WiredWX Christian Hobby Weather Tools
Would you like to react to this message? Create an account in a few clicks or log in to continue.

WiredWX Christian Hobby Weather ToolsLog in

 


Unknown Virus/Trojan

3 posters

descriptionUnknown Virus/Trojan EmptyUnknown Virus/Trojan2nd June 2009, 11:39 pm

more_horiz
I was referred here from a friend. So basically, I used Symantec to try and identify the virus or malware whatever it's called, but it found nothing. It's been popping up ads on my computer via internet explorer, i use mozilla. Also when i'm on google and i click a link after i search, it redirects me to another BS site like chatonline etc. I have no idea what to do. Any suggestions on what i should first use to scan my computer to identify the problem?

thanks,
mmmikeal

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan3rd June 2009, 12:09 am

more_horiz
Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate

Unknown Virus/Trojan 2wg6fte

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan3rd June 2009, 12:52 am

more_horiz
thanks, ill get right on it

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan3rd June 2009, 12:55 am

more_horiz
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:50 PM, on 6/2/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16809)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\sttray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre1.5.0_16\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Ventrilo\Ventrilo.exe
c:\program files\TokBox\TokBox.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\program files\logitech\quickcam\lu\lulnchr.exe
C:\program files\logitech\quickcam\lu\LogitechUpdate.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_16\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=1607
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivirprotection.com
O1 - Hosts: 94.232.248.66 www.antivirprotection.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_16\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: TokBox.lnk = C:\Program Files\TokBox\TokBox.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O13 - Gopher Prefix:
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9139 bytes

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan3rd June 2009, 2:29 am

more_horiz

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
    O1 - Hosts: 94.232.248.66 antivirprotection.com
    O1 - Hosts: 94.232.248.66 www.antivirprotection.com
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe



  • Press "Fix Checked"
  • Close Hijack This.




1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate

Unknown Virus/Trojan 2wg6fte

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan3rd June 2009, 4:24 am

more_horiz
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "adgrvs39" found!
Could not open driver adgrvs39 for rootkit scan. Error:c0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Hidden driver "aily2eq7" found!
Could not open driver aily2eq7 for rootkit scan. Error:c0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan5th June 2009, 6:17 am

more_horiz
-bump- i won't be home tomorrow so im gonna bump this right now -bump-

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan5th June 2009, 8:52 am

more_horiz

  • Download combofix from here
    Link 1
    Link 2
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (Symantec)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    Unknown Virus/Trojan Rcauto10

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    Unknown Virus/Trojan Whatne10

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Unknown Virus/Trojan DXwU4
Unknown Virus/Trojan VvYDg

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan6th June 2009, 12:49 am

more_horiz
ComboFix 09-06-05.05 - Michael 06/05/2009 17:38.1 - NTFSx86
Microsoft®️ Windows Vista™️ Home Premium 6.0.6000.0.1252.1.1033.18.1982.918 [GMT -7:00]
Running from: c:\users\Michael\Desktop\combofixz.exe
AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\str.sys
c:\windows\system32\drivers\UACdnpbontfilesrkt.sys
c:\windows\system32\UACbyjubuepahiwipx.dll
c:\windows\system32\UACcqdrmvgsutsrijf.dll
c:\windows\system32\UACearoednutipcuev.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmbsvmfsnofbcqou.log
c:\windows\system32\UACmwxfcqhwvruxrbb.dat
c:\windows\system32\UACqjlyppdqoppgmwq.log
c:\windows\system32\UACqkggosvqctvcuqf.log
c:\windows\system32\UACvvejpgbkxrqabnu.dll
c:\windows\system32\UACxccimvydpnaxamo.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-06 to 2009-06-06 )))))))))))))))))))))))))))))))
.

