WiredWX Hobby Weather Tools

Unsure about safety

Yesterday (January 8th, 2010) I was downloading some risky-seeming files (MW2 hacks :S), being sure to scan them with jotti.org's free scanner, and they all came up clean. A few of the exes would not do anything but start a process and go into startup; I would clear both. Today I was transferring some files from my flash drive and AVG Free kept coming up with autorun.inf as a virus every time it recreated itself. I am just sort of worried I didn't clean off everything.

P.S. About the file with the prefix [Cerberus]: when I go to that location, the file win32.exe has the same icon as one of the exes I downloaded. And yes, I promise to not DL these files again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:34 PM, on 1/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\msnmsgupdater.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tay\My Documents\Downloads\winlogon.scr

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Cerberus] C:\Cerberus\win32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [msnmsgupdate] msnmsgupdater.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Tay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Cerberus] C:\Cerberus\win32.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Common Files\Logishrd\eReg\SetPoint\eReg.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

--
End of file - 6238 bytes

Re: Unsure about safety

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

Re: Unsure about safety

ComboFix 10-01-04.01 - Tay 01/10/2010 20:47:51.2.3 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2789 [GMT -6:00]
Running from: c:\documents and settings\Tay\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tay\Application Data\TGSVIPCracked.exe
c:\documents and settings\Tay\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
C:\install.exe
c:\windows\system32\vbzlib1.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))
.

2010-01-10 03:33 . 2010-01-10 03:41 -------- d-----w- c:\documents and settings\Tay\Application Data\Crayon Physics Deluxe
2010-01-10 03:33 . 2010-01-10 03:41 -------- d-----w- c:\program files\Crayon Physics Deluxe
2010-01-10 00:06 . 2010-01-10 00:06 13836 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-09 04:21 . 2009-12-23 10:10 971030 --sh--r- c:\windows\msnmsgupdater.exe
2010-01-09 03:50 . 2010-01-09 03:50 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-01-09 03:50 . 2010-01-09 03:50 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-01-09 03:50 . 2010-01-09 03:50 -------- d-----w- c:\program files\OpenAL
2010-01-09 03:24 . 2010-01-09 03:24 -------- d-----r- C:\Cerberus
2010-01-09 02:10 . 2010-01-09 02:51 -------- d-----w- c:\documents and settings\Tay\Application Data\FileZilla
2010-01-09 02:10 . 2010-01-09 02:10 -------- d-----w- c:\program files\FileZilla FTP Client
2010-01-08 22:20 . 2010-01-09 01:36 -------- d-----w- c:\documents and settings\Tay\Application Data\Ventrilo
2010-01-08 22:20 . 2010-01-08 22:20 -------- d-----w- c:\program files\Ventrilo
2010-01-08 22:20 . 2010-01-08 22:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-06 22:49 . 2010-01-06 22:49 -------- d-----w- C:\.jagex_cache_32
2010-01-06 02:53 . 2010-01-06 02:53 -------- d-----w- c:\documents and settings\Tay\Application Data\Logitech
2010-01-06 02:53 . 2010-01-06 02:53 -------- d-----w- c:\documents and settings\Tay\Application Data\Leadertech
2010-01-06 02:52 . 2008-09-26 15:52 10384 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2010-01-06 02:51 . 2008-11-07 22:37 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2010-01-06 02:51 . 2008-11-07 22:38 84496 ----a-w- c:\windows\system32\KemXML.dll
2010-01-06 02:51 . 2008-11-07 22:38 117264 ----a-w- c:\windows\system32\KemWnd.dll
2010-01-06 02:51 . 2008-11-07 22:38 145936 ----a-w- c:\windows\system32\KemUtil.dll
2010-01-06 02:51 . 2008-11-07 22:38 170512 ----a-w- c:\windows\system32\kemutb.dll
2010-01-06 02:50 . 2010-01-06 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2010-01-06 02:50 . 2010-01-06 02:53 -------- d-----w- c:\program files\Common Files\Logishrd
2010-01-06 02:50 . 2010-01-06 02:50 -------- d-----w- c:\program files\Logitech
2010-01-06 02:50 . 2010-01-06 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2010-01-05 23:57 . 2010-01-05 23:57 -------- d-----w- c:\program files\Lame for Audacity
2010-01-05 22:05 . 2010-01-05 22:05 -------- d-----w- c:\program files\DsNET Corp
2010-01-05 21:56 . 2010-01-06 02:01 -------- d-----w- c:\documents and settings\Tay\Application Data\Audacity
2010-01-04 21:55 . 2010-01-04 21:55 1956072 ----a-w- c:\documents and settings\Tay\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-01-04 21:06 . 2010-01-04 21:06 -------- d-----w- c:\windows\Sun
2010-01-04 09:34 . 2010-01-04 09:34 -------- d-----w- c:\program files\Sun
2010-01-04 09:30 . 2010-01-10 08:58 69 ----a-w- c:\documents and settings\Tay\jagex_runescape_preferences2.dat
2010-01-04 09:29 . 2010-01-10 08:56 39 ----a-w- c:\documents and settings\Tay\jagex_runescape_preferences.dat
2010-01-04 09:29 . 2010-01-06 22:52 -------- d-----w- c:\windows\.jagex_cache_32
2010-01-04 09:01 . 2010-01-04 09:01 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-01-04 06:20 . 2010-01-04 06:20 -------- d--h--w- c:\windows\PIF
2010-01-04 06:09 . 2010-01-04 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-04 06:03 . 2010-01-08 05:58 -------- d-----w- c:\documents and settings\Tay\Local Settings\Application Data\Adobe
2010-01-04 06:02 . 2010-01-04 06:02 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-01-04 06:00 . 2010-01-04 06:07 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-04 05:55 . 2010-01-04 05:55 -------- d-----w- c:\documents and settings\Tay\Local Settings\Application Data\Blizzard Entertainment
2010-01-04 05:50 . 2010-01-04 05:50 -------- d-----w- c:\documents and settings\Tay\Local Settings\Application Data\Identities
2010-01-04 05:47 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-01-04 05:47 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-01-04 05:47 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-01-04 05:47 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-01-04 01:54 . 2010-01-04 01:54 -------- d-----w- c:\documents and settings\Tay\Local Settings\Application Data\RapidShare_
2010-01-03 22:44 . 2010-01-03 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-01-03 22:38 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-03 22:38 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-01-03 15:22 . 2010-01-03 03:30 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-01-03 15:22 . 2010-01-03 03:30 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-01-03 15:22 . 2010-01-03 03:30 2033432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-01-03 15:22 . 2010-01-03 03:30 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-01-03 15:22 . 2010-01-03 03:30 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2010-01-03 15:22 . 2010-01-03 03:30 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-01-03 09:00 . 2010-01-03 09:00 152576 ----a-w- c:\documents and settings\Tay\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-03 09:00 . 2010-01-03 09:00 79488 ----a-w- c:\documents and settings\Tay\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-03 06:03 . 2010-01-04 06:22 -------- d-----w- c:\program files\World of Warcraft
2010-01-03 06:03 . 2010-01-03 06:03 -------- d-----w- c:\program files\Opera
2010-01-03 06:00 . 2010-01-03 06:00 -------- d-sh--w- c:\documents and settings\Tay\PrivacIE
2010-01-03 05:59 . 2010-01-03 05:59 -------- d-sh--w- c:\documents and settings\Tay\IETldCache
2010-01-03 05:48 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-01-03 05:47 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-01-03 05:47 . 2010-01-03 05:47 -------- d-----w- c:\program files\Windows Media Connect 2
2010-01-03 05:46 . 2010-01-03 05:47 -------- d-----w- C:\4191be0998e37806ab20
2010-01-03 05:46 . 2010-01-03 05:47 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-01-03 05:46 . 2010-01-03 05:46 -------- d-----w- c:\windows\system32\LogFiles
2010-01-03 05:44 . 2010-01-10 00:04 -------- d-----w- c:\documents and settings\Tay\Application Data\Apple Computer
2010-01-03 05:44 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-03 05:44 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-01-03 05:43 . 2010-01-03 05:43 -------- d-----w- c:\program files\iPod
2010-01-03 05:43 . 2010-01-03 05:44 -------- d-----w- c:\program files\iTunes
2010-01-03 05:43 . 2010-01-03 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-03 05:43 . 2010-01-03 05:43 -------- d-----w- c:\program files\Bonjour
2010-01-03 05:43 . 2010-01-03 05:43 -------- d-----w- c:\program files\QuickTime
2010-01-03 05:43 . 2010-01-03 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-03 05:43 . 2010-01-03 05:43 -------- d-----w- c:\documents and settings\Tay\Local Settings\Application Data\Apple
2010-01-03 05:43 . 2010-01-03 05:43 -------- d-----w- c:\program files\Apple Software Update
2010-01-03 05:42 . 2010-01-03 05:43 -------- d-----w- c:\program files\Common Files\Apple
2010-01-03 05:42 . 2010-01-03 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-03 05:42 . 2010-01-10 00:08 -------- d-----w- c:\documents and settings\Tay\Local Settings\Application Data\Apple Computer
2010-01-03 05:41 . 2009-10-11 10:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-03 05:40 . 2010-01-04 09:34 -------- d-----w- c:\program files\Java
2010-01-03 05:40 . 2010-01-03 05:40 152576 ----a-w- c:\documents and settings\Tay\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-01-03 05:40 . 2010-01-03 05:40 -------- d-----w- c:\windows\ie8updates
2010-01-03 05:39 . 2010-01-03 05:41 -------- d-----w- c:\program files\LimeWire
2010-01-03 05:39 . 2010-01-03 05:57 -------- dc-h--w- c:\windows\ie8
2010-01-03 05:34 . 2010-01-03 05:34 -------- d-----w- c:\documents and settings\Tay\Local Settings\Application Data\Temp
2010-01-03 05:34 . 2010-01-03 05:34 -------- d-----w- c:\documents and settings\Tay\Local Settings\Application Data\Google
2010-01-03 05:22 . 2010-01-06 03:24 -------- d-----w- c:\documents and settings\Tay\Tracing
2010-01-03 05:22 . 2010-01-03 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2010-01-03 05:22 . 2010-01-04 01:52 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-03 05:20 . 2010-01-03 05:20 -------- d-----w- c:\program files\Microsoft
2010-01-03 05:20 . 2010-01-03 13:04 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-01-03 05:20 . 2010-01-03 05:20 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-01-03 05:19 . 2010-01-03 05:22 -------- d-----w- c:\program files\Windows Live
2010-01-03 05:14 . 2010-01-03 05:14 -------- d-----w- c:\program files\Common Files\Windows Live
2010-01-03 05:04 . 2010-01-03 05:04 -------- d-----w- c:\windows\system32\scripting
2010-01-03 05:04 . 2010-01-03 05:04 -------- d-----w- c:\windows\l2schemas
2010-01-03 05:04 . 2010-01-03 05:04 -------- d-----w- c:\windows\system32\en
2010-01-03 05:04 . 2010-01-03 05:04 -------- d-----w- c:\windows\system32\bits
2010-01-03 04:56 . 2010-01-03 04:56 -------- d-----w- c:\windows\EHome
2010-01-03 04:36 . 2009-10-29 07:45 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-03 04:36 . 2009-10-29 07:45 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-03 04:36 . 2009-10-29 07:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-03 04:36 . 2009-10-29 07:45 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-03 04:36 . 2009-10-29 07:45 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-03 04:36 . 2009-10-29 07:45 11069952 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-03 04:35 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-01-03 04:26 . 2010-01-03 04:26 -------- d-----w- c:\windows\system32\Lang
2010-01-03 04:20 . 2008-04-13 18:45 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-01-03 04:20 . 2008-04-13 19:17 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2010-01-03 04:20 . 2008-04-13 18:45 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-01-03 04:20 . 2008-04-13 18:45 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2010-01-03 04:20 . 2008-04-13 16:39 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2010-01-03 04:20 . 2008-04-13 18:45 172416 ----a-w- c:\windows\system32\drivers\kmixer.sys
2010-01-03 04:20 . 2008-04-13 18:45 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2010-01-03 04:20 . 2008-04-13 19:15 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys
2010-01-03 04:20 . 2008-04-13 18:39 7552 ----a-w- c:\windows\system32\drivers\mskssrv.sys
2010-01-03 04:20 . 2008-04-13 18:39 5376 ----a-w- c:\windows\system32\drivers\mspclock.sys
2010-01-03 04:20 . 2008-04-13 18:39 4992 ----a-w- c:\windows\system32\drivers\mspqm.sys
2010-01-03 04:19 . 2010-01-03 04:19 -------- d-----w- c:\windows\system32\RTCOM
2010-01-03 04:19 . 2008-04-14 00:11 4096 ----a-w- c:\windows\system32\ksuser.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 02:44 . 2010-01-05 21:58 -------- d-----w- c:\documents and settings\Tay\Application Data\LimeWire
2010-01-06 02:51 . 2010-01-06 02:51 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-01-06 02:51 . 2010-01-06 02:51 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2010-01-06 02:51 . 2010-01-06 02:51 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-01-04 10:28 . 2010-01-03 03:05 13688 ----a-w- c:\documents and settings\Tay\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-04 09:03 . 2010-01-04 09:03 -------- d-----w- c:\program files\MSBuild
2010-01-04 09:03 . 2010-01-04 09:03 -------- d-----w- c:\program files\Reference Assemblies
2010-01-03 05:06 . 2010-01-03 03:00 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-25 03:50 . 2010-01-03 03:12 4463104 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2009-11-25 03:27 . 2010-01-03 03:12 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-11-25 03:26 . 2010-01-03 03:12 300032 ----a-w- c:\windows\system32\ati2dvag.dll
2009-11-25 03:11 . 2010-01-03 03:12 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2009-11-25 03:11 . 2010-01-03 03:12 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2009-11-25 03:10 . 2010-01-03 03:12 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-11-25 03:10 . 2010-01-03 03:12 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-11-25 03:10 . 2010-01-03 03:12 155648 ----a-w- c:\windows\system32\ati2evxx.dll
2009-11-25 03:09 . 2010-01-03 03:12 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2009-11-25 03:07 . 2010-01-03 03:12 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2009-11-25 02:59 . 2010-01-03 03:12 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2009-11-25 02:59 . 2010-01-03 03:12 3538496 ----a-w- c:\windows\system32\ati3duag.dll
2009-11-25 02:44 . 2010-01-03 03:12 13533184 ----a-w- c:\windows\system32\atioglxx.dll
2009-11-25 02:43 . 2010-01-03 03:12 2142848 ----a-w- c:\windows\system32\ativvaxx.dll
2009-11-25 02:42 . 2010-01-03 03:12 887724 ----a-w- c:\windows\system32\ativva6x.dat
2009-11-25 02:42 . 2010-01-03 03:12 3 ----a-w- c:\windows\system32\ativva5x.dat
2009-11-25 02:26 . 2010-01-03 03:12 65024 ----a-w- c:\windows\system32\atimpc32.dll
2009-11-25 02:26 . 2010-01-03 03:12 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2009-11-25 02:21 . 2010-01-03 03:12 565248 ----a-w- c:\windows\system32\atikvmag.dll
2009-11-25 02:20 . 2010-01-03 03:12 45056 ----a-w- c:\windows\system32\aticalrt.dll
2009-11-25 02:20 . 2010-01-03 03:12 45056 ----a-w- c:\windows\system32\aticalcl.dll
2009-11-25 02:19 . 2010-01-03 03:12 176128 ----a-w- c:\windows\system32\atiadlxx.dll
2009-11-25 02:18 . 2010-01-03 03:12 17408 ----a-w- c:\windows\system32\atitvo32.dll
2009-11-25 02:18 . 2010-01-03 03:12 3612672 ----a-w- c:\windows\system32\aticaldd.dll
2009-11-25 02:18 . 2010-01-03 03:12 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2009-11-25 02:17 . 2010-01-03 03:12 397312 ----a-w- c:\windows\system32\atiok3x2.dll
2009-11-25 02:12 . 2010-01-03 03:12 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2009-11-24 23:40 . 2010-01-03 04:18 838176 ----a-w- c:\windows\RtlExUpd.dll
2009-11-18 13:17 . 2010-01-03 04:18 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2009-11-18 13:16 . 2010-01-03 04:18 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2009-11-12 23:07 . 2009-11-12 23:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:45 . 2010-01-03 04:36 916480 ------w- c:\windows\system32\SET231.tmp
2009-10-29 07:45 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:45 . 2010-01-03 04:36 1208832 ------w- c:\windows\system32\SET232.tmp
2009-10-29 07:45 . 2010-01-03 04:36 5940736 ------w- c:\windows\system32\SET234.tmp
2009-10-29 07:45 . 2010-01-03 04:36 594432 ------w- c:\windows\system32\SET236.tmp
2009-10-29 07:45 . 2010-01-03 04:36 55296 ------w- c:\windows\system32\SET235.tmp
2009-10-29 07:45 . 2010-01-03 04:36 1985536 ------w- c:\windows\system32\SET239.tmp
2009-10-29 07:45 . 2010-01-03 04:36 11069952 ------w- c:\windows\system32\SET23B.tmp
2009-10-22 15:59 . 2010-01-03 03:12 196565 ----a-w- c:\windows\system32\atiicdxx.dat
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Tay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-03 135664]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-03 2033432]
"RTHDCPL"="RTHDCPL.EXE" [2009-12-26 18789408]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]
"Cerberus"="c:\cerberus\win32.exe" [2006-03-23 135168]
"msnmsgupdate"="msnmsgupdater.exe" [2009-12-23 971030]

c:\documents and settings\Tay\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-1-5 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-03 03:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 22:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cerberus]
2006-03-23 20:40 135168 --sha-r- c:\cerberus\win32.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Steam\\steamapps\\shockz13\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\zero gear\\ZeroGear.bat"=
"c:\\Program Files\\Steam\\steamapps\\common\\zero gear\\Server\\iw4mp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/2/2010 9:30 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/2/2010 9:30 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [1/2/2010 9:30 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/2/2010 9:30 PM 285392]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/5/2010 8:52 PM 10384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/2/2010 10:18 PM 1691480]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{L1AHD1IR-4L6I-20VY-Y15I-AE72550302OE}]
2006-03-23 20:40 135168 --sha-r- c:\cerberus\win32.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-01-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1035525444-725345543-1004Core.job
- c:\documents and settings\Tay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-03 05:34]

2010-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1035525444-725345543-1004UA.job
- c:\documents and settings\Tay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-03 05:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Tay\Application Data\Mozilla\Firefox\Profiles\50rkp6kf.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Tay\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-csrsx - c:\documents and settings\Tay\Application Data\TGSVIPCracked.exe
AddRemove-HijackThis - c:\documents and settings\Tay\My Documents\Downloads\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-10 20:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2010-01-10 20:50:57
ComboFix-quarantined-files.txt 2010-01-11 02:50

Pre-Run: 337,024,434,176 bytes free
Post-Run: 337,445,666,816 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - E2E70702EC6850A1955A954DBB82BDFE

Re: Unsure about safety

Please download Malwarebytes Anti-Malware from here.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: Unsure about safety
Malwarebytes' Anti-Malware 1.44
Database version: 3540
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/11/2010 12:35:14 PM
mbam-log-2010-01-11 (12-35-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 189986
Time elapsed: 23 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{l1ahd1ir-4l6i-20vy-y15i-ae72550302oe} (Generic.Bot.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Cerberus\win32.exe (Generic.Bot.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5163ACC-B4EC-462D-89DD-ED5BB98B4656}\RP27\A0005193.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5163ACC-B4EC-462D-89DD-ED5BB98B4656}\RP38\A0006662.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5163ACC-B4EC-462D-89DD-ED5BB98B4656}\RP38\A0006763.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tay\My Documents\downloads\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


BTW there was a log.dat file and inside is everything I've typed since I DLed that, including Steam passwords and Google searches. Like, I'm really pissed now, but win32.exe is deleted and I never let it run, so hopefully none got sent. Also luckily it was encrypting my World of Warcraft logins. But damn.. that sucks, but also the person who gave me it fails because they left the keystrokes file on my computer for me to see.

Re: Unsure about safety
Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


==

Please download the Kaspersky AVP Tool from Kaspersky-labs.com.
  • Save it to your desktop.
  • Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).
  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:

    • System Memory
    • Startup Objects
    • Disk Boot Sectors.
    • My Computer.
    • Also any other drives (Removable that you may have)

After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.

  • Then click on Scan at the top right hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be Neutralized then choose the delete option when prompted.
  • After that is done click on the reports button at the bottom and save it to file; name it Kas.
  • Save it somewhere convenient like your desktop and post only the detected Virus\malware in the report (it will be at the very top under Detected). Post those results in your next reply.
Note: This tool will self uninstall when you close it so please save the log before closing it.

==

Make sure the Kaspersky AVP log, the HijackThis log, and the SDFix log are included in your next reply. You may have to use more than one post to get all the data in.

Re: Unsure about safety
SDFix: Version 1.240
Run by Tay on Mon 01/11/2010 at 03:56 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-11 16:01:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4sp.exe"="C:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4sp.exe:*:Enabled:Call of Duty: Modern Warfare 2"
"C:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"="C:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe:*:Enabled:Call of Duty: Modern Warfare 2 - Multiplayer"
"C:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"="C:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe:*:Enabled:Left 4 Dead 2"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\World of Warcraft\\Launcher.exe"="C:\\Program Files\\World of Warcraft\\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"="C:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4"
"C:\\Program Files\\Steam\\steamapps\\shockz13\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\shockz13\\team fortress 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Ventrilo\\Ventrilo.exe"="C:\\Program Files\\Ventrilo\\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\\Program Files\\Steam\\steamapps\\common\\zero gear\\ZeroGear.bat"="C:\\Program Files\\Steam\\steamapps\\common\\zero gear\\ZeroGear.bat:*:Enabled:Zero Gear Demo"
"C:\\Program Files\\Steam\\steamapps\\common\\zero gear\\Server\\iw4mp.exe"="C:\\Program Files\\Steam\\steamapps\\common\\zero gear\\Server\\iw4mp.exe:*:Enabled:iw4mp"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files :



Files with hidden Attributes :

Wed 23 Dec 2009 971,030 ..SHR --- "C:\WINDOWS\msnmsgupdater.exe"
Sat 2 Jan 2010 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 24 Sep 2008 926,760 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\37175e0036c29cc08080fca13a678d2a\BIT8.tmp"

Finished!

Re: Unsure about safety
Post the remaining when ready.

Re: Unsure about safety

Kaspersky AVP didn't show a log. I followed instructions but there's no option to see a log or anything (your instructions are out of date BTW). It didn't say it found anything though. Here's my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:17 PM, on 1/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\msnmsgupdater.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Tay\My Documents\Downloads\winlogon.scr

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [msnmsgupdate] msnmsgupdater.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Tay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

--
End of file - 5724 bytes
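The SDFix report and the HijackThis log above can be cross-checked mechanically rather than by eye. The script below is an added example for this thread, not one of the tools the helpers used and not part of the original posts. It parses the three line formats that appear in those logs (HijackThis "Running processes" lines, HijackThis O4 autostart lines, and SDFix "Files with hidden Attributes" lines) and lists entries worth a second look: a core Windows binary name running from outside the Windows directory, an O4 entry given as a bare filename with no path, and an autostart image that also appears in the hidden-attribute list with both System and Hidden set. The sample lines are a subset copied from the logs posted in this thread; the heuristics and the SYSTEM_NAMES list are choices made for this example. A finding is a prompt to check the file (publisher, hash, location), not a malware verdict.

```python
"""Cross-check a HijackThis log against SDFix's hidden-attribute list.

Added triage example for this thread, not one of the tools the helpers used.
A finding is a prompt to inspect the file, not a malware verdict.
"""
import re

EXE_EXT = (".exe", ".scr", ".bat", ".com")
# Core Windows binary names (list chosen for this example): one of these
# running from outside the Windows directory is worth a look.
SYSTEM_NAMES = {"winlogon", "smss", "csrss", "lsass", "services", "svchost", "explorer"}

# HijackThis O4 line shapes: registry Run entries and Startup-folder .lnk entries
RUN_RE = re.compile(r"^O4 - (?P<source>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
LNK_RE = re.compile(r"^O4 - (?P<source>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# SDFix 'Files with hidden Attributes' line: date, size, 5-char attribute field, quoted path
HIDDEN_RE = re.compile(r'^\w{3} +\d{1,2} \w{3} \d{4} +[\d,]+ +(?P<attrs>[A-Z.]{5}) +--- +"(?P<path>[^"]+)"$')

# Sample input: a subset of the lines from the logs posted in this thread.
HJT_SAMPLE = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\msnmsgupdater.exe
C:\Documents and Settings\Tay\My Documents\Downloads\winlogon.scr

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [msnmsgupdate] msnmsgupdater.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
"""
SDFIX_SAMPLE = r"""
Wed 23 Dec 2009 971,030 ..SHR --- "C:\WINDOWS\msnmsgupdater.exe"
Sat 2 Jan 2010 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
"""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def image_from_command(cmd):
    """Executable part of an O4 command: quoted image verbatim; an unquoted one
    is grown token by token until it ends in an executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    for i in range(len(tokens)):
        cand = " ".join(tokens[: i + 1])
        if cand.lower().endswith(EXE_EXT):
            return cand
    return tokens[0] if tokens else cmd


def parse_hjt(text):
    """Return (processes, autostarts): image paths from the 'Running processes'
    block, and {source, name, image} dicts for the O4 lines."""
    processes, autostarts, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                      # block ends at the first blank line
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = LNK_RE.match(line) or RUN_RE.match(line)
        if m:
            autostarts.append({"source": m["source"], "name": m["name"],
                               "image": image_from_command(m["cmd"])})
    return processes, autostarts


def parse_sdfix_hidden(text):
    """Return {basename: (path, set of attribute letters)}; '.' marks an unset bit."""
    out = {}
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            out[basename(m["path"])] = (m["path"], set(m["attrs"]) - {"."})
    return out


def triage(processes, autostarts, hidden):
    """Return {image basename: [reasons]} for entries worth a second look."""
    findings = {}

    def note(name, reason):
        findings.setdefault(name, []).append(reason)

    for proc in processes:
        name = basename(proc)
        if name.rsplit(".", 1)[0] in SYSTEM_NAMES and not proc.lower().startswith("c:\\windows\\"):
            note(name, f"system binary name running outside the Windows directory: {proc}")
    for a in autostarts:
        name = basename(a["image"])
        if "\\" not in a["image"]:
            note(name, f"{a['source']} [{a['name']}] gives a bare filename; confirm which copy runs")
        h = hidden.get(name)
        if h and {"S", "H"} <= h[1]:
            note(name, f"autostart image {h[0]} carries System+Hidden attributes")
    return findings


if __name__ == "__main__":
    procs, auto = parse_hjt(HJT_SAMPLE)
    print(triage(procs, auto, parse_sdfix_hidden(SDFIX_SAMPLE)))
```

On the sample above the script reports three names: winlogon.scr (a system-binary name running from the Downloads folder), RTHDCPL.EXE (a bare filename, so the loader's search path decides which copy runs) and msnmsgupdater.exe (both a bare filename in its O4 entry and a System+Hidden file in C:\WINDOWS). The first and third are the ones a helper would want to resolve before calling a machine clean; the second is a normal low-priority check of a vendor binary.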

Re: Unsure about safety
Please perform a scan with Kaspersky Online Virus Scanner.
alternate link for scan

  • Before starting your scan, disable antivirus or antispyware software.
  • Read the "Advantages - Requirements and Limitations" then press the ACCEPT... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the SETTINGS... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the SAVE... button afterwards:

    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases:

  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste the contents of that file in your next reply.

*Note: This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools. Some online scanners will detect existing anti-virus software and they may interfere or stop the scan. If that occurs, disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

Re: Unsure about safety
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, January 11, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, January 12, 2010 02:51:16
Records in database: 3300157
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 79359
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:23:25

No threats found. Scanned area is clean.

Selected area has been scanned.

Re: Unsure about safety
Download LockSearch to your desktop

  • A window will pop up. Press 2 and then Enter. A scan will start; let it run uninterrupted. It should only take a few minutes.
  • A log will appear when it is finished. It will also be saved in the same location as LockSearch, which should be on your desktop. Post the contents of the log in your reply.


==

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Re: Unsure about safety
LockSearch by jpshortstuff (05.11.09.1)
Log created at 15:25 on 12/01/2010 (Tay)
Scanning C:\


C:\pagefile.sys
-------------------------

-=E.O.F=-

Re: Unsure about safety
OK. All clean.
