Tech Support Forum > Security Center > HijackThis Log Help
Old 05-03-2008, 11:25 AM   #1 (permalink)
Registered User
 
Join Date: May 2008
Posts: 11
OS: Vista


Computer problems.

Old thread:
Quote:
Well, on the rare occasion I let someone use my laptop, I finally allowed some of my friends to mess around with it while I wasn't on it. Well, this will be the last time. They were on limewire and downloaded a video, which called for a codec I'm assuming, of course they downloaded it and it downloaded shitloads of viruses on my computer.

Random IE pages are opening to random sites.
There is a folder named "!" in my pc with over 1900 videos in it of porn and other items.
There are several things in my startup that continuously try to start if I reject them from starting with Spybot.

I've scanned it umpteen times, used hijack to make them stop starting, they still come back. IE pages won't stop coming up, my computer is basically a hell hole right now and I'm not very pleased. Sometimes when I scan it, they come up, sometimes they don't. I've scanned in safe mode, used several online scanners, used AVG, Avast, Spybot, and god only knows what else. I just don't know what to do.

- Sorry if this is the wrong forum.

Edit:// Also, lately apple products have been installing themselves on my pc as well. I have itunes out of my own will, but I don't want Safari and Bonjour?
Deckard's System Scanner v20071014.68
Run by Gage on 2008-05-03 13:37:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
5: 2008-05-03 01:59:55 UTC - RP313 - Windows Update
4: 2008-05-02 01:20:06 UTC - RP312 - Removed Bonjour
3: 2008-05-01 16:56:25 UTC - RP311 - Scheduled Checkpoint
2: 2008-05-01 00:13:52 UTC - RP310 - Installed AVG Free 8.0
1: 2008-04-30 23:14:26 UTC - RP309 - Removed Windows Media Player Firefox Plugin


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 1022 MiB (1024 MiB recommended).


-- HijackThis (run as Gage.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:26 PM, on 5/3/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\Gage\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Gage.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\Windows\is-B3N1J.exe" /REG
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 4655 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080502-192819-111 O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
backup-20080502-192819-112 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
backup-20080502-192819-194 O1 - Hosts: ::1 localhost
backup-20080502-192819-241 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
backup-20080502-192819-297 O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab
backup-20080502-192819-340 O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
backup-20080502-192819-417 O4 - HKCU\..\Run: [e03f537a] rundll32.exe "C:\Users\Gage\AppData\Local\Temp\uyjjuykc.dll",b
backup-20080502-192819-436 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080502-192819-504 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
backup-20080502-192819-622 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
backup-20080502-192819-623 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
backup-20080502-192819-747 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
backup-20080502-192819-750 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...s=PTB&M=CX210X
backup-20080502-192819-752 O4 - HKCU\..\Run: [BMe30c60e6] Rundll32.exe "C:\Users\Gage\AppData\Local\Temp\orbksebd.dll",s
backup-20080502-192819-757 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
backup-20080502-192819-763 O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Gage\AppData\Local\Temp\wvUljGxY.dll,c
backup-20080502-192819-765 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20080502-192819-774 O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll (file missing)
backup-20080502-192819-799 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
backup-20080502-192819-842 O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
backup-20080502-192819-889 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
backup-20080502-192819-945 O13 - Gopher Prefix:
backup-20080502-192819-985 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
backup-20080502-192821-284 O20 - AppInit_DLLs: avgrsstx.dll
backup-20080502-192957-361 O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 STacSV (SigmaTel Audio Service) - c:\program files\sigmatel\c-major audio\wdm\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>

S4 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Intel(R) PRO/1000 PL Network Connection
Device ID: PCI\VEN_8086&DEV_109A&SUBSYS_0281107B&REV_00\4&3B8423CB&0&00E0
Manufacturer: Intel
Name: Intel(R) PRO/1000 PL Network Connection
PNP Device ID: PCI\VEN_8086&DEV_109A&SUBSYS_0281107B&REV_00\4&3B8423CB&0&00E0
Service: e1express


-- Scheduled Tasks -------------------------------------------------------------

2008-04-30 18:00:25 406 --a------ C:\Windows\Tasks\Norton Security Scan.job


-- Files created between 2008-04-03 and 2008-05-03 -----------------------------

2008-05-02 19:57:58 0 d-a------ C:\Users\All Users\TEMP
2008-05-02 19:57:48 680960 --a------ C:\Windows\is-B3N1J.exe
2008-05-02 19:57:46 118784 --a------ C:\Windows\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-05-02 19:57:46 0 d-------- C:\Program Files\SpywareBlaster
2008-05-02 19:54:44 0 d-------- C:\ie-spyad_zo
2008-05-02 19:53:36 0 d-------- C:\Program Files\Panda Security
2008-05-02 19:26:15 0 d-------- C:\Program Files\Trend Micro
2008-05-02 18:56:48 0 d-------- C:\Program Files\PCPitstop
2008-04-30 17:21:28 0 d--h----- C:\$AVG8.VAULT$
2008-04-30 17:17:07 0 d-------- C:\Windows\system32\drivers\Avg
2008-04-30 17:16:04 0 d-------- C:\Program Files\AVG
2008-04-30 17:16:03 0 d-------- C:\Users\All Users\avg8
2008-04-29 23:00:35 0 d-------- C:\Users\Gage\Incomplete
2008-04-29 22:56:24 86144 --a------ C:\Windows\system32\drivers\kbdclasss.sys
2008-04-29 22:56:18 0 d-------- C:\Windows\system32\vb1
2008-04-29 22:56:18 0 d-------- C:\Windows\system32\swTMP
2008-04-29 22:56:18 0 d-------- C:\Windows\system32\kn3
2008-04-29 22:56:14 0 d-------- C:\Windows\system32\pnVes05
2008-04-26 20:33:00 0 d-------- C:\Program Files\iPod
2008-04-26 20:28:46 0 d-------- C:\Program Files\QuickTime
2008-04-26 20:23:09 0 d-------- C:\Program Files\Apple Software Update
2008-04-24 22:09:25 0 d-------- C:\Program Files\Final Fantasy VII
2008-04-19 14:33:09 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-04-19 14:32:58 0 d-------- C:\Program Files\DivX
2008-04-19 14:27:57 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-19 14:27:32 0 d-------- C:\Program Files\Veoh Networks
2008-04-19 14:26:26 0 d-------- C:\Program Files\Real
2008-04-19 14:25:41 0 d-------- C:\Program Files\Common Files\Real
2008-04-19 14:24:01 0 d-------- C:\Windows\Downloaded Installations
2008-04-18 23:25:08 0 d-------- C:\Program Files\uTorrent


-- Find3M Report ---------------------------------------------------------------

2008-05-02 19:02:11 0 d-------- C:\Program Files\Common Files
2008-04-30 18:19:37 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-30 18:00:06 0 d-------- C:\Program Files\Norton Security Scan
2008-04-30 16:57:39 0 d-------- C:\Users\Gage\AppData\Roaming\SiteAdvisor
2008-04-29 23:07:33 0 d-------- C:\Users\Gage\AppData\Roaming\LimeWire
2008-04-29 22:57:30 0 d-------- C:\Users\Gage\AppData\Roaming\FrostWire
2008-04-27 03:41:12 0 d-------- C:\Users\Gage\AppData\Roaming\uTorrent
2008-04-26 20:57:29 0 d-------- C:\Program Files\World of Warcraft
2008-04-26 20:33:08 0 d-------- C:\Program Files\iTunes
2008-04-19 14:33:32 0 d-------- C:\Users\Gage\AppData\Roaming\DivX
2008-04-19 14:31:20 0 d-------- C:\Users\Gage\AppData\Roaming\Real
2008-04-19 14:29:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-12 17:02:38 720 --a------ C:\Users\Gage\AppData\Roaming\wklnhst.dat
2008-04-09 03:14:37 0 d-------- C:\Program Files\Windows Mail
2008-03-31 14:25:48 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 14:25:48 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 14:25:46 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 14:25:46 831488 --a------ C:\Windows\system32\divx_xx0a.dll
2008-03-31 14:25:46 682496 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-24 22:52:35 0 d-------- C:\Program Files\Bonjour
2008-03-24 21:59:02 0 d-------- C:\Program Files\Windows Live
2008-03-24 20:37:08 0 d-------- C:\Users\Gage\AppData\Roaming\Apple Computer
2008-03-24 20:08:07 0 -rahs---- C:\MSDOS.SYS
2008-03-24 20:08:07 0 -rahs---- C:\IO.SYS
2008-03-23 02:38:31 0 d-------- C:\Program Files\LimeWire
2008-03-21 13:30:08 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-03-21 13:28:54 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 13:28:54 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 13:28:20 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll
2008-02-12 16:07:40 1276 --a------ C:\Windows\eReg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
04/30/2008 05:17 PM 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [04/30/2008 05:17 PM 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [01/17/2007 12:24 PM]
"MSConfig"="C:\Windows\system32\msconfig.exe" [11/02/2006 02:45 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [04/30/2008 05:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"InnoSetupRegFile.0000000001"="C:\Windows\is-B3N1J.exe" /REG

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Gage^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Users\Gage\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\Windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\auditadmin]
C:\windows\options\auditadmin.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigFix]
c:\program files\Bigfix\bigfix.exe /atstartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMe30c60e6]
Rundll32.exe "C:\Users\Gage\AppData\Local\Temp\orbksebd.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
rundll32.exe C:\Users\Gage\AppData\Local\Temp\wvUljGxY.dll,c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e03f537a]
rundll32.exe "C:\Users\Gage\AppData\Local\Temp\uyjjuykc.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
"C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe /systray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
%windir%\WindowsMobile\wmdSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{371442b0-8a8c-11dc-afbd-00e0b8b09dc6}]
AutoRun\command- G:\LaunchU3.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

8324 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-03 13:41:05 ------------
Attached Files
File Type: txt extra.txt (12.8 KB, 2 views)
File Type: txt ActiveScan.txt (5.0 KB, 2 views)

Last edited by Gage : 05-03-2008 at 11:47 AM. Reason: done wrong
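A triage pass over the HijackThis entries above, written here as an added example in Python; it is not code from the original post, from HijackThis or from Deckard's System Scanner. It parses O4 (Run-key) and O2 (BHO) lines and flags the pattern that keeps reappearing in Gage's "Fixed Entries" list: rundll32 loading a randomly named DLL from the user's Temp directory through a one-letter entry point, plus BHO registrations whose file is missing. The sample lines are copied from the log above (two legitimate Run entries are included for contrast); the regexes and the two heuristics are my own assumptions about the log format, not HijackThis rules, and a hit means "review this entry", not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: O4/O2 lines copied from the HijackThis log and "Fixed Entries"
# list in the post above (two legitimate Run entries included for contrast).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [e03f537a] rundll32.exe "C:\Users\Gage\AppData\Local\Temp\uyjjuykc.dll",b
O4 - HKCU\..\Run: [BMe30c60e6] Rundll32.exe "C:\Users\Gage\AppData\Local\Temp\orbksebd.dll",s
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Gage\AppData\Local\Temp\wvUljGxY.dll,c
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
"""

# Line shapes this example understands. The regexes are my own assumption about
# the HijackThis format, derived from the lines above, not from the tool itself.
O4_RE = re.compile(
    r'^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O2_RE = re.compile(
    r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
# rundll32 <dll>,<export>: the DLL may or may not be quoted.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\w+)', re.IGNORECASE)
# Any path component named Temp (covers \AppData\Local\Temp\ and \Windows\Temp\).
TEMP_DIR_RE = re.compile(r'\\temp\\', re.IGNORECASE)


@dataclass
class Finding:
    entry: str           # the original log line
    reasons: List[str]   # why it was flagged (heuristic, not a verdict)


def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious O4/O2 line, or None if nothing stands out."""
    line = line.strip()
    reasons: List[str] = []

    m = O4_RE.match(line)
    if m:
        r = RUNDLL_RE.search(m.group('cmd'))
        if r:
            dll, export = r.group('dll'), r.group('export')
            # Heuristic 1: a Run entry that asks rundll32 to load code from a temp
            # directory. Installed software lives in Program Files or System32.
            if TEMP_DIR_RE.search(dll):
                reasons.append(f"[{m.group('name')}] rundll32 loads a DLL from a temp directory: {dll}")
            # Heuristic 2: legitimate rundll32 calls name a real export
            # (ShowWelcomeCenter); a single-letter entry point is a common
            # sign of a dropped DLL with minimal exports.
            if len(export) == 1:
                reasons.append(f"[{m.group('name')}] rundll32 entry point is a single letter ({export!r})")
        return Finding(line, reasons) if reasons else None

    m = O2_RE.match(line)
    if m:
        path = m.group('path')
        # Orphaned BHO registrations: the CLSID is still registered but the DLL
        # is gone, typically left behind after a partial removal.
        if path.endswith('(no file)') or path.endswith('(file missing)'):
            reasons.append(f"orphaned BHO registration {m.group('clsid')}: {path}")
        return Finding(line, reasons) if reasons else None

    return None


def analyze_log(text: str) -> List[Finding]:
    """Run analyze_line over every line of a HijackThis log."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f is not None]


if __name__ == '__main__':
    for finding in analyze_log(SAMPLE_LOG):
        print(finding.entry)
        for reason in finding.reasons:
            print('    ->', reason)
```

On the sample above this flags the three Temp-directory rundll32 entries (each on both heuristics) and the missing-file BAE.dll BHO, while the SiteAdvisor, AVG, Spybot and WindowsWelcomeCenter entries pass. The useful follow-up for a defender is exactly what the thread's analyst does next: treat a Run entry that returns after deletion as evidence of a still-running component re-creating it, and collect a fresh log after each removal round rather than trusting one clean scan.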
Old 05-04-2008, 06:42 PM   #2 (permalink)
Registered User
 
Join Date: May 2008
Posts: 11
OS: Vista


Re: Panda scan thing.

I redid it the right way, sorry for the last post.
Old 05-09-2008, 09:02 PM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 19,084
OS: WinXP and Vista


Re: Panda scan thing.

Hello Gage and welcome,

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider, donating

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 05-09-2008, 11:03 PM   #4 (permalink)
Registered User
 
Join Date: May 2008
Posts: 11
OS: Vista


Re: Panda scan thing.

I can't seem to figure out how to work that, I read the instructions.
> I have Vista
Old 05-09-2008, 11:06 PM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 19,084
OS: WinXP and Vista


Re: Panda scan thing.

My apologies, Gage.

For you, simply download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

Link 1
Link 2


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you are unsure how to do this, please see this link http://www.bleepingcomputer.com/forums/topic114351.html

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
Old 05-12-2008, 03:14 PM   #6 (permalink)
Registered User
 
Join Date: May 2008
Posts: 11
OS: Vista


Re: Panda scan thing.

Here are the logs.

ComboFix 08-05-09.1 - Gage 2008-05-12 15:44:47.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.477 [GMT -7:00]
Running from: C:\Users\Gage\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\pac.txt
D:\Autorun.inf
C:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-12 08:01 . 2008-05-12 08:02 <DIR> d-------- C:\Users\Gage\AppData\Roaming\U3
2008-05-09 20:28 . 2008-05-09 20:29 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-05-09 20:28 . 2008-05-09 20:29 <DIR> d-------- C:\ProgramData\Lavasoft
2008-05-09 20:28 . 2008-05-09 20:28 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-09 20:27 . 2008-05-09 20:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-09 20:05 . 2008-05-09 20:05 167,545 --------- C:\WINDOWS\System32\drivers\core.cache.dsk
2008-05-09 18:18 . 2008-05-09 18:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-09 18:18 . 2008-05-09 18:18 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-09 17:56 . 2008-05-09 17:56 <DIR> d-------- C:\Deckard
2008-05-07 03:28 . 2008-05-07 03:28 <DIR> d-------- C:\Program Files\Sophos
2008-05-05 21:27 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\System32\drivers\tmcomm.sys
2008-05-05 21:22 . 2008-05-09 12:36 <DIR> d-------- C:\WINDOWS\System32\HouseCall 6.6
2008-05-05 21:20 . 2008-05-05 21:20 <DIR> d-------- C:\WINDOWS\Sun
2008-05-05 21:15 . 2008-05-05 21:16 <DIR> d-------- C:\Users\Gage\.housecall6.6
2008-05-02 19:57 . 2008-05-12 12:24 <DIR> d-a------ C:\Users\All Users\TEMP
2008-05-02 19:57 . 2008-05-12 12:24 <DIR> d-a------ C:\ProgramData\TEMP
2008-05-02 19:57 . 2008-05-03 13:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-02 19:57 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\System32\MSCOMCTL.OCX
2008-05-02 19:57 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\System32\MSSTDFMT.DLL
2008-05-02 19:53 . 2008-05-09 12:36 <DIR> d-------- C:\Program Files\Panda Security
2008-05-02 19:26 . 2008-05-02 19:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-02 18:56 . 2008-05-05 18:33 <DIR> d-------- C:\Program Files\PCPitstop
2008-04-30 17:21 . 2008-05-12 15:35 <DIR> d--h----- C:\$AVG8.VAULT$
2008-04-30 17:18 . 2008-04-30 17:18 67,080 --a------ C:\WINDOWS\System32\drivers\avgwfpx.sys
2008-04-30 17:18 . 2008-04-30 17:18 10,520 --a------ C:\WINDOWS\System32\avgrsstx.dll
2008-04-30 17:17 . 2008-05-12 15:33 <DIR> d-------- C:\WINDOWS\System32\drivers\Avg
2008-04-30 17:17 . 2008-04-30 17:17 96,520 --a------ C:\WINDOWS\System32\drivers\avgldx86.sys
2008-04-30 17:16 . 2008-04-30 17:16 <DIR> d-------- C:\Users\All Users\avg8
2008-04-30 17:16 . 2008-04-30 17:16 <DIR> d-------- C:\ProgramData\avg8
2008-04-30 17:16 . 2008-04-30 17:16 <DIR> d-------- C:\Program Files\AVG
2008-04-30 17:06 . 2008-04-30 17:18 524,288 --ahs---- C:\Users\YE8512~2{5f132cbf-170d-11dd-8bce-86c80d3c890e}.TMContainer00000000000000000002.regtrans-ms
2008-04-30 17:06 . 2008-04-30 17:18 524,288 --ahs---- C:\Users\YE8512~2{5f132cbf-170d-11dd-8bce-86c80d3c890e}.TMContainer00000000000000000001.regtrans-ms
2008-04-30 17:06 . 2008-04-30 17:18 65,536 --ahs---- C:\Users\YE8512~2{5f132cbf-170d-11dd-8bce-86c80d3c890e}.TM.blf
2008-04-30 17:06 . 2008-04-30 17:16 5,120 --ah----- C:\Users\YE8512~2.LOG1
2008-04-30 17:06 . 2008-04-30 17:06 0 --ah----- C:\Users\YE8512~2.LOG2
2008-04-30 16:30 . 2008-04-30 16:30 122,912,211 --a------ C:\WINDOWS\MEMORY.DMP
2008-04-30 07:25 . 2008-05-04 13:36 216 --a------ C:\WINDOWS\wininit.ini
2008-04-29 23:00 . 2008-05-12 02:26 <DIR> d-------- C:\Users\Gage\Incomplete
2008-04-29 22:56 . 2008-04-30 17:54 <DIR> d-------- C:\WINDOWS\System32\vb1
2008-04-29 22:56 . 2008-04-30 17:54 <DIR> d-------- C:\WINDOWS\System32\swTMP
2008-04-29 22:56 . 2008-04-30 17:54 <DIR> d-------- C:\WINDOWS\System32\pnVes05
2008-04-29 22:56 . 2008-04-30 17:54 <DIR> d-------- C:\WINDOWS\System32\kn3
2008-04-29 22:56 . 2008-04-29 22:56 86,144 --a------ C:\WINDOWS\System32\drivers\kbdclasss.sys
2008-04-26 20:33 . 2008-04-26 20:33 <DIR> d-------- C:\Program Files\iPod
2008-04-26 20:28 . 2008-04-26 20:29 <DIR> d-------- C:\Program Files\QuickTime
2008-04-26 20:23 . 2008-04-26 20:23 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-24 22:15 . 1998-07-17 13:36 140,800 --a------ C:\WINDOWS\System32\tm20dec.ax
2008-04-24 22:09 . 2008-04-24 22:14 <DIR> d-------- C:\Program Files\Final Fantasy VII
2008-04-21 01:24 . 2008-04-22 03:57 524,288 --ahs---- C:\Users\Public\NTUSER.DAT{cf3eac24-0f7a-11dd-a1a3-a4de73fa263e}.TMContainer00000000000000000002.regtrans-ms
2008-04-21 01:24 . 2008-04-22 03:57 524,288 --ahs---- C:\Users\Public\NTUSER.DAT{cf3eac24-0f7a-11dd-a1a3-a4de73fa263e}.TMContainer00000000000000000001.regtrans-ms
2008-04-21 01:24 . 2008-04-22 03:57 65,536 --ahs---- C:\Users\Public\NTUSER.DAT{cf3eac24-0f7a-11dd-a1a3-a4de73fa263e}.TM.blf
2008-04-19 14:33 . 2008-04-19 14:33 <DIR> d-------- C:\Users\Gage\AppData\Roaming\DivX
2008-04-19 14:33 . 2008-05-05 18:24 <DIR> d-------- C:\Program Files\Common Files\PX Storage Engine
2008-04-19 14:32 . 2008-05-05 18:25 <DIR> d-------- C:\Program Files\DivX
2008-04-19 14:27 . 2008-04-19 14:27 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-19 14:26 . 2008-04-19 14:26 <DIR> d-------- C:\Program Files\Real
2008-04-19 14:25 . 2008-04-19 14:27 <DIR> d-------- C:\Program Files\Common Files\Real
2008-04-19 14:24 . 2008-05-05 18:30 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-13 01:19 . 2008-04-13 01:19 524,288 --ahs---- C:\Users\Public\NTUSER.DAT{e7971532-0787-11dd-82f6-82f1f9634545}.TMContainer00000000000000000002.regtrans-ms
2008-04-13 01:19 . 2008-04-13 01:19 524,288 --ahs---- C:\Users\Public\NTUSER.DAT{e7971532-0787-11dd-82f6-82f1f9634545}.TMContainer00000000000000000001.regtrans-ms
2008-04-13 01:19 . 2008-04-13 01:19 65,536 --ahs---- C:\Users\Public\NTUSER.DAT{e7971532-0787-11dd-82f6-82f1f9634545}.TM.blf
2008-04-13 01:19 . 2008-05-12 15:44 5,120 --ah----- C:\Users\Public\NTUSER.DAT.LOG1
2008-04-13 01:19 . 2008-04-13 01:19 0 --ah----- C:\Users\Public\NTUSER.DAT.LOG2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 09:08 --------- d-----w C:\Users\Gage\AppData\Roaming\LimeWire
2008-05-12 01:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-05-09 16:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-09 15:14 1,490 ----a-w C:\Users\Gage\AppData\Roaming\wklnhst.dat
2008-05-06 01:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-30 23:57 --------- d-----w C:\Users\Gage\AppData\Roaming\SiteAdvisor
2008-04-30 05:57 --------- d-----w C:\Users\Gage\AppData\Roaming\FrostWire
2008-04-27 03:57 --------- d-----w C:\Program Files\World of Warcraft
2008-04-27 03:33 --------- d-----w C:\Program Files\iTunes
2008-04-21 08:31 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-04-21 08:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-15 00:00 --------- d-----w C:\ProgramData\McAfee
2008-04-09 10:14 --------- d-----w C:\Program Files\Windows Mail
2008-03-25 04:59 --------- d-----w C:\Program Files\Windows Live
2008-03-25 03:37 --------- d-----w C:\Users\Gage\AppData\Roaming\Apple Computer
2008-03-23 09:38 --------- d-----w C:\Program Files\LimeWire
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-13 11:25 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 11:25 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 11:25 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-13 11:25 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 11:25 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2007-10-18 12:39 174 --sha-w C:\Program Files\desktop.ini
2007-10-21 21:32 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-10-21 21:32 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-10-21 21:32 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-04-30 17:17 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-04-30 17:17 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-04-30 17:17 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 05:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-01-17 12:24 36904]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 02:45 222208]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-30 17:16 1177368]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-19 14:25 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\startupfolder\C:^Users^Gage^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Users\Gage\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\Windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\auditadmin]
--a------ 2007-04-05 02:58 476 C:\windows\options\auditadmin.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigFix]
--a------ 2006-11-16 16:04 2348584 c:\program files\Bigfix\bigfix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMe30c60e6]
C:\Users\Gage\AppData\Local\Temp\orbksebd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
C:\Users\Gage\AppData\Local\Temp\wvUljGxY.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e03f537a]
C:\Users\Gage\AppData\Local\Temp\uyjjuykc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2006-09-29 12:39 151552 C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2007-01-16 23:34 634880 C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-11-16 23:58 815104 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-19 14:25 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-10-18 03:21 1006264 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
%windir%\WindowsMobile\wmdSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-11-02 05:36 201728 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6D0008A6-DD72-4AFF-94CF-98244F9E4905}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{C294EFF0-6DED-4C77-862E-3637ACBF0A71}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{F6606025-9CE1-4CA6-80C4-E424E8EFB246}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{ED589A18-3E99-4C5E-B95E-5491D1F215E0}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{DE75DD10-BA46-45BC-AD6B-30EBFC6FD9BC}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{FE6320B4-B9D3-4E27-B24F-687E233D159F}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{083589D0-3888-406E-A082-A7BB4787379C}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3F67DFE1-547E-4F10-965F-A18087816018}"= UDP:C:\Program Files\Grisoft\AVG7\avginet.exe:avginet.exe
"{60E04715-8134-46BA-87B4-901539BE3861}"= TCP:C:\Program Files\Grisoft\AVG7\avginet.exe:avginet.exe
"{EF09AA87-F7EA-4EB5-8F05-A19AA2C19D2A}"= UDP:C:\Program Files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{1D176B26-42FB-4085-B2B4-23302A889FF1}"= TCP:C:\Program Files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{03E9521E-4028-4B2A-A91D-DD4FAEBC338F}"= UDP:C:\Program Files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{1A97CD5E-BECD-424C-AF92-F5136B3BE1DF}"= TCP:C:\Program Files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{58DDE06D-BF0B-4D21-8C9E-318AD2567EE3}"= UDP:C:\Program Files\Grisoft\AVG7\avgemc.exe:avgemc.exe
"{4688675D-D04A-40A5-AAC9-D9345B8964E0}"= TCP:C:\Program Files\Grisoft\AVG7\avgemc.exe:avgemc.exe
"{7B6323B1-C3FB-4EFA-B665-65DB4929D345}"= UDP:C:\Program Files\dogproxy2\DogProxy2.exe:DogProxy II
"{F6BE57FE-841B-4271-8194-A52C2B9190DC}"= TCP:C:\Program Files\dogproxy2\DogProxy2.exe:DogProxy II
"{0194A105-C084-4D24-8CAA-FC2E10C19996}"= UDP:C:\Program Files\Furcadia\Furcadia.exe:Play Furcadia!
"{064BD59D-FC42-4E23-9145-0883DE6C9748}"= TCP:C:\Program Files\Furcadia\Furcadia.exe:Play Furcadia!
"TCP Query User{4D09A5C3-809D-450A-91ED-3BCF39E5DD72}C:\\program files\\aim6\\aim6.exe"= UDP:C:\program files\aim6\aim6.exe:AIM
"UDP Query User{6D922878-4C40-467A-8978-F5433D44458C}C:\\program files\\aim6\\aim6.exe"= TCP:C:\program files\aim6\aim6.exe:AIM
"TCP Query User{3A7BBD14-3B48-44CB-A347-459C4D88A302}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{E567B99E-3DC4-43D9-A361-53990C6B1A74}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{F56D9F76-EB5A-4D3B-93FD-EB4721F9761E}C:\\program files\\pawproxy\\pawproxy.exe"= UDP:C:\program files\pawproxy\pawproxy.exe:PawProxy
"UDP Query User{AA82186F-5CC4-41A3-84C0-42722D2519E8}C:\\program files\\pawproxy\\pawproxy.exe"= TCP:C:\program files\pawproxy\pawproxy.exe:PawProxy
"TCP Query User{F7304491-C70D-4298-A969-9011EE78C02D}C:\\users\\gage\\desktop\\oc.exe"= UDP:C:\users\gage\desktop\oc.exe:oc.exe
"UDP Query User{E8E1F1D2-2476-4A8A-9D55-30AAA9442301}C:\\users\\gage\\desktop\\oc.exe"= TCP:C:\users\gage\desktop\oc.exe:oc.exe
"{319A7D13-A514-402E-9A2E-FFD84FA343F7}"= UDP:990:LocalSubnet:LocalSubnet|IF={855C2ED5-DEA7-4CC1-9922-D0F4DAC90B04}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{598EDB21-4B40-4331-BAAD-0A95C6D8B36C}"= UDP:990:LocalSubnet:LocalSubnet|IF={855C2ED5-DEA7-4CC1-9922-D0F4DAC90B04}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{0DD55457-0CDB-417E-80D6-31297C74D72B}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{99CD4F78-2287-4335-85D0-50D059AFED3D}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{7BAD0B35-EF4C-4F9B-AAF7-A8D3386D8257}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{29FE7C25-B234-4487-ACA2-BD853249DA6A}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{BDD8F470-883C-466C-B4D8-344F26E80A42}C:\\users\\gage\\desktop\\meow proxy\\mreowproxy.exe"= UDP:C:\users\gage\desktop\meow proxy\mreowproxy.exe:mreowproxy.exe
"UDP Query User{3804F244-9F24-4850-A1DF-9277290456D9}C:\\users\\gage\\desktop\\meow proxy\\mreowproxy.exe"= TCP:C:\users\gage\desktop\meow proxy\mreowproxy.exe:mreowproxy.exe
"TCP Query User{DE6687A3-3A50-4938-B832-0252288B6352}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{D27E106B-F3EB-4AFC-A579-D05B7BEE85F0}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"{91CABEB9-7DE2-484D-A68E-5DEAB88720BE}"= UDP:C:\Users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-2.3.0.7561-to-2.3.2.7741-enUS-downloader.exe:Blizzard Downloader
"{1CE313F9-BFA3-43D4-A2CD-1CC2E11C07AE}"= TCP:C:\Users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-2.3.0.7561-to-2.3.2.7741-enUS-downloader.exe:Blizzard Downloader
"{AC9BF2B1-946E-47B8-B588-48FC27F652C4}"= UDP:3724:Blizzard Downloader: 3724
"TCP Query User{82472FD7-E982-4A55-A40A-93E6370A35CD}C:\\program files\\aim\\aim.exe"= UDP:C:\program files\aim\aim.exe:AOL Instant Messenger
"UDP Query User{71484B72-2BCE-4670-9FE4-4DFCFF9E47F5}C:\\program files\\aim\\aim.exe"= TCP:C:\program files\aim\aim.exe:AOL Instant Messenger
"{3303EDDD-A472-4D50-8F61-AC2ABC34E1F1}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{D6A48609-8BB6-4129-AD25-78177C3035E0}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{52C11598-3A25-4D76-88DF-D506F4412647}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{C3E7A46F-DEA6-4EC0-81DD-890087071F8C}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{9939B334-9189-4A4C-BE63-8F6F28A88DDB}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{9059AA53-22D1-4D4B-B9C2-40B07EF51184}C:\\program files\\aim\\aim.exe"= UDP:C:\program files\aim\aim.exe:AOL Instant Messenger
"UDP Query User{FD651106-C4D2-4DDB-93C3-52C473B74D4F}C:\\program files\\aim\\aim.exe"= TCP:C:\program files\aim\aim.exe:AOL Instant Messenger
"TCP Query User{9856FB83-C6CA-4177-92AD-A8AE5F7060E8}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{73CE938C-BAE7-462C-9C95-D2E98974A13D}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"{35585E42-272B-40B0-80B3-E53A93EE40F6}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{C9020F40-34E6-4D08-845D-4EF5F278A2F9}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{3739F9DD-6FFC-41DA-BC96-EC0AC71A8DDF}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"TCP Query User{0D2FD912-A8D8-4FE7-B23B-1497B2948F96}C:\\users\\gage\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\y5r0c4b8\\housecall66[1].exe"= UDP:C:\users\gage\appdata\local\microsoft\windows\temporary internet files\content.ie5\y5r0c4b8\housecall66[1].exe:housecall66[1].exe
"UDP Query User{DC1941BB-8CC9-4843-B8D8-24E128A8F0FD}C:\\users\\gage\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\y5r0c4b8\\housecall66[1].exe"= TCP:C:\users\gage\appdata\local\microsoft\windows\temporary internet files\content.ie5\y5r0c4b8\housecall66[1].exe:housecall66[1].exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-04-30 17:17]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-04-30 17:16]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-30 17:16]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 02:45]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 02:45]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-03-28 11:01]
R3 AvgWfpX;AVG8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-04-30 17:18]
R3 FinePnt;FinePoint Innovations HID Driver;C:\Windows\system32\DRIVERS\FpHidDrv.sys [2006-10-29 21:17]
R3 MSTabBtn;Quanta Computer Tablet PC Buttons HID Driver;C:\Windows\system32\DRIVERS\mstabbtn.sys [2006-11-13 20:02]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 00:30]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-03-28 11:01]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a8e5de9-1c46-11dd-ae01-0019d2d0cfed}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{371442b0-8a8c-11dc-afbd-00e0b8b09dc6}]
\shell\AutoRun\command - G:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 01:00:26 C:\Windows\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 15:52:13
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
-> ?:\Windows\system32\SXS.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\audiodg.exe
C:\WINDOWS\System32\wisptis.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\wisptis.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
.
**************************************************************************
.
Completion time: 2008-05-12 15:57:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-12 22:57:24

Pre-Run: 24,035,553,280 bytes free
Post-Run: 24,127,131,648 bytes free

308 --- E O F --- 2008-05-06 2323



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:58 PM, on 5/12/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\explorer.exe
C:\Users\Gage\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Gage.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 4602 bytes
Attached Files
File Type: txt log 1.txt (25.5 KB, 2 views)
File Type: txt hijackthis.txt (4.5 KB, 1 views)

Last edited by Ried : 05-12-2008 at 09:47 PM.
Old 05-12-2008, 10:12 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 19,084
OS: WinXP and Vista


Re: Panda scan thing.

Hi Gage,


Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\System32\drivers\kbdclasss.sys
C:\WINDOWS\System32\drivers\core.cache.dsk

Folder::
C:\WINDOWS\System32\vb1
C:\WINDOWS\System32\swTMP
C:\WINDOWS\System32\pnVes05
C:\WINDOWS\System32\kn3


Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMe30c60e6]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e03f537a]
Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


--------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with HijackThis and save the log.

---------------------------------------------------------------

Please include the following in your next reply: **Please copy/paste directly into the reply box--do not attach unless requested to do so.


C:\ComboFix.txt
Kaspersky results
New HijackThis log
Update on system behavior
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider, donating

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried : 05-12-2008 at 10:15 PM.
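The three startupreg entries Ried's CFScript deletes (BMe30c60e6, cmds, e03f537a) share one pattern in the ComboFix log above: each is a DLL sitting in the user's Temp folder, registered under a value name that looks generated, with no file details recorded. The following Python script is an added example, not part of the thread and not ComboFix's own tooling; it parses the `[...\msconfig\startupreg\NAME]` blocks in the "Reg Loading Points" section and scores them the way an analyst reads them. The scoring thresholds and the random-name heuristic are my assumptions, and the sample log text is constructed from entries copied out of the posted log.

```python
"""Triage helper for the 'startupreg' entries in a ComboFix log.

Added example, not part of the forum thread or of ComboFix itself. It parses
the [...\\msconfig\\startupreg\\NAME] blocks and scores each startup target the
way an analyst reads the log: a DLL loading from a user's Temp folder under a
random-looking value name is the pattern the reply above removes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape ComboFix prints; the entries are copied from
# the log posted above, so the paths are the thread's own.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMe30c60e6]
C:\Users\Gage\AppData\Local\Temp\orbksebd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
C:\Users\Gage\AppData\Local\Temp\wvUljGxY.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e03f537a]
C:\Users\Gage\AppData\Local\Temp\uyjjuykc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

HEADER_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig"
    r"\\startupreg\\([^\]]+)\]$",
    re.IGNORECASE,
)
# "--a------ 2006-08-01 15:35 67112 C:\path" : attributes, mtime, size, path.
DETAIL_RE = re.compile(
    r"^([-a-z]{9})\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+(.+)$", re.IGNORECASE
)
TEMP_DIR_RE = re.compile(r"\\(Temp|Temporary Internet Files)\\", re.IGNORECASE)
# Value names mixing letters and digits with no spaces or underscores, like
# the BMe30c60e6 / e03f537a names in the log. This is an assumed heuristic,
# not a rule: legitimate products occasionally use such names too.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{6,12}$", re.IGNORECASE)


@dataclass
class StartupEntry:
    name: str
    path: str
    size: Optional[int] = None   # None when ComboFix printed only the path
    mtime: Optional[str] = None


def parse_startupreg(text: str) -> List[StartupEntry]:
    """Return one StartupEntry per startupreg block found in the log text."""
    entries: List[StartupEntry] = []
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line)
        if not m or i + 1 >= len(lines):
            continue
        detail = lines[i + 1]
        d = DETAIL_RE.match(detail)
        if d:
            entries.append(StartupEntry(m.group(1), d.group(4), int(d.group(3)), d.group(2)))
        elif detail and not detail.startswith("["):
            # Path only: ComboFix found no file details (missing or hidden file).
            entries.append(StartupEntry(m.group(1), detail))
    return entries


def triage_reasons(entry: StartupEntry) -> List[str]:
    """Reasons an analyst would look twice at this entry (empty if none)."""
    reasons = []
    if TEMP_DIR_RE.search(entry.path):
        reasons.append("target lives in a temporary directory")
    if entry.path.lower().endswith(".dll"):
        reasons.append("startup target is a DLL, not a program")
    if RANDOM_NAME_RE.match(entry.name):
        reasons.append("random-looking value name")
    return reasons


def flagged_entries(text: str) -> List[StartupEntry]:
    """Entries with at least two independent reasons (threshold is an assumption).

    A path-only line by itself (AVG7_CC above, an uninstalled product) is not
    enough on its own, which keeps ordinary leftovers out of the list.
    """
    return [e for e in parse_startupreg(text) if len(triage_reasons(e)) >= 2]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.name:<18} {e.path}")
        for r in triage_reasons(e):
            print(f"    - {r}")
```

Run against the sample, the script lists exactly the three entries the CFScript removes and leaves AIM, AVG7_CC and TeaTimer alone. The point of requiring two independent signals is to avoid false positives: a missing file or a DLL target on its own is common on a healthy machine, and the Temp-folder location is what carries most of the weight here.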
Old 05-13-2008, 01:01 PM   #