yccdd.ini2
C:\WINDOWS\system32\ydjcvvfd.dll
C:\WINDOWS\system32\ygradxue.ini
C:\WINDOWS\system32\yifqgpbc.ini
C:\WINDOWS\system32\yuklagof.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SYMAVC32


((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-06 22:24 . 2008-02-06 22:24 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-06 21:05 . 2008-02-06 21:26 <DIR> d-------- C:\Documents and Settings\Monta Bellrose\.housecall6.6
2008-02-06 15:16 . 2004-08-03 23:56 40,448 --a------ C:\WINDOWS\system32\rundll32.exe
2008-02-05 06:35 . 2008-02-05 06:35 90,688 --a------ C:\WINDOWS\system32\smmqkfaq.dll
2008-01-29 22:48 . 2008-01-31 21:27 <DIR> d-------- C:\Program Files\BitComet
2008-01-29 22:48 . 2008-02-06 20:03 <DIR> d-------- C:\Downloads
2008-01-29 22:48 . 2008-01-29 22:48 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-01-29 17:43 . 2008-02-06 19:35 <DIR> d-------- C:\Program Files\ClamWin
2008-01-29 17:43 . 2008-01-29 17:44 <DIR> d-------- C:\Documents and Settings\Monta Bellrose\Application Data\.clamwin
2008-01-29 17:43 . 2008-01-29 17:43 <DIR> d-------- C:\Documents and Settings\All Users\.clamwin
2008-01-29 07:51 . 2008-01-29 07:51 85,568 --a------ C:\WINDOWS\system32\klmvsbpy.exe
2008-01-19 10:54 . 2008-01-19 10:54 85,568 --a------ C:\WINDOWS\system32\bulnwrgr.exe
2008-01-18 10:57 . 2008-01-18 10:57 85,568 --a------ C:\WINDOWS\system32\mhwxdmpx.exe
2008-01-17 10:51 . 2008-01-18 10:52 294 --ahs---- C:\WINDOWS\system32\kncxtxfs.ini
2008-01-11 10:50 . 2008-02-06 06:34 49 --a------ C:\WINDOWS\BMf797109a.xml
2008-01-11 10:50 . 2008-02-07 18:13 21 --a------ C:\WINDOWS\pskt.ini
2008-01-09 13:51 . 2008-01-09 13:51 85,568 --a------ C:\WINDOWS\system32\nfpjqrxj.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 05:04 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-02-07 04:48 --------- d-----w C:\Program Files\Java
2008-02-07 03:35 --------- d-----w C:\Program Files\Apple Software Update
2008-02-07 03:32 --------- d-----w C:\Program Files\Last.fm
2008-02-06 22:19 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-30 04:20 --------- d-----w C:\Documents and Settings\Monta Bellrose\Application Data\Azureus
2008-01-30 01:44 --------- d-----w C:\Documents and Settings\Monta Bellrose\Application Data\.clamwin
2008-01-07 04:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Last.fm
2008-01-03 07:44 --------- d-----w C:\Documents and Settings\Monta Bellrose\Application Data\Uniblue
2007-12-24 22:12 --------- d-----w C:\Program Files\Azureus
2007-12-23 20:42 --------- d-----w C:\Program Files\DIFX
2007-12-11 06:37 --------- d-----w C:\Program Files\Acoustica MP3 Audio Mixer
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2005-05-24 00:17 32256 C:\WINDOWS\MIDIDEF.EXE]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-07-15 12:23 5674352]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-14 14:37 975872]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 10:28 147456]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 13:06 1327104]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-07-16 14:17 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2005-05-24 00:28 23552 C:\WINDOWS\CTHELPER.EXE]
"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2005-03-28 13:25 1028096]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 16:49 65536]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 163840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 294912]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"dont-touch-my-ads"="C:\Documents and Settings\Monta Bellrose\Desktop\Dont-Touch-My-Ads.exe" [ ]
"lxccmon.exe"="C:\Program Files\Lexmark 3300 Series\lxccmon.exe" [2005-02-21 05:21 200704]
"VTTimer"="VTTimer.exe" [2006-09-14 17:54 61440 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2007-04-25 14:41 184320 C:\WINDOWS\system32\VTTrayp.exe]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2008-01-20 22:08 86016]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-01-23 14:47 856064]

