having trouble with virus

Okay, I have done what you said. Here is the Combofix log:

ComboFix 08-06-01.6 - Ken Graf 2008-06-04 19:28:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.448 [GMT -4:00]
Running from: C:\Documents and Settings\Ken Graf\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ken Graf\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\fccbXrOH.dll
C:\WINDOWS\system32\qaovuxif.dll
C:\WINDOWS\system32\tuvVNhec.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\TEMP
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\06_Winter_031208.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\06_Winter_121807.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\06_Winter_121807_Mask.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\06_Winter_Mask_031208.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\102x96_Allergy.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\102x96_Allergy2.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\102x96_BeachAndBoating.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\102x96_Disney_Chance2Win.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\102x96_DisneyRoadTrip.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\102x96_GrHog_tile.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\102x96PlusMobile.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60_blueyellow.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60_blueyellow_mask.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60_Generic200_Spring_Mask_031908.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60_Generic2007_Spring_031908.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-ACE_Hardware-PYP0508.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-ACE_Hardware-PYP0508.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-ACE_Hardware_Dig.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-ACE_Hardware_Dig.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-ACE_HelpMyHome.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-ACE_HelpMyHome.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-AceHardware_Leap.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-AceHardware_Leap.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-Andromeda-2nghtOvrl0508.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-Andromeda-2nghtOvrl0508.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-Andromeda-MonReg0508.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-Andromeda-MonReg0508.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-Andromeda-TmrOvrl0508.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-Andromeda-TmrOvrl0508.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-ChantixAge_0108.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-ChantixAge_0108.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-ChantixDMA_0108.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-ChantixDMA_0108.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-KraftHoneyBunches.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-KraftHoneyBunches.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-Orlando.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-Orlando_MASK.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-Vicks1007.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales-Vicks1007.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales_Alaway_mask.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales_Alaway_shell.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales_Sudafed_MASK.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\60Sales_Sudafed_shell.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\GoToMeeting.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\GoToMeeting_Mask.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\Hartford_Insurance_Approved.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\Hartford_Insurance_MASK.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\Kmart.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\Kmart_Mask.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\LocalWeather.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\LocalWeather_Mask.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\Lowes_APPROVED.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\Lowes_MASK.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\Lowes_Mask_NoShadow.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\Lowes_Skin_NoShadow.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\nav_07182007.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\Take-Me-Fishing_APPROVED.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\Take Me Fishing_MASK.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\topnav_Business.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\Verizon_Bubble_0208.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\Verizon_Bubble_0208_MASK.bmp
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\WeatherAlert.jpg
C:\Documents and Settings\Ken Graf\Application Data\WeatherBug\WeatherAlert_Mask.bmp
C:\Program Files\MyWebSearchWB
C:\Program Files\MyWebSearchWB\bar\1.bin\NPMYSRWB.DLL
C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
C:\Program Files\MyWebSearchWB\bar\1.bin\W6FFXTBR.JAR
C:\Program Files\MyWebSearchWB\bar\1.bin\W6NTSTBR.JAR
C:\Program Files\MyWebSearchWB\bar\1.bin\W6PLUGIN.DLL
C:\Program Files\MyWebSearchWB\bar\1.bin\W6WBTEMP.DLL
C:\Program Files\MyWebSearchWB\bar\Cache\0000F1E1.bin
C:\Program Files\MyWebSearchWB\bar\Cache\000175C7.bin
C:\Program Files\MyWebSearchWB\bar\Cache\00022E0B.bin
C:\Program Files\MyWebSearchWB\bar\Cache\00024D89.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0002BA8C.bin
C:\Program Files\MyWebSearchWB\bar\Cache\000720E3.bin
C:\Program Files\MyWebSearchWB\bar\Cache\00078D69.bin
C:\Program Files\MyWebSearchWB\bar\Cache\00089D71.bin
C:\Program Files\MyWebSearchWB\bar\Cache\00190834.bin
C:\Program Files\MyWebSearchWB\bar\Cache\001C481C.bin
C:\Program Files\MyWebSearchWB\bar\Cache\001E4D72.bin
C:\Program Files\MyWebSearchWB\bar\Cache\001EE760.bin
C:\Program Files\MyWebSearchWB\bar\Cache\001FA253.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0020112A.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0037C43E.bin
C:\Program Files\MyWebSearchWB\bar\Cache\00393533.bin
C:\Program Files\MyWebSearchWB\bar\Cache\003A6CF8.bin
C:\Program Files\MyWebSearchWB\bar\Cache\003A6E7F.bin
C:\Program Files\MyWebSearchWB\bar\Cache\003A6FB7.bin
C:\Program Files\MyWebSearchWB\bar\Cache\003A7044.bin
C:\Program Files\MyWebSearchWB\bar\Cache\003A71AB.bin
C:\Program Files\MyWebSearchWB\bar\Cache\003CED88.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0053CF62.bin
C:\Program Files\MyWebSearchWB\bar\Cache\005450C7.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0058BBA3.bin
C:\Program Files\MyWebSearchWB\bar\Cache\006D62EE.bin
C:\Program Files\MyWebSearchWB\bar\Cache\006D63F7.bin
C:\Program Files\MyWebSearchWB\bar\Cache\006D75AA.bin
C:\Program Files\MyWebSearchWB\bar\Cache\00704EFA.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0070509F.bin
C:\Program Files\MyWebSearchWB\bar\Cache\008F22B3.bin
C:\Program Files\MyWebSearchWB\bar\Cache\00D87C59.bin
C:\Program Files\MyWebSearchWB\bar\Cache\010B8FF8.bin
C:\Program Files\MyWebSearchWB\bar\Cache\01800DEE.bin
C:\Program Files\MyWebSearchWB\bar\Cache\01C12A05.bin
C:\Program Files\MyWebSearchWB\bar\Cache\02122CBB.bin
C:\Program Files\MyWebSearchWB\bar\Cache\02302A09.bin
C:\Program Files\MyWebSearchWB\bar\Cache\02896906.bin
C:\Program Files\MyWebSearchWB\bar\Cache\028E3C31.bin
C:\Program Files\MyWebSearchWB\bar\Cache\03750A8E.bin
C:\Program Files\MyWebSearchWB\bar\Cache\05309280
C:\Program Files\MyWebSearchWB\bar\Cache\05753C33.bin
C:\Program Files\MyWebSearchWB\bar\Cache\05C6C483.bin
C:\Program Files\MyWebSearchWB\bar\Cache\063F4E2E.bin
C:\Program Files\MyWebSearchWB\bar\Cache\06C8CF3A.bin
C:\Program Files\MyWebSearchWB\bar\Cache\06FB2C8A.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0AF87BEC.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0B519494.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0D72CF31.bin
C:\Program Files\MyWebSearchWB\bar\Cache\11D62087.bin
C:\Program Files\MyWebSearchWB\bar\Cache\18F6935D.bin
C:\Program Files\MyWebSearchWB\bar\Cache\1BD6DDF7.bin
C:\Program Files\MyWebSearchWB\bar\Cache\23D3D793.bin
C:\Program Files\MyWebSearchWB\bar\Cache\24AFA683.bin
C:\Program Files\MyWebSearchWB\bar\Cache\files.ini
C:\Program Files\MyWebSearchWB\bar\History\search
C:\Program Files\MyWebSearchWB\bar\Settings\prevcfg.htm
C:\WINDOWS\system32\blackster.scr