2009-06-06 00:43 . 2009-06-06 00:43 -------- d-----w- C:\temp
2009-06-06 00:43 . 2009-06-06 00:43 -------- d-----w- \temp
2009-06-06 00:43 . 2009-06-06 00:44 -------- d-----w- c:\users\Michael\AppData\Local\temp
2009-06-06 00:43 . 2009-06-06 00:43 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-06-06 00:29 . 2009-06-06 00:44 -------- d-s---w- \combofixz
2009-06-06 00:22 . 2009-06-06 00:28 -------- d-----w- \Qoobox
2009-06-06 00:20 . 2009-06-05 09:07 1342 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\tmp581b.tmp\cur.scr
2009-06-05 23:54 . 2009-06-05 23:54 -------- d-----w- c:\program files\TokBox
2009-06-03 04:22 . 2009-06-03 04:24 -------- d-----w- \Avenger
2009-06-03 00:56 . 2009-06-03 00:56 -------- d-----w- c:\program files\Trend Micro
2009-05-16 03:05 . 2009-03-16 08:00 89104 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090515.003\naveng.sys
2009-05-16 03:05 . 2009-03-16 08:00 876144 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090515.003\navex15.sys
2009-05-16 03:05 . 2009-03-16 08:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090515.003\naveng32.dll
2009-05-16 03:05 . 2009-03-16 08:00 1181040 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090515.003\navex32a.dll
2009-05-16 03:05 . 2009-03-16 08:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090515.003\eeCtrl.sys
2009-05-16 03:05 . 2009-03-16 08:00 2414128 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090515.003\cceraser.dll
2009-05-16 03:05 . 2009-03-16 08:00 101936 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090515.003\ERASER.sys
2009-05-16 03:05 . 2008-11-20 09:00 259368 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090515.003\ecmsvr32.dll
2009-05-09 05:52 . 2009-03-16 08:00 89104 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090508.003\naveng.sys
2009-05-09 05:52 . 2009-03-16 08:00 876144 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090508.003\navex15.sys
2009-05-09 05:52 . 2009-03-16 08:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090508.003\naveng32.dll
2009-05-09 05:52 . 2009-03-16 08:00 1181040 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090508.003\navex32a.dll
2009-05-09 05:52 . 2009-03-16 08:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090508.003\eeCtrl.sys
2009-05-09 05:52 . 2009-03-16 08:00 2414128 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090508.003\cceraser.dll
2009-05-09 05:52 . 2009-03-16 08:00 101936 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090508.003\ERASER.sys
2009-05-09 05:52 . 2008-11-20 09:00 259368 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090508.003\ecmsvr32.dll
2009-05-08 03:56 . 2009-03-19 23:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-08 03:56 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-05-08 03:56 . 2009-05-08 03:56 -------- d-----w- c:\program files\iPod
2009-05-08 03:56 . 2009-05-08 03:56 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-08 03:56 . 2009-05-08 03:56 -------- d-----w- c:\program files\iTunes
2009-05-08 03:55 . 2009-05-08 03:55 -------- d-----w- c:\program files\Bonjour
2009-05-08 03:54 . 2009-05-08 03:54 -------- d-----w- c:\program files\QuickTime
2009-05-08 03:45 . 2009-05-08 03:45 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-06 00:37 . 2007-04-12 11:58 2392719360 --sha-w- \pagefile.sys
2009-06-06 00:26 . 2008-02-23 07:23 -------- d-----w- c:\program files\Norton Security Scan
2009-06-06 00:26 . 2007-04-29 06:38 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-05 05:26 . 2007-12-15 02:48 -------- d-----w- c:\program files\Warcraft III
2009-06-05 03:39 . 2008-09-27 19:27 -------- d-----w- c:\program files\Garena
2009-05-27 03:25 . 2007-06-26 21:44 -------- d-----w- c:\program files\Steam
2009-05-22 05:19 . 2008-08-28 02:32 -------- d-----w- c:\users\Michael\AppData\Roaming\FrostWire
2009-05-08 03:56 . 2007-09-18 07:10 -------- d-----w- c:\program files\Common Files\Apple
2009-04-25 05:22 . 2009-04-24 01:08 -------- d-----w- c:\programdata\NOS
2009-04-25 05:22 . 2009-04-24 01:08 -------- d-----w- c:\program files\NOS
2009-04-24 01:16 . 2009-04-24 01:15 -------- d-----w- c:\program files\Common Files\Adobe
2009-04-19 18:18 . 2007-09-14 22:26 -------- d-----w- c:\program files\Common Files\Steam
2009-04-12 21:49 . 2009-04-12 21:48 34 ----a-w- c:\users\Michael\jagex_runescape_preferences.dat
2009-04-07 22:01 . 2009-04-07 03:44 77055 ----a-w- c:\windows\War3Unin.dat
2009-04-07 03:47 . 2009-04-07 03:44 2829 ----a-w- c:\windows\War3Unin.pif
2009-04-07 03:47 . 2009-04-07 03:44 139264 ----a-w- c:\windows\War3Unin.exe
2009-03-26 22:23 . 2009-03-26 22:23 36864 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-03-26 22:23 . 2009-03-26 22:23 1900544 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-16 08:00 . 2009-03-16 08:00 89104 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\naveng.sys
2009-03-16 08:00 . 2009-03-16 08:00 876144 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\navex15.sys
2009-03-16 08:00 . 2009-03-16 08:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\eeCtrl.sys
2009-03-16 08:00 . 2009-03-16 08:00 2414128 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\cceraser.dll
2009-03-16 08:00 . 2009-03-16 08:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\naveng32.dll
2009-03-16 08:00 . 2009-03-16 08:00 1181040 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\navex32a.dll
2009-03-16 08:00 . 2009-03-16 08:00 101936 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\ERASER.sys
2009-03-14 05:07 . 2009-03-14 05:07 15440 ----a-w- c:\windows\system32\drivers\hamachi.sys
2008-07-07 03:14 . 2008-07-07 03:14 8 --sha-r- c:\windows\System32\B80BE66F79.sys
2008-07-07 04:11 . 2008-07-07 03:14 2516 --sha-w- c:\windows\System32\KGyGaAvL.sys
2007-04-12 19:56 . 2007-04-12 19:55 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan6th June 2009, 12:49 am