C:\Documents and Settings\Monta Bellrose\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-01-06 20:01:10 114688]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-26 22:42:38 120832]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingsa32]
wingsa32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvudesnm]
wvudesnm.dll

R0 UNPR;UNPR;C:\WINDOWS\system32\unpr.sys [2007-11-11 01:23]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 18:17]
S3 PL-40R;CASIO USB MIDI;C:\WINDOWS\system32\Drivers\pl40rwdm.sys [2004-09-30 23:08]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-07 21:57:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 07:33:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-01-03 07:33:01 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 18:20:33
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2008-02-07 18:23:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-08 02:23:30
ComboFix2.txt 2008-02-07 09:38:22
ComboFix3.txt 2008-01-20 01:37:06
ComboFix4.txt 2008-01-03 07:07:16
.
2008-01-10 03:01:40 --- E O F ---




HI JACK THIS :

Logfile of HijackThis v1.99.1
Scan saved at 6:27:28 PM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Monta Bellrose\Desktop\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [dont-touch-my-ads] C:\Documents and Settings\Monta Bellrose\Desktop\Dont-Touch-My-Ads.exe
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wingsa32 - wingsa32.dll (file missing)
O20 - Winlogon Notify: wvudesnm - wvudesnm.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

#6 LDTate

LDTate

    Forum God

  • Root Admin
  • 56,590 posts
  • MVP

Posted 07 February 2008 - 08:48 PM

Did you have ClamWin antivirus?

If your spyhunter is the paid for don't remove it.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\smmqkfaq.dll
C:\WINDOWS\system32\klmvsbpy.exe
C:\WINDOWS\system32\bulnwrgr.exe
C:\WINDOWS\system32\mhwxdmpx.exe
C:\WINDOWS\system32\kncxtxfs.ini
C:\WINDOWS\BMf797109a.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\nfpjqrxj.exe
C:\Documents and Settings\Monta Bellrose\Desktop\Dont-Touch-My-Ads.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

Folder::
C:\Program Files\Enigma Software Group\SpyHunter
C:\Program Files\Enigma Software Group

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dont-touch-my-ads"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingsa32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvudesnm]


Save this as Save this as "CFScript"


Posted Image

Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.

#7 montabellrose

montabellrose

    Authentic Member

  • Authentic Member
  • PipPip
  • 52 posts

Posted 07 February 2008 - 10:10 PM

yes i have Clamwin.. i used it the other day though and when it was done scanning it ended up moving explorer to the quarantine folder and it took me awhile to fix that.

my computer's running better i'd say.. no pop ups so far.

COMBO:

