  1. #1


    Join Date : Jun 2010
    Posts : 13

    Good evening,

    I have a friend's computer here. It is a Gateway Yorktown Model with WinXP Service Pack 3. Currently it is infected with the Alureon Virus. Windows Security Essentials identifies the threat as Win32/Patched.H in C:\windows\system32\ws2_32.dll and hklm\system\currentcontrolset\control\sessionmanager\knowndlls\user32. WSE cannot remove the virus. Attached are the requested logs. I need help removing this virus. Thank you in advance.
    Please note: I have removed Frostwire (where this infection probably came from) as well as some other viruses and informed the owner not to use these types of programs. Also, if you could be of any help removing SmartShopper (another program I have commonly found on infected machines) I would certainly appreciate the extra assistance.

  2. #2

    Hi. Welcome to the forum.

    Please run both these programs, Malwarebytes and Combofix.

    Please download Malwarebytes' Anti-Malware from one of these places:
    |MG| Malwarebytes Anti-Malware 1.46 Download
    Malwarebytes' Anti-Malware Free Download and Reviews - Fileforum

    Double Click mbam-setup.exe to install the application.
    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.

    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy&Paste the entire report in your next reply.

    ===============================================

    Download Combofix and place it on your Desktop.

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Combofix may be slow to start and appear to be doing nothing before it starts scanning. Just leave it, it will start.
    You can get help on disabling your protection programs here : How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
    Please include the C:\ComboFix.txt in your next reply for further review.

    Caution.....
    Never use this program to remove files. Only use it with help from an experienced user. Wrongful use can damage your computer. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a qualified helper.


  3. #3


    Join Date : Jun 2010
    Posts : 13

    Hi Pancake,

    Thank you for your help.
    Question: mbam wants me to restart my computer. Should I do this before proceeding?
    Here are the logs requested.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org
    Database version: 4249
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    6/28/2010 9:33:17 AM
    mbam-log-2010-06-28 (09-33-17).txt
    Scan type: Quick scan
    Objects scanned: 125690
    Time elapsed: 5 minute(s), 55 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 19
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 13
    Files Infected: 17
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_CLASSES_ROOT\smartshopper.hbax (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\smartshopper.hbax.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\smartshopper.iebutton (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\smartshopper.iebutton.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\smartshopper.iebuttona (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\smartshopper.iebuttona.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\smartshopper.iebuttonb (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\smartshopper.iebuttonb.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{08aa0598-6a23-4364-9bf4-6d5f57f42993} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{b0e8c398-dabe-4ce1-b4d9-ed43b64923f5} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{c7f127df-8877-4e1e-a196-fbbecbc5bc6d} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{064c57b4-b9ec-425f-b9b3-bceffeea74d9} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{0755e4f0-3f92-4a67-ad14-e9f287f76fbc} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2260d608-c844-435d-90fd-dc16cfa577f2} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{bceb373d-a35a-4200-bd43-8586cd9dfae7} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{2615f050-9c18-4267-b711-8e3687dc0145} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{cb0d9d8c-535e-4352-ba8f-65c3c8676612} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\SmartShopper (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\SmartShopper (Adware.SmartShopper) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\zango@zango.com (Adware.Zango) -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    C:\Documents and Settings\Owner\Application Data\SmartShopper (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\SmartShopper\cs (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\SmartShopper\cs\db (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\SmartShopper\cs\dwld (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\SmartShopper\cs\report (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\SmartShopper\cs\res1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\SmartShopper (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\SmartShopper\cs (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\SmartShopper\cs\db (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\SmartShopper\cs\dwld (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\SmartShopper\cs\report (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\SmartShopper\cs\res1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\SmartShopper (Adware.SmartShopper) -> Quarantined and deleted successfully.
    Files Infected:
    C:\Documents and Settings\Owner\Application Data\SmartShopper\cs\Config.xml (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\SmartShopper\cs\db\Aliases.dbs (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\SmartShopper\cs\db\Sites.dbs (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\SmartShopper\cs\dwld\Phishinglist.xip (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\SmartShopper\cs\dwld\WhiteList.xip (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\SmartShopper\cs\report\aggr_storage.xml (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\SmartShopper\cs\report\send_storage.xml (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\SmartShopper\cs\res1\WhiteList.dbs (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\SmartShopper\cs\Config.xml (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\SmartShopper\cs\dwld\Phishinglist.xip (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\SmartShopper\cs\dwld\WhiteList.xip (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\SmartShopper\cs\report\aggr_storage.xml (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\SmartShopper\cs\report\send_storage.xml (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\SmartShopper\cs\res1\WhiteList.dbs (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\SmartShopper\SmartShopper - Comapre product prices.lnk (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\SmartShopper\SmartShopper - Compare travel rate.lnk (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\SmartShopper\SmartShopper Help.lnk (Adware.SmartShopper) -> Quarantined and deleted successfully.


    ComboFix 10-06-27.04 - Owner 06/28/2010 8:46.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.591 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
    c:\documents and settings\All Users\Application Data\pkPkEUP4.exe
    c:\documents and settings\All Users\Application Data\ZangoSA
    c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSA.dat
    c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSA_kyf.dat
    c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAAbout.mht
    c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAau.dat
    c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAEula.mht
    c:\documents and settings\Owner\Application Data\WeatherDPA
    c:\documents and settings\Owner\Application Data\WeatherDPA\Weather\WeatherStartup.xml
    c:\documents and settings\Owner\Application Data\Zango
    c:\documents and settings\Owner\Local Settings\Application Data\Windows Server
    c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\flags.ini
    c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\uses32.dat
    C:\feed.txt
    c:\program files\Common Files\Uninstall
    c:\program files\Internet Explorer\SET1FC.tmp
    c:\program files\Internet Explorer\SET201.tmp
    c:\program files\Internet Explorer\SET282.tmp
    c:\program files\SmartShopper
    c:\program files\SmartShopper\Bin\2.5.0\SmrtShpr.dll
    c:\windows\system32\certstore.dat
    c:\windows\system32\dxe.txt
    c:\windows\system32\fsc.txt
    c:\windows\system32\hlp.dat
    c:\windows\system32\ide.txt
    c:\windows\system32\klgd.bmp
    c:\windows\system32\user32.dllBCCE9C84
    c:\windows\system32\ws2_32.dllF1E2E8B8
    c:\windows\system32\xef.txt
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At1001.job
    Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\ws2_32.dll
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    -------\Legacy_6TO4
    -------\Service_6to4

    ((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
    .
    2010-06-28 12:37 . 2010-06-28 12:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-06-28 12:37 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-28 12:37 . 2010-06-28 12:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-06-28 12:37 . 2010-06-28 12:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-28 12:37 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-28 02:35 . 2010-06-28 02:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\VS Revo Group
    2010-06-28 02:35 . 2010-06-28 02:35 -------- d-----w- c:\windows\LastGood.Tmp
    2010-06-28 02:35 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
    2010-06-26 13:04 . 2010-06-26 13:04 -------- d-----w- c:\program files\Common Files\Java
    2010-06-26 13:04 . 2010-06-26 13:04 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-26 12:04 . 2010-06-26 12:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
    2010-06-26 12:00 . 2010-06-26 12:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2010-06-26 12:00 . 2010-06-26 12:00 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-06-26 11:58 . 2006-10-22 16:22 208896 ----a-w- c:\windows\system32\nvudisp.exe
    2010-06-26 11:58 . 2006-10-22 19:06 208896 ----a-w- c:\windows\system32\NVUNINST.EXE
    2010-06-26 11:57 . 2010-06-26 11:57 -------- d-----w- C:\NVIDIA
    2010-06-26 11:43 . 2010-06-26 11:43 -------- d-----w- c:\program files\SystemRequirementsLab
    2010-06-26 11:39 . 2010-06-26 11:39 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
    2010-06-26 11:26 . 2010-06-26 11:26 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
    2010-06-26 02:54 . 2010-06-26 02:54 -------- d-----w- c:\program files\Microsoft.NET
    2010-06-26 02:53 . 2010-06-26 02:53 -------- d-----w- c:\windows\system32\winrm
    2010-06-26 02:53 . 2010-06-26 02:53 -------- d-----w- c:\windows\system32\GroupPolicy
    2010-06-26 02:53 . 2010-06-26 02:53 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
    2010-06-26 02:30 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2010-06-26 02:30 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2010-06-26 02:30 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-06-26 02:30 . 2010-06-26 12:12 -------- d-----w- c:\windows\ie8updates
    2010-06-26 02:30 . 2010-04-16 11:43 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2010-06-26 02:28 . 2010-06-26 11:22 -------- dc-h--w- c:\windows\ie8
    2010-06-26 02:23 . 2010-06-26 11:59 -------- d-----w- c:\windows\nview
    2010-06-25 02:11 . 2010-06-25 02:11 64512 ----a-w- c:\windows\system32\drivers\SERIAL.SYS
    2010-06-24 03:28 . 2008-07-24 18:25 262144 ----a-w- c:\program files\Uninstall Ask Toolbar.dll
    2010-06-24 02:27 . 2010-06-28 02:35 -------- d-----w- c:\program files\VS Revo Group
    2010-06-23 20:40 . 2010-06-27 15:11 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-06-23 02:00 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-06-23 02:00 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-06-23 02:00 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-06-23 02:00 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-06-23 02:00 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-06-23 02:00 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-06-23 02:00 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-06-23 02:00 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-06-23 02:00 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-06-23 02:00 . 2010-06-23 02:00 -------- d-----w- c:\program files\Alwil Software
    2010-06-23 02:00 . 2010-06-23 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-06-16 13:18 . 2010-06-16 13:20 45056 ----a-w- c:\windows\system32\PuCfqnpR.dll
    2010-06-13 21:42 . 2010-06-13 21:42 -------- d-----w- c:\program files\ATT-RC
    2010-06-10 18:34 . 2010-06-10 18:34 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-06-10 18:32 . 2010-06-10 18:32 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-26 13:04 . 2010-06-26 13:04 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-452d1f3d-n\msvcp71.dll
    2010-06-26 13:04 . 2010-06-26 13:04 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-452d1f3d-n\jmc.dll
    2010-06-26 13:04 . 2010-06-26 13:04 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-452d1f3d-n\msvcr71.dll
    2010-06-26 13:04 . 2010-06-26 13:04 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5b4b033e-n\decora-sse.dll
    2010-06-26 13:04 . 2010-06-26 13:04 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5b4b033e-n\decora-d3d.dll
    2010-06-26 13:04 . 2008-10-18 21:53 -------- d-----w- c:\program files\Java
    2010-06-26 11:58 . 2008-04-23 15:25 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-06-26 07:16 . 2008-04-23 16:32 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-26 02:41 . 2008-04-23 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-06-26 01:17 . 2008-04-23 16:38 -------- d-----w- c:\program files\CyberLink
    2010-06-26 01:17 . 2008-04-23 15:26 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-23 23:48 . 2009-10-24 22:56 -------- d-----w- c:\program files\iTunes
    2010-06-23 23:48 . 2009-10-24 22:52 -------- d-----w- c:\program files\QuickTime
    2010-06-23 23:48 . 2009-02-01 21:21 -------- d-----w- c:\program files\Lexmark 2600 Series
    2010-06-23 20:42 . 2008-04-23 16:39 -------- d-----w- c:\program files\Windows Defender
    2010-06-23 20:41 . 2010-06-07 13:08 112 ----a-w- c:\documents and settings\All Users\Application Data\1nxw2x.dat
    2010-06-22 23:47 . 2010-02-10 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-06-21 18:25 . 2010-04-24 23:13 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
    2010-06-17 01:21 . 2009-04-15 18:02 -------- d-----w- c:\program files\Blubster
    2010-05-27 18:02 . 2010-04-24 23:25 -------- d-----w- c:\program files\Common Files\Motive
    2010-05-21 18:14 . 2009-10-03 06:25 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-06 10:41 . 2010-06-26 02:30 916480 ------w- c:\windows\system32\SET273.tmp
    2010-05-06 10:41 . 2004-08-12 14:09 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-06 10:41 . 2010-06-26 02:30 5950976 ------w- c:\windows\system32\SET277.tmp
    2010-05-06 10:41 . 2010-06-26 02:30 1209344 ------w- c:\windows\system32\SET274.tmp
    2010-05-06 10:41 . 2010-06-26 02:30 55296 ------w- c:\windows\system32\SET278.tmp
    2010-05-06 10:41 . 2010-06-26 02:30 599040 ------w- c:\windows\system32\SET279.tmp
    2010-05-06 10:41 . 2010-06-26 02:30 1985536 ------w- c:\windows\system32\SET27C.tmp
    2010-05-06 10:41 . 2010-06-26 02:30 184320 ------w- c:\windows\system32\SET27D.tmp
    2010-05-06 10:41 . 2010-06-26 02:30 11076096 ------w- c:\windows\system32\SET27E.tmp
    2010-05-02 05:22 . 2004-08-12 14:09 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-23 00:39 . 2010-01-20 08:19 7631232 ----a-w- c:\documents and settings\Owner\Application Data\MySpace\IM\Install\MSIMClientSetup.1.0.823.0-static-A.exe
    2010-04-20 05:30 . 2010-04-20 05:30 285696 ----a-w- c:\windows\system32\SET508.tmp
    2010-04-20 05:30 . 2004-08-12 13:55 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-03-31 04:16 . 2010-03-31 04:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-03-31 04:10 . 2010-03-31 04:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    .
    Code:
    c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    c:\program files\Intel\NCS\PROSet\PRONoMgr .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\Lexmark 2600 Series\ezprint .exe
    c:\program files\Lexmark 2600 Series\lxdnmon .exe
    c:\program files\Messenger\msmsgs .exe
    c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
    c:\program files\QuickTime\qttask             .exe
    c:\program files\Windows Defender\MSASCui .exe
    c:\windows\system32\CTHELPER .exe
    c:\windows\system32\CTXFIHLP .exe
    ------- Sigcheck -------
    [7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
    [-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
    [-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
    [-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
    [-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
    [-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
    [7] 2004-08-12 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "nwiz"="nwiz.exe" [2006-10-22 1622016]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnjswx.exe"=
    "c:\\Program Files\\Lexmark 2600 Series\\lxdnlscn.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\lxdncoms.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdntime.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnwbgw.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Lexmark 2600 Series\\lxdnmon .exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*isabled:Windows Remote Management
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/22/2010 10:00 PM 164048]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/22/2010 10:00 PM 19024]
    R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
    R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxd nserv.exe [2/1/2009 5:23 PM 94208]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\adm851x.sys [4/23/2008 10:52 AM 22144]
    S3 mercury;mercury;\??\c:\windows\system32\mercury.sys --> c:\windows\system32\mercury.sys [?]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [6/27/2010 10:35 PM 27064]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/12/2004 10:06 AM 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{31D9B4A9-6FCC-4698-A092-C4C28D017B36}]
    jbwonjm.dll [N/A]
    .
    Contents of the 'Scheduled Tasks' folder
    2010-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    c:\windows\Tasks\At1112.job
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.att.yahoo.com/
    uInternet Connection Wizard,ShellNext = iexplore
    .
    - - - - ORPHANS REMOVED - - - -
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    Toolbar-Locked - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    SafeBoot-mcmscsvc
    SafeBoot-MCODS

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-06-28 08:57
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c2,75,dc,07,ad,a0,2e,47,80,ef,5e,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c2,75,dc,07,ad,a0,2e,47,80,ef,5e,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(672)
    c:\windows\system32\l3codeca.acm
    - - - - - - - > 'explorer.exe'(292)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\l3codeca.acm
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\lxdncoms.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-06-28 09:07:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-06-28 13:07
    Pre-Run: 59,865,022,464 bytes free
    Post-Run: 61,340,332,032 bytes free
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    - - End Of File - - 41F90338987D81D0E954708F3F93A6A4
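    Two sections of the ComboFix log above carry the actual evidence of the Win32/Patched infection: the Sigcheck block, where c:\windows\system32\user32.dll has the same version and size as the ServicePackFiles copy but a different MD5 (a file patched in place), and the "Code:" block listing autostart targets renamed with a space before ".exe". The following Python is an added example, not part of this thread or of ComboFix; it parses those two sections from a log and flags both conditions, using sample lines copied from the log above.

```python
import re
from collections import defaultdict

# Constructed sample: Sigcheck lines copied from the ComboFix log quoted in post #3.
SIGCHECK_SAMPLE = r"""[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[7] 2004-08-12 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll
"""

# Constructed sample: two entries from the "extra spaces" block plus one normal path as a control.
SPACED_NAMES_SAMPLE = r"""c:\program files\QuickTime\qttask             .exe
c:\program files\Windows Defender\MSASCui .exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
"""

# One Sigcheck line: [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<ver>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(text):
    """Parse ComboFix Sigcheck lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["md5"] = d["md5"].upper()
        d["path"] = d["path"].lower()
        d["name"] = d["path"].rsplit("\\", 1)[-1]
        entries.append(d)
    return entries


def is_live_copy(path):
    """The copy Windows actually loads: under system32, but not the dllcache backup."""
    return "\\system32\\" in path and "\\dllcache\\" not in path


def is_reference_copy(path):
    """Pristine copies the OS keeps for repair (ComboFix restored ws2_32.dll from ServicePackFiles)."""
    return "\\servicepackfiles\\i386\\" in path or "\\dllcache\\" in path


def find_patched_system_files(entries):
    """Flag live system files whose MD5 differs from a reference copy claiming the same version and size.

    Same version string and identical size with a different hash is the in-place patch
    signature; a version mismatch alone could just be a hotfix and is not reported.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    findings = []
    for group in by_name.values():
        refs = [e for e in group if is_reference_copy(e["path"])]
        for live in (e for e in group if is_live_copy(e["path"])):
            for ref in refs:
                same_identity = ref["ver"] == live["ver"] and ref["size"] == live["size"]
                if same_identity and ref["md5"] != live["md5"]:
                    findings.append({
                        "file": live["path"], "live_md5": live["md5"],
                        "reference": ref["path"], "reference_md5": ref["md5"],
                        "version": live["ver"],
                    })
    return findings


# Whitespace between the base name and the extension, e.g. "qttask             .exe".
SPACED_EXT_RE = re.compile(r"\S\s+\.(exe|dll|sys|scr)\s*$", re.IGNORECASE)


def find_spaced_names(text):
    """Return paths whose base name has whitespace before the extension."""
    return [line.rstrip() for line in text.splitlines() if SPACED_EXT_RE.search(line)]


if __name__ == "__main__":
    for f in find_patched_system_files(parse_sigcheck(SIGCHECK_SAMPLE)):
        print("PATCHED:", f["file"], f["live_md5"], "!=", f["reference_md5"], "from", f["reference"])
    for p in find_spaced_names(SPACED_NAMES_SAMPLE):
        print("SUSPICIOUS NAME:", p)
```

    On the sample the first check reports only c:\windows\system32\user32.dll, matching what ComboFix itself concluded, and the second reports the two spaced names while leaving AvastSvc.exe alone.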

  4. #4

    Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
    It's IMPORTANT to carry out the instructions in the sequence listed below.
    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    Open *notepad* and copy/paste the text in the quotebox below into it:
    Code:
    Renv::
    c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    c:\program files\Intel\NCS\PROSet\PRONoMgr .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\Lexmark 2600 Series\ezprint .exe
    c:\program files\Lexmark 2600 Series\lxdnmon .exe
    c:\program files\Messenger\msmsgs .exe
    c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
    c:\program files\QuickTime\qttask             .exe
    c:\program files\Windows Defender\MSASCui .exe
    c:\windows\system32\CTHELPER .exe
    c:\windows\system32\CTXFIHLP .exe
    File::
    c:\windows\system32\SET273.tmp
    c:\windows\system32\SET277.tmp
    c:\windows\system32\SET274.tmp
    c:\windows\system32\SET278.tmp
    c:\windows\system32\SET279.tmp
    c:\windows\system32\SET27C.tmp
    c:\windows\system32\SET27D.tmp
    c:\windows\system32\SET27E.tmp
    c:\windows\system32\SET508.tmp
    Folder::
    Registry::
    Rootkit::
    DDS::
    RESTORE::
    RegNull::
    ATJob::
    MBR::
    TDL::
    Save this as CFScript.txt, in the same location as ComboFix.exe, which is on the Desktop.

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt
    Please copy and paste the ComboFix.txt in your next reply.

    *Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*

  5. #5


    Join Date : Jun 2010
    Posts : 13

    Hello Pancake,

    File run as instructed. Results below:

    ComboFix 10-06-27.04 - Owner 06/29/2010 0:05.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.697 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FILE ::
    "c:\windows\system32\SET273.tmp"
    "c:\windows\system32\SET274.tmp"
    "c:\windows\system32\SET277.tmp"
    "c:\windows\system32\SET278.tmp"
    "c:\windows\system32\SET279.tmp"
    "c:\windows\system32\SET27C.tmp"
    "c:\windows\system32\SET27D.tmp"
    "c:\windows\system32\SET27E.tmp"
    "c:\windows\system32\SET508.tmp"
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\windows\system32\SET273.tmp
    c:\windows\system32\SET274.tmp
    c:\windows\system32\SET277.tmp
    c:\windows\system32\SET278.tmp
    c:\windows\system32\SET279.tmp
    c:\windows\system32\SET27C.tmp
    c:\windows\system32\SET27D.tmp
    c:\windows\system32\SET27E.tmp
    c:\windows\system32\SET508.tmp
    .
    ((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-29 )))))))))))))))))))))))))))))))
    .
    2010-06-28 12:37 . 2010-06-28 12:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-06-28 12:37 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-28 12:37 . 2010-06-28 12:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-06-28 12:37 . 2010-06-28 12:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-28 12:37 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-28 02:35 . 2010-06-28 02:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\VS Revo Group
    2010-06-28 02:35 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
    2010-06-26 13:04 . 2010-06-26 13:04 -------- d-----w- c:\program files\Common Files\Java
    2010-06-26 13:04 . 2010-06-26 13:04 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-26 12:04 . 2010-06-26 12:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
    2010-06-26 12:00 . 2010-06-26 12:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2010-06-26 12:00 . 2010-06-26 12:00 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-06-26 11:58 . 2006-10-22 16:22 208896 ----a-w- c:\windows\system32\nvudisp.exe
    2010-06-26 11:58 . 2006-10-22 19:06 208896 ----a-w- c:\windows\system32\NVUNINST.EXE
    2010-06-26 11:57 . 2010-06-26 11:57 -------- d-----w- C:\NVIDIA
    2010-06-26 11:43 . 2010-06-26 11:43 -------- d-----w- c:\program files\SystemRequirementsLab
    2010-06-26 11:39 . 2010-06-26 11:39 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
    2010-06-26 11:26 . 2010-06-26 11:26 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
    2010-06-26 02:54 . 2010-06-26 02:54 -------- d-----w- c:\program files\Microsoft.NET
    2010-06-26 02:53 . 2010-06-26 02:53 -------- d-----w- c:\windows\system32\winrm
    2010-06-26 02:53 . 2010-06-26 02:53 -------- d-----w- c:\windows\system32\GroupPolicy
    2010-06-26 02:53 . 2010-06-26 02:53 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
    2010-06-26 02:30 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2010-06-26 02:30 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2010-06-26 02:30 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-06-26 02:30 . 2010-06-26 12:12 -------- d-----w- c:\windows\ie8updates
    2010-06-26 02:30 . 2010-04-16 11:43 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2010-06-26 02:28 . 2010-06-26 11:22 -------- dc-h--w- c:\windows\ie8
    2010-06-26 02:23 . 2010-06-29 03:44 -------- d-----w- c:\windows\nview
    2010-06-25 02:11 . 2010-06-25 02:11 64512 ----a-w- c:\windows\system32\drivers\SERIAL.SYS
    2010-06-24 03:28 . 2008-07-24 18:25 262144 ----a-w- c:\program files\Uninstall Ask Toolbar.dll
    2010-06-24 02:27 . 2010-06-28 02:35 -------- d-----w- c:\program files\VS Revo Group
    2010-06-23 20:40 . 2010-06-27 15:11 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-06-23 02:00 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-06-23 02:00 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-06-23 02:00 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-06-23 02:00 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-06-23 02:00 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-06-23 02:00 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-06-23 02:00 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-06-23 02:00 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-06-23 02:00 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-06-23 02:00 . 2010-06-23 02:00 -------- d-----w- c:\program files\Alwil Software
    2010-06-23 02:00 . 2010-06-23 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-06-16 13:18 . 2010-06-16 13:20 45056 ----a-w- c:\windows\system32\PuCfqnpR.dll
    2010-06-13 21:42 . 2010-06-13 21:42 -------- d-----w- c:\program files\ATT-RC
    2010-06-10 18:34 . 2010-06-10 18:34 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-06-10 18:32 . 2010-06-10 18:32 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-29 04:05 . 2009-10-24 22:56 -------- d-----w- c:\program files\iTunes
    2010-06-29 04:05 . 2009-10-24 22:52 -------- d-----w- c:\program files\QuickTime
    2010-06-29 04:05 . 2009-02-01 21:21 -------- d-----w- c:\program files\Lexmark 2600 Series
    2010-06-29 04:05 . 2008-04-23 16:39 -------- d-----w- c:\program files\Windows Defender
    2010-06-26 13:04 . 2010-06-26 13:04 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-452d1f3d-n\msvcp71.dll
    2010-06-26 13:04 . 2010-06-26 13:04 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-452d1f3d-n\jmc.dll
    2010-06-26 13:04 . 2010-06-26 13:04 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-452d1f3d-n\msvcr71.dll
    2010-06-26 13:04 . 2010-06-26 13:04 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5b4b033e-n\decora-sse.dll
    2010-06-26 13:04 . 2010-06-26 13:04 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5b4b033e-n\decora-d3d.dll
    2010-06-26 13:04 . 2008-10-18 21:53 -------- d-----w- c:\program files\Java
    2010-06-26 11:58 . 2008-04-23 15:25 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-06-26 07:16 . 2008-04-23 16:32 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-26 02:41 . 2008-04-23 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-06-26 01:17 . 2008-04-23 16:38 -------- d-----w- c:\program files\CyberLink
    2010-06-26 01:17 . 2008-04-23 15:26 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-23 20:41 . 2010-06-07 13:08 112 ----a-w- c:\documents and settings\All Users\Application Data\1nxw2x.dat
    2010-06-22 23:47 . 2010-02-10 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-06-21 18:25 . 2010-04-24 23:13 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
    2010-06-17 01:21 . 2009-04-15 18:02 -------- d-----w- c:\program files\Blubster
    2010-05-27 18:02 . 2010-04-24 23:25 -------- d-----w- c:\program files\Common Files\Motive
    2010-05-21 18:14 . 2009-10-03 06:25 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-06 10:41 . 2004-08-12 14:09 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2004-08-12 14:09 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-23 00:39 . 2010-01-20 08:19 7631232 ----a-w- c:\documents and settings\Owner\Application Data\MySpace\IM\Install\MSIMClientSetup.1.0.823.0-static-A.exe
    2010-04-20 05:30 . 2004-08-12 13:55 285696 ----a-w- c:\windows\system32\atmfd.dll
    .
    ------- Sigcheck -------
    [7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
    [-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
    [-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
    [-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
    [-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
    [-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
    [7] 2004-08-12 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "nwiz"="nwiz.exe" [2006-10-22 1622016]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnjswx.exe"=
    "c:\\Program Files\\Lexmark 2600 Series\\lxdnlscn.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\lxdncoms.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdntime.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnwbgw.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*isabled:Windows Remote Management
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/22/2010 10:00 PM 164048]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/22/2010 10:00 PM 19024]
    R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
    R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxd nserv.exe [2/1/2009 5:23 PM 94208]
    S0 obpx;obpx;c:\windows\system32\drivers\flomk.sys --> c:\windows\system32\drivers\flomk.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\adm851x.sys [4/23/2008 10:52 AM 22144]
    S3 mercury;mercury;\??\c:\windows\system32\mercury.sys --> c:\windows\system32\mercury.sys [?]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [6/27/2010 10:35 PM 27064]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/12/2004 10:06 AM 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    Contents of the 'Scheduled Tasks' folder
    2010-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.att.yahoo.com/
    uInternet Connection Wizard,ShellNext = iexplore
    .
    - - - - ORPHANS REMOVED - - - -
    ActiveSetup-{31D9B4A9-6FCC-4698-A092-C4C28D017B36} - jbwonjm.dll

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-06-29 00:19
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c2,75,dc,07,ad,a0,2e,47,80,ef,5e,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c2,75,dc,07,ad,a0,2e,47,80,ef,5e,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(676)
    c:\windows\system32\l3codeca.acm
    - - - - - - - > 'explorer.exe'(3232)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\l3codeca.acm
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\lxdncoms.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-06-29 00:24:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-06-29 04:24
    ComboFix2.txt 2010-06-29 03:55
    ComboFix3.txt 2010-06-28 13:07
    Pre-Run: 61,312,868,352 bytes free
    Post-Run: 61,311,303,680 bytes free
    - - End Of File - - EF2BDB5AF262D1B6EE6AF83697280C2B

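The Sigcheck section of the log above is the part a defender should read most carefully: the live c:\windows\system32\user32.dll reports the same file version (5.1.2600.5512) and the same size (578560 bytes) as the pristine copy under c:\windows\ServicePackFiles\i386, yet a different MD5. Same version and size with a different hash is the classic footprint of an in-place patched system DLL, which is exactly what a Win32/Patched detection means. The following script is an added example, not ComboFix's own code or anything posted in this thread: it parses the Sigcheck lines (the sample block is copied verbatim from the log) and flags any file loaded from system32 whose hash differs from the ServicePackFiles copy of the same version. The assumption that ServicePackFiles\i386 holds the trustworthy reference copy is mine; on a machine where that folder has also been tampered with, the check would need an external hash source.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample input: the Sigcheck block from the ComboFix log above,
# copied verbatim (paths and MD5s are the page's own values, not invented).
SIGCHECK_BLOCK = r"""
------- Sigcheck -------
[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2004-08-12 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll
"""

# One Sigcheck line: [marker] date . md5 . size . . [file version] . . path
LINE_RE = re.compile(
    r"^\[(?P<marker>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].upper()
        entries.append(entry)
    return entries


def _is_live_copy(path):
    # The copy Windows actually loads sits directly in system32, not in
    # dllcache or in the $NtUninstall*/$hf_mig$ backup folders.
    return ntpath.dirname(path).lower().endswith("\\system32")


def _is_reference_copy(path):
    # Assumption: ServicePackFiles\i386 holds the pristine service-pack copy.
    return "\\servicepackfiles\\" in path.lower()


def find_patched(entries):
    """Flag live files whose MD5 differs from the ServicePackFiles copy that
    reports the same file name and version. Equal size with a different hash
    is the usual sign of an in-place patch rather than a legitimate update."""
    by_name_version = defaultdict(list)
    for e in entries:
        key = (ntpath.basename(e["path"]).lower(), e["version"])
        by_name_version[key].append(e)

    findings = []
    for (name, version), group in by_name_version.items():
        refs = [e for e in group if _is_reference_copy(e["path"])]
        live = [e for e in group if _is_live_copy(e["path"])]
        if not refs or not live:
            continue  # nothing trustworthy to compare against
        ref = refs[0]
        for e in live:
            if e["md5"] != ref["md5"]:
                findings.append({
                    "path": e["path"],
                    "version": version,
                    "md5": e["md5"],
                    "reference_md5": ref["md5"],
                    "reference_path": ref["path"],
                    "size_match": e["size"] == ref["size"],
                })
    return findings


if __name__ == "__main__":
    for f in find_patched(parse_sigcheck(SIGCHECK_BLOCK)):
        print(f"{f['path']} v{f['version']}: md5 {f['md5']} != reference "
              f"{f['reference_md5']} (same size: {f['size_match']})")
```

Run against the block above it reports the single live user32.dll as mismatching its reference copy with identical size, which is the finding the helper's CFScript and the later Malwarebytes and avast! passes were cleaning up after. The same grouping logic works for any Sigcheck section ComboFix emits, since it keys on file name and version rather than on user32.dll specifically.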
  6. #6

    Ok. All done. I see no more malware. This will clear away any of the files and folders that were created by ComboFix.
    Go to:
    Start > Run, then copy and paste the following highlighted (blue) text below into the box and click OK.

    ComboFix /Uninstall

    Please read these for future reference; it may save you future problems with malware:

    http://www.pchelpforum.com/fixed-hij...afterwork.html
    http://www.pchelpforum.com/fixed-hij...happening.html
    http://www.pchelpforum.com/fixed-hij...-infected.html
    Prevention
    =============================

    This will help clean up your system.
    Please download ATF Cleaner by Atribune. http://www.atribune.org/ccount/click.php?id=1
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
    (If you use Firefox or the Opera browser, click No at the prompt to keep saved passwords.)
    It's normal after running ATF Cleaner that the PC will be slower to boot the first time or two.

  7. #7


    Join Date : Jun 2010
    Posts : 13

    Thanks man! You've been a big help, and a pleasure to work with. Donation will be forthcoming. Keep up the great work!

  8. #8

    No problem. Glad to assist and thanks for the donation.

  9. #9

    Hi scooter

    I am delighted to see that your issue has been resolved. I will now mark your thread as solved and hope to see you next time.

    Regards,

    airman24
