Tech Support Forum banner
Status
Not open for further replies.
1 - 2 of 2 Posts

·
Registered
Joined
·
7 Posts
Discussion Starter · #1 ·
This started about 3 days ago. I'm pretty sure it came from a link I clicked. My biggest problem is that I can't visit a lot of sites. In fact some sites I was able to visit a day ago I can no longer load. Seems like something is actually logging the sites I go to and blocking me from getting there perhaps? Ex: I can load google.com, but I can't do a search. I can load some sites if I type in the URL, but a lot of sites stopped working for me, such as facebook and several forums I frequent.

I was getting swarmed by anti-virus pop-ups for awhile but adaware took care of that. Other symptoms are my computers performance has severely decreased and every so often a new tab will open in my browser and load an ad. Last thing is, I left my computer when I went out to eat, when I came back all my icons were defaced and I had to restart to fix it. Later that day my desktop completely disappeared and I had to restart again.

I was unable to disinfect with PandaScan because the disinfect button was italicized and contradicted Step 3 by saying you can only disinfect if you buy. Again, the disinfect button was unclickable. Here are my logs:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-06-01 15:00:50
PROTECTIONS: 0
MALWARE: 31
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][2].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][3].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][3].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][1].txt
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.com.com/]
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.yadro.ru/]
00167724 Cookie/HotLog TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.hotlog.ru/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.burstnet.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.burstnet.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.bs.serving-sys.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][3].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.ads.pointroll.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.overture.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][3].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][1].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][2].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][2].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][2].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Cookies\[email protected][2].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\otgk5g7q.default\cookies.txt[.ads.addynamix.com/]
02974980 Spyware/Virtumonde Spyware Yes 2 Yes No C:\WINDOWS\SYSTEM32\LJJDUNNE.DLL
02985424 Application/AdvancedXPFixer HackTools No 0 No No C:\Documents and Settings\Allen\Local Settings\Temp\.tt68.tmp[AXPFixer.exe]
02985424 Application/AdvancedXPFixer HackTools No 0 No No C:\Documents and Settings\Allen\Local Settings\Temp\.tt157.tmp[AXPFixer.exe]
02990293 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\Allen\Local Settings\Temporary Internet Files\Content.IE5\M9FS9GRQ\kb713501[1]
02990293 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\mvskhbsa.exe
02990293 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\aiatbhtk.exe
02990293 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\ieenqhgs.exe
02990293 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\tpnmsaov.exe
02998276 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\llwbwtuj.dll
02998278 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\rlhkwcwm.dll
02998680 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{FFABCC24-8965-4F7C-BEEB-70AEDE6CFD34}\RP1\A0000052.dll
;===================================================================================================================================================================================
SUSPECTS
Sent Location 
;===================================================================================================================================================================================
No C:\WINDOWS\SYSTEM32\CPWIXEYU.DLL 
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 
;===================================================================================================================================================================================
;===================================================================================================================================================================================



Deckard's System Scanner v20071014.68
Run by Allen on 2008-06-01 16:17:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
10: 2008-06-01 21:17:56 UTC - RP10 - Deckard's System Scanner Restore Point
9: 2008-05-31 22:07:20 UTC - RP9 - Removed Venue InterLok Driver Kit
8: 2008-05-31 22:04:52 UTC - RP8 - Removed Sentinel Protection Installer 7.2.2
7: 2008-05-31 22:01:23 UTC - RP7 - Configured FreeAgent Pro Tools
6: 2008-05-31 22:00:40 UTC - RP6 - Removed Free Games Offer, Desktop Shortcut


-- First Restore Point --
1: 2008-05-28 22:47:53 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-01 16:22:38
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Allen\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.videoediting.ru/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6C23AB0C-0244-4B01-8253-BEE724D0D2EC} - C:\WINDOWS\system32\ljJDUnNe.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {736da073-3ae3-f208-e724-63c72992a7fd} - {df7a2992-7c36-427e-802f-3ea3370ad637} - C:\WINDOWS\system32\dncruagy.dll
O2 - BHO: (no name) - {EF675E93-DAAC-4FC3-B207-AF0CEEB1578D} - C:\WINDOWS\system32\qoMfdaXP.dll
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,[email protected]
O4 - HKLM\..\Run: [BM73490ed2] Rundll32.exe "C:\WINDOWS\system32\nhtfxprv.dll",s
O4 - HKLM\..\Run: [707a3d4e] rundll32.exe "C:\WINDOWS\system32\hhlpllfm.dll",b
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: PalTalk.lnk = ?
O8 - Extra context menu item: &Download all by WellGet - C:\Program Files\WellGet\nxall.htm
O8 - Extra context menu item: Download by &WellGet - C:\Program Files\WellGet\nxcatch.htm
O9 - Extra button: WellGet - {35980F6E-A258-4E50-953D-813BB8556899} - C:\Program Files\WellGet\WellGet.exe
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: ljJDUnNe - C:\WINDOWS\system32\ljJDUnNe.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: dlcx_device - Unknown owner - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 6523 bytes