ComboFix 08-02.05.3 - Monta Bellrose 2008-02-07 20:05:38.15 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.566 [GMT -8:00]
Running from: C:\Documents and Settings\Monta Bellrose\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Monta Bellrose\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\Monta Bellrose\Desktop\Dont-Touch-My-Ads.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\WINDOWS\BMf797109a.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bulnwrgr.exe
C:\WINDOWS\system32\klmvsbpy.exe
C:\WINDOWS\system32\kncxtxfs.ini
C:\WINDOWS\system32\mhwxdmpx.exe
C:\WINDOWS\system32\nfpjqrxj.exe
C:\WINDOWS\system32\smmqkfaq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Enigma Software Group
C:\Program Files\Enigma Software Group\SpyHunter\ActiveKill.dll
C:\Program Files\Enigma Software Group\SpyHunter\ActiveXKill.dll
C:\Program Files\Enigma Software Group\SpyHunter\AXList.txt
C:\Program Files\Enigma Software Group\SpyHunter\br.exe
C:\Program Files\Enigma Software Group\SpyHunter\Common.dll
C:\Program Files\Enigma Software Group\SpyHunter\def.dat
C:\Program Files\Enigma Software Group\SpyHunter\EnigmaUpdater.dll
C:\Program Files\Enigma Software Group\SpyHunter\HelpDesk.dll
C:\Program Files\Enigma Software Group\SpyHunter\HFMonitor.dll
C:\Program Files\Enigma Software Group\SpyHunter\INSTALL.LOG
C:\Program Files\Enigma Software Group\SpyHunter\install.sss
C:\Program Files\Enigma Software Group\SpyHunter\Language.dll
C:\Program Files\Enigma Software Group\SpyHunter\NetworkSentry.dll
C:\Program Files\Enigma Software Group\SpyHunter\Options.dll
C:\Program Files\Enigma Software Group\SpyHunter\ProcessGuard.dll
C:\Program Files\Enigma Software Group\SpyHunter\RegistryGuard.dll
C:\Program Files\Enigma Software Group\SpyHunter\scan.log
C:\Program Files\Enigma Software Group\SpyHunter\Scanner.dll
C:\Program Files\Enigma Software Group\SpyHunter\Scheduler.dll
C:\Program Files\Enigma Software Group\SpyHunter\SHDS.mht
C:\Program Files\Enigma Software Group\SpyHunter\spyhunter.log
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.chm
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.skn
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
C:\Program Files\Enigma Software Group\SpyHunter\support.log
C:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe
C:\Program Files\Enigma Software Group\SpyHunter\Updater.dll
C:\Program Files\Enigma Software Group\SpyHunter\whitelist.dat
C:\Program Files\Enigma Software Group\SpyHunter\WSAMonitor.dll
C:\WINDOWS\BMf797109a.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bulnwrgr.exe
C:\WINDOWS\system32\klmvsbpy.exe
C:\WINDOWS\system32\kncxtxfs.ini
C:\WINDOWS\system32\mhwxdmpx.exe
C:\WINDOWS\system32\nfpjqrxj.exe
C:\WINDOWS\system32\smmqkfaq.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-07 18:11 . 2004-08-03 23:56 395,776 --a------ C:\kmd.exe
2008-02-06 21:05 . 2008-02-06 21:26 <DIR> d-------- C:\Documents and Settings\Monta Bellrose\.housecall6.6
2008-02-06 15:16 . 2004-08-03 23:56 40,448 --a------ C:\WINDOWS\system32\rundll32.exe
2008-01-29 22:48 . 2008-01-31 21:27 <DIR> d-------- C:\Program Files\BitComet
2008-01-29 22:48 . 2008-02-06 20:03 <DIR> d-------- C:\Downloads
2008-01-29 22:48 . 2008-01-29 22:48 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-01-29 17:43 . 2008-02-06 19:35 <DIR> d-------- C:\Program Files\ClamWin
2008-01-29 17:43 . 2008-01-29 17:44 <DIR> d-------- C:\Documents and Settings\Monta Bellrose\Application Data\.clamwin
2008-01-29 17:43 . 2008-01-29 17:43 <DIR> d-------- C:\Documents and Settings\All Users\.clamwin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 05:04 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-02-07 04:48 --------- d-----w C:\Program Files\Java
2008-02-07 03:35 --------- d-----w C:\Program Files\Apple Software Update
2008-02-07 03:32 --------- d-----w C:\Program Files\Last.fm
2008-02-06 22:19 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-30 04:20 --------- d-----w C:\Documents and Settings\Monta Bellrose\Application Data\Azureus
2008-01-30 01:44 --------- d-----w C:\Documents and Settings\Monta Bellrose\Application Data\.clamwin
2008-01-07 04:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Last.fm
2008-01-03 07:44 --------- d-----w C:\Documents and Settings\Monta Bellrose\Application Data\Uniblue
2008-01-03 07:38 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-01-03 07:38 104,448 ----a-w C:\WINDOWS\system32\drvjon.dll
2007-12-24 22:12 --------- d-----w C:\Program Files\Azureus
2007-12-23 20:42 --------- d-----w C:\Program Files\DIFX
2007-12-11 06:37 --------- d-----w C:\Program Files\Acoustica MP3 Audio Mixer
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2005-05-24 00:17 32256 C:\WINDOWS\MIDIDEF.EXE]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-07-15 12:23 5674352]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-14 14:37 975872]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 10:28 147456]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 13:06 1327104]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-07-16 14:17 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2005-05-24 00:28 23552 C:\WINDOWS\CTHELPER.EXE]
"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2005-03-28 13:25 1028096]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 16:49 65536]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 163840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 294912]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"lxccmon.exe"="C:\Program Files\Lexmark 3300 Series\lxccmon.exe" [2005-02-21 05:21 200704]
"VTTimer"="VTTimer.exe" [2006-09-14 17:54 61440 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2007-04-25 14:41 184320 C:\WINDOWS\system32\VTTrayp.exe]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2008-01-20 22:08 86016]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [ ]