more_horiz
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-12-12 273864]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-01-17 486856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2006-11-02 2159104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-08 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-08 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-08 81920]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 17920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-11-28 134808]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-15 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-15 2407184]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_16\bin\jusched.exe" [2008-05-28 75256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-02-08 303104]

c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TokBox.lnk - c:\program files\TokBox\TokBox.exe [2009-6-5 95744]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-4-12 45056]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-11-12 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders credssp.dll, digeste.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A2D7434F-3124-4E4D-9FA1-3A7CBF579077}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{B8F783D6-A38C-4FA0-A0DD-ADA9FF3BB54B}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{120CA787-A512-44D9-979D-F0C3C2C49D61}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{E3A798B5-7427-41CE-866A-049DC2412B94}"= TCP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"TCP Query User{0515D08A-7B2C-49C3-940C-26C12B390210}c:\\stubinstaller.exe"= UDP:C:\stubinstaller.exe:LimeWire swarmed installer
"UDP Query User{3A90F21B-2D8B-4EF1-A1F1-D52AAD9C242C}c:\\stubinstaller.exe"= TCP:C:\stubinstaller.exe:LimeWire swarmed installer
"TCP Query User{B59D2092-A14F-457E-B6FA-553C9E182459}c:\\users\\michael\\desktop\\limewire\\limewire.exe"= UDP:c:\users\michael\desktop\limewire\limewire.exe:limewire.exe
"UDP Query User{89DD243C-A3F4-4CA6-8D54-0BF76C9A333C}c:\\users\\michael\\desktop\\limewire\\limewire.exe"= TCP:c:\users\michael\desktop\limewire\limewire.exe:limewire.exe
"TCP Query User{36DB7E36-0E01-40A7-89C8-7BBD11B8A375}c:\\program files\\aim\\aim.exe"= UDP:c:\program files\aim\aim.exe:AOL Instant Messenger
"UDP Query User{FAA3E0AF-2AE5-488E-B70A-E2F7DFF1E7AA}c:\\program files\\aim\\aim.exe"= TCP:c:\program files\aim\aim.exe:AOL Instant Messenger
"{4F3C97ED-B456-4B36-A8A9-120D0271F3D6}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{C6FF993A-A000-41F6-837C-1506E2183C91}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{F2C9B5C6-ACD5-4E98-B15F-88D48EBAFD77}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{363E3118-F62E-4230-A15E-6BF61B076580}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
"{915F5D43-81E2-4ADA-8396-979B319DF602}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{B57C4BE5-2652-44BE-86E3-5FA3CE0DC1C8}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{18818A99-7423-4D13-902F-01A69BFD0BA7}"= UDP:c:\programdata\NexonUS\NGM\NGM.exe:Nexon Game Manager
"{64FAB89A-CFDF-4CBC-9310-509AF2831E94}"= TCP:c:\programdata\NexonUS\NGM\NGM.exe:Nexon Game Manager
"TCP Query User{FA1C5933-DA7C-4F78-ADC0-8CC69611C674}c:\\program files\\swiftswitch\\swiftswitch.exe"= UDP:c:\program files\swiftswitch\swiftswitch.exe:World Switcher for RuneScape
"UDP Query User{604419F6-C91D-49B8-8B91-E96969B37CE2}c:\\program files\\swiftswitch\\swiftswitch.exe"= TCP:c:\program files\swiftswitch\swiftswitch.exe:World Switcher for RuneScape
"TCP Query User{C2119F67-BA08-432E-ABFF-881989311F9F}c:\\program files\\itunes\\itunes.exe"= UDP:c:\program files\itunes\itunes.exe:iTunes
"UDP Query User{CA79C40E-64A2-4ADE-990C-4A4B26ACEB52}c:\\program files\\itunes\\itunes.exe"= TCP:c:\program files\itunes\itunes.exe:iTunes
"{222D201C-8826-472D-94AE-8B31CDE79E53}"= UDP:c:\program files\Steam\Steam.exe:Steam Client
"{FE22940A-FA55-432C-80B1-1DA923C2AC2B}"= TCP:c:\program files\Steam\Steam.exe:Steam Client
"{53B2688D-6870-4F0B-87C1-514579C8C1C1}"= UDP:c:\nexon\KartRider\NMService.exe:Nexon Messenger Core
"{7D2FB9FA-647E-4247-9163-35CE9A825FCA}"= TCP:c:\nexon\KartRider\NMService.exe:Nexon Messenger Core
"TCP Query User{081B639A-069D-41B8-AADB-9E6B0A486F3D}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{49DF69FE-EE69-474B-A4A3-B1EA72910B3C}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"{81ED5947-AD58-49DF-BDCA-6681E1819FBF}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{35165E5E-AF5F-44E6-804B-878592FA5A1A}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{080EB661-6AFA-442D-B839-DDB3E781E891}"= UDP:c:\program files\FrostWire\FrostWire.exe:FrostWire
"{CA2DDE5E-FB53-4DEE-BAF8-AE9F8F510503}"= TCP:c:\program files\FrostWire\FrostWire.exe:FrostWire
"{C54D57B5-F1BC-4E6B-AD42-7D079DCAA732}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{FBCBEBC9-4E8A-47A6-9625-325AF1C5A0E3}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{54243C78-1E5D-4412-B98B-FA52AC521ACF}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{B8EBCA04-6010-4D8A-8C3D-A8BC76C88EB0}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{71FAC19E-F722-408B-859E-C2B386E62E78}"= UDP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{1304E72F-D067-46B4-8AE8-F402CA277FBD}"= TCP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{B7D27902-3D26-4C3F-869E-D1FA3816983E}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{D40FDC8D-6DC7-40FD-AF10-FC4E4D074BE4}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{8443CB31-F367-48FF-A017-226410DC1A7E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2A60F4E8-A184-4D8D-BBE9-8EF595DCE228}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{199AEB4C-5BFF-460C-9F33-9FAC4C066243}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{834CF976-7CA7-437F-8C8F-F0C6544C4BE9}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/1/2009 11:32 AM 99376]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/28/2006 6:34 AM 122008]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [1/9/2007 3:32 PM 38200]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/3/2008 7:05 PM 24652]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv10910
*Deregistered* - sptd
.
Contents of the 'Scheduled Tasks' folder