-- File Associations -----------------------------------------------------------

.js - jsfile - DefaultIcon - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe",7
.js - jsfile - shell\open\command - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PenClass (Pen Class) - c:\windows\system32\drivers\penclass.sys <Not Verified; Wacom Technology Corporation; Wacom Pen Class Driver>
R2 DigiNet (Digidesign Ethernet Support) - c:\windows\system32\drivers\diginet.sys <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Pro Tools®>
R3 CLEDX (Team H2O CLEDX service) - c:\windows\system32\drivers\cledx.sys <Not Verified; Team H2O; CLEDX>
R3 cmuda3 (HDA Digital X-Mystique 7.1 PCI Audio Interface) - c:\windows\system32\drivers\cmuda3.sys <Not Verified; C-Media Inc; C-Media Audio Driver (WDM)>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S2 DS1410D - c:\windows\system32\drivers\ds1410d.sys (file missing)
S2 Nsynas32 - c:\windows\system32\drivers\nsynas32.sys <Not Verified; Syncrosoft Hard- und Software GmbH; Internet Protection Hardware Driver>
S3 AvidNitrisBase (Avid Nitris Base Driver) - c:\windows\system32\drivers\avidnitrisbase.sys <Not Verified; Avid Technology, Inc.; Avid Symphony Nitris>
S3 AvidNitrisCodec (Avid Nitris Codec Driver) - c:\windows\system32\drivers\avidnitriscodec.sys <Not Verified; Avid Technology, Inc.; Avid Symphony Nitris>
S3 Sntnlusb (Rainbow USB SuperPro) - c:\windows\system32\drivers\sntnlusb.sys <Not Verified; Rainbow Technologies Inc.; Rainbow Technologies USB Security Device Driver>
S3 USBAAPL (Apple Mobile USB Driver) - c:\windows\system32\drivers\usbaapl.sys (file missing)
S3 WUSB54GPV4SRV (Linksys Home Wireless-G USB Adaptor Driver) - c:\windows\system32\drivers\rt2500usb.sys <Not Verified; Ralink Technology Inc.; Ralink 802.11g Wireless USB Adapters>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 DigiRefresh (Digidesign MME Refresh Service) - c:\program files\digidesign\drivers\mmerefresh.exe -s <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Digidesign MME Binder>
R2 TabletService - c:\windows\system32\tablet.exe <Not Verified; Wacom Technology, Corp.; Wacom Win32 Tablet Service>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-01 and 2008-06-01 -----------------------------

