Help Virus Unknown
Can someone help me? I can't get on websites without some adware stuff coming up and messing up my computer. I can't even download antivirus because of this.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:59 PM, on 12/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\user\LOCALS~1\Temp\winloggn.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\802.11g Wireless LAN\Monitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jsf8j34rgfght] C:\DOCUME~1\user\LOCALS~1\Temp\winloggn.exe
O4 - HKLM\..\Run: [a017e528] rundll32.exe "C:\WINDOWS\system32\fylolrca.dll",b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [jsf8j34rgfght] C:\DOCUME~1\user\LOCALS~1\Temp\winloggn.exe
O4 - HKUS\S-1-5-20\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Monitor.lnk = C:\Program Files\802.11g Wireless LAN\Monitor.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm186YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.spyguardpro.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/WebfettiInitialSetup1.0.1.0.cab
O18 - Filter hijack: text/html - {20151c04-6020-402e-aee8-5b23bc7a5d09} - C:\WINDOWS\system32\mst122.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8037 bytes
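An added example, not from the thread or from HijackThis itself: a small Python triage pass over lines in the HijackThis format shown above, flagging the entry types a helper checks first (autoruns launched from a temp directory or with machine-generated names, Trusted Zone additions, O18 filter hijacks, O22 SharedTaskScheduler hooks). The heuristics, the `Finding` type and the trimmed sample are my own constructions; the sample entries are copied from the log above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2 line format; the entries are copied from
# the log posted above, trimmed to a few representative lines.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [jsf8j34rgfght] C:\DOCUME~1\user\LOCALS~1\Temp\winloggn.exe
O4 - HKLM\..\Run: [a017e528] rundll32.exe "C:\WINDOWS\system32\fylolrca.dll",b
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O18 - Filter hijack: text/html - {20151c04-6020-402e-aee8-5b23bc7a5d09} - C:\WINDOWS\system32\mst122.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O4 - HKLM\..\Run: [name] command" -- hive, Run/RunOnce key, value name, command line
ENTRY_RE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
VOWELS = set("aeiouAEIOU")


def looks_machine_generated(name: str) -> bool:
    """Crude heuristic (my assumption, not a HijackThis rule) for autorun value names
    such as 'jsf8j34rgfght' or 'a017e528': long, and either mostly digits or vowel-free.
    Only letters and digits count; a trailing GUID (BgMonitor_{...}) is ignored."""
    core = re.sub(r"[^A-Za-z0-9]", "", name.split("{")[0])
    if len(core) < 8:
        return False
    digits = sum(c.isdigit() for c in core)
    return digits / len(core) >= 0.5 or not (set(core) & VOWELS)


@dataclass
class Finding:
    code: str
    line: str
    reasons: list = field(default_factory=list)


def triage(log_text: str) -> list:
    """Return one Finding per HijackThis line that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        reasons = []
        if code == "O4":
            if "\\temp\\" in body.lower():
                reasons.append("autorun target lives in a temporary directory")
            r = RUN_RE.match(body)
            if r and looks_machine_generated(r.group("name")):
                reasons.append("autorun value name looks machine-generated")
        elif code == "O15":
            reasons.append("Trusted Zone entry: IE relaxes its restrictions for this domain; confirm the user added it")
        elif code == "O18":
            reasons.append("MIME filter hijack: a DLL is inserted into every text/html response")
        elif code == "O22":
            reasons.append("SharedTaskScheduler entry: an autostart location rarely used by legitimate software")
        if reasons:
            findings.append(Finding(code, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.line}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

The heuristics only prioritise lines for review; a flagged entry still has to be checked against what is known about the file, as the replies in this thread do.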

Re: Help Virus Unknown

  • Download ComboFix from here (use the top links): combofix.exe
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt, which asks if you want to continue the malware scan; select Yes.

    [screenshot]

  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Re: Help Virus Unknown
ComboFix 08-12-16.03 - user 2008-12-21 20:07:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1749 [GMT -6:00]
Running from: c:\documents and settings\user\Desktop\combogpfix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\user\Application Data\FunWebProducts
c:\documents and settings\user\Application Data\FunWebProducts\Data\user\avatar.dat
c:\documents and settings\user\Application Data\FunWebProducts\Data\user\register.dat
c:\documents and settings\user\Application Data\FunWebProducts\Data\user\zbucks.dat
c:\documents and settings\user\Application Data\gadcom
c:\documents and settings\user\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Common\helper.dll
c:\program files\Common\helper.sig
C:\setup.exe
c:\windows\system32\acrlolyf.ini
c:\windows\system32\ceedgMoq.ini
c:\windows\system32\ceedgMoq.ini2
c:\windows\system32\drivers\TDSSmhlt.sys
c:\windows\system32\fylolrca.dll
c:\windows\system32\nzojvx.dll
c:\windows\system32\qoMgdeec.dll
c:\windows\system32\qoywpnke.dll
c:\windows\system32\TDSSarxx.dll
c:\windows\system32\TDSScfmn.dll
c:\windows\system32\TDSSkkai.log
c:\windows\system32\TDSSlxcp.dll
c:\windows\system32\TDSSmtve.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoity.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSvoql.dll
c:\windows\system32\TDSSxhyf.log
c:\windows\system32\tyshb36rfjdf.dll

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.

2008-12-21 19:44 . 2008-12-21 19:44 d-------- c:\program files\Trend Micro
2008-12-21 18:54 . 2008-12-21 18:54 d-------- c:\program files\Lavasoft
2008-12-21 18:54 . 2008-12-21 18:54 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-21 18:54 . 2008-12-21 18:54 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-21 18:46 . 2008-12-21 18:46 d-------- c:\program files\SpywareBlaster
2008-12-21 18:46 . 2005-04-15 20:58 1,071,088 --a------ c:\windows\system32\MSCOMCTL.OCX
2008-12-21 18:46 . 2005-08-25 19:18 118,784 --a------ c:\windows\system32\MSSTDFMT.DLL
2008-12-21 18:25 . 2008-12-21 18:31 d-------- c:\windows\SxsCaPendDel
2008-12-21 18:25 . 2008-12-21 18:25 0 --a------ c:\windows\nsreg.dat
2008-12-21 18:15 . 2008-12-21 18:15 d-------- c:\documents and settings\All Users\Application Data\SITEguard
2008-12-21 18:13 . 2008-12-21 18:13 d-------- c:\program files\Common Files\iS3
2008-12-21 18:13 . 2008-12-21 18:21 d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-12-21 13:26 . 2008-12-21 13:26 d-------- c:\documents and settings\All Users\Application Data\Kaspersky Anti-Virus Personal
2008-12-21 13:25 . 2008-12-21 13:25 d-------- c:\program files\Defender
2008-12-21 12:52 . 2008-12-21 12:52 57,856 --a------ c:\windows\system32\tuvWpNee.dll
2008-12-21 12:49 . 2008-12-21 12:49 d-------- c:\documents and settings\user\Application Data\Skype
2008-12-21 12:46 . 2008-12-21 12:46 57,856 --a------ c:\windows\system32\tuvSkIcc.dll
2008-12-21 12:38 . 2008-12-21 12:38 57,856 --a------ c:\windows\system32\pmnoLcbb.dll
2008-12-21 12:38 . 2008-12-21 12:38 45,056 --a------ c:\windows\system32\ddccCRjH.dll
2008-12-15 15:51 . 2008-12-21 20:07 d-------- c:\program files\Common
2008-12-14 20:40 . 2008-12-14 20:40 151 --a------ c:\windows\PhotoSnapViewer.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 23:04 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-14 02:15 --------- d-----w c:\program files\Shockwave.com
2008-11-14 02:15 --------- d-----w c:\documents and settings\All Users\Application Data\Shockwave
2008-11-14 01:04 --------- d-----w c:\documents and settings\user\Application Data\cerasus.media
2008-11-06 00:15 --------- d-----w c:\documents and settings\user\Application Data\Microsoft Games
2008-11-06 00:15 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Games
2008-11-06 00:13 --------- d-----w c:\program files\Microsoft Games
2008-10-27 01:43 --------- d-----w c:\documents and settings\user\Application Data\Aveyond II
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:37 659,456 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40AB7707-3AF4-4F7C-BDB9-8F02B1BA2875}]
2008-12-21 20:11 292352 --a------ c:\windows\system32\awtsPGWn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2008-12-21 12:38 57856 --a------ c:\windows\system32\pmnoLcbb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-18 8720384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-14 155648]
"a017e528"="c:\windows\system32\itthomlg.dll" [2008-12-21 95744]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-04-12 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-18 8720384]

c:\documents and settings\user\Start Menu\Programs\Startup\
Monitor.lnk - c:\program files\802.11g Wireless LAN\Monitor.exe [2004-12-02 917504]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\pmnoLcbb.dll" [2008-12-21 57856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnoLcbb]
2008-12-21 12:38 57856 c:\windows\system32\pmnoLcbb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\awtsPGWn

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R1 Klmc;Klmc;c:\windows\system32\drivers\klmc.sys [2004-06-23 9939]
S3 PciCon;PciCon;\??\D:\PciCon.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-12-22 c:\windows\Tasks\iutlljbm.job
- c:\windows\system32\rundll32.exe [2006-02-28 06:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{9AC34F41-52B5-4903-9DBF-45EB642A53D3} - c:\windows\system32\qoMgdeec.dll
BHO-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\tyshb36rfjdf.dll
SharedTaskScheduler-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\tyshb36rfjdf.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm186YYUS
Trusted Zone: *.amaena.com
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.imagesrvr.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.spyguardpro.com
Trusted Zone: *.storageguardsoft.com
Trusted Zone: *.virusremover2008.com
Trusted Zone: *.virusschlacht.com
Trusted Zone: *.amaena.com
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.imagesrvr.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.spyguardpro.com
Trusted Zone: *.storageguardsoft.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusremover2008.com
Trusted Zone: *.virusschlacht.com

O16 -: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/WebfettiInitialSetup1.0.1.0.cab
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\jysowtdi.default\
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 20:11:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\user\LOCALS~1\Temp\NEW3.tmp 3021 bytes
c:\windows\system32\nWGPstwa.ini 369 bytes
c:\windows\system32\nWGPstwa.ini2 369 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\pmnoLcbb.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2008-12-21 20:13:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-22 02:13:47

Pre-Run: 234,681,655,296 bytes free
Post-Run: 235,047,612,416 bytes free

226 --- E O F --- 2008-12-18 09:00:45

Re: Help Virus Unknown
Hello.
Looking better, but still some crap to get rid of.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
PciCon

File::
c:\windows\system32\tuvWpNee.dll
c:\windows\system32\tuvSkIcc.dll
c:\windows\system32\pmnoLcbb.dll
c:\windows\system32\ddccCRjH.dll
c:\windows\system32\awtsPGWn.dll
c:\windows\system32\pmnoLcbb.dll
c:\windows\system32\itthomlg.dll
c:\windows\Tasks\iutlljbm.job
c:\docume~1\user\LOCALS~1\Temp\NEW3.tmp
c:\windows\system32\nWGPstwa.ini
c:\windows\system32\nWGPstwa.ini2
D:\PciCon.sys

Folder::
c:\program files\Common

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40AB7707-3AF4-4F7C-BDB9-8F02B1BA2875}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a017e528"=-
[-hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnoLcbb]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"="msv1_0"


Save this as CFScript.txt; save it to your desktop also.
Then drag and drop CFScript.txt into ComboFix as seen below:
[screenshot]

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.

Please post a new Hijack This log too.

Re: Help Virus Unknown
ComboFix 08-12-16.03 - user 2008-12-21 20:25:08.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1505 [GMT -6:00]
Running from: c:\documents and settings\user\Desktop\combogpfix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\docume~1\user\LOCALS~1\Temp\NEW3.tmp
c:\windows\system32\awtsPGWn.dll
c:\windows\system32\ddccCRjH.dll
c:\windows\system32\itthomlg.dll
c:\windows\system32\nWGPstwa.ini
c:\windows\system32\nWGPstwa.ini2
c:\windows\system32\pmnoLcbb.dll
c:\windows\system32\tuvSkIcc.dll
c:\windows\system32\tuvWpNee.dll
c:\windows\Tasks\iutlljbm.job
D:\PciCon.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common
c:\windows\system32\awtsPGWn.dll
c:\windows\system32\ddccCRjH.dll
c:\windows\system32\dhpmnb.dll
c:\windows\system32\erphvusq.dll
c:\windows\system32\glmohtti.ini
c:\windows\system32\itthomlg.dll
c:\windows\system32\nWGPstwa.ini
c:\windows\system32\nWGPstwa.ini2
c:\windows\system32\pmnoLcbb.dll
c:\windows\system32\tuvSkIcc.dll
c:\windows\system32\tuvWpNee.dll
c:\windows\Tasks\iutlljbm.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PCICON
-------\Service_PciCon


((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.

2008-12-21 20:20 . 2008-12-21 20:20 d-------- c:\program files\Spybot - Search & Destroy
2008-12-21 20:20 . 2008-12-21 20:27 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-21 19:44 . 2008-12-21 19:44 d-------- c:\program files\Trend Micro
2008-12-21 18:54 . 2008-12-21 18:54 d-------- c:\program files\Lavasoft
2008-12-21 18:54 . 2008-12-21 18:54 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-21 18:54 . 2008-12-21 18:54 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-21 18:46 . 2008-12-21 18:46 d-------- c:\program files\SpywareBlaster
2008-12-21 18:46 . 2005-04-15 20:58 1,071,088 --a------ c:\windows\system32\MSCOMCTL.OCX
2008-12-21 18:46 . 2005-08-25 19:18 118,784 --a------ c:\windows\system32\MSSTDFMT.DLL
2008-12-21 18:25 . 2008-12-21 18:31 d-------- c:\windows\SxsCaPendDel
2008-12-21 18:25 . 2008-12-21 18:25 0 --a------ c:\windows\nsreg.dat
2008-12-21 18:15 . 2008-12-21 18:15 d-------- c:\documents and settings\All Users\Application Data\SITEguard
2008-12-21 18:13 . 2008-12-21 18:13 d-------- c:\program files\Common Files\iS3
2008-12-21 18:13 . 2008-12-21 18:21 d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-12-21 13:26 . 2008-12-21 13:26 d-------- c:\documents and settings\All Users\Application Data\Kaspersky Anti-Virus Personal
2008-12-21 13:25 . 2008-12-21 13:25 d-------- c:\program files\Defender
2008-12-21 12:49 . 2008-12-21 12:49 d-------- c:\documents and settings\user\Application Data\Skype
2008-12-14 20:40 . 2008-12-14 20:40 151 --a------ c:\windows\PhotoSnapViewer.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 23:04 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-14 02:15 --------- d-----w c:\program files\Shockwave.com
2008-11-14 02:15 --------- d-----w c:\documents and settings\All Users\Application Data\Shockwave
2008-11-14 01:04 --------- d-----w c:\documents and settings\user\Application Data\cerasus.media
2008-11-06 00:15 --------- d-----w c:\documents and settings\user\Application Data\Microsoft Games
2008-11-06 00:15 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Games
2008-11-06 00:13 --------- d-----w c:\program files\Microsoft Games
2008-10-27 01:43 --------- d-----w c:\documents and settings\user\Application Data\Aveyond II
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:37 659,456 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-18 8720384]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-14 155648]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-04-12 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-18 8720384]

c:\documents and settings\user\Start Menu\Programs\Startup\
Monitor.lnk - c:\program files\802.11g Wireless LAN\Monitor.exe [2004-12-02 917504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dhpmnb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_SZ msv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R1 Klmc;Klmc;c:\windows\system32\drivers\klmc.sys [2004-06-23 9939]
.
- - - - ORPHANS REMOVED - - - -

BHO-{33ef43f2-13ee-4479-b8a0-5d9d223b6c51} - c:\windows\system32\dhpmnb.dll
BHO-{FCDFBE4A-876C-46A0-85C1-C74CD6F7F695} - c:\windows\system32\awtsPGWn.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm186YYUS
Trusted Zone: *.amaena.com
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.imagesrvr.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.spyguardpro.com
Trusted Zone: *.storageguardsoft.com
Trusted Zone: *.virusremover2008.com
Trusted Zone: *.virusschlacht.com
Trusted Zone: *.amaena.com
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.imagesrvr.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.spyguardpro.com
Trusted Zone: *.storageguardsoft.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusremover2008.com
Trusted Zone: *.virusschlacht.com
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\jysowtdi.default\
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 20:27:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2008-12-21 20:29:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-22 02:29:43
ComboFix2.txt 2008-12-22 02:13:53

Pre-Run: 234,951,430,144 bytes free
Post-Run: 234,936,078,336 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

204 --- E O F --- 2008-12-18 09:00:45
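An added example, not part of the thread or of ComboFix: a Python diff of the "Reg Loading Points" sections of the two ComboFix logs above, showing which autostart entries the CFScript run removed and which appeared afterwards (the AppInit_DLLs value and the rewritten LSA Authentication Packages line). The sample sections are trimmed copies of the two logs; the parser and the section markers it relies on are my assumptions about the log layout.

```python
import re

# Constructed samples: the "Reg Loading Points" sections of the two ComboFix logs
# posted in this thread, trimmed to the entries that differ plus one that does not.
LOG_BEFORE = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40AB7707-3AF4-4F7C-BDB9-8F02B1BA2875}]
2008-12-21 20:11 292352 --a------ c:\windows\system32\awtsPGWn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"a017e528"="c:\windows\system32\itthomlg.dll" [2008-12-21 95744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnoLcbb]
2008-12-21 12:38 57856 c:\windows\system32\pmnoLcbb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\awtsPGWn

R1 Klmc;Klmc;c:\windows\system32\drivers\klmc.sys [2004-06-23 9939]
S3 PciCon;PciCon;\??\D:\PciCon.sys []
.
Contents of the 'Scheduled Tasks' folder
"""

LOG_AFTER = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dhpmnb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_SZ msv1_0

R1 Klmc;Klmc;c:\windows\system32\drivers\klmc.sys [2004-06-23 9939]
.
- - - - ORPHANS REMOVED - - - -
"""

SECTION_START = "Reg Loading Points"
# Headings that follow the section in the logs above (assumed to be stable markers).
SECTION_END = ("Contents of the 'Scheduled Tasks'", "- - - - ORPHANS REMOVED", "------- Supplementary Scan")
SERVICE_RE = re.compile(r"^[RS]\d ")   # driver/service lines such as "R1 Klmc;..." or "S3 PciCon;..."
SKIP = {"", ".", "REGEDIT4"}


def reg_loading_points(log_text: str) -> dict:
    """Return {autostart location: set(entry lines)} for the Reg Loading Points section.
    Registry keys are lowercased because ComboFix prints them in mixed case."""
    entries, key, in_section = {}, None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = SECTION_START in line
            continue
        if line.startswith(SECTION_END):
            break
        if line in SKIP or line.startswith("*Note*"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # registry key header
        elif line.endswith("\\"):
            key = line.lower()                # Startup-folder header (a path ending in '\')
        elif SERVICE_RE.match(line):
            key = "services"                  # collect R*/S* lines under one pseudo-key
            entries.setdefault(key, set()).add(line)
        elif key is not None:
            entries.setdefault(key, set()).add(line)
    return entries


def diff_loading_points(before: str, after: str) -> tuple:
    """(added, removed): entries present only in the later log, and only in the earlier one."""
    a, b = reg_loading_points(before), reg_loading_points(after)
    added, removed = {}, {}
    for key in sorted(set(a) | set(b)):
        plus = b.get(key, set()) - a.get(key, set())
        minus = a.get(key, set()) - b.get(key, set())
        if plus:
            added[key] = sorted(plus)
        if minus:
            removed[key] = sorted(minus)
    return added, removed


if __name__ == "__main__":
    added, removed = diff_loading_points(LOG_BEFORE, LOG_AFTER)
    for title, delta in (("Removed by the CFScript run", removed), ("New since the first run", added)):
        print(title)
        for key, lines in delta.items():
            for entry in lines:
                print(f"  [{key}] {entry}")
```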

Re: Help Virus Unknown
Hello.


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""


  • Save this as fix.reg and save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.


Please post a fresh Hijack This log.

Re: Help Virus Unknown
Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.
