Desktop is infected pls help.


8 replies to this topic

#1 larsky
    Active Member, 51 posts

Posted 04 April 2009 - 05:02 PM

I was trying to do automatic updates but I cannot connect to the site using IE and Mozilla. This made me think I might be infected. So I checked and updated my Spybot but it will not run; it's locking up. Then I ran the Microsoft Windows removal tool and it says I have a virus/malware and it partially removed it after a full scan. Now I ran HJT and here is the log file. Hope you can help me. Thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:13 AM, on 4/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Airlink101\AWLL5025\WLService.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Airlink101\AWLL5025\AWLL5025.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\VMSnap3.exe
C:\WINDOWS\Domino.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://203.190.75.22...os.ph/certifyit
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [Orb] C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Picture Package Menu.lnk = ?
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: my.magicjack.com
O15 - Trusted Zone: reg.talk4free.com
O20 - AppInit_DLLs: WIKI.DLL
O23 - Service: Airlink101 USB XR Adapter WLService - Unknown owner - C:\Program Files\Airlink101\AWLL5025\WLService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 8612 bytes


#2 LoPhatPhuud
    Master of Disaster Recovery, General Admin, 15,881 posts

Posted 04 April 2009 - 07:54 PM

First:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Second:

Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Third:
Download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingc...to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



#3 larsky
    Active Member, 51 posts

Posted 05 April 2009 - 03:49 PM

Here is the Malwarebytes log. However, when I am running ComboFix it says I do not have the Windows Recovery Console, which I know I have, and then requests me to install it. I know I have this because I have used it before. Also, it was showing I have Kaspersky and avast running. I turned off avast but I don't have Kaspersky. What's going on? Thanks for your help. I'll keep my PC on before I proceed as directed.


Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 3

4/4/2009 6:31:00 PM
mbam-log-2009-04-04 (18-31-00).txt

Scan type: Quick Scan
Objects scanned: 94377
Time elapsed: 12 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#4 larsky
    Active Member, 51 posts

Posted 05 April 2009 - 04:21 PM

Now here is the ComboFix log and the new HJT log.

ComboFix 09-04-04.01 - Owner 2009-04-05 9:00:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.197 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\Antivirus.malware installers\ComboFix.exe
AV: avast! antivirus 4.8.1201 [VPS 081231-1] *On-access scanning disabled* (Outdated)
AV: Kaspersky Anti-Virus 6.0 *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\ss.sys

.
((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.

2009-04-05 08:36 . 2006-03-03 00:42 73,728 --a------ C:\pv.exe
2009-03-12 19:46 . 2009-03-12 19:58 <DIR> d-------- c:\documents and settings\Owner\Application Data\U3
2009-03-11 15:16 . 2009-03-11 15:16 <DIR> d--hs---- C:\found.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 15:48 --------- d-----w c:\documents and settings\Owner\Application Data\Skype
2009-04-05 01:15 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-01 15:58 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-03-26 23:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 23:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-25 18:20 --------- d-----w c:\program files\WMR11
2009-03-22 23:23 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2009-03-02 05:57 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-02 05:57 --------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software
2009-03-02 05:56 --------- d-----w c:\program files\GameHouse
2009-02-25 06:34 --------- d-----w c:\documents and settings\Owner\Application Data\mjusbsp
2009-02-21 22:23 45,056 ----a-w c:\windows\system32\UTSCSI.EXE
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 19:40 --------- d-----w c:\program files\Lexmark X1100 Series
2009-02-05 07:11 --------- d-----w c:\documents and settings\All Users\Application Data\WholeSecurity
2008-12-09 16:13 1,388 -c--a-w c:\documents and settings\Owner\Application Data\ViewerApp.dat
2008-06-07 18:14 0 -c--a-w c:\program files\temp01
2008-04-03 04:06 284 -c--a-w c:\documents and settings\cutiepie\Application Data\ViewerApp.dat
2006-10-14 14:44 24,192 ----a-w c:\documents and settings\Owner\usbsermptxp.sys
2006-10-14 14:44 22,768 ----a-w c:\documents and settings\Owner\usbsermpt.sys
2006-07-29 22:49 24,192 ----a-w c:\documents and settings\Amo\usbsermptxp.sys
2006-07-29 22:49 22,768 ----a-w c:\documents and settings\Amo\usbsermpt.sys
2008-07-17 04:39 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-07-17 04:39 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-07-17 04:39 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-07-17 04:39 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-07-17 04:39 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2005-05-14 00:12 217,073 --sha-r c:\windows\meta4.exe
2005-07-14 19:31 27,648 --sha-r c:\windows\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r c:\windows\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r c:\windows\system32\cygz.dll
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2004-01-25 07:00 70,656 --sha-r c:\windows\system32\i420vfw.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2005-02-28 20:16 240,128 --sha-r c:\windows\system32\x.264.exe
2004-01-25 07:00 70,656 --sha-r c:\windows\system32\yv12vfw.dll
2007-05-26 15:11 5,193,248 --sha-w c:\windows\system32\drivers\fidbox.dat
2007-05-26 15:01 110,880 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Orb"="c:\program files\Orb Networks\Orb\bin\OrbTray.exe" [2008-05-13 507904]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-07-21 20036648]
"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDTray"="c:\program files\HP CD-DVD\Umbrella\DVDTray.exe" [2003-02-20 53248]
"DVDBitSet"="c:\program files\HP CD-DVD\Umbrella\DVDBitSet.exe" [2003-07-18 204800]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 79224]
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\QTTask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"VMSnap3"="c:\windows\VMSnap3.exe" [2006-07-18 49152]
"Domino"="c:\windows\Domino.exe" [2006-07-03 49152]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2007-10-27 151552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-10-21 1183744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=WIKI.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=
"d:\\VLC\\vlc.exe"=
"c:\\Program Files\\HP CD-DVD\\Umbrella\\MyDrive.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58878:TCP"= 58878:TCP:*:Disabled:Pando P2P TCP Listening Port
"58878:UDP"= 58878:UDP:*:Disabled:Pando P2P UDP Listening Port
"5060:UDP"= 5060:UDP:magicjack 5060
"5070:UDP"= 5070:UDP:magicjack5070

R0 sonypvl3;sonypvl3;c:\windows\system32\drivers\sonypvl3.sys [2007-10-27 18110]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-17 78416]
R1 sonypvf3;sonypvf3;c:\windows\system32\drivers\sonypvf3.sys [2007-10-27 619390]
R1 sonypvt3;sonypvt3;c:\windows\system32\drivers\sonypvt3.sys [2007-10-27 423454]
R2 Airlink101 USB XR Adapter WLService;Airlink101 USB XR Adapter WLService;c:\program files\Airlink101\AWLL5025\WLService.exe [2008-09-27 49152]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-07-17 20560]
R2 Audsub3;Audsub3;c:\windows\system32\drivers\Audsub3.sys [2007-06-06 2785]
R2 SDPASVC;SDPAUMS server service;c:\windows\system32\sdpasvc.exe -service --> c:\windows\system32\sdpasvc.exe -service [?]
R3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 vvftav303;vvftav303;c:\windows\system32\drivers\vvftav303.sys [2008-11-23 480128]
S3 ZSMC0303;A4 TECH PC Camera H;c:\windows\system32\drivers\usbVM303.sys [2008-11-23 1472768]
S3 ZSMC302;VIMICRO USB PC Camera;c:\windows\system32\drivers\usbVM31b.sys [2006-07-19 91263]
.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2006-11-06 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2005-05-31 02:04]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)
HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://203.190.75.220/scripts/adstracker/ad.php?url=http://www.itpros.ph/certifyit
uInternet Settings,ProxyOverride = cdn
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
Trusted Zone: magicjack.com\my
Trusted Zone: talk4free.com \reg
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6q3qyepf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?client=firefox-a&rls=org.mozilla:en-US:official&channel=s&hl=en&btnG=Google+Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\progra~1\MOZILL~1\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 09:02:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,bd,a7,92,6b,c8,
77,e1,d2,e2,63,26,f1,3f,c8,ff,68,59,4e,61,c5,52,2c,18,23,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,45,1a,a0,7f,43,
bf,f9,4f,6a,9c,d6,61,af,45,84,18,05,66,0d,6f,ae,f5,cb,ff,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,26,46,ec,6b,e4,
18,91,50,ff,7c,85,e0,43,d4,0e,fe,69,56,eb,ac,7e,25,35,95,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,75,3e,ae,7a,fa,
c2,f7,5a,86,8c,21,01,be,91,eb,e7,98,e8,ad,2a,96,36,e5,43,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,ca,61,a2,2f,81,
bd,ae,52,f5,1d,4d,73,a8,13,5c,05,a1,b9,d3,0d,3e,ba,ce,16,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,58,f2,63,c3,f7,
19,cf,90,df,20,58,62,78,6b,cf,c8,5e,65,3f,17,28,e0,05,81,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,d2,e9,44,54,10,
a1,e7,a9,fb,a7,78,e6,12,2f,9a,ea,d6,bf,3d,71,7f,f5,99,eb,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,c8,08,67,20,ef,
74,b8,ed,01,3a,48,fc,e8,04,4a,f1,01,47,b8,15,17,98,8b,1f,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,8d,95,9b,9e,01,
58,bd,a7,f6,0f,4e,58,98,5b,89,c9,47,1c,47,2c,f0,cb,78,ab,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,c4,9e,74,dc,51,
df,d4,a5,3d,ce,ea,26,2d,45,aa,78,7d,75,cb,f9,4c,18,ee,68,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,f0,7a,28,ed,d9,
ba,67,8b,2a,b7,cc,b5,b9,7f,41,e7,fa,57,9e,a2,b5,ee,43,67,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,7f,ff,01,c2,77,
0e,6c,23,6c,43,2d,1e,aa,22,2f,9c,01,b7,90,91,aa,2b,5e,e0,6c,43,2d,1e,aa,22,\
.
Completion time: 2009-04-05 9:05:28
ComboFix-quarantined-files.txt 2009-04-05 16:04:27

Pre-Run: 6,338,895,872 bytes free
Post-Run: 11,159,113,728 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

242 --- E O F --- 2009-03-13 10:01:38

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:38 AM, on 4/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Airlink101\AWLL5025\WLService.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Airlink101\AWLL5025\AWLL5025.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\VMSnap3.exe
C:\WINDOWS\Domino.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://203.190.75.22...os.ph/certifyit
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [Orb] C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Picture Package Menu.lnk = ?
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: my.magicjack.com
O15 - Trusted Zone: reg.talk4free.com
O20 - AppInit_DLLs: WIKI.DLL
O23 - Service: Airlink101 USB XR Adapter WLService - Unknown owner - C:\Program Files\Airlink101\AWLL5025\WLService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 7935 bytes





#5 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • General Admin
  • 15,881 posts

Posted 06 April 2009 - 03:50 PM

The ComboFix and HJT logs are clean. ComboFix did remove two files. Are you still having the same problem?


Also, please post the MSRT log file. You will find it at C:\Windows\Debug\mrt.log


#6 larsky

larsky

    Active Member

  • Active Members
  • 51 posts

Posted 06 April 2009 - 04:32 PM

That's great. However, I still cannot do Windows Update; when I go to the site it says this:

Thank you for your interest in obtaining updates from our site.

To use this site, you must be running Microsoft Internet Explorer 5 or later.

To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website.

If you prefer to use a different web browser, you can obtain updates from the Microsoft Download Center or you can stay up to date with the latest critical and security updates by using Automatic Updates. To turn on Automatic Updates:

1. Click Start, and then click Control Panel.
2. Depending on which Control Panel view you use, Classic or Category, do one of the following:
* Click System, and then click the Automatic Updates tab.
* Click Performance and Maintenance, click System, and then click the Automatic Updates tab.
3. Click the option that you want. Make sure Automatic Updates is not turned off.



Here is the MRT log:


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.18, July 2006
Started On Thu Aug 03 09:05:22 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Aug 03 09:05:30 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.19, August 2006
Started On Thu Aug 10 03:00:30 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Aug 10 03:00:41 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.20, September 2006
Started On Wed Sep 13 03:00:18 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Sep 13 03:00:29 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.30, June 2007
Started On Thu Jun 28 16:03:45 2007
->Scan ERROR: resource file://C:\Documents and Settings\Owner\Desktop\utorrent.exe (code 0x0000000B (11))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Jun 28 16:04:16 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.31, July 2007
Started On Tue Jul 10 21:25:58 2007
->Scan ERROR: resource file://C:\Documents and Settings\Owner\Desktop\utorrent.exe (code 0x0000000B (11))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Tue Jul 10 21:26:21 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.32, August 2007
Started On Wed Aug 15 03:01:23 2007

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Aug 15 03:01:59 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.33, September 2007
Started On Wed Sep 12 03:00:24 2007

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Sep 12 03:00:55 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.34, October 2007
Started On Fri Oct 05 23:09:23 2007

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Oct 05 23:09:59 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.35, November 2007
Started On Wed Nov 14 00:42:55 2007
->Scan ERROR: resource file://C:\Program Files\eRightSoft\SUPER\SUPER.exe->(tElock v0.98) (code 0x0000000D (13))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Nov 14 00:43:37 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.36, December 2007
Started On Tue Dec 11 17:58:30 2007
->Scan ERROR: resource file://C:\Program Files\eRightSoft\SUPER\SUPER.exe->(tElock v0.98) (code 0x0000000D (13))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Tue Dec 11 17:59:14 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.37, January 2008
Started On Wed Jan 09 00:03:15 2008
->Scan ERROR: resource file://C:\Program Files\eRightSoft\SUPER\SUPER.exe->(tElock v0.98) (code 0x0000000D (13))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jan 09 00:04:07 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.38, February 2008
Started On Wed Feb 13 21:27:01 2008
->Scan ERROR: resource file://C:\Program Files\eRightSoft\SUPER\SUPER.exe->(tElock v0.98) (code 0x0000000D (13))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Feb 13 21:27:57 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.39, March 2008
Started On Tue Mar 11 12:32:46 2008
->Scan ERROR: resource file://C:\Program Files\Google\Google Desktop Search\GoogleDesktopSearchSetup.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\Google\Google Desktop Search\GoogleDesktopSearchSetup.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\eRightSoft\SUPER\SUPER.exe->(tElock v0.98) (code 0x0000000D (13))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Tue Mar 11 12:34:06 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.40, April 2008
Started On Tue Apr 08 21:57:52 2008
->Scan ERROR: resource file://C:\Program Files\iWin Games\iWinGamesInstaller.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\iWin Games\iWinGamesInstaller.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\iWin Games\iWinGamesInstaller.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\iWin Games\iWinGames.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\iWin Games\WebUpdater.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\Google\Google Desktop Search\GoogleDesktopSearchSetup.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\Google\Google Desktop Search\GoogleDesktopSearchSetup.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\eRightSoft\SUPER\SUPER.exe->(tElock v0.98) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\iWin Games\iWinGames.exe (code 0x0000000D (13))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Tue Apr 08 21:59:25 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.41, May 2008
Started On Mon May 19 12:05:10 2008
->Scan ERROR: resource file://C:\Program Files\iWin Games\iWinGamesInstaller.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\iWin Games\iWinGamesInstaller.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\iWin Games\iWinGamesInstaller.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\iWin Games\iWinGames.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\iWin Games\WebUpdater.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\eRightSoft\SUPER\SUPER.exe->(tElock v0.98) (code 0x0000000D (13))
->Scan ERROR: resource file://c:\Program Files\iWin Games\iWinGames.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\iWin Games\iWinGames.exe (code 0x0000000D (13))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Mon May 19 12:06:35 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.42, June 2008
Started On Wed Jun 11 00:08:44 2008
->Scan ERROR: resource file://C:\Program Files\iWin Games\iWinGamesInstaller.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\iWin Games\iWinGamesInstaller.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\iWin Games\iWinGamesInstaller.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\iWin Games\iWinGames.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\iWin Games\WebUpdater.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\eRightSoft\SUPER\SUPER.exe->(tElock v0.98) (code 0x0000000D (13))
->Scan ERROR: resource file://c:\Program Files\iWin Games\iWinGames.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\iWin Games\iWinGames.exe (code 0x0000000D (13))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jun 11 00:09:50 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.0, July 2008
Started On Tue Jul 08 22:19:04 2008

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Tue Jul 08 22:20:00 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.1, August 2008
Started On Thu Aug 14 21:50:12 2008

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Aug 14 21:51:18 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.2, September 2008
Started On Wed Sep 10 03:01:29 2008
->Scan ERROR: resource process://pid:3104 (code 0x00000057 (87))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Sep 10 03:03:00 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.3, October 2008
Started On Wed Oct 15 18:25:53 2008

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Oct 15 18:28:22 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.4, November 2008
Started On Tue Nov 11 22:04:04 2008

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Tue Nov 11 22:05:38 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.5, December 2008
Started On Wed Dec 10 21:37:59 2008

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Dec 10 21:40:00 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.6, January 2009
Started On Wed Jan 14 20:47:12 2009

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jan 14 20:48:23 2009


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.7, February 2009
Started On Thu Feb 12 03:01:24 2009

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Feb 12 03:02:59 2009


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.8, March 2009
Started On Fri Mar 13 03:00:24 2009

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Mar 13 03:01:37 2009


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.8, March 2009
Started On Fri Apr 03 16:06:32 2009
->Scan ERROR: resource process://pid:3668 (code 0x00000057 (87))
->Scan ERROR: resource process://pid:2276 (code 0x00000057 (87))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Apr 03 16:14:12 2009


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.8, March 2009
Started On Fri Apr 03 16:14:29 2009

Extended Scan Results
----------------
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
Found malware: TrojanDownloader:Win32/Zlob.gen!BN in file://C:\Documents and Settings\cutiepie\Local Settings\Temp\h9ytugxl.exe->(nsis-6-$(PLUGINSDIR)\gala.dll)
->Scan ERROR: resource file://C:\Documents and Settings\Owner\Application Data\Skype\larypl\profile256.dbb (code 0x0000001E (30))
->Scan ERROR: resource file://C:\Documents and Settings\Owner\Application Data\Skype\larypl\voicemail256.dbb (code 0x0000001E (30))

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.8, March 2009
Started On Fri Apr 03 19:54:28 2009

Extended Scan Results
----------------
->Scan ERROR: resource process://pid:2848 (code 0x00000057 (87))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
Found malware: TrojanDownloader:Win32/Zlob.gen!BN in file://C:\Documents and Settings\cutiepie\Local Settings\Temp\h9ytugxl.exe->(nsis-6-$(PLUGINSDIR)\gala.dll)
->Scan ERROR: resource file://C:\Documents and Settings\Owner\Application Data\Skype\larypl\profile256.dbb (code 0x0000001E (30))
->Scan ERROR: resource file://C:\Documents and Settings\Owner\Application Data\Skype\larypl\voicemail256.dbb (code 0x0000001E (30))

Extended Scan Removal Results
----------------
Start 'remove' for file://\\?\C:\Documents and Settings\cutiepie\Local Settings\Temp\h9ytugxl.exe->(nsis-6-$(PLUGINSDIR)\gala.dll)
Operation failed (code=0x8026), please use a full antivirus product ! !


Results Summary:
----------------
Found TrojanDownloader:Win32/Zlob.gen!BN, partially removed.

Return code: 7
Microsoft Windows Malicious Software Removal Tool Finished On Sat Apr 04 09:49:41 2009


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.8, March 2009
Started On Sun Apr 05 13:07:16 2009

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Sun Apr 05 13:08:42 2009
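
The mrt.log that post #5 asked for repays reading as a whole rather than run by run: the same sample is reported in two consecutive extended scans, one record stops with no return code at all, and the single removal attempt fails. Below is an added example, not code from this thread or from Microsoft, that parses mrt.log into one record per run and picks out the runs worth a second look. It expects the record layout visible in the log above; the type and field names are my own, and the embedded sample is an excerpt of that log with blank lines removed.

```python
"""Summarise Microsoft Malicious Software Removal Tool runs recorded in mrt.log.
Added example, not code from the thread: it parses the record layout visible in
the log posted above; the type and field names are mine, not Microsoft's.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RUN_HEADER = re.compile(r"^Microsoft Windows Malicious Software Removal Tool (v\d+\.\d+, .+)$")
FOUND = re.compile(r"^Found malware: (\S+) in (.+)$")


@dataclass
class MrtRun:
    version: str                         # e.g. "v2.8, March 2009"
    started: str = ""
    return_code: Optional[int] = None    # None when the record stops before 'Return code:'
    summary: str = ""                    # the line under 'Results Summary:'
    detections: List[str] = field(default_factory=list)   # "<threat> in <location>"
    scan_errors: List[str] = field(default_factory=list)  # files/processes NOT scanned
    removal_failed: bool = False         # saw an 'Operation failed (code=...)' line


def parse_mrt_log(text: str) -> List[MrtRun]:
    """One record per run; a run whose record stops early keeps whatever it wrote."""
    runs: List[MrtRun] = []
    cur: Optional[MrtRun] = None
    want_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):          # blank lines and separators
            continue
        m = RUN_HEADER.match(line)
        if m:                                           # a new run starts here
            cur = MrtRun(version=m.group(1))
            runs.append(cur)
            want_summary = False
            continue
        if cur is None:                                 # junk before the first header
            continue
        if want_summary:                                # first real line after 'Results Summary:'
            cur.summary, want_summary = line, False
        elif line == "Results Summary:":
            want_summary = True
        elif line.startswith("Started On "):
            cur.started = line[len("Started On "):]
        elif line.startswith("->Scan ERROR:"):
            cur.scan_errors.append(line[len("->Scan ERROR:"):].strip())
        elif FOUND.match(line):
            cur.detections.append(" in ".join(FOUND.match(line).groups()))
        elif line.startswith("Operation failed"):
            cur.removal_failed = True
        elif line.startswith("Return code:"):
            cur.return_code = int(line.split(":", 1)[1])
    return runs


def runs_needing_attention(runs: List[MrtRun]) -> List[MrtRun]:
    """Runs with a detection, a failed removal, or anything but a clean exit (code 0).
    A run that never wrote a return code is kept: an interrupted scan proves nothing."""
    return [r for r in runs if r.detections or r.removal_failed or r.return_code != 0]


def detection_timeline(runs: List[MrtRun]) -> Dict[str, List[str]]:
    """Each distinct detection -> start times of every run that reported it."""
    out: Dict[str, List[str]] = {}
    for r in runs:
        for d in r.detections:
            out.setdefault(d, []).append(r.started)
    return out


# Excerpt of the log posted above, blank lines dropped: a routine clean run, an
# extended scan whose record ends without a return code, and the run that found
# the downloader but could only partially remove it.
SAMPLE_LOG = r"""
Microsoft Windows Malicious Software Removal Tool v2.8, March 2009
Started On Fri Mar 13 03:00:24 2009
Results Summary:
----------------
No infection found.
Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Mar 13 03:01:37 2009
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v2.8, March 2009
Started On Fri Apr 03 16:14:29 2009
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))
Found malware: TrojanDownloader:Win32/Zlob.gen!BN in file://C:\Documents and Settings\cutiepie\Local Settings\Temp\h9ytugxl.exe->(nsis-6-$(PLUGINSDIR)\gala.dll)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v2.8, March 2009
Started On Fri Apr 03 19:54:28 2009
->Scan ERROR: resource process://pid:2848 (code 0x00000057 (87))
Found malware: TrojanDownloader:Win32/Zlob.gen!BN in file://C:\Documents and Settings\cutiepie\Local Settings\Temp\h9ytugxl.exe->(nsis-6-$(PLUGINSDIR)\gala.dll)
Operation failed (code=0x8026), please use a full antivirus product ! !
Results Summary:
----------------
Found TrojanDownloader:Win32/Zlob.gen!BN, partially removed.
Return code: 7
Microsoft Windows Malicious Software Removal Tool Finished On Sat Apr 04 09:49:41 2009
"""
```

On the affected machine, feed it the real file with `parse_mrt_log(open(r'C:\Windows\Debug\mrt.log', errors='replace').read())` and look at `runs_needing_attention()` and `detection_timeline()`. Two caveats when reading the result: a return code of 0 only means that month's signature set matched nothing, and every `->Scan ERROR` entry names a file or process MRT could not open or parse, so those were never scanned at all and a clean summary says nothing about them.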



#7 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • General Admin
  • 15,881 posts

Posted 07 April 2009 - 03:21 PM

With the exception of the update issue, we are done.

Try the info on this link: http://support.microsoft.com/kb/817144

#8 larsky

larsky

    Active Member

  • Active Members
  • 51 posts

Posted 09 April 2009 - 03:42 PM

Thanks for your help.

Will try your suggestions and will let you know. Anyway, one thing that has been happening is that I have been getting BSODs the last couple of days and the PC locks up.

#9 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • General Admin
  • 15,881 posts

Posted 11 April 2009 - 03:48 PM

It may be time to reformat and reinstall. It is possible that the system has become corrupted.