2008-06-01 16:14:35 0 d-------- C:\2d90ee3022b62d358d581ba23e28a0d4
2008-06-01 16:00:32 114176 --a------ C:\WINDOWS\system32\hhlpllfm.dll
2008-06-01 15:57:32 2560 --a------ C:\WINDOWS\system32\mbnpiwqr.exe
2008-06-01 15:41:26 132096 --a------ C:\WINDOWS\system32\dncruagy.dll
2008-06-01 15:35:26 126464 --a------ C:\WINDOWS\system32\nhtfxprv.dll
2008-05-31 17:29:12 0 d-------- C:\WINDOWS\LastGood
2008-05-31 17:19:56 0 d-------- C:\Program Files\Panda Security
2008-05-31 16:41:31 114176 -----n--- C:\WINDOWS\system32\xxesfhlm.dll
2008-05-31 16:38:41 2560 --a------ C:\WINDOWS\system32\tpnmsaov.exe
2008-05-31 15:38:05 132096 --a------ C:\WINDOWS\system32\ygvgnjsx.dll
2008-05-31 15:34:56 126464 --a------ C:\WINDOWS\system32\utorafbv.dll
2008-05-30 15:43:25 115712 --a------ C:\WINDOWS\system32\cpwixeyu.dll
2008-05-30 15:40:25 2560 --a------ C:\WINDOWS\system32\ieenqhgs.exe
2008-05-30 15:34:25 134144 --a------ C:\WINDOWS\system32\bdrjdqag.dll
2008-05-30 15:31:56 253 --a------ C:\WINDOWS\system32\vkjdlnxc.dll
2008-05-29 14:02:15 132608 --a------ C:\WINDOWS\system32\toguynkr.dll
2008-05-29 13:59:24 2560 --a------ C:\WINDOWS\system32\aiatbhtk.exe
2008-05-29 13:59:15 126976 --a------ C:\WINDOWS\system32\iguxhnvt.dll
2008-05-29 00:41:35 0 d-------- C:\Documents and Settings\Allen\Application Data\Paltalk
2008-05-29 00:41:21 0 d-------- C:\WINDOWS\PaltalkScene
2008-05-29 00:41:21 0 d-------- C:\Program Files\Paltalk Messenger
2008-05-28 17:44:17 0 d-------- C:\WINDOWS\pss
2008-05-28 16:55:28 0 d-------- C:\Program Files\Common Files\AnswerWorks 5.0
2008-05-28 16:54:31 1843200 --a------ C:\WINDOWS\system32\acXMLParser.dll <Not Verified; Apache Software Foundation; Xerces-C Version 2.7.0>
2008-05-28 16:54:13 0 d-------- C:\Documents and Settings\Allen\Application Data\Intuit
2008-05-28 16:53:05 0 d-------- C:\Program Files\Common Files\Palo Alto Software
2008-05-28 16:52:28 0 d-------- C:\Program Files\Common Files\Intuit
2008-05-28 16:52:13 0 d-------- C:\Program Files\Quicken
2008-05-28 16:50:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2008-05-28 14:06:12 2560 --a------ C:\WINDOWS\system32\mvskhbsa.exe
2008-05-28 14:03:12 116224 --a------ C:\WINDOWS\system32\rlhkwcwm.dll
2008-05-28 13:58:00 126464 --a------ C:\WINDOWS\system32\llwbwtuj.dll
2008-05-27 20:15:54 0 d-------- C:\Program Files\PartyGaming
2008-05-27 19:54:21 0 d-------- C:\Program Files\Lavasoft
2008-05-27 19:54:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-27 19:49:54 808346 --ahs---- C:\WINDOWS\system32\PXadfMoq.ini2
2008-05-27 19:49:48 370688 --a------ C:\WINDOWS\system32\qoMfdaXP.dll
2008-05-27 19:45:12 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 19:44:44 57344 --a------ C:\WINDOWS\system32\ljJDUnNe.dll
2008-05-27 16:55:08 3532 --a------ C:\drmHeader.bin
2008-05-27 16:37:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-27 15:35:14 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-05-27 14:19:55 0 d-------- C:\Program Files\Real Alternative
2008-05-27 14:19:55 0 d-------- C:\Documents and Settings\Allen\Application Data\Real
2008-05-27 14:19:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Real
2008-05-27 02:23:04 0 d-------- C:\f0d92c12052b48cdf1
2008-05-02 02:22:38 0 d-------- C:\WINDOWS\SHELLNEW
2008-05-02 02:22:36 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-05-02 02:19:05 0 dr-h----- C:\MSOCache
2008-05-01 14:35:18 188960 --a------ C:\WINDOWS\system\WINGDE.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows(TM) Operating System>
2008-05-01 14:35:18 12800 --a------ C:\WINDOWS\system\WING32.DLL <Not Verified; Microsoft Corporation; WinG>
2008-05-01 14:35:18 92208 --a------ C:\WINDOWS\system\WING.DLL <Not Verified; Microsoft Corporation; WinG>
2008-05-01 14:35:18 44464 --a------ C:\WINDOWS\system\D2HTOOLS.DLL <Not Verified; WexTech Systems, Inc.; Doc-To-Help®>
2008-05-01 14:35:18 25808 --a------ C:\WINDOWS\system\CTL3DV2.DLL <Not Verified; Microsoft Corporation; 3D Windows Control>
2008-05-01 14:35:18 21008 --a------ C:\WINDOWS\system\CTL3D.DLL <Not Verified; Microsoft Corporation; 3d Windows Control>
2008-05-01 14:35:18 89504 --a------ C:\WINDOWS\system\_MSTEST.EXE
2008-05-01 14:35:08 0 d-------- C:\SC2K4WIN


-- Find3M Report ---------------------------------------------------------------

2008-06-01 15:06:48 0 d-------- C:\Documents and Settings\Allen\Application Data\Azureus
2008-05-31 17:07:42 0 d-------- C:\Program Files\Vstplugins
2008-05-31 17:04:59 0 d-------- C:\Program Files\Common Files
2008-05-31 17:02:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-31 16:38:37 337 --a------ C:\WINDOWS\system32\tablet.dat
2008-05-27 13:03:50 0 d-------- C:\Program Files\Steam
2008-05-17 17:04:26 0 d-------- C:\Documents and Settings\Allen\Application Data\Skype
2008-05-14 13:45:17 0 d-------- C:\Program Files\Dl_cats
2008-05-09 14:07:02 0 d-------- C:\Documents and Settings\Allen\Application Data\Adobe
2008-05-07 16:04:52 0 d-------- C:\Program Files\Azureus
2008-04-29 00:19:46 0 d-------- C:\Documents and Settings\Allen\Application Data\dvdcss
2008-04-23 17:33:03 0 d-------- C:\Documents and Settings\Allen\Application Data\LimeWire
2008-04-10 13:02:23 0 d-------- C:\Program Files\AWS
2008-04-10 13:02:23 0 d-------- C:\Documents and Settings\Allen\Application Data\WeatherBug