C:\Documents and Settings\Monta Bellrose\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-01-06 20:01:10 114688]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-26 22:42:38 120832]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 UNPR;UNPR;C:\WINDOWS\system32\unpr.sys [2007-11-11 01:23]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 18:17]
S3 PL-40R;CASIO USB MIDI;C:\WINDOWS\system32\Drivers\pl40rwdm.sys [2004-09-30 23:08]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-07 21:57:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 07:33:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-01-03 07:33:01 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 20:07:13
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-07 20:07:48
ComboFix-quarantined-files.txt 2008-02-08 04:07:35
ComboFix2.txt 2008-02-08 02:23:33
ComboFix3.txt 2008-02-07 09:38:22
ComboFix4.txt 2008-01-20 01:37:06
ComboFix5.txt 2008-01-03 07:07:16
.
2008-01-10 03:01:40 --- E O F ---



HI JACK:

Logfile of HijackThis v1.99.1
Scan saved at 8:08:56 PM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Last.fm\LastFM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Monta Bellrose\Desktop\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

#8 LDTate

LDTate

    Forum God

  • Root Admin
  • 56,590 posts
  • MVP

Posted 08 February 2008 - 06:47 AM

Open notepad and copy/paste the text in the Codebox below into it:


File::
C:\WINDOWS\system32\drvjon.dll
C:\WINDOWS\system32\unpr.sys

Driver::
unpr



Save this as Save this as "CFScript"


Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.

#9 montabellrose

montabellrose

    Authentic Member

  • Authentic Member
  • PipPip
  • 52 posts

Posted 08 February 2008 - 11:40 PM

It appears to be running better, however When it rebooted while restarting up just before windows loads, a thing popped up called the "data execution Prevention" and explorer doesn't open when this happens. if i try and do ctrl + alt delete another data thing comes up saying it cant open task manager.. if i do it twice really fast i can get it open.... then i Run Explorer which i also have to do twice fast.

Combo:


ComboFix 08-02.05.3 - Monta Bellrose 2008-02-08 21:26:16.16 - NTFSx86
Running from: C:\Documents and Settings\Monta Bellrose\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Monta Bellrose\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\drvjon.dll
C:\WINDOWS\system32\unpr.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drvjon.dll
C:\WINDOWS\system32\unpr.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_UNPR
-------\UNPR