2009-06-06 c:\windows\Tasks\Norton Security Scan for Michael.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 11:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
SafeBoot-procexp90.Sys

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan6th June 2009, 12:49 am

more_horiz
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=1607
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: motive.com\pattcwprt.att
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\fvy9j0cg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJPI150_16.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-05 17:44
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\users\Michael\AppData\Local\Temp\ZOG3A22.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-06-06 17:45
ComboFix-quarantined-files.txt 2009-06-06 00:45

Pre-Run: 165,964,959,744 bytes free
Post-Run: 166,106,619,904 bytes free

302 --- E O F --- 2009-06-05 03:13

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan6th June 2009, 1:25 am

more_horiz
Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Folder::
c:\program files\FrostWire
c:\program files\LimeWire

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{B59D2092-A14F-457E-B6FA-553C9E182459}c:\\users\\michael\\desktop\\limewire\\limewire.exe"=-
"UDP Query User{89DD243C-A3F4-4CA6-8D54-0BF76C9A333C}c:\\users\\michael\\desktop\\limewire\\limewire.exe"=-
"{81ED5947-AD58-49DF-BDCA-6681E1819FBF}"=-
"{35165E5E-AF5F-44E6-804B-878592FA5A1A}"=-
"{080EB661-6AFA-442D-B839-DDB3E781E891}"=-
"{CA2DDE5E-FB53-4DEE-BAF8-AE9F8F510503}"=-
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\GarenaPEngine]

DDS::
uStart Page = hxxp://www.ask.com?o=1607


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
Unknown Virus/Trojan Sfxdaw

This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Unknown Virus/Trojan DXwU4
Unknown Virus/Trojan VvYDg

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan6th June 2009, 3:39 am

more_horiz
i did everything, but after the reboot, as it was about to give me my logfile, my computer bluescreened with some problem and crashed. I had to restart and now i have no log file, should i redo the above steps?

