Tom's Guide | Tom's Hardware | Tom's Games
So just last night, by clicking a fake link, I got infected with a pretty bad virus. I ran all the minimals: AVG, RogueRemover, Spyware Doctor, Ad-Aware, Spybot, NOD32, Trojan Hunter, etc. And my computer is still plagued: it starts up dramatically slower, I can no longer see my desktop picture, and there are a ton of shady programs in my Windows folder. I have run multiple programs, as you can see, but none of them are fixing the problem.
Here is a screenshot of my processes.
http://img378.imageshack.us/img378/...
You know, I am sure you guys get sick of all the people asking for help, but then again that is what this place is for. If anyone out there is able to help me out, I would appreciate it to the highest extent. If you need any more information from me, just let me know on the thread and I shall let you know.
-Aaron

I just got rid of the Virtumonde DLL. That damn thing generates different DLL files. Looks like the fcccduu.dll is pretty much the same as my gebcd.dll. I used 4 programs to get rid of everything: Procexp, Killbox, HijackThis, and Spybot.

Download the "HijackThis" installer from this link:
http://www.trendsecure.com/portal/e...
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required. Post the HijackThis log in your next reply.
*Do Safe Computing*

Here it is :S
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:56 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Xfire\xfire.exe
C:\DOCUME~1\WILDCH~1\LOCALS~1\Temp\RarSFX9\avgsetup.exe
C:\DOCUME~1\WILDCH~1\LOCALS~1\Temp\RarSFX9\vcredist_x86.exe
C:\DOCUME~1\WILDCH~1\LOCALS~1\Temp\IXP000.TMP\VCREDI~3.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.ph...
O2 - BHO: BitComet ClickCapture - {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: (no name) - {3c61a40a-8bc0-4595-8a29-eb22e47c4eef} - C:\WINDOWS\system32\fccccDuu.dll
O2 - BHO: (no name) - {f50b3f5e-856e-4757-9bb1-b35d46ca7719} - C:\WINDOWS\system32\nnnkKAtt.dll
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Wildchild\cftmon.exe
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\WILDCH~1\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKLM\..\RunOnce: [wextract_cleanup1] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\WILDCH~1\LOCALS~1\Temp\IXP001.TMP\"
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Wildchild\cftmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [BitComet] C:\Program Files\BitComet\BitComet.exe /tray
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O8 - Extra context menu item: &d&ownload &with bitcomet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &d&ownload all video with bitcomet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &d&ownload all with bitcomet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: BitComet - {d18a0b52-d63c-4ed0-afc6-c1e3dc1af43a} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Wildchild\Start Menu\Programs\IMVU\Run IMVU.lnk
O20 - Winlogon Notify: nnnkkatt - C:\WINDOWS\SYSTEM32\nnnkKAtt.dll
O21 - SSODL: vadokmxt - {28932E44-314F-467D-9B05-94958B3D27EB} - C:\WINDOWS\vadokmxt.dll
O21 - SSODL: wdpoefan - {B86C2FAE-FDF7-4BE3-9A65-8736C27CE029} - C:\WINDOWS\wdpoefan.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (avg7alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (avg7updsvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (avgems) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: Eset HTTP Server (ehttpsrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
--
End of file - 6079 bytes

Badly infected with Trojan/FakeAlert and Virtumonde. :(
Please take note of the following:
1. Please do not make any system changes yet, as any changes you make may well alter your log.
2. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
3. If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
4. Please reply to this thread. Do not start a new topic.
Disable real-time monitoring programs if you have them installed:
click here to see: http://spywaredetail.com/forum/show...
Please run HijackThis again and click "Scan." Place checks next to the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.ph...
O2 - BHO: (no name) - {3c61a40a-8bc0-4595-8a29-eb22e47c4eef} - C:\WINDOWS\system32\fccccDuu.dll
O2 - BHO: (no name) - {f50b3f5e-856e-4757-9bb1-b35d46ca7719} - C:\WINDOWS\system32\nnnkKAtt.dll
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Wildchild\cftmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Wildchild\cftmon.exe
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O9 - Extra button: BitComet - {d18a0b52-d63c-4ed0-afc6-c1e3dc1af43a} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Wildchild\Start Menu\Programs\IMVU\Run IMVU.lnk
O20 - Winlogon Notify: nnnkkatt - C:\WINDOWS\SYSTEM32\nnnkKAtt.dll
O21 - SSODL: vadokmxt - {28932E44-314F-467D-9B05-94958B3D27EB} - C:\WINDOWS\vadokmxt.dll
O21 - SSODL: wdpoefan - {B86C2FAE-FDF7-4BE3-9A65-8736C27CE029} - C:\WINDOWS\wdpoefan.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
Close all browsers and other windows except for HijackThis, and click "Fix checked".
Please download Malwarebytes' Anti-Malware to your desktop. This is a free anti-malware application. Download link: http://www.malwarebytes.org/mbam/pr...
>DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
>Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
>If an update is found, it will download and install the latest database updates.
>Once the program has loaded, select Perform full scan, then click Scan.
>When the scan is complete, click OK, then Show Results to view the results.
>Be sure that everything is checked, and click Remove Selected.
>When MBAM finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post its Log in your next reply.
THEN: Download ComboFix by sUBs and save it to your desktop.
(If you have previously downloaded ComboFix, please delete that version now.)
Download link HERE:
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...
Note
It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.
Note
In case your antivirus or any other real-time scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.
Also post a new HijackThis log.
*Do Safe Computing*
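The entries the helper checks off above follow a handful of recognisable patterns: a hijacked start page, BHOs with no name, shell-hook DLLs with random 8-letter names, autorun entries whose file name imitates a Windows binary by one character (cftmon vs ctfmon, spools vs spoolsv), an .exe sitting under system32\drivers or in the root of a user profile, and an Active Desktop component served from a local HTML file. The script below is an added example, not code from this thread, from Trend Micro or from the helper: it parses HJT-format lines and attaches a reason to every entry matching one of those patterns. The sample log is a subset of the log posted above; the start-page allowlist is an assumption.

```python
import re
from dataclasses import dataclass, field

# XP binaries that malware imitates with a one-character change (cftmon, spools).
LEGIT_NAMES = {"ctfmon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe",
               "winlogon.exe", "services.exe", "explorer.exe", "csrss.exe"}
# Assumption: hosts the machine's owner considers a normal IE start page.
START_PAGE_ALLOW = {"www.google.com", "www.msn.com"}

HJT_LINE = re.compile(r"^([RFO]\d+) - (.*)$")
HOST = re.compile(r"https?://([^/\s]+)", re.I)
RANDOM_DLL = re.compile(r"\\[a-z]{8}\.dll\b", re.I)               # e.g. nnnkKAtt.dll
EXE_IN_DRIVERS = re.compile(r"\\system32\\drivers\\[^\\\s]+\.exe\b", re.I)
PROFILE_ROOT_EXE = re.compile(r"\\Documents and Settings\\[^\\]+\\[^\\\s]+\.exe\b", re.I)
EXE_NAME = re.compile(r'\\([^\\/\s"]+\.exe)\b', re.I)

# Constructed sample: a subset of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.ph...
O2 - BHO: BitComet ClickCapture - {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: (no name) - {3c61a40a-8bc0-4595-8a29-eb22e47c4eef} - C:\WINDOWS\system32\fccccDuu.dll
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Wildchild\cftmon.exe
O4 - HKCU\..\Run: [BitComet] C:\Program Files\BitComet\BitComet.exe /tray
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: nnnkkatt - C:\WINDOWS\SYSTEM32\nnnkKAtt.dll
O21 - SSODL: vadokmxt - {28932E44-314F-467D-9B05-94958B3D27EB} - C:\WINDOWS\vadokmxt.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: AVG7 Update Service (avg7updsvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""


@dataclass
class Entry:
    kind: str                                   # HJT section code, e.g. "O4"
    text: str                                   # remainder of the line
    reasons: list = field(default_factory=list)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition,
    so 'cftmon' is one edit from 'ctfmon' and 'spools' one edit from 'spoolsv'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(exe_name: str):
    """Return the Windows binary this file name imitates by one edit, or None."""
    name = exe_name.lower()
    if name in LEGIT_NAMES:
        return None
    return next((legit for legit in LEGIT_NAMES if osa_distance(name, legit) == 1), None)


def check(entry: Entry) -> Entry:
    """Attach a reason for every suspicious pattern found in one HJT entry.
    These are review prompts, not proof: 8-letter names also occur legitimately."""
    t, why = entry.text, entry.reasons
    if entry.kind in ("R0", "R1"):
        m = HOST.search(t)
        if m and m.group(1).lower() not in START_PAGE_ALLOW:
            why.append(f"start page points at unfamiliar host {m.group(1)}")
    if entry.kind == "O2" and "(no name)" in t:
        why.append("BHO registered without a name")
    if entry.kind in ("O2", "O20", "O21") and RANDOM_DLL.search(t):
        why.append("BHO/shell hook DLL with a random 8-letter name")
    if entry.kind == "O22" and "(no file)" in t:
        why.append("SharedTaskScheduler CLSID whose DLL is missing")
    if entry.kind == "O24" and "file:///" in t:
        why.append("Active Desktop component served from a local file")
    if EXE_IN_DRIVERS.search(t):
        why.append("executable placed in system32\\drivers")
    if PROFILE_ROOT_EXE.search(t):
        why.append("executable in the root of a user profile")
    for exe in EXE_NAME.findall(t):
        target = lookalike(exe)
        if target:
            why.append(f"{exe} imitates {target}")
    return entry


def triage(log: str) -> list:
    """Parse an HJT log and return only the entries that earned at least one reason."""
    entries = [Entry(m.group(1), m.group(2)) for line in log.splitlines()
               if (m := HJT_LINE.match(line.strip()))]
    return [e for e in map(check, entries) if e.reasons]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind}: {e.text}\n    -> " + "; ".join(e.reasons))
```

The output is a review list, not a fix list: each reason is a prompt to check the file's signer and location before ticking anything in HijackThis.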

Thank you a ton, Adii. I am still going down the list of instructions and will write back with my progress; I just wanted to give an enormous thank you for the help and effort.

Alright, so I have all 3 logs now. First is the Malwarebytes' log.
Malwarebytes' Anti-Malware 1.11
Database version: 679
Scan type: Full Scan (C:\|)
Objects scanned: 131202
Time elapsed: 3 hour(s), 17 minute(s), 39 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 4
Registry Keys Infected: 23
Registry Values Infected: 8
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 89
Memory Processes Infected:
c:\WINDOWS\system32\drivers\spools.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\system32\fccccDuu.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\nnnkKAtt.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\wdpoefan.dll (Trojan.FakeAlert) -> Unloaded module successfully.
C:\WINDOWS\vadokmxt.dll (Trojan.FakeAlert) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\schedule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\schedule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\schedule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3c61a40a-8bc0-4595-8a29-eb22e47c4eef} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3c61a40a-8bc0-4595-8a29-eb22e47c4eef} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\msram.tchongabho (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cf26fac0-7d4e-46d8-ae64-b277b11443ac} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnkkatt (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{29bf1b1f-0106-4881-a7c7-a71035c54825} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{99e591b6-a5ad-4a2d-b349-334020760ef2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ms.videostream (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{414b0283-2228-4f26-8bb3-c2211fa99223} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{414b0283-2228-4f26-8bb3-c2211fa99223} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d59c493a-7b1f-4540-a571-894404a5b864} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dec285db-b834-4d1c-b81c-f1ffe8271ee1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cb63e6a0-3e04-44dd-8d0b-cface3627556} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dpevflbg.bolr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dpevflbg.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin (Trojan.Fakealert) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wdpoefan (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vadokmxt (Trojan.FakeAlert) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccccduu -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccccduu -> Delete on reboot.
Folders Infected:
C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\drivers\spools.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccccDuu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\uuDccccf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uuDccccf.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wildchild\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnkKAtt.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\30IZ6M8D\loader[1].exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wildchild\Local Settings\Temp\163.tmp (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP402\A0062270.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP402\A0062272.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP402\A0062273.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP402\A0062274.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP402\A0062282.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP404\A0063290.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP404\A0063310.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP404\A0063379.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP405\A0063389.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP406\A0063628.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP406\A0063660.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP406\A0063702.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP406\A0063703.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP406\A0063707.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP406\A0063708.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP406\A0063805.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP408\A0063895.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP408\A0063896.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP408\A0063923.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP409\A0064000.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP410\A0064068.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP411\A0064194.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP412\A0064254.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP414\A0064293.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP414\A0064298.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP414\A0064301.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP414\A0064311.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP414\A0064332.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP414\A0064396.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP415\A0065421.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP415\A0065422.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP415\A0065436.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38A0687C-AFD1-47B8-9B02-C5B7A58EF2D7}\RP416\A0065518.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntpl.bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvrsma.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\lol.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\index.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\capt.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\danger.jpg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\down.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\spacer.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\akttzn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtoolb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpcproxy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hoproxy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxiwlgpm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msgp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mtr2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mwin32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netode.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\newsd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ps1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psoft1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regm64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Rundl1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysreq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taack.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taack.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\temp#01.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VBIEWER.OCX (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogonpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winsystem.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WINWGPX.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ydhqzop.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\wdpoefan.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\vadokmxt.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\dpevflbg.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wildchild\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wildchild\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wildchild\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wildchild\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wildchild\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wildchild\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.

This is the ComboFix log
ComboFix 08-04-22.5 - Wildchild 2008-04-25 9:23:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1626 [GMT -7:00]
Running from: C:\Documents and Settings\Wildchild\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\fccccDuu.dll
C:\WINDOWS\system32\msvcsv60.dll
C:\WINDOWS\system32\nnnkKAtt.dll
C:\WINDOWS\system32\prBKlUtv.ini
C:\WINDOWS\system32\prBKlUtv.ini2
C:\WINDOWS\system32\UBKjkUtv.ini
C:\WINDOWS\system32\UBKjkUtv.ini2
C:\WINDOWS\system32\vvyIlnpo.ini
C:\WINDOWS\system32\vvyIlnpo.ini2
----- BITS: Possible infected sites -----
hxxp://flyvideonetwork.com
.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.
2008-04-24 23:09 . 2008-04-24 23:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-24 23:09 . 2008-04-24 23:09 <DIR> d-------- C:\Documents and Settings\Wildchild\Application Data\Malwarebytes
2008-04-24 23:09 . 2008-04-24 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 21:25 . 2008-04-24 21:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-24 19:59 . 2008-04-24 20:03 <DIR> d-------- C:\Program Files\Uniblue
2008-04-24 19:46 . 2008-04-24 19:46 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-04-24 19:24 . 2008-04-24 20:03 <DIR> d-------- C:\Documents and Settings\Wildchild\Application Data\Uniblue
2008-04-24 18:59 . 2008-04-24 18:59 <DIR> d-------- C:\!KillBox
2008-04-24 18:56 . 2008-04-24 18:57 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-24 13:44 . 2008-04-24 13:48 <DIR> d-------- C:\Documents and Settings\Wildchild\Application Data\AVG7
2008-04-24 13:43 . 2008-04-24 13:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-24 13:42 . 2008-04-24 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-23 23:16 . 2008-04-23 23:16 <DIR> d-------- C:\Program Files\ESET
2008-04-23 23:16 . 2008-04-23 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-04-23 23:11 . 2008-04-23 23:13 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-04-23 21:01 . 2008-04-23 22:42 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-23 21:01 . 2008-04-23 21:01 <DIR> d-------- C:\Documents and Settings\Wildchild\Application Data\PC Tools
2008-04-23 21:01 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-23 21:01 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-23 21:01 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-23 21:01 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-23 19:41 . 2008-04-23 19:41 <DIR> d-------- C:\fixwareout
2008-04-23 19:17 . 2008-04-23 19:17 <DIR> d-------- C:\Program Files\AVG
2008-04-23 19:17 . 2008-04-24 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-23 18:32 . 2008-04-24 22:36 <DIR> d-------- C:\Documents and Settings\Wildchild\Application Data\TmpRecentIcons
2008-04-23 18:32 . 2008-04-24 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-23 15:40 . 2008-04-23 15:40 <DIR> d-------- C:\Documents and Settings\Wildchild\Application Data\TrojanHunter
2008-04-23 15:11 . 2008-04-23 15:11 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-04-23 13:58 . 2008-04-23 13:58 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-23 13:58 . 2008-04-23 14:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-23 13:45 . 2008-04-23 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\xkzgluvs
2008-04-23 13:41 . 2008-04-23 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\tmvulula
2008-04-23 13:41 . 2008-04-25 09:14 212,992 --------- C:\WINDOWS\wdpoefan.dll
2008-04-23 13:41 . 2008-04-25 09:14 167,936 --------- C:\WINDOWS\vadokmxt.dll
2008-04-23 13:41 . 2008-04-23 13:41 54,784 --a------ C:\WINDOWS\system32\lght.ln
2008-04-23 13:41 . 2008-04-23 13:41 32,768 --a------ C:\WINDOWS\system32\pryx.ln
2008-04-23 13:41 . 2008-04-23 13:41 28,672 --a------ C:\WINDOWS\system32\sbmf.ln
2008-04-23 13:41 . 2008-04-23 13:41 28,672 --a------ C:\WINDOWS\system32\msnf.ln
2008-04-23 13:41 . 2008-04-23 13:41 28,672 --a------ C:\WINDOWS\system32\cc.ln
2008-04-23 13:25 . 2008-04-23 13:27 10,495,846 --a------ C:\of_sins_and_shadows fin midi.wav
2008-04-23 13:23 . 2008-04-23 13:23 <DIR> d-------- C:\Program Files\MIDI TO WAV 1.0 DEMO
2008-04-23 13:21 . 2008-04-23 13:23 <DIR> d-------- C:\temp
2008-04-02 16:26 . 2008-04-02 16:26 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-03-26 12:06 . 2008-03-26 12:06 84 --a------ C:\WINDOWS\savers.ini
2008-03-25 13:14 . 2008-03-25 13:14 <DIR> d-------- C:\Logs
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 16:28 --------- d-----w C:\Program Files\BitComet
2008-04-25 05:47 --------- d-----w C:\Documents and Settings\Wildchild\Application Data\Xfire
2008-04-25 05:16 --------- d-----w C:\Program Files\Steam
2008-04-24 06:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-24 06:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-23 20:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-23 20:52 --------- d-----w C:\Program Files\MP3 Converter Simple
2008-04-23 20:41 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2008-04-22 07:22 --------- d-----w C:\Documents and Settings\Wildchild\Application Data\Digidesign
2008-04-19 09:30 --------- d-----w C:\Program Files\World of Warcraft
2008-04-19 05:36 --------- d-s---w C:\Program Files\Xfire
2008-04-14 08:59 --------- d-----w C:\Program Files\StepMania
2008-04-02 19:34 --------- d-----w C:\Program Files\AIM6
2008-04-02 19:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-02 19:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-04-01 20:06 22,328 -c--a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-01 20:06 107,832 -c--a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-03-21 21:07 --------- d-----w C:\Program Files\Logitech
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 23:52 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-03-13 23:44 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-03-13 23:43 40,456 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
577,024 2004-08-04 12:00:00 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
577,536 2008-04-23 20:41:04 C:\WINDOWS\system32\user32.dll
577,536 2008-04-23 20:41:04 C:\WINDOWS\system32\dllcache\user32.dll
------- Sigcheck -------
2005-03-02 11:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 08:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 05:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 11:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-04-23 13:41 577536 d0cda2a2679ba67bd45cd9d91587cb30 C:\WINDOWS\system32\user32.dll
2008-04-23 13:41 577536 d0cda2a2679ba67bd45cd9d91587cb30 C:\WINDOWS\system32\dllcache\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-05-16 10:18 1856544]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2008-03-24 23:38 2196280]
"Uniblue RegistryBooster2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-05-16 10:18 1856544]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-10-22 10:13 9438488]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-24 13:43 219136]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave4"= Digi32.dll
"Midi1"= mbx2midu.dll
"Midi2"= diomidi.dll
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^logitech setpoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk
backup=C:\WINDOWS\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TrayMin200.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TrayMin200.exe.lnk
backup=C:\WINDOWS\pss\TrayMin200.exe.lnkCommon Startup
[HKLM\~\startupfolder\c:^documents and settings^wildchild^start menu^programs^startup^magicdisc.lnk]
path=C:\Documents and Settings\Wildchild\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup
[HKLM\~\startupfolder\c:^documents and settings^wildchild^start menu^programs^startup^product registration.lnk]
path=C:\Documents and Settings\Wildchild\Start Menu\Programs\Startup\Product Registration.lnk
backup=C:\WINDOWS\pss\Product Registration.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2004-09-28 22:56 57344 C:\WINDOWS\ALCMTR.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a--c--- 2004-09-28 22:56 2552320 C:\WINDOWS\ALCWZRD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Wildchild\cftmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
C:\WINDOWS\VM_STI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Control Center]
--a------ 2005-09-16 14:57 1668096 C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a--c--- 2006-11-12 03:48 157592 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\delayload]
C:\DOCUME~1\WILDCH~1\LOCALS~1\Temp\mso13.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
--a------ 2006-11-14 00:05 61440 C:\Program Files\Digidesign\Drivers\MMERefresh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-03-17 16:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdgf894jrghoiiskd]
C:\DOCUME~1\WILDCH~1\LOCALS~1\Temp\winlogan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a------ 2001-11-29 02:00 28672 C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd]
C:\DOCUME~1\WILDCH~1\LOCALS~1\Temp\csrssc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kernel and hardware abstraction layer]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kernelfaultcheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\launch lcdmon]
--a------ 2007-07-17 16:30 1687824 C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\launch lgdcore]
--a------ 2007-07-17 17:08 2094352 C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\launch lgdevagt]
--a------ 2007-07-17 17:13 99600 C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\logitech hardware abstraction layer]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1535.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-09-28 22:57 77824 C:\WINDOWS\SOUNDMAN.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spybotsd teatimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-05 20:51 1271032 C:\Program Files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-12-15 04:23 75520 C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\unlcydhe]
C:\WINDOWS\system32\dmfwrefw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\UpdReg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a------ 2002-07-02 18:56 24576 C:\WINDOWS\system32\CTHELPER.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xfire Music]
--a------ 2006-11-20 19:12 253650 C:\Program Files\Xfire\xfiremusic.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Steam\\SteamApps\\elucidfantasia\\counter-strike source\\hl2.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\SteamApps\\elucidfantasia\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23959:TCP"= 23959:TCP:BitComet 23959 TCP
"23959:UDP"= 23959:UDP:BitComet 23959 UDP
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-11-13 21:38]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys [2006-11-13 21:38]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2008-03-27 02:10]
R3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2006-11-13 21:36]
R3 MBX2DFU;MBX2DFU;C:\WINDOWS\system32\DRIVERS\MBX2DFU.sys [2006-11-13 21:37]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;C:\WINDOWS\system32\drivers\mbx2midk.sys [2006-11-13 21:37]
S1 ydhqzop;ydhqzop;C:\WINDOWS\ydhqzop.sys []
S3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 19:54]
S3 L6POD;L6 PODxt Service;C:\WINDOWS\system32\Drivers\L6POD.sys [2007-09-17 12:24]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-20 21:04:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-25 16:28:25 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-04-25 03:03:54 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 09:28:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\system32\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2008-04-25 9:32:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-25 16:32:53
Pre-Run: 63,319,900,160 bytes free
Post-Run: 64,235,331,584 bytes free
295 --- E O F --- 2008-04-11 09:44:09

And lastly this is the Hijackthis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:03 AM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.ph...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (avg7alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (avg7updsvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (avgems) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: Eset HTTP Server (ehttpsrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
--
End of file - 4394 bytes

Logs are looking much better. A few more things to do:
Remove this folder if present:
C:\WINDOWS\privacy_danger
Now copy the following text and paste it into a Notepad file.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"FriendlyName"="My Current Home Page"
"SubscribedURL"="About:Home"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,4e,00,00,00,00,00,00,00,b2,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,4e,00,00,00,00,00,00,00,b2,03,00,00,e2,02,\
00,00,01,00,00,00
Save this file with the name 123.reg (registry file) on your desktop. Select "Save as type" as "All files".
Now double-click the 123.reg file on your desktop and click Yes.
Reset and re-enable your System Restore:
Now you should set a new restore point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which can sometimes reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.
(You will lose all previous restore points which are likely to be infected)
1. Turn off System Restore:
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore:
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.
Can you tell me how things are running now? Post a fresh HijackThis log in your next reply.
*Do Safe Computing*
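The helper above worked from two HijackThis entries: the R0 start page pointing at softwarereferral.com and the O24 desktop component loading `file:///C:\WINDOWS\privacy_danger\index.htm` (the .reg file puts it back to About:Home). As an added example that is not part of this thread, nor code from HijackThis or ComboFix, the Python below triages HijackThis log lines for exactly those indicators plus autostarts run from a Temp directory and services with an unknown owner; the allow-list of default IE hosts is an assumption, and the sample lines are constructed from (or adapted from) the logs posted in this thread.

```python
"""Triage HijackThis log lines for the hijack indicators seen in this thread.

Added example; not code from the thread, from HijackThis or from ComboFix.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts Internet Explorer 6 points at by default (not from the page).
DEFAULT_IE_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.msn.com"}

# A legitimate autostart should not launch from a temporary directory.
TEMP_PATH_FRAGMENTS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp")

# Every HijackThis entry starts with a section code such as R0, O4, O23.
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


def check_r_entry(body):
    """R0/R1: IE start or search page. Flag local files and non-default hosts."""
    _, _, url = body.partition(" = ")
    parsed = urlparse(url.strip())
    if parsed.scheme == "file":
        return "start/search page points at a local file"
    host = (parsed.hostname or "").lower()
    if host and host not in DEFAULT_IE_HOSTS:
        return "start/search page redirected to %s" % host
    return None


def check_o4_entry(body):
    """O4: Run-key autostart. Flag programs that run from a Temp directory."""
    # body looks like: HKCU\..\Run: [Name] C:\path\prog.exe /args
    _, _, command = body.partition("] ")
    if any(frag in command.lower() for frag in TEMP_PATH_FRAGMENTS):
        return "autostart launched from a temporary directory"
    return None


def check_o23_entry(body):
    """O23: service. Flag binaries whose vendor HijackThis could not identify."""
    if " - Unknown owner - " in body:
        return "service with unknown owner, verify the binary"
    return None


def check_o24_entry(body):
    """O24: Active Desktop component. The clean default is About:Home, not a file."""
    if "file:///" in body.lower():
        return "desktop component loads a local HTML file"
    return None


CHECKS = {
    "R0": check_r_entry,
    "R1": check_r_entry,
    "O4": check_o4_entry,
    "O23": check_o23_entry,
    "O24": check_o24_entry,
}


def triage(log_text):
    """Return a (section, reason, line) tuple for every flagged log line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = LINE_RE.match(line)
        if not match:
            continue  # header, process list, blank or footer line
        check = CHECKS.get(match.group("sec"))
        if check is None:
            continue  # section this triage does not cover (O8, O9, ...)
        reason = check(match.group("body"))
        if reason:
            findings.append((match.group("sec"), reason, line))
    return findings


# Constructed sample: entries copied or adapted from the logs in this thread,
# plus benign ones, so the output shows both what is flagged and what passes.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.ph...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKLM\..\Run: [delayload] C:\DOCUME~1\WILDCH~1\LOCALS~1\Temp\mso13.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (section, reason, line))
```

A flag is a prompt to look closer, not a verdict: PnkBstrA is PunkBuster's service and is legitimate even though HijackThis reports no owner.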

The computer is running at about 90% of how it used to run; all of the fake warnings and pop-ups are completely gone, there are just a few small things that are not back to normal. One of the things is my programmable keyboard (Logitech G15) seems crippled: although the keys work, I cannot navigate through any of the menus and none of my game macros are working, although I have not tried to re-install the software. I will give it a try when I get the chance since it is not a big deal.
The 2nd thing is a lot of my menus will not show pictures; it shows them as a broken image. I will give an example: I can no longer see my desktop picture, all it shows is my default background color (black) with what looks like a broken link icon in the top left. What is unusual about this is that my actual desktop picture appears only for the split second my computer is being turned off and turned on. I took a screen shot of the top left corner of my desktop and a screen shot of a game window.
Desktop screen shot: http://img145.imageshack.us/img145/...
Here is the new HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:55 AM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\BitComet\BitComet.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\World of Warcraft\Launcher.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.ph...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (avg7alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (avg7updsvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (avgems) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: Eset HTTP Server (ehttpsrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 4373 bytes

Congratulations, your log is successfully cleaned.
Yes, you can reinstall the software. It will be the right way.
*Do Safe Computing*

In order to protect yourself against spyware, you should consider installing and running the following free programs:
How to prevent further spyware/virus infection:
Read here:
http://spywaredetail.com/steps.htm
http://spywaredetail.com/tips.htm
Spyware and Malware Removal Forum: http://spywaredetail.com/forum/inde...
Visit Microsoft's Windows Update Site Frequently:
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install AVG Anti-Virus Free Edition:
AVG Free Edition is a well known antivirus protection tool and provides a high level of detection capability.
Download: http://free.grisoft.com
Install Ad-Aware 2007:
Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.
Download: http://www.lavasoftusa.com/products...
Install Spybot Search and Destroy:
Install and download Spybot - Search and Destroy with its TeaTimer option.
This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.
Download: http://www.safer-networking.org/en/...
Install SpywareBlaster:
SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
Download: http://www.javacoolsoftware.com/spy...
Install SpywareGuard:
SpywareGuard provides a real-time protection solution against spyware.
Download: http://www.javacoolsoftware.com/spy...
Install IE/Spyad:
It places over 5000 malicious websites and domains in your IE's Restricted zone.
Download: http://www.spywarewarrior.com/uiuc/...
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
NOTE: Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.
*Do Safe Computing*

Thanks a million Adii, I was having a hard time figuring out how to remove this stuff on my own.
I was ready to re-install Windows and lose all of the composed film score pieces I have written in the past 5 years :S

You are welcome.
Glad we could help you.
We are also trying our best to kick malware off users' PCs at this forum: http://spywaredetail.com/forum/inde...
Cheers, Safe Computing!
*Do Safe Computing*
