Old 12-03-2008, 12:59 PM   #13 (permalink)
basskiller
Registered User
 
Join Date: Dec 2008
Posts: 14
OS: XP


Re: Adware infection help needed

Good afternoon TheBruce1

Followed everything as instructed.
With the AV scan, while it did detect a few things, I took no action as yet. I wanted to make sure with you first.

********************************************************
Combofix log
********************************************************

ComboFix 08-12-01.03 - Owner 2008-12-03 11:28:59.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.129 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active

.
- REDUCED FUNCTIONALITY MODE -

FILE ::
c:\documents and settings\Owner\My Documents\dad\4363abc\Codecs\AVICodecPackPlus210.exe
c:\documents and settings\Owner\My Documents\programs\applications\Codecs\AVICodecPackPlus210.exe
c:\documents and settings\Owner\My Documents\programs\Codecs\AVICodecPackPlus210.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\My Documents\dad\4363abc\Codecs\AVICodecPackPlus210.exe
c:\documents and settings\Owner\My Documents\programs\applications\Codecs\AVICodecPackPlus210.exe
c:\documents and settings\Owner\My Documents\programs\Codecs\AVICodecPackPlus210.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2008-12-03 03:29 . 2008-12-03 03:29 <DIR> d-------- c:\documents and settings\Owner\Application Data\Cool Record Edit Pro
2008-12-02 15:55 . 2008-12-02 15:55 <DIR> d-------- c:\program files\Trend Micro
2008-12-02 07:52 . 2008-12-02 07:52 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-02 07:52 . 2008-12-02 07:52 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-02 07:51 . 2008-12-02 07:51 <DIR> d-------- c:\program files\Java
2008-12-01 20:03 . 2008-12-01 20:13 250 --a------ c:\windows\gmer.ini
2008-11-23 04:30 . 2008-11-23 04:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\channels
2008-11-20 17:28 . 2008-11-20 17:28 <DIR> d-------- c:\program files\UnRar for Windows
2008-11-20 14:36 . 2008-11-20 14:36 <DIR> d-------- c:\program files\Free Sound Recorder
2008-11-20 14:36 . 2008-11-20 14:36 <DIR> d-------- c:\documents and settings\Owner\Application Data\Free Sound Recorder
2008-11-20 14:36 . 2005-05-17 12:37 1,986,560 --a------ c:\windows\system32\NCTAudioFile2.dll
2008-11-20 14:36 . 2005-05-18 11:52 1,212,416 --a------ c:\windows\system32\NCTAudioInformation2.dll
2008-11-20 14:36 . 2005-04-15 12:08 880,640 --a------ c:\windows\system32\NCTAudioEditor2.dll
2008-11-20 14:36 . 2004-11-04 13:31 835,584 --a------ c:\windows\system32\NCTAudioCDGrabber2.dll
2008-11-20 14:36 . 2005-04-04 17:21 602,112 --a------ c:\windows\system32\NCTAudioTransform2.dll
2008-11-20 14:36 . 2005-03-28 15:54 479,232 --a------ c:\windows\system32\NCTAudioVisualization2.dll
2008-11-20 14:36 . 2005-04-25 13:01 458,752 --a------ c:\windows\system32\NCTAudioRecord2.dll
2008-11-20 14:36 . 2005-04-25 13:01 458,752 --a------ c:\windows\system32\NCTAudioPlayer2.dll
2008-11-20 14:36 . 2005-03-28 15:52 417,792 --a------ c:\windows\system32\NCTTextToAudio2.dll
2008-11-20 14:36 . 2005-02-24 11:51 348,160 --a------ c:\windows\system32\NCTWMAFile2.dll
2008-11-20 14:36 . 2006-03-23 12:56 113,486 --a------ c:\windows\system32\NCTWMAProfiles.prx
2008-11-15 15:21 . 2008-11-16 18:51 <DIR> d-------- c:\program files\Lexmark X1100 Series
2008-11-15 15:21 . 2001-08-17 22:36 87,040 --a------ c:\windows\system32\wiafbdrv.dll
2008-11-15 15:21 . 2001-08-17 22:36 87,040 --a--c--- c:\windows\system32\dllcache\wiafbdrv.dll
2008-11-15 15:21 . 2003-08-18 06:56 69,632 --a------ c:\windows\system32\lxbkscin.dll
2008-11-15 15:21 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-15 15:21 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 12:40 --------- d-----w c:\program files\Smiley Arcade
2008-12-02 07:32 --------- d-----w c:\program files\FTP Commander
2008-12-02 01:12 --------- d-----w c:\program files\Puppy Luv
2008-12-02 01:12 --------- d-----w c:\program files\CyberLink
2008-12-02 01:11 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-05 11:56 --------- d-----w c:\program files\DivX
2008-11-03 17:34 362 ----a-w c:\windows\Fonts\BOISTERC.PFM
2008-11-03 17:34 1,482 ----a-w c:\windows\Fonts\BOISTERB.PFM
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-04-21 13:00 0 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-08-29 16:10 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082920080830\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-02_15.45.00.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-22 05:23:35 135,168 ----a-w c:\windows\system32\java.exe
+ 2008-12-02 12:52:00 144,792 ----a-w c:\windows\system32\java.exe
- 2008-02-22 05:23:39 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-02 12:52:00 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-02-22 06:33:32 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-02 12:52:00 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-02 17:24:16 16,384 ----atw c:\windows\temp\Perflib_Perfdata_678.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-11 7286784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-10-11 86016]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-27 999424]
"StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" [2006-09-30 96984]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]
"nwiz"="nwiz.exe" [2005-10-11 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-12-14 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2007-12-23 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\PROGRA~1\\RINGZS~1\\STORMC~1\\Stormser.exe"=