.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-04 19:31 . 2008-06-04 19:33 <DIR> d-------- C:\Documents and Settings\Ken Graf\Application Data\WeatherBug
2008-05-28 16:03 . 2008-05-28 16:07 191 --a------ C:\WINDOWS\wininit.ini
2008-05-28 15:38 . 2008-05-28 15:38 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-28 15:38 . 2008-05-28 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-28 14:15 . 2008-05-28 14:15 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-28 14:15 . 2008-05-28 14:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-24 21:52 . 2008-05-24 21:52 <DIR> d-------- C:\Documents and Settings\Ken Graf\LocalLow
2008-05-24 21:52 . 2008-05-24 21:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-05-24 21:46 . 2008-05-24 21:46 <DIR> d-------- C:\Program Files\SopCast
2008-05-24 21:46 . 2008-05-24 21:47 <DIR> d-------- C:\Documents and Settings\Ken Graf\Application Data\SopCast
2008-05-04 13:38 . 2008-05-28 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 23:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-14 20:12 --------- d-----w C:\Program Files\Songbird
2008-04-21 20:37 --------- d-----w C:\Program Files\iTunes
2008-04-21 20:37 --------- d-----w C:\Program Files\iPod
2008-04-21 20:36 --------- d-----w C:\Program Files\QuickTime
2008-04-21 20:33 --------- d-----w C:\Program Files\Apple Software Update
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-04 22:52 286,720 ----a-w C:\WINDOWS\system32\libcurl.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\Ken Graf\LocalLow ----