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan6th June 2009, 3:46 am

more_horiz
No you can find the ComboFix log somewhere in your C:\ drive.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate

Unknown Virus/Trojan 2wg6fte

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan6th June 2009, 3:54 am

more_horiz
//wasnt there so i just redid it, heres the log file//

ComboFix 09-06-05.05 - Michael 06/05/2009 20:44.3 - NTFSx86
Microsoft®️ Windows Vista™️ Home Premium 6.0.6000.0.1252.1.1033.18.1982.1136 [GMT -7:00]
Running from: c:\users\Michael\Desktop\combofixz.exe
Command switches used :: c:\users\Michael\Desktop\CFScript.txt
AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
---- Previous Run -------
.
c:\program files\FrostWire
c:\program files\FrostWire\aopalliance.jar
c:\program files\FrostWire\clink.jar
c:\program files\FrostWire\commons-codec-1.3.jar
c:\program files\FrostWire\commons-logging.jar
c:\program files\FrostWire\daap.jar
c:\program files\FrostWire\EULA.txt
c:\program files\FrostWire\forms.jar
c:\program files\FrostWire\foxtrot.jar
c:\program files\FrostWire\FrostWire.exe
c:\program files\FrostWire\FrostWire.ico
c:\program files\FrostWire\FrostWire.jar
c:\program files\FrostWire\gettext-commons.jar
c:\program files\FrostWire\GPL2.txt
c:\program files\FrostWire\guice-1.0.jar
c:\program files\FrostWire\hashes
c:\program files\FrostWire\httpclient-4.0-alpha3.jar
c:\program files\FrostWire\httpcore-4.0-beta2.jar
c:\program files\FrostWire\httpcore-nio-4.0-beta2.jar
c:\program files\FrostWire\httpcore-niossl-4.0-alpha7.jar
c:\program files\FrostWire\icu4j.jar
c:\program files\FrostWire\inspection.props
c:\program files\FrostWire\jaudiotagger.jar
c:\program files\FrostWire\jcraft.jar
c:\program files\FrostWire\jdic.dll
c:\program files\FrostWire\jdic.jar
c:\program files\FrostWire\jdic_stub.jar
c:\program files\FrostWire\jflac.jar
c:\program files\FrostWire\jl.jar
c:\program files\FrostWire\jmdns.jar
c:\program files\FrostWire\jogg.jar
c:\program files\FrostWire\jorbis.jar
c:\program files\FrostWire\jython.jar
c:\program files\FrostWire\launch.properties
c:\program files\FrostWire\log.txt
c:\program files\FrostWire\log4j.jar
c:\program files\FrostWire\log4j.properties
c:\program files\FrostWire\looks.jar
c:\program files\FrostWire\lw-all.jar
c:\program files\FrostWire\messages.jar
c:\program files\FrostWire\mp3spi.jar
c:\program files\FrostWire\onion-common.jar
c:\program files\FrostWire\onion-fec.jar
c:\program files\FrostWire\pmf.ico
c:\program files\FrostWire\ProgressTabs.jar
c:\program files\FrostWire\seenMessages.dat
c:\program files\FrostWire\SystemUtilities.dll
c:\program files\FrostWire\SystemUtilitiesA.dll
c:\program files\FrostWire\themes.jar
c:\program files\FrostWire\tray.dll
c:\program files\FrostWire\tritonus.jar
c:\program files\FrostWire\Uninstall.exe
c:\program files\FrostWire\vorbisspi.jar
c:\program files\LimeWire
c:\program files\LimeWire\lib\aopalliance.jar
c:\program files\LimeWire\lib\clink.jar
c:\program files\LimeWire\lib\commons-codec-1.3.jar
c:\program files\LimeWire\lib\commons-logging.jar
c:\program files\LimeWire\lib\commons-net.jar
c:\program files\LimeWire\lib\daap.jar
c:\program files\LimeWire\lib\dnsjava.jar
c:\program files\LimeWire\lib\forms.jar
c:\program files\LimeWire\lib\foxtrot.jar
c:\program files\LimeWire\lib\gettext-commons.jar
c:\program files\LimeWire\lib\guice-1.0.jar
c:\program files\LimeWire\lib\hsqldb.jar
c:\program files\LimeWire\lib\httpclient-4.0-alpha5-20080522.192134-5.jar
c:\program files\LimeWire\lib\httpcore-4.0-beta2-20080510.140437-10.jar
c:\program files\LimeWire\lib\httpcore-nio-4.0-beta2-20080510.140437-10.jar
c:\program files\LimeWire\lib\icu4j.jar
c:\program files\LimeWire\lib\jaudiotagger.jar
c:\program files\LimeWire\lib\jcraft.jar
c:\program files\LimeWire\lib\jdic.dll
c:\program files\LimeWire\lib\jdic.jar
c:\program files\LimeWire\lib\jdic_stub.jar
c:\program files\LimeWire\lib\jflac.jar
c:\program files\LimeWire\lib\jl.jar
c:\program files\LimeWire\lib\jmdns.jar
c:\program files\LimeWire\lib\jogg.jar
c:\program files\LimeWire\lib\jorbis.jar
c:\program files\LimeWire\lib\LimeWire.jar
c:\program files\LimeWire\lib\log4j.jar
c:\program files\LimeWire\lib\looks.jar
c:\program files\LimeWire\lib\messages.jar
c:\program files\LimeWire\lib\mp3spi.jar
c:\program files\LimeWire\lib\onion-common.jar
c:\program files\LimeWire\lib\onion-fec.jar
c:\program files\LimeWire\lib\ProgressTabs.jar
c:\program files\LimeWire\lib\swt.jar
c:\program files\LimeWire\lib\SystemUtilities.dll
c:\program files\LimeWire\lib\themes.jar
c:\program files\LimeWire\lib\tray.dll
c:\program files\LimeWire\lib\tritonus.jar
c:\program files\LimeWire\lib\vorbisspi.jar
c:\program files\LimeWire\LimeWire.exe