*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2007-02-02 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-04 14:00]

2007-02-02 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-04 14:00]

2007-02-02 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-04 14:00]
.

********************************************************

******************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 11:31:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-03 11:32:39
ComboFix-quarantined-files.txt 2008-12-03 16:32:07
ComboFix2.txt 2008-12-02 12:21:10
ComboFix3.txt 2008-12-02 11:20:27
ComboFix4.txt 2008-12-02 20:46:39

Pre-Run: 193,591,091,200 bytes free
Post-Run: 194,081,054,720 bytes free

175 --- E O F --- 2008-11-13 2205






********************************************************
Avira Scan Log
********************************************************


Avira AntiVir Personal
Report file date: Wednesday, December 03, 2008 13:43

Scanning for 1071567 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: YOUR-D0AD85DE8F

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 12/3/2008 16:50:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 16:50:54
ANTIVIR1.VDF : 7.1.0.56 411136 Bytes 11/9/2008 16:50:54
ANTIVIR2.VDF : 7.1.0.160 571392 Bytes 11/30/2008 16:50:54
ANTIVIR3.VDF : 7.1.0.183 162304 Bytes 12/3/2008 16:50:54
Engineversion : 8.2.0.36
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 17:05:56
AESCRIPT.DLL : 8.1.1.15 332156 Bytes 12/3/2008 16:50:54
AESCN.DLL : 8.1.1.5 123251 Bytes 12/3/2008 16:50:54
AERDL.DLL : 8.1.1.3 438645 Bytes 12/3/2008 16:50:54
AEPACK.DLL : 8.1.3.4 393591 Bytes 12/3/2008 16:50:54
AEOFFICE.DLL : 8.1.0.30 196986 Bytes 12/3/2008 16:50:54
AEHEUR.DLL : 8.1.0.71 1487222 Bytes 12/3/2008 16:50:54
AEHELP.DLL : 8.1.2.0 119159 Bytes 12/3/2008 16:50:54
AEGEN.DLL : 8.1.1.6 323955 Bytes 12/3/2008 16:50:54
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 17:05:56
AECORE.DLL : 8.1.5.2 172405 Bytes 12/3/2008 16:50:54
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 17:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 12/3/2008 16:50:54
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Wednesday, December 03, 2008 13:43

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'lxbkbmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'lxbkbmgr.exe' - '1' Module(s) have been scanned
Scan process 'soundman.exe' - '1' Module(s) have been scanned
Scan process 'readericon45G.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PRISMXL.SYS' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
31 processes with 31 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD2
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '61' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Program Files\Ringz Studio\Storm Codec\Stormser.exe
[DETECTION] Is the TR/FwBypass.A.14 Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\~.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\My Documents\dad\4363abc\Codecs\AVICodecPackPlus210.exe.vir
[DETECTION] Contains recognition pattern of the DR/Webdir.B.4 dropper
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\My Documents\programs\applications\Codecs\AVICodecPackPlus210.exe.vir
[DETECTION] Contains recognition pattern of the DR/Webdir.B.4 dropper
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\My Documents\programs\Codecs\AVICodecPackPlus210.exe.vir
[DETECTION] Contains recognition pattern of the DR/Webdir.B.4 dropper
[WARNING] The file was ignored!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP195\A0044566.dll
[DETECTION] Is the TR/BHO.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP197\A0044857.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP197\A0044858.exe
[DETECTION] Is the TR/Agent.26624.37 Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP197\A0044860.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP197\A0044869.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP198\A0045011.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file was ignored!
Begin scan in 'D:\' <RECOVERY>


End of the scan: Wednesday, December 03, 2008 14:30
Used time: 46:32 Minute(s)

The scan has been done completely.

6344 Scanning directories
567006 Files were scanned
11 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
566993 Files not concerned
13993 Archives were scanned
17 Warnings
0 Notes


********************************************************
HijackThis log
********************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:35 PM, on 12/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O24 - Desktop Component 0: (no name) - http://www.hollisterco.com/hol/image...ringbettys.jpg

--
End of file - 5285 bytes