((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-07 20:05 . 2004-08-03 23:56 395,776 --a------ C:\kmd.exe
2008-02-06 21:05 . 2008-02-06 21:26 <DIR> d-------- C:\Documents and Settings\Monta Bellrose\.housecall6.6
2008-02-06 15:16 . 2004-08-03 23:56 40,448 --a------ C:\WINDOWS\system32\rundll32.exe
2008-01-29 22:48 . 2008-01-31 21:27 <DIR> d-------- C:\Program Files\BitComet
2008-01-29 22:48 . 2008-02-08 02:11 <DIR> d-------- C:\Downloads
2008-01-29 22:48 . 2008-01-29 22:48 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-01-29 17:43 . 2008-02-06 19:35 <DIR> d-------- C:\Program Files\ClamWin
2008-01-29 17:43 . 2008-01-29 17:44 <DIR> d-------- C:\Documents and Settings\Monta Bellrose\Application Data\.clamwin
2008-01-29 17:43 . 2008-01-29 17:43 <DIR> d-------- C:\Documents and Settings\All Users\.clamwin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 05:04 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-02-07 04:48 --------- d-----w C:\Program Files\Java
2008-02-07 03:35 --------- d-----w C:\Program Files\Apple Software Update
2008-02-07 03:32 --------- d-----w C:\Program Files\Last.fm
2008-02-06 22:19 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-30 04:20 --------- d-----w C:\Documents and Settings\Monta Bellrose\Application Data\Azureus
2008-01-30 01:44 --------- d-----w C:\Documents and Settings\Monta Bellrose\Application Data\.clamwin
2008-01-07 04:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Last.fm
2008-01-03 07:44 --------- d-----w C:\Documents and Settings\Monta Bellrose\Application Data\Uniblue
2007-12-24 22:12 --------- d-----w C:\Program Files\Azureus
2007-12-23 20:42 --------- d-----w C:\Program Files\DIFX
2007-12-11 06:37 --------- d-----w C:\Program Files\Acoustica MP3 Audio Mixer
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2005-05-24 00:17 32256 C:\WINDOWS\MIDIDEF.EXE]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-07-15 12:23 5674352]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-14 14:37 975872]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 10:28 147456]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 13:06 1327104]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-07-16 14:17 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2005-05-24 00:28 23552 C:\WINDOWS\CTHELPER.EXE]
"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2005-03-28 13:25 1028096]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 16:49 65536]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 163840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 294912]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"lxccmon.exe"="C:\Program Files\Lexmark 3300 Series\lxccmon.exe" [2005-02-21 05:21 200704]
"VTTimer"="VTTimer.exe" [2006-09-14 17:54 61440 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2007-04-25 14:41 184320 C:\WINDOWS\system32\VTTrayp.exe]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2008-01-20 22:08 86016]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [ ]

C:\Documents and Settings\Monta Bellrose\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-01-06 20:01:10 114688]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-26 22:42:38 120832]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 18:17]
S3 PL-40R;CASIO USB MIDI;C:\WINDOWS\system32\Drivers\pl40rwdm.sys [2004-09-30 23:08]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-07 21:57:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 07:33:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-01-03 07:33:01 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 21:30:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2008-02-08 21:32:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 05:32:49
ComboFix2.txt 2008-02-08 04:07:49
ComboFix3.txt 2008-02-08 02:23:33
ComboFix4.txt 2008-02-07 09:38:22
ComboFix5.txt 2008-01-20 01:37:06
.
2008-01-10 03:01:40 --- E O F ---



Hijack:


Logfile of HijackThis v1.99.1
Scan saved at 9:37:33 PM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Monta Bellrose\Desktop\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

#10 LDTate

LDTate

    Forum God

  • Root Admin
  • 56,590 posts
  • MVP

Posted 09 February 2008 - 07:16 AM

Data Execution Prevention (DEP)
http://support.microsoft.com/kb/875352


Good job :thumbup:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    • Posted Image


    Here's my usual all clean post

    Log looks good :D


    You need to create a new Clean restore point.

    Note: This will remove all previous Restore Points

    Click Start Menu > Run > copy and paste

    %SystemRoot%\System32\restore\rstrui.exe

    Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

    Double-click My Computer.
    Click the Tools menu, and then click Folder Options.
    Click the View tab.
    Check "Hide file extensions for known file types."
    Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
    Check "Hide protected operating system files."
    Click Apply, and then click OK.

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      • From within Internet Explorer click on the Tools menu and then click on Options.
      • Click once on the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is succeptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:
    Note: I no longer suggest Zone Alarm

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
    settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

    Using IE-SPYAD to help block unwanted sites and activities

  • Winpatrol


  • Update all these programs regularly - Make sure you update all the programs I have listed regularly.
    Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

#11 LDTate

LDTate

    Forum God

  • Root Admin
  • 56,590 posts
  • MVP

Posted 11 February 2008 - 06:06 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.



Similar Topics: [Resolved] My Computer is infected, Please help ASAP     x


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users