2008-05-24 22:48 194414 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\ChannelList.xml
2008-05-24 22:33 228 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\PeerList.xml
2008-05-24 22:17 2614272 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\TVU
2008-05-24 21:53 898 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\5225.png
2008-05-24 21:53 851 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\5455.png
2008-05-24 21:53 619 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\MAVTV.png
2008-05-24 21:53 585 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\9000.png
2008-05-24 21:53 574 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\640.png
2008-05-24 21:53 547 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\620.png
2008-05-24 21:53 536 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\CNA.png
2008-05-24 21:53 502 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\8670.png
2008-05-24 21:53 485 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\212.png
2008-05-24 21:53 474 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\CNTV.png
2008-05-24 21:53 402 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\Nostalgia.png
2008-05-24 21:53 317 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\5933.png
2008-05-24 21:53 1434 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\570.png
2008-05-24 21:53 1339 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\530.png
2008-05-24 21:53 13312 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\DownDatabase.Xml
2008-05-24 21:53 1285 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\TV9.gif
2008-05-24 21:53 1175 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\ETTV.png
2008-05-24 21:52 611 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\5500.png
2008-05-24 21:52 566 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\4000.png
2008-05-24 21:52 510 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\ANTV.png
2008-05-24 21:52 409 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\PDTV.png
2008-05-24 21:52 3684 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\OCJ.png
2008-05-24 21:52 1348 --a------ C:\Documents and Settings\Ken Graf\LocalLow\TVU Networks\TVUPlayer\logo\270.png


((((((((((((((((((((((((((((( snapshot@2008-06-03_17.56.50.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-03 21:51:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-04 23:31:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-02 21:07 389120]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2006-04-07 16:02 1343488]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-30 16:40 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 18:42 1404928]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-19 15:53 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-26 18:51 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-20 23:15:54 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 18:59]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-31 12:17:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 19:31:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-04 19:37:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-04 23:37:23
ComboFix2.txt 2008-06-03 21:57:04

Pre-Run: 71,640,195,072 bytes free
Post-Run: 71,800,778,752 bytes free

277 --- E O F --- 2008-06-03 13:00:49

It turns out I can't post both logs in the same post because there are too many characters.
 
Here is the Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:42:04 PM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ken Graf\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


I just realized I forgot to remove Weatherbug. Will I need to rescan Hijackthis?
 
Step1 | MBAM Scan

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step2 | Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available, otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan":
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Logs Required In Next Post
------------------------------

MBAM Scan Log
Kaspersky Scan Log
 
Okay I did a scan with MBAM. Now when I clicked on accept for the Kaspersky online scanner, it does not do anything. Nothing came up about wanting me to install an activex component.
 
Please post the MBAM Scan Log. Follow this for a scan instead:

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Please post up both logs when finished with the scans.
 
Here is the MBAM scan:

Malwarebytes' Anti-Malware 1.14
Database version: 826

7:58:16 PM 6/4/2008
mbam-log-6-4-2008 (19-58-16).txt

Scan type: Quick Scan
Objects scanned: 34419
Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbtoolbar.temperaturebarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbtoolbar.temperaturebarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Do I need to sign up to use Panda? Is it free to sign up?
 
Yes it is free to use Panda. No you do not have to register.

Just put in the information that it requests.
 
That's the thing, it does not ask me to enter any information.

After I click the "Scan your PC now" button, it opens a new window. After I click the "Scan now" button, it starts scanning, and after it's done there is no "See Report" button and it says I am not infected.
 
Just follow these steps and we can call your computer fully clean. :D

Step1 | ATF Cleaner

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step2 | Reset Restore Points

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  4. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  5. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  6. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  8. Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  9. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  10. Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
 
Okay, I am not able to do that right now, he needs to use the pc. I will try to do that sometime tomorrow.

Do I still need to use Panda?

I think he may have got infected from Spyware Doctor. He installed the free version but stuff kept coming up about wanting him to pay for it. Have you ever had any problems with Spyware Doctor?
 