
Yellow Triangle message in Taskbar

Discussion in 'Virus & Other Malware Removal' started by PityFool, Jan 31, 2008.

  1. PityFool

    PityFool Thread Starter

    Joined:
    Jan 31, 2008
    Messages:
    29
    Hi guys, I have researched this topic and found some help, but I still get this yellow triangle message with an exclamation mark in the middle of the triangle in my taskbar. It says my computer is infected, and when I click on it, it sends me to an IE window with fake virus protections. SmitfraudFix helped a little bit but not much. My PF usage goes up really high when the pop-up shows, when I'm doing nothing. I have Windows XP. Please help me fix this problem. Thank you :)

    Here is my HijackThis log:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0DCCCDBB-F871-4796-B744-864269BBB4EF} - C:\WINDOWS\system32\cmprop.dll
    O2 - BHO: (no name) - {0E43571F-3477-4A6A-8505-19BB75A970D4} - (no file)
    O2 - BHO: MySidesearch Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
    O2 - BHO: (no name) - {3702D375-C55A-E005-A7D2-05E79BA55D86} - C:\WINDOWS\system32\wzhsirf.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [RDOCURS] C:\WINDOWS\system32\RDOCURS.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [Ultimate Cleaner] C:\Program Files\Ultimate Cleaner\App.exe
    O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Policies\Explorer\Run: [{A032325E-081B-1033-1219-030804030001}] "C:\Program Files\Common Files\{A032325E-081B-1033-1219-030804030001}\Update.exe" mc-110-12-0000272
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143965581562
    O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O20 - Winlogon Notify: winjgf32 - winjgf32.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 8637 bytes
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    52,072
    Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix:

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
     
  4. PityFool

    PityFool Thread Starter

    Joined:
    Jan 31, 2008
    Messages:
    29
    My first log is the ComboFix log and the second is my new HijackThis log.
    Please reply fast on what I need to do next.

    ComboFix log:

    ComboFix 08-02.01.6 - Kevin 2008-02-01 16:07:27.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.165 [GMT -8:00]
    Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\WINDOWS\system32.dll
    C:\WINDOWS\system32\cmprop.dll
    C:\WINDOWS\system32\components
    C:\WINDOWS\system32\drivers\wgnebssy.dat

    ----- BITS: Possible infected sites -----

    hxxp://au.download.windowsupdate.com
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_BYBOZZLT
    -------\bybozzlt


    ((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
    .

    2008-01-30 22:42 . 2008-01-30 22:42 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-29 18:15 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-01-29 18:15 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-01-29 18:15 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-01-29 18:15 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-01-29 18:15 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-01-29 18:15 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-01-27 12:17 . 2008-01-27 12:17 84,761 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
    2008-01-24 22:40 . 2008-01-24 22:40 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\PPLive
    2008-01-24 22:15 . 2008-01-24 22:15 <DIR> d-------- C:\Program Files\TVUPlayer
    2008-01-24 22:15 . 2008-01-24 22:15 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\TVU networks
    2008-01-24 22:15 . 2008-01-24 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU networks
    2008-01-19 08:26 . 2008-01-19 08:26 327,680 --a------ C:\WINDOWS\system32\mysidesearch_sidebar.dll
    2008-01-17 13:14 . 2008-01-17 13:21 <DIR> d-------- C:\Program Files\SpeedBit Video Accelerator
    2008-01-17 13:14 . 2008-01-17 13:14 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
    2008-01-16 18:30 . 2008-01-16 18:30 <DIR> d-------- C:\Program Files\iPod
    2008-01-16 18:29 . 2008-01-16 18:30 <DIR> d-------- C:\Program Files\iTunes
    2008-01-15 22:28 . 2008-01-15 22:33 <DIR> d-------- C:\Program Files\Total Video Converter
    2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
    2008-01-05 15:27 . 2008-01-05 15:27 <DIR> d---s---- C:\Program Files\Xfire
    2008-01-05 15:27 . 2008-01-05 15:27 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Xfire

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-31 00:23 --------- d-----w C:\Program Files\Steam
    2008-01-30 06:47 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Azureus
    2008-01-29 06:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2008-01-17 02:27 --------- d-----w C:\Program Files\QuickTime
    2008-01-06 03:42 --------- d-----w C:\Program Files\Gpotato
    2007-12-31 05:21 --------- d-----w C:\Documents and Settings\Kevin\Application Data\U3
    2007-12-29 04:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-12-29 04:10 --------- d-----w C:\Program Files\Veoh Networks
    2007-12-28 23:46 --------- d-----w C:\Program Files\K-Lite Codec Pack
    2007-12-28 23:33 --------- d-----w C:\Documents and Settings\Kevin\Application Data\AVG7
    2007-12-23 07:55 --------- d-----w C:\Program Files\Azureus
    2007-12-22 02:08 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Image Zone Express
    2007-12-14 23:53 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Printer Info Cache
    2007-12-14 23:52 --------- d-----w C:\Program Files\Common Files\HP
    2007-12-13 23:57 --------- d-----w C:\Program Files\Red Kawa
    2007-12-13 23:57 --------- d-----w C:\Program Files\AviSynth 2.5
    2007-12-13 02:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-06 00:24 --------- d-----w C:\Documents and Settings\Kevin\Application Data\gtk-2.0
    2007-11-07 05:14 1,409 ----a-w C:\WINDOWS\Fonts\HELST___.FOT
    2007-11-07 05:14 1,409 ----a-w C:\WINDOWS\Fonts\HELSS___.FOT
    2007-11-07 05:14 1,409 ----a-w C:\WINDOWS\Fonts\HELSM___.FOT
    2007-11-07 05:14 1,409 ----a-w C:\WINDOWS\Fonts\HELSINKI.FOT
    2006-08-09 04:21 19,000 ----a-w C:\Documents and Settings\Kevin\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}]
    2008-01-19 08:26 327680 --a------ C:\WINDOWS\system32\mysidesearch_sidebar.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3702D375-C55A-E005-A7D2-05E79BA55D86}]
    C:\WINDOWS\system32\wzhsirf.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
    "AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 14:35 67112]
    "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-23 16:22 67128]
    "WebCamRT.exe"="" []
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 17:16 4670968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
    "VTTimer"="VTTimer.exe" [2004-10-22 11:53 53248 C:\WINDOWS\system32\VTTimer.exe]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [2004-02-28 12:12 144896]
    "RDOCURS"="C:\WINDOWS\system32\RDOCURS.exe" [ ]
    "LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 16:54 127022]
    "LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 17:32 155648]
    "LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 17:31 61440]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [ ]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-07 07:15 180269]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 21:54 579072]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-12 17:42 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
    "{A032325E-081B-1033-1219-030804030001}"= "C:\Program Files\Common Files\{A032325E-081B-1033-1219-030804030001}\Update.exe" mc-110-12-0000272

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    --a------ 2007-11-29 20:44 1266936 c:\program files\steam\steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2007-06-11 17:16 4670968 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

    R2 MLPTDR_B;MLPTDR_B;C:\WINDOWS\system32\MLPTDR_B.sys [2003-09-02 13:06]
    R2 procguard;procguard;C:\WINDOWS\system32\drivers\procguard.sys [2005-01-20 13:13]
    R2 sbbotdi;sbbotdi;C:\PROGRA~1\SPEEDB~1\sbbotdi.sys [2008-01-17 13:14]
    R2 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe -start []
    R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
    S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 13:12]
    S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 13:12]
    S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys [2001-08-17 13:12]
    S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2001-08-17 13:12]
    S3 cheetah1;cheetah1;C:\DOCUME~1\Kevin\LOCALS~1\Temp\Rar$EX15.391\ce13\cheetah.sys []
    S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Wizet\MapleStory\GameGuard\dump_wmimmc.sys []
    S3 MooseKOPMA;MooseKOPMA;C:\DOCUME~1\Kevin\LOCALS~1\Temp\Rar$EX00.422\trainer\MooseKOPMA.sys []
    S3 serb1;serb1;C:\DOCUME~1\Kevin\LOCALS~1\Temp\Rar$EX06.390\Serbio\serbio.sys []
    S3 zenx1;zenx1;C:\DOCUME~1\Kevin\LOCALS~1\Temp\Rar$EX01.313\ZenxEngine\zenx.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5349dccc-93d6-11dc-bce3-000ea663c400}]
    \Shell\AutoRun\command - F:\Setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-24 02:20:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-01 16:14:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-01 16:19:43 - machine was rebooted [Kevin]
    ComboFix-quarantined-files.txt 2008-02-02 00:19:39
    .
    2008-01-09 11:02:53 --- E O F ---



    New HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:23:44 PM, on 2/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: MySidesearch Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
    O2 - BHO: (no name) - {3702D375-C55A-E005-A7D2-05E79BA55D86} - C:\WINDOWS\system32\wzhsirf.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [RDOCURS] C:\WINDOWS\system32\RDOCURS.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Policies\Explorer\Run: [{A032325E-081B-1033-1219-030804030001}] "C:\Program Files\Common Files\{A032325E-081B-1033-1219-030804030001}\Update.exe" mc-110-12-0000272
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143965581562
    O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 8119 bytes
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    52,072
    You have been infected by your use of P2P programs and will continue to be infected by using programs like Azureus.

    I strongly suggest you uninstall ALL P2P programs & not use them

    Download the attached CFScript.txt to your desktop.

    Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
     

    Attached Files:

  6. PityFool

    PityFool Thread Starter

    Joined:
    Jan 31, 2008
    Messages:
    29
    here are the new combofix with txt and hijackthis logs.
    thanks for helping dvk01

    COMBOFIX LOG:

    ComboFix 08-02.01.6 - Kevin 2008-02-02 13:35:21.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.146 [GMT -8:00]
    Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Kevin\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE
    C:\Program Files\Common Files\{A032325E-081B-1033-1219-030804030001}\Update.exe
    C:\WINDOWS\system32\mysidesearch_sidebar.dll
    C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
    C:\WINDOWS\system32\wzhsirf.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\WINDOWS\system32\mysidesearch_sidebar.dll
    C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe

    ----- BITS: Possible infected sites -----

    hxxp://au.download.windowsupdate.com
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CHEETAH1
    -------\LEGACY_DUMP_WMIMMC
    -------\LEGACY_MOOSEKOPMA
    -------\LEGACY_SERB1
    -------\LEGACY_ZENX1
    -------\cheetah1
    -------\dump_wmimmc
    -------\MooseKOPMA
    -------\serb1
    -------\zenx1


    ((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
    .

    2008-02-02 13:41 . 2008-02-02 13:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-02-02 13:41 . 2008-02-02 13:41 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-01-30 22:42 . 2008-01-30 22:42 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-29 18:15 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-01-29 18:15 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-01-29 18:15 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-01-29 18:15 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-01-29 18:15 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-01-29 18:15 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-01-24 22:40 . 2008-01-24 22:40 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\PPLive
    2008-01-24 22:15 . 2008-01-24 22:15 <DIR> d-------- C:\Program Files\TVUPlayer
    2008-01-24 22:15 . 2008-01-24 22:15 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\TVU networks
    2008-01-24 22:15 . 2008-01-24 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU networks
    2008-01-17 13:14 . 2008-01-17 13:21 <DIR> d-------- C:\Program Files\SpeedBit Video Accelerator
    2008-01-17 13:14 . 2008-01-17 13:14 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
    2008-01-16 18:30 . 2008-01-16 18:30 <DIR> d-------- C:\Program Files\iPod
    2008-01-16 18:29 . 2008-01-16 18:30 <DIR> d-------- C:\Program Files\iTunes
    2008-01-15 22:28 . 2008-01-15 22:33 <DIR> d-------- C:\Program Files\Total Video Converter
    2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
    2008-01-05 15:27 . 2008-01-05 15:27 <DIR> d---s---- C:\Program Files\Xfire
    2008-01-05 15:27 . 2008-01-05 15:27 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Xfire

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-02 21:32 --------- d-----w C:\Program Files\LimeWire
    2008-02-02 21:31 --------- d-----w C:\Program Files\Azureus
    2008-01-31 00:23 --------- d-----w C:\Program Files\Steam
    2008-01-30 06:47 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Azureus
    2008-01-29 06:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2008-01-17 02:27 --------- d-----w C:\Program Files\QuickTime
    2008-01-06 03:42 --------- d-----w C:\Program Files\Gpotato
    2007-12-31 05:21 --------- d-----w C:\Documents and Settings\Kevin\Application Data\U3
    2007-12-29 04:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-12-29 04:10 --------- d-----w C:\Program Files\Veoh Networks
    2007-12-28 23:46 --------- d-----w C:\Program Files\K-Lite Codec Pack
    2007-12-28 23:33 --------- d-----w C:\Documents and Settings\Kevin\Application Data\AVG7
    2007-12-22 02:08 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Image Zone Express
    2007-12-14 23:53 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Printer Info Cache
    2007-12-14 23:52 --------- d-----w C:\Program Files\Common Files\HP
    2007-12-13 23:57 --------- d-----w C:\Program Files\Red Kawa
    2007-12-13 23:57 --------- d-----w C:\Program Files\AviSynth 2.5
    2007-12-13 02:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-06 00:24 --------- d-----w C:\Documents and Settings\Kevin\Application Data\gtk-2.0
    2007-11-07 05:14 1,409 ----a-w C:\WINDOWS\Fonts\HELST___.FOT
    2007-11-07 05:14 1,409 ----a-w C:\WINDOWS\Fonts\HELSS___.FOT
    2007-11-07 05:14 1,409 ----a-w C:\WINDOWS\Fonts\HELSM___.FOT
    2007-11-07 05:14 1,409 ----a-w C:\WINDOWS\Fonts\HELSINKI.FOT
    2006-08-09 04:21 19,000 ----a-w C:\Documents and Settings\Kevin\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3702D375-C55A-E005-A7D2-05E79BA55D86}]
    C:\WINDOWS\system32\wzhsirf.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
    "AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 14:35 67112]
    "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-23 16:22 67128]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 17:16 4670968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
    "VTTimer"="VTTimer.exe" [2004-10-22 11:53 53248 C:\WINDOWS\system32\VTTimer.exe]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [2004-02-28 12:12 144896]
    "LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 16:54 127022]
    "LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 17:32 155648]
    "LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 17:31 61440]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [ ]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-07 07:15 180269]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 21:54 579072]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-12 17:42 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    --a------ 2007-11-29 20:44 1266936 c:\program files\steam\steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2007-06-11 17:16 4670968 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

    R2 MLPTDR_B;MLPTDR_B;C:\WINDOWS\system32\MLPTDR_B.sys [2003-09-02 13:06]
    R2 procguard;procguard;C:\WINDOWS\system32\drivers\procguard.sys [2005-01-20 13:13]
    R2 sbbotdi;sbbotdi;C:\PROGRA~1\SPEEDB~1\sbbotdi.sys [2008-01-17 13:14]
    R2 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe -start []
    R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
    S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 13:12]
    S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 13:12]
    S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys [2001-08-17 13:12]
    S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2001-08-17 13:12]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5349dccc-93d6-11dc-bce3-000ea663c400}]
    \Shell\AutoRun\command - F:\Setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-24 02:20:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-02 13:41:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-02 13:46:47 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-02 21:46:43
    ComboFix2.txt 2008-02-02 00:19:43
    .
    2008-01-09 11:02:53 --- E O F ---



    HIJACKTHIS LOG:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:48:09 PM, on 2/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3702D375-C55A-E005-A7D2-05E79BA55D86} - C:\WINDOWS\system32\wzhsirf.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143965581562
    O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 8089 bytes
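Added example (not from the thread and not HijackThis's own code): a small Python triage script for the HijackThis v2 log format posted above. It flags the entries a malware helper looks at first: hooks whose backing file is gone, unnamed BHOs/URLSearchHooks, Run-key commands without an absolute path, and services with an unknown owner. The sample lines are constructed from a subset of the posted log.

```python
"""Triage helper for the HijackThis v2 log format shown in this thread.

Added example, not part of the thread and not HijackThis code. It parses
the R*/O* entry lines and flags the ones a malware helper would examine
first. SAMPLE_LOG below is constructed to mirror entries from the posted log.
"""
import re
from dataclasses import dataclass, field

# Every HijackThis entry line starts with a section code such as R1, O2, O23.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O4 Run-key entries look like "HKLM\..\Run: [name] command"
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# HijackThis marks a hook whose backing file no longer exists with these.
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Constructed sample: a subset of the entries from the posted log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {3702D375-C55A-E005-A7D2-05E79BA55D86} - C:\WINDOWS\system32\wzhsirf.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class Finding:
    kind: str
    body: str
    reasons: list = field(default_factory=list)


def parse_entries(log_text):
    """Return (kind, body) pairs for every entry line; other lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def is_absolute_command(cmd):
    """True if the command starts with a drive-letter path (quotes allowed)."""
    return re.match(r'^"?[A-Za-z]:\\', cmd.strip()) is not None


def triage(log_text):
    """Return only the entries that earned at least one reason to look closer."""
    findings = []
    for kind, body in parse_entries(log_text):
        reasons = []
        lowered = body.lower()
        # A registry hook pointing at a file that is gone is typical of a
        # half-cleaned infection; the entry itself still needs removing.
        for marker in ORPHAN_MARKERS:
            if marker in lowered:
                reasons.append("orphaned: " + marker)
        # BHOs and URLSearchHooks with no name carry no vendor string to vouch for them.
        if kind in ("O2", "R3") and "(no name)" in lowered:
            reasons.append("unnamed hook")
        # A Run-key command given by bare file name is resolved via the search
        # path at logon, so it should be confirmed against the real binary.
        if kind == "O4":
            m = RUN_RE.search(body)
            if m and not is_absolute_command(m.group("cmd")):
                reasons.append("run entry without absolute path")
        # Services whose owner HijackThis cannot attribute deserve a second look.
        if kind == "O23" and "unknown owner" in lowered:
            reasons.append("service with unknown owner")
        if reasons:
            findings.append(Finding(kind, body, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {', '.join(f.reasons)}\n    {f.body}")
```

Run it against a saved hijackthis.log by passing the file contents to triage(); flagged entries are leads for a manual check, not verdicts.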
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    52,072
    I can't see anything else there now but we need to doublecheck with


    download Sunbelt Counterspy Free trial

    Save the install file to desktop and double click it to install counterspy

    Once it has installed, follow the set up wizard which will automatically start, allow it to update itself

    It will take a few minutes to update to the latest definitions file versions

    run a full scan & when it finishes a window will open with all items found

    They should all be marked as quarantine or delete by default so scroll down & check that nothing you know to be good or want to keep is detected. Just in case of an error select Quarantine for everything rather than delete. Then just press the take action button & follow any prompts (set anything you want to keep as ignore)

    post back with its report (on the scan page, press view details & copy that report & paste it back here)
     
  8. PityFool

    PityFool Thread Starter

    Joined:
    Jan 31, 2008
    Messages:
    29
    hey heres the log from counterspy:

    Scan History Details
    Start Date: 2/2/2008 5:46:21 PM
    End Date: 2/2/2008 6:35:03 PM
    Total Time: 48 Min 42 Sec
    Detected security risks

    Morpheus P2P Program more information...
    Details: P2P file sharing program that installs a number of adware programs. Morpheus also displays its own popup advertsing.
    Status: Quarantined

    Files detected
    C:\WINDOWS\system32\npmirage.dll


    Bifrost Backdoor more information...
    Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
    Status: Quarantined

    Registry entries detected
    HKEY_USERS\.DEFAULT\SOFTWARE\WGET
    HKEY_USERS\S-1-5-18\SOFTWARE\WGET
    HKEY_USERS\S-1-5-21-299502267-1390067357-725345543-1004\SOFTWARE\WGET


    eZula.CommonElements Adware (General) more information...
    Details: eZula.CommonElements is the collection of traces common to multiple eZula adware applications.
    Status: Quarantined

    Files detected
    C:\Documents and Settings\Kevin\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance\3DGrooveXtrav18\Groove.x32


    Adware.Zhong Adware (General) more information...
    Status: Quarantined

    Registry entries detected
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\Control
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\InprocServer32
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\InprocServer32
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\InprocServer32
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\Insertable
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\MiscStatus
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\MiscStatus
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\MiscStatus\1
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\MiscStatus\1
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\ProgID
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\ProgID
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\Programmable
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\ToolboxBitmap32
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\ToolboxBitmap32
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\TypeLib
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\TypeLib
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\Version
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\Version
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\VersionIndependentProgID
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\VersionIndependentProgID


    Cookie: Tracking Cookies Cookie (General) more information...
    Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
    Status: Deleted

    Cookies detected
    c:\documents and settings\kevin\cookies\[email protected][1].txt
    c:\documents and settings\kevin\cookies\[email protected][1].txt
    c:\documents and settings\kevin\cookies\[email protected][2].txt
    c:\documents and settings\kevin\cookies\[email protected][1].txt
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    52,072
    that cleared a bit more up

    Please download ATF Cleaner by Atribune

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

    If you use Firefox browser as well as Internet Explorer or instead of it then also do this step

    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser as well as Internet Explorer or instead of it then also do this step

    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    This will remove all files from the items that are checked so if you have some cookies you'd like to save, please move them to a different directory first.


    Notes for Windows Vista users:

    On Windows Vista "Windows Temp" is disabled; to empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator"
    Prefetch has been disabled on Windows Vista. As the author is not sure of the effects that emptying prefetch on Windows Vista will have, for the time being that function won't be enabled

    Please download the OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    press cleanup & it will search for and delete/uninstall all the tools we have used to fix your problems and all their backup folders and then delete itself when you next reboot

    then
    Turn off system restore by following instructions here
    http://www.thespykiller.co.uk/index.php?page=8
    That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable system restore & create a new restore point. Now Empty Recycle bin on desktop

    go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

    and scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

    Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place
     
  10. PityFool

    PityFool Thread Starter

    Joined:
    Jan 31, 2008
    Messages:
    29
    OTMoveIt by OldTimer link does not work =[
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    52,072
  12. PityFool

    PityFool Thread Starter

    Joined:
    Jan 31, 2008
    Messages:
    29
    so am i clean now?? if i am thank you soooooo much for your help.
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    52,072
    you should be BUT if you continue to use P2P programs you will be reinfected very quickly
     
  14. PityFool

    PityFool Thread Starter

    Joined:
    Jan 31, 2008
    Messages:
    29
    is that if i download a virus or is there a virus on my pc. i like to download so should i just be more careful or just not use p2p?? =[
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    52,072
    All P2P programs are inherently dangerous and downloading using them is an enormous risk

    a very high % of everything downloaded has a virus embedded in it
     
  16. PityFool

    PityFool Thread Starter

    Joined:
    Jan 31, 2008
    Messages:
    29
    so i cant have any p2p (azereus) at all? that kinda sucks
     
Short URL to this thread: https://techguy.org/677903