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan6th June 2009, 3:54 am

more_horiz
.
((((((((((((((((((((((((( Files Created from 2009-05-06 to 2009-06-06 )))))))))))))))))))))))))))))))
.

2009-06-06 03:48 . 2009-06-06 03:48 -------- d-sh--w- \$RECYCLE.BIN
2009-06-06 03:47 . 2009-06-06 03:48 -------- d-----w- c:\users\Michael\AppData\Local\temp
2009-06-06 03:47 . 2009-06-06 03:47 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-06-06 03:47 . 2009-06-06 03:47 -------- d-----w- C:\temp
2009-06-06 03:47 . 2009-06-06 03:47 -------- d-----w- \temp
2009-06-06 03:42 . 2009-06-06 03:48 -------- d-s---w- \combofixz
2009-06-06 03:01 . 2009-03-16 08:00 89104 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090605.003\naveng.sys
2009-06-06 03:01 . 2009-03-16 08:00 876144 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090605.003\navex15.sys
2009-06-06 03:01 . 2009-03-16 08:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090605.003\eeCtrl.sys
2009-06-06 03:01 . 2009-03-16 08:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090605.003\naveng32.dll
2009-06-06 03:01 . 2009-03-16 08:00 1181040 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090605.003\navex32a.dll
2009-06-06 03:01 . 2009-03-16 08:00 101936 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090605.003\ERASER.sys
2009-06-06 03:01 . 2008-11-20 09:00 259368 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090605.003\ecmsvr32.dll
2009-06-06 03:01 . 2009-03-16 08:00 2414128 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090605.003\cceraser.dll
2009-06-06 00:22 . 2009-06-06 03:43 -------- d-----w- \Qoobox
2009-06-06 00:20 . 2009-06-05 09:07 1342 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\tmp581b.tmp\cur.scr
2009-06-05 23:54 . 2009-06-05 23:54 -------- d-----w- c:\program files\TokBox
2009-06-03 04:22 . 2009-06-03 04:24 -------- d-----w- \Avenger
2009-06-03 00:56 . 2009-06-03 00:56 -------- d-----w- c:\program files\Trend Micro
2009-05-16 03:05 . 2009-03-16 08:00 89104 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090515.003\naveng.sys
2009-05-16 03:05 . 2009-03-16 08:00 876144 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090515.003\navex15.sys
2009-05-16 03:05 . 2009-03-16 08:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090515.003\naveng32.dll
2009-05-16 03:05 . 2009-03-16 08:00 1181040 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090515.003\navex32a.dll
2009-05-16 03:05 . 2009-03-16 08:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090515.003\eeCtrl.sys
2009-05-16 03:05 . 2009-03-16 08:00 2414128 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090515.003\cceraser.dll
2009-05-16 03:05 . 2009-03-16 08:00 101936 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090515.003\ERASER.sys
2009-05-16 03:05 . 2008-11-20 09:00 259368 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090515.003\ecmsvr32.dll
2009-05-08 03:56 . 2009-03-19 23:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-08 03:56 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-05-08 03:56 . 2009-05-08 03:56 -------- d-----w- c:\program files\iPod
2009-05-08 03:56 . 2009-05-08 03:56 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-08 03:56 . 2009-05-08 03:56 -------- d-----w- c:\program files\iTunes
2009-05-08 03:55 . 2009-05-08 03:55 -------- d-----w- c:\program files\Bonjour
2009-05-08 03:54 . 2009-05-08 03:54 -------- d-----w- c:\program files\QuickTime
2009-05-08 03:45 . 2009-05-08 03:45 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-06 03:47 . 2007-04-12 11:58 2392719360 --sha-w- \pagefile.sys
2009-06-06 00:26 . 2008-02-23 07:23 -------- d-----w- c:\program files\Norton Security Scan
2009-06-06 00:26 . 2007-04-29 06:38 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-05 05:26 . 2007-12-15 02:48 -------- d-----w- c:\program files\Warcraft III
