Solved: Hijack log-Vundo-variant Trojan


coachessonny
Member with 30 posts.
Join Date: Feb 2006
Experience: Intermediate
24-Jun-2008, 07:13 PM #1
Solved: Hijack log-Vundo-variant Trojan
Hello, my son picked up a trojan from some stupid download. Please help.
I ran Superantispyware but it did not fix everything.
Here is the log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/23/2008 at 00:05 AM

Application Version : 4.15.1000

Core Rules Database Version : 3487
Trace Rules Database Version: 1478

Scan type : Complete Scan
Total Scan Time : 00:08:05

Memory items scanned : 337
Memory threats detected : 3
Registry items scanned : 4183
Registry threats detected : 14
File items scanned : 4921
File threats detected : 23

Trojan.Vundo-Variant/Small-GEN
C:\WINDOWS\SYSTEM32\VTUKBUVV.DLL
C:\WINDOWS\SYSTEM32\VTUKBUVV.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{142C56F1-C749-4ED0-BCC4-1B7DDBD429EA}
HKCR\CLSID\{142C56F1-C749-4ED0-BCC4-1B7DDBD429EA}
HKCR\CLSID\{142C56F1-C749-4ED0-BCC4-1B7DDBD429EA}\InprocServer32
HKCR\CLSID\{142C56F1-C749-4ED0-BCC4-1B7DDBD429EA}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BE7E4CE1-8CBA-44A6-956F-462A667D3286}
HKCR\CLSID\{BE7E4CE1-8CBA-44A6-956F-462A667D3286}
HKCR\CLSID\{BE7E4CE1-8CBA-44A6-956F-462A667D3286}\InprocServer32
HKCR\CLSID\{BE7E4CE1-8CBA-44A6-956F-462A667D3286}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{BE7E4CE1-8CBA-44A6-956F-462A667D3286}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\vtUKBuvv

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\VTUMNOLF.DLL
C:\WINDOWS\SYSTEM32\VTUMNOLF.DLL

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\SATBWOON.DLL
C:\WINDOWS\SYSTEM32\SATBWOON.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@media.adrevolver[1].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@ad.yieldmanager[1].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@cache.trafficmp[1].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@atdmt[2].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@apmebf[1].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@media.adrevolver[2].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@adrevolver[2].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@data.coremetrics[1].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@mediaplex[1].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@casalemedia[2].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@trafficmp[2].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@hornymatches[2].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@ads.pointroll[1].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@tacoda[1].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@tribalfusion[1].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@doubleclick[1].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@fastclick[1].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@advertising[1].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@dynamic.media.adrevolver[2].txt
C:\Documents and Settings\Justin Finley\Cookies\justin_finley@revsci[2].txt

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\aoprndtws
HKLM\SOFTWARE\Microsoft\FCOVM
HKLM\SOFTWARE\Microsoft\RemoveRP
HKU\S-1-5-21-1343024091-1580818891-839522115-1004\Software\Microsoft\rdfa

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:44 PM, on 6/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {db864d7c-81d9-ca98-3124-cd8f0445d8e9} - {9e8d5440-f8dc-4213-89ac-9d18c7d468bd} - (no file)
O4 - HKLM\..\Run: [BM5f04f5f8] Rundll32.exe "C:\WINDOWS\system32\lopnncvd.dll",s
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1211667267953
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1211667379015
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 4697 bytes
andyspeake
Senior Member with 892 posts.
Join Date: May 2007
Location: glasgow,scotland
Experience: Training at MRU
24-Jun-2008, 07:38 PM #2
Hello, and Welcome
I will be assisting you with your malware issues.
Please be patient as I need some time to review your HijackThis log, and I will post back recommendations for repairs.
As I am still in training, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.
  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page in case you need it for reference.
__________________
I am in training at Malware Removal University- You too could train to help others

If the people from TSG have helped you, please consider making a donation Here
This will ensure that the great people at TSG can continue to provide a great service to people in need. Thanks
coachessonny
Member with 30 posts.
Join Date: Feb 2006
Experience: Intermediate
24-Jun-2008, 09:36 PM #3
ok thanks
andyspeake
Senior Member with 892 posts.
Join Date: May 2007
Location: glasgow,scotland
Experience: Training at MRU
25-Jun-2008, 06:37 AM #4
Hi,

Download and Run ComboFix

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:
http://www.bleepingcomputer.com/comb...o-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
coachessonny
Member with 30 posts.
Join Date: Feb 2006
Experience: Intermediate
26-Jun-2008, 01:48 PM #5
I did not install the recovery console as I am unable to go to the bleeping computer website.
Another thing that is happening is that there is nothing in my device manager and it says I have no audio device installed.
ComboFix 08-06-20.4 - Justin Finley 2008-06-25 14:13:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254 [GMT -7:00]
Running from: C:\Documents and Settings\Justin Finley\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM5f04f5f8.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\FLonmUtv.ini
C:\WINDOWS\system32\FLonmUtv.ini2
C:\WINDOWS\system32\fpxhoegd.ini
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2008-06-23 09:49 . 2008-06-23 09:49 <DIR> d-------- C:\Documents and Settings\Justin Finley\Application Data\Atari
2008-06-23 09:49 . 2008-06-23 09:49 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-23 09:47 . 2008-06-23 09:47 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
2008-06-23 09:47 . 2008-06-23 09:47 <DIR> d-------- C:\Documents and Settings\Justin Finley\Application Data\Leadertech
2008-06-23 09:47 . 2002-02-27 18:50 197,120 --a------ C:\WINDOWS\patchw32.dll
2008-06-23 09:44 . 2008-06-23 09:44 <DIR> d-------- C:\Program Files\Atari
2008-06-23 00:33 . 2008-06-23 00:33 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-23 00:33 . 2008-06-23 00:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-22 23:56 . 2008-06-22 23:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-22 23:56 . 2008-06-22 23:56 <DIR> d-------- C:\Documents and Settings\Justin Finley\Application Data\SUPERAntiSpyware.com
2008-06-22 23:56 . 2008-06-22 23:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-22 23:41 . 2008-06-22 23:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-22 23:36 . 2008-06-22 23:36 812,344 --a------ C:\Program Files\HJTInstall.exe
2008-06-22 16:35 . 2008-06-22 18:00 <DIR> d-------- C:\Documents and Settings\Justin Finley\.housecall6.6
2008-06-22 01:00 . 2008-06-22 01:00 81,408 --a------ C:\WINDOWS\system32\dgeohxpf.dll
2008-06-22 00:59 . 2008-06-22 00:59 45,056 --a------ C:\WINDOWS\system32\rxhsdxcf.dll
2008-06-22 00:58 . 2008-06-22 00:58 90,112 --a------ C:\WINDOWS\system32\lopnncvd.dll
2008-06-20 23:49 . 2008-06-20 23:49 <DIR> d-------- C:\temp
2008-06-19 18:07 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-18 16:07 . 2008-06-18 16:08 <DIR> d-------- C:\Program Files\DivX
2008-06-14 16:04 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 13:13 . 1999-03-23 02:00 401,484 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2008-06-09 13:13 . 2001-07-24 09:16 126,976 --a------ C:\WINDOWS\system32\AVIClean.dll
2008-06-09 13:13 . 2002-06-07 12:56 102,400 --a------ C:\WINDOWS\system32\Digital Movie Creator.scr
2008-06-09 13:12 . 2001-07-05 15:13 233,472 --a------ C:\WINDOWS\system32\IDMC1API.dll
2008-06-09 13:12 . 2001-07-05 15:12 126,976 --a------ C:\WINDOWS\system32\IDMC1JPG.dll
2008-06-09 13:12 . 2001-07-02 10:07 122,880 --a------ C:\WINDOWS\system32\AVITrim.dll
2008-06-09 13:12 . 2001-07-05 15:13 65,536 --a------ C:\WINDOWS\system32\IDMC1Gra.dll
2008-06-09 13:12 . 2001-07-05 15:12 61,440 --a------ C:\WINDOWS\system32\IDMC1DnL.dll
2008-06-09 13:12 . 2001-07-05 15:13 57,344 --a------ C:\WINDOWS\system32\IDMC1If.DLL
2008-06-09 12:51 . 2008-06-18 18:12 38 --a------ C:\WINDOWS\avisplitter.INI
2008-05-31 14:00 . 2008-05-31 14:00 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-05-30 23:11 . 2008-05-30 23:26 <DIR> d-------- C:\Documents and Settings\Justin Finley\Contacts
2008-05-30 22:59 . 2008-05-30 23:07 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-30 22:58 . 2008-05-30 23:09 <DIR> d-------- C:\Program Files\Windows Live
2008-05-30 22:58 . 2008-05-30 22:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-29 21:22 . 2008-05-29 21:23 <DIR> d-------- C:\Program Files\Collage Maker
2008-05-28 16:40 . 2008-05-28 16:40 <DIR> d-------- C:\Documents and Settings\Justin Finley\Application Data\vlc
2008-05-27 16:49 . 2008-05-27 16:49 <DIR> d-------- C:\Program Files\Audacity
2008-05-27 16:31 . 2008-06-25 14:17 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-05-26 14:11 . 2008-05-26 14:11 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-26 14:11 . 2008-06-22 23:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 14:11 . 2008-05-26 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-26 14:04 . 2008-05-26 14:04 <DIR> d-------- C:\Documents and Settings\Justin Finley\Application Data\CyberLink
2008-05-26 11:10 . 2008-05-26 11:10 <DIR> d-------- C:\WINDOWS\system32\Dell
2008-05-26 11:10 . 2008-05-26 11:10 <DIR> d-------- C:\Program Files\Dell
2008-05-26 09:25 . 2008-05-26 09:25 <DIR> d-------- C:\Program Files\LucasArts
2008-05-26 09:18 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-26 09:18 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-23 16:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-23 07:24 --------- d-----w C:\Program Files\CCleaner
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 20:12 --------- d-----w C:\Program Files\Digital Blue
2008-05-25 22:12 --------- d-----w C:\Documents and Settings\Justin Finley\Application Data\LimeWire
2008-05-25 05:36 --------- d-----w C:\Program Files\Ubi Soft
2008-05-25 05:28 --------- d-----w C:\Program Files\Photo!
2008-05-25 05:21 --------- d-----w C:\Program Files\Java
2008-05-25 03:50 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-05-25 03:37 --------- d-----w C:\Documents and Settings\Justin Finley\Application Data\Media Player Classic
2008-05-25 03:26 --------- d-----w C:\Program Files\VideoLAN
2008-05-25 03:13 --------- d--h--r C:\Documents and Settings\Justin Finley\Application Data\SecuROM
2008-05-25 03:13 --------- d-----w C:\Program Files\Tomb Raider - Anniversary
2008-05-25 02:46 --------- d-----w C:\Program Files\Sierra
2008-05-25 01:42 --------- d-----w C:\Program Files\DIFX
2008-05-25 01:17 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-25 01:12 --------- d-----w C:\Program Files\Jasc Software Inc
2008-05-25 01:12 --------- d-----w C:\Program Files\Dell Computer
2008-05-25 01:12 --------- d-----w C:\Documents and Settings\Justin Finley\Application Data\Jasc Software Inc
2008-05-25 01:11 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-05-25 01:08 --------- d-----w C:\Program Files\Activision
2008-05-25 01:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-25 01:06 --------- d-----w C:\Documents and Settings\Justin Finley\Application Data\InterTrust
2008-05-25 00:52 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-25 00:42 --------- d-----w C:\Program Files\MumboJumbo
2008-05-25 00:41 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-05-25 00:36 --------- d-----w C:\Program Files\Microsoft Works
2008-05-25 00:35 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-25 00:31 --------- d-----w C:\Program Files\Microsoft Works Suite 2002
2008-05-25 00:30 --------- d-----w C:\Program Files\LimeWire
2008-05-25 00:21 --------- d-----w C:\Program Files\Cucusoft
2008-05-25 00:12 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-05-25 00:12 --------- d-----w C:\Documents and Settings\Justin Finley\Application Data\DAEMON Tools
2008-05-24 23:58 --------- d-----w C:\Program Files\Common Files\Java
2008-05-24 23:01 --------- d-----w C:\Program Files\VoptXP v7
2008-05-24 22:07 --------- d-----w C:\Program Files\McAfee
2008-05-24 21:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-24 21:28 --------- d-----w C:\Program Files\McAfee.com
2008-05-24 21:28 --------- d-----w C:\Program Files\Common Files\McAfee
2008-05-24 21:14 --------- d-----w C:\Program Files\CyberLink
2008-05-24 20:54 --------- d-----w C:\Program Files\Creative
2008-05-24 20:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-05-24 20:30 --------- d-----w C:\Program Files\Microsoft Hardware
2008-05-24 20:29 --------- d-----w C:\Program Files\Intel
2008-05-24 20:26 --------- d-----w C:\Program Files\Analog Devices
2008-05-24 19:57 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-03 05:46 6,554,496 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9e8d5440-f8dc-4213-89ac-9d18c7d468bd}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM5f04f5f8"="C:\WINDOWS\system32\lopnncvd.dll" [2008-06-22 00:58 90112]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM5f04f5f8]
--a------ 2008-06-22 00:58 90112 C:\WINDOWS\system32\lopnncvd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-02 22:46 13529088 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R2 Ca536av;Icatch(VII) Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-09-05 07:47]
R3 USBCamera;Icatch(VII) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 11:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-24 21:28:43 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-06-01 08:20:03 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 14:16:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\lopnncvd.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-06-25 14:18:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-25 21:18:25

Pre-Run: 61,732,818,944 bytes free
Post-Run: 61,681,405,952 bytes free

203 --- E O F --- 2008-06-21 21:41:52
andyspeake
Senior Member with 892 posts.
Join Date: May 2007
Location: glasgow,scotland
Experience: Training at MRU
26-Jun-2008, 03:17 PM #6
Hi,

RECOVERY CONSOLE

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'No' to exit ComboFix.

I'd like you to check (a file/some files) for Viruses.
Quote:
C:\WINDOWS\system32\AVIClean.dll
C:\WINDOWS\system32\IDMC1API.dll
C:\WINDOWS\system32\IDMC1JPG.dll
C:\WINDOWS\system32\IDMC1Gra.dll
C:\WINDOWS\system32\IDMC1DnL.dll
C:\WINDOWS\system32\IDMC1If.DLL
  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Repeat for all files on the list, and post me the details please


Remove bad HijackThis entries
  • Run HijackThis
  • Click on do a system scan only
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: {db864d7c-81d9-ca98-3124-cd8f0445d8e9} - {9e8d5440-f8dc-4213-89ac-9d18c7d468bd} - (no file)
    O4 - HKLM\..\Run: [BM5f04f5f8] Rundll32.exe "C:\WINDOWS\system32\lopnncvd.dll",s


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File:: 
    C:\WINDOWS\system32\dgeohxpf.dll
    C:\WINDOWS\system32\rxhsdxcf.dll
    C:\WINDOWS\system32\lopnncvd.dll 
    
    Registry:: 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9e8d5440-f8dc-4213-89ac-9d18c7d468bd}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BM5f04f5f8"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM5f04f5f8]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

So please post back:
Uploading results
CFScript results
Fresh Hijackthis log

Thanks
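Added example, not part of the original thread and not code from the helper or from HijackThis/ComboFix: a small triage script run over excerpts of the logs posted above. It flags the two entry shapes singled out in post #6 (a BHO with no file on disk, a Run value that loads a DLL through Rundll32), then lists other DLLs that ComboFix reports as created in the same folder within minutes of the autostarted one. The function names, the 10-minute window and the "created equals modified" condition are assumptions of this sketch, not a rule stated in the thread.

```python
import re
from datetime import datetime, timedelta

# Excerpts copied from the HijackThis and ComboFix logs posted in this thread.
HIJACKTHIS_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: {db864d7c-81d9-ca98-3124-cd8f0445d8e9} - {9e8d5440-f8dc-4213-89ac-9d18c7d468bd} - (no file)
O4 - HKLM\..\Run: [BM5f04f5f8] Rundll32.exe "C:\WINDOWS\system32\lopnncvd.dll",s
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
"""

COMBOFIX_CREATED = r"""
2008-06-23 09:49 . 2008-06-23 09:49 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-22 23:36 . 2008-06-22 23:36 812,344 --a------ C:\Program Files\HJTInstall.exe
2008-06-22 01:00 . 2008-06-22 01:00 81,408 --a------ C:\WINDOWS\system32\dgeohxpf.dll
2008-06-22 00:59 . 2008-06-22 00:59 45,056 --a------ C:\WINDOWS\system32\rxhsdxcf.dll
2008-06-22 00:58 . 2008-06-22 00:58 90,112 --a------ C:\WINDOWS\system32\lopnncvd.dll
2008-06-20 23:49 . 2008-06-20 23:49 <DIR> d-------- C:\temp
2008-06-09 13:13 . 2001-07-24 09:16 126,976 --a------ C:\WINDOWS\system32\AVIClean.dll
"""

# O2 - BHO: <name> - {CLSID} - <file or "(no file)">
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")
# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# DLL handed to rundll32, with or without surrounding quotes
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.I)
# ComboFix "Files Created" row: created . modified size attrs path
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$")


def parse_created(text):
    """Return {lowercased path: (created, modified)} for files, skipping directories."""
    files = {}
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m and m["size"] != "<DIR>":
            stamps = [datetime.strptime(m[k], "%Y-%m-%d %H:%M") for k in ("created", "modified")]
            files[m["path"].lower()] = tuple(stamps)
    return files


def triage(hjt_text, created_text, window=timedelta(minutes=10)):
    """Flag orphaned BHOs, rundll32 autostarts, and DLLs dropped alongside them."""
    findings = {"orphan_bho": [], "rundll_autostart": [], "siblings": []}
    files = parse_created(created_text)

    for line in hjt_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m and m["target"] == "(no file)":
            # Registry still points at a helper object whose file is gone.
            findings["orphan_bho"].append(m["clsid"])
            continue
        m = O4_RE.match(line)
        r = RUNDLL_RE.search(m["cmd"]) if m else None
        if r:
            # Legitimate software also autostarts DLLs this way, so this is a
            # lead to check, not a verdict on its own.
            findings["rundll_autostart"].append((m["name"], r["dll"]))

    for _, dll in findings["rundll_autostart"]:
        seed = files.get(dll.lower())
        if seed is None:
            continue  # autostarted DLL is not in the "Files Created" window
        folder = dll.lower().rsplit("\\", 1)[0]
        for path, (created, modified) in files.items():
            # Assumption: same folder, freshly written (created == modified),
            # and created within `window` of the autostarted DLL.
            if (path != dll.lower() and path.endswith(".dll")
                    and path.rsplit("\\", 1)[0] == folder
                    and created == modified
                    and abs(created - seed[0]) <= window):
                findings["siblings"].append(path)

    findings["siblings"].sort(key=lambda p: files[p][0])
    return findings


if __name__ == "__main__":
    for kind, items in triage(HIJACKTHIS_LOG, COMBOFIX_CREATED).items():
        print(kind, items)
```

On these excerpts the autostarted DLL and its two neighbours are the same three files listed under File:: in the CFScript above; each hit still needs a manual check or a multi-engine scan before removal.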
coachessonny
Member with 30 posts.
Join Date: Feb 2006
Experience: Intermediate
26-Jun-2008, 08:33 PM #7
results
Ok here you go. I don't know why I have nothing showing in device mgr.
Attached Thumbnails: solved-hijack-log-vundo-varient-device-mgr-empty.jpg
Attached Files: hijackthis.log (4.3 KB), log.txt (12.4 KB), VirusTotal - Free Online Virus and Malware Scan - Result.txt (6.1 KB)
andyspeake
Senior Member with 892 posts.
Join Date: May 2007
Location: glasgow,scotland
Experience: Training at MRU
27-Jun-2008, 08:14 AM #8
Device Manager Problems.

1. Click Start, click Run, type services.msc, and then click OK.
2. Double-click Plug and Play.
If you receive a Configuration Manager message, click OK.

3. In the Startup Type list, click Automatic, and then click OK.
4. Close Services.
5. Restart the computer.

==========================

I'd like you to check (a file/some files) for Viruses.
Quote:
C:\WINDOWS\system32\AVIClean.dll
  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Repeat for all files on the list, and post me the details please

Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

So please post back:
Device manager results
Upload results
MBAM results

Thanks.
__________________
I am in training at Malware Removal University- You too could train to help others

If the people from TSG have helped you, please consider making a donation Here
This will ensure that the great people at TSG can continue to provide a great service to people in need. Thanks
coachessonny's Avatar
Member with 30 posts.
 
Join Date: Feb 2006
Experience: Intermediate
27-Jun-2008, 04:16 PM #9
Reply
Hello,
Device mgr is OK, thanks.
So far it's looking good.
Sonny
andyspeake's Avatar
Computer Specs
Senior Member with 892 posts.
 
Join Date: May 2007
Location: glasgow,scotland
Experience: Training at MRU
28-Jun-2008, 09:26 AM #10
Could you please post back a fresh HJT log, and hopefully we should be good to go.
coachessonny's Avatar
Member with 30 posts.
 
Join Date: Feb 2006
Experience: Intermediate
30-Jun-2008, 05:19 PM #11
Hijack log
Here you go and thanks.
Sonny
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:39 PM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1211667267953
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1211667379015
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 4363 bytes
andyspeake's Avatar
Computer Specs
Senior Member with 892 posts.
 
Join Date: May 2007
Location: glasgow,scotland
Experience: Training at MRU
01-Jul-2008, 05:27 AM #12
Update Java
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Congratulations, you are clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Remove tools
  • Let's clear out the programmes we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately.
    • Uninstall tools - The following will not only uninstall ComboFix but also clean up some other dangerous tools and backups, clean up the System Restore points and hide the system files.
      • Go to Start
      • Click on Run
      • Type ComboFix /u

After doing that with ComboFix, do this with OTcleanup to remove the tools not removed by ComboFix.

Please download OTCleanup from http://download.bleepingcomputer.com.../OTCleanIt.exe
Click the OTCleanIt icon and then click the CleanUp button.
If you get any pop ups asking if it is OK let the program proceed. At the end the program will ask to let it reboot the computer. Let it do so.
Let me know if there were any problems with OT CleanIt

Let me know if the clean up went OK for OTcleanup.

You may delete any logs left on the desktop.


Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Note: Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
If this isn't done first, the next reboot may take a VERY LONG TIME.
This is how to do it. First be sure you are signed in as a user with administrative privileges:
Quote:
Stop and Disable the DNS Client Service
Go to Start, Run and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find this service.
DNS Client
Right-Click on the DNS Client Service. Choose Properties
Select the General tab. Click on the Stop button.
Click the Arrow-down tab on the right-hand side at the Start-up Type box.
From the drop-down menu, click on Manual
Click the Apply tab, then click OK

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Please check this article by miekiemoes about how to prevent malware.

http://users.telenet.be/bluepatchy/m...revention.html

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be finished.

Could you please also mark this thread "solved"?

Happy safe surfing!

andyspeake
__________________
I am in training at Malware Removal University- You too could train to help others

If the people from TSG have helped you, please consider making a donation Here
This will ensure that the great people at TSG can continue to provide a great service to people in need. Thanks
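The reply above asks for a Java update because the posted HijackThis log still references jre1.5.0_03. The following is an added example, not part of the original posts and not a HijackThis feature: it parses HijackThis entry lines (a few copied from the log in this thread), counts them by section code, lists Browser Helper Objects, and flags JRE paths older than 6u6. The function names and the baseline tuple are assumptions of this example.

```python
import re
from collections import Counter

# Lines copied from the HijackThis log posted in this thread (abridged).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O2 - BHO: ..."
JRE_RE = re.compile(r"\\jre(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\\", re.I)
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

def parse_hjt(text):
    """Return (section_code, detail) per entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def section_counts(entries):
    """Number of entries per HijackThis section code (R0, O2, O9, ...)."""
    return Counter(code for code, _ in entries)

def bho_list(entries):
    """(name, CLSID, file) for each O2 Browser Helper Object entry."""
    return [BHO_RE.match(d).groups() for c, d in entries if c == "O2" and BHO_RE.match(d)]

def outdated_java(entries, baseline=(1, 6, 0, 6)):
    """Distinct JRE versions in entry paths older than baseline (default 1.6.0_06 = 6u6)."""
    found = set()
    for _, detail in entries:
        for m in JRE_RE.finditer(detail):
            version = tuple(int(g or 0) for g in m.groups())
            if version < baseline:
                found.add(version)
    return sorted(found)

if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print(dict(section_counts(entries)))
    for name, clsid, path in bho_list(entries):
        print("BHO", clsid, path)
    for v in outdated_java(entries):
        print("Outdated JRE referenced: %d.%d.%d_%02d" % v)
```

Running it against a full saved log only needs the file's text passed to parse_hjt in place of SAMPLE_LOG.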
coachessonny's Avatar
Member with 30 posts.
 
Join Date: Feb 2006
Experience: Intermediate
02-Jul-2008, 02:24 PM #13
Thanks for the help.
Sonny