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C23AB0C-0244-4B01-8253-BEE724D0D2EC}]
05/27/2008 07:44 PM 57344 --a------ C:\WINDOWS\system32\ljJDUnNe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{df7a2992-7c36-427e-802f-3ea3370ad637}]
06/01/2008 03:41 PM 132096 --a------ C:\WINDOWS\system32\dncruagy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF675E93-DAAC-4FC3-B207-AF0CEEB1578D}]
05/27/2008 07:49 PM 370688 --a------ C:\WINDOWS\system32\qoMfdaXP.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLCXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [10/16/2006 12:31 AM]
"BM73490ed2"="C:\WINDOWS\system32\nhtfxprv.dll" [06/01/2008 03:35 PM]
"707a3d4e"="C:\WINDOWS\system32\hhlpllfm.dll" [06/01/2008 04:00 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [08/29/2007 10:55 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
PalTalk.lnk - C:\Program Files\Paltalk Messenger\paltalk.exe [5/8/2008 5:17:29 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6C23AB0C-0244-4B01-8253-BEE724D0D2EC}"= C:\WINDOWS\system32\ljJDUnNe.dll [05/27/2008 07:44 PM 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJDUnNe]
ljJDUnNe.dll 05/27/2008 07:44 PM 57344 C:\WINDOWS\system32\ljJDUnNe.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qoMfdaXP

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk
backup=C:\WINDOWS\pss\dlbcserv.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Allen^Start Menu^Programs^Startup^AutoBackup Launcher.lnk]
path=C:\Documents and Settings\Allen\Start Menu\Programs\Startup\AutoBackup Launcher.lnk
backup=C:\WINDOWS\pss\AutoBackup Launcher.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\707a3d4e]
rundll32.exe "C:\WINDOWS\system32\rlhkwcwm.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM73490ed2]
Rundll32.exe "C:\WINDOWS\system32\llwbwtuj.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CmPCIaudio]
RunDll32 CMICNFG3.CPL,CMICtrlWnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
C:\Program Files\Digidesign\Drivers\MMERefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcxmon.exe]
"C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
"C:\Program Files\Dell PC Fax\fm3032.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryCardManager]
"C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
"C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StxTrayMenu]
"C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Truepianos_trial_reset]
trial-reset.exe /execryptor /clear /Silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.exe 1


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c91378b-eef9-11dc-b19f-00123f6c7ea2}]
AutoRun\command- I:\LaunchU3.exe -a

*Newly Created Service* - RKPAVPROC



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8520 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-01 16:23:26 ------------
 

Attachments

·
Premium Member
Joined
·
29,790 Posts
Hello and welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please save this page to Notepad in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.


Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please explain why you have no antivirus program installed and running on this system. This is an open invitation for infection and likely why you are here.

------------------------------------------------------

Please uninstall the following via Start->(or My Computer)->Control Panel->Add or Remove Programs if it still exists:

Viewpoint Media Player<<This is considered foistware instead of malware since it is installed without users approval, but doesn't spy or do anything "bad". Please read here and here

If you decide to uninstall it, also delete the following Folder if it still exists:

C:\Program Files\Viewpoint

------------------------------------------------------

I see you have Weatherbug installed on your system. This application is not spyware but is ad-supported, containing both banner and pop-up ads. Please read here

Although this is entirely up to you, we recommend uninstalling it and downloading an ad-free alternative from here or here

------------------------------------------------------

I see you have P2P software ( Azureus Vuze and Limewire ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here, and here.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you decide to uninstall Azureus Vuze and Limewire, also delete these Folders if they still exist:

C:\Documents and Settings\Allen\Application Data\Azureus
C:\Documents and Settings\Allen\Application Data\LimeWire
C:\Program Files\Azureus
C:\Program Files\LimeWire

------------------------------------------------------

Please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery(repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed, this blue window will appear:



Please continue as follows:

  • Close/disable all antivirus and antispyware programs so they do not interfere with the running of ComboFix. Get help here
  • Please click Yes to continue scanning for malware.
When the tool is finished, it will produce a log for you.

Please post that log, ComboFix.txt along with a new HijackThis log so we may continue cleansing the system.

------------------------------------------------------

Please download HijackThis and Save it to your Desktop.

Alternate link

This program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double-click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Please post the HijackThis log in your next reply. Do not fix anything in HijackThis since they may be harmless.

------------------------------------------------------

Please post the following in your next reply:

C:\ComboFix.txt
new HijackThis log


If you have any questions along the way...STOP and ask them before proceeding.
 
1 - 2 of 2 Posts
Status
Not open for further replies.
Top