2009-06-05 03:39 . 2008-09-27 19:27 -------- d-----w- c:\program files\Garena
2009-05-27 03:25 . 2007-06-26 21:44 -------- d-----w- c:\program files\Steam
2009-05-22 05:19 . 2008-08-28 02:32 -------- d-----w- c:\users\Michael\AppData\Roaming\FrostWire
2009-05-08 03:56 . 2007-09-18 07:10 -------- d-----w- c:\program files\Common Files\Apple
2009-04-25 05:22 . 2009-04-24 01:08 -------- d-----w- c:\programdata\NOS
2009-04-25 05:22 . 2009-04-24 01:08 -------- d-----w- c:\program files\NOS
2009-04-24 01:16 . 2009-04-24 01:15 -------- d-----w- c:\program files\Common Files\Adobe
2009-04-19 18:18 . 2007-09-14 22:26 -------- d-----w- c:\program files\Common Files\Steam
2009-04-12 21:49 . 2009-04-12 21:48 34 ----a-w- c:\users\Michael\jagex_runescape_preferences.dat
2009-04-07 22:01 . 2009-04-07 03:44 77055 ----a-w- c:\windows\War3Unin.dat
2009-04-07 03:47 . 2009-04-07 03:44 2829 ----a-w- c:\windows\War3Unin.pif
2009-04-07 03:47 . 2009-04-07 03:44 139264 ----a-w- c:\windows\War3Unin.exe
2009-03-26 22:23 . 2009-03-26 22:23 36864 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-03-26 22:23 . 2009-03-26 22:23 1900544 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-16 08:00 . 2009-03-16 08:00 89104 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\naveng.sys
2009-03-16 08:00 . 2009-03-16 08:00 876144 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\navex15.sys
2009-03-16 08:00 . 2009-03-16 08:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\eeCtrl.sys
2009-03-16 08:00 . 2009-03-16 08:00 2414128 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\cceraser.dll
2009-03-16 08:00 . 2009-03-16 08:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\naveng32.dll
2009-03-16 08:00 . 2009-03-16 08:00 1181040 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\navex32a.dll
2009-03-16 08:00 . 2009-03-16 08:00 101936 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\ERASER.sys
2009-03-14 05:07 . 2009-03-14 05:07 15440 ----a-w- c:\windows\system32\drivers\hamachi.sys
2008-07-07 03:14 . 2008-07-07 03:14 8 --sha-r- c:\windows\System32\B80BE66F79.sys
2008-07-07 04:11 . 2008-07-07 03:14 2516 --sha-w- c:\windows\System32\KGyGaAvL.sys
2007-04-12 19:56 . 2007-04-12 19:55 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-06-06_00.44.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-04-12 12:35 . 2009-06-06 03:34 55808 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2007-04-15 01:44 . 2009-06-06 03:34 14770 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3350525115-1583221867-2151667216-1000_UserData.bin
- 2007-04-15 01:35 . 2009-06-05 23:56 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-04-15 01:35 . 2009-06-06 03:42 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-04-15 01:35 . 2009-06-06 03:42 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-04-15 01:35 . 2009-06-05 23:56 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-04-15 01:35 . 2009-06-06 03:42 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-04-15 01:35 . 2009-06-05 23:56 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 13:05 . 2009-06-06 03:39 134934 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-12-12 273864]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-01-17 486856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2006-11-02 2159104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-08 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-08 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-08 81920]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 17920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-11-28 134808]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-15 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-15 2407184]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_16\bin\jusched.exe" [2008-05-28 75256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-02-08 303104]

c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TokBox.lnk - c:\program files\TokBox\TokBox.exe [2009-6-5 95744]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-4-12 45056]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-11-12 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders credssp.dll, digeste.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan6th June 2009, 3:54 am

more_horiz
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A2D7434F-3124-4E4D-9FA1-3A7CBF579077}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{B8F783D6-A38C-4FA0-A0DD-ADA9FF3BB54B}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{120CA787-A512-44D9-979D-F0C3C2C49D61}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{E3A798B5-7427-41CE-866A-049DC2412B94}"= TCP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"TCP Query User{0515D08A-7B2C-49C3-940C-26C12B390210}c:\\stubinstaller.exe"= UDP:C:\stubinstaller.exe:LimeWire swarmed installer
"UDP Query User{3A90F21B-2D8B-4EF1-A1F1-D52AAD9C242C}c:\\stubinstaller.exe"= TCP:C:\stubinstaller.exe:LimeWire swarmed installer
"TCP Query User{36DB7E36-0E01-40A7-89C8-7BBD11B8A375}c:\\program files\\aim\\aim.exe"= UDP:c:\program files\aim\aim.exe:AOL Instant Messenger
"UDP Query User{FAA3E0AF-2AE5-488E-B70A-E2F7DFF1E7AA}c:\\program files\\aim\\aim.exe"= TCP:c:\program files\aim\aim.exe:AOL Instant Messenger
"{4F3C97ED-B456-4B36-A8A9-120D0271F3D6}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{C6FF993A-A000-41F6-837C-1506E2183C91}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{F2C9B5C6-ACD5-4E98-B15F-88D48EBAFD77}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{363E3118-F62E-4230-A15E-6BF61B076580}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
"{915F5D43-81E2-4ADA-8396-979B319DF602}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{B57C4BE5-2652-44BE-86E3-5FA3CE0DC1C8}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{18818A99-7423-4D13-902F-01A69BFD0BA7}"= UDP:c:\programdata\NexonUS\NGM\NGM.exe:Nexon Game Manager
"{64FAB89A-CFDF-4CBC-9310-509AF2831E94}"= TCP:c:\programdata\NexonUS\NGM\NGM.exe:Nexon Game Manager
"TCP Query User{FA1C5933-DA7C-4F78-ADC0-8CC69611C674}c:\\program files\\swiftswitch\\swiftswitch.exe"= UDP:c:\program files\swiftswitch\swiftswitch.exe:World Switcher for RuneScape
"UDP Query User{604419F6-C91D-49B8-8B91-E96969B37CE2}c:\\program files\\swiftswitch\\swiftswitch.exe"= TCP:c:\program files\swiftswitch\swiftswitch.exe:World Switcher for RuneScape
"TCP Query User{C2119F67-BA08-432E-ABFF-881989311F9F}c:\\program files\\itunes\\itunes.exe"= UDP:c:\program files\itunes\itunes.exe:iTunes
"UDP Query User{CA79C40E-64A2-4ADE-990C-4A4B26ACEB52}c:\\program files\\itunes\\itunes.exe"= TCP:c:\program files\itunes\itunes.exe:iTunes
"{222D201C-8826-472D-94AE-8B31CDE79E53}"= UDP:c:\program files\Steam\Steam.exe:Steam Client
"{FE22940A-FA55-432C-80B1-1DA923C2AC2B}"= TCP:c:\program files\Steam\Steam.exe:Steam Client
"{53B2688D-6870-4F0B-87C1-514579C8C1C1}"= UDP:c:\nexon\KartRider\NMService.exe:Nexon Messenger Core
"{7D2FB9FA-647E-4247-9163-35CE9A825FCA}"= TCP:c:\nexon\KartRider\NMService.exe:Nexon Messenger Core
"TCP Query User{081B639A-069D-41B8-AADB-9E6B0A486F3D}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{49DF69FE-EE69-474B-A4A3-B1EA72910B3C}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"{C54D57B5-F1BC-4E6B-AD42-7D079DCAA732}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{FBCBEBC9-4E8A-47A6-9625-325AF1C5A0E3}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{54243C78-1E5D-4412-B98B-FA52AC521ACF}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{B8EBCA04-6010-4D8A-8C3D-A8BC76C88EB0}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{71FAC19E-F722-408B-859E-C2B386E62E78}"= UDP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{1304E72F-D067-46B4-8AE8-F402CA277FBD}"= TCP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{B7D27902-3D26-4C3F-869E-D1FA3816983E}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{D40FDC8D-6DC7-40FD-AF10-FC4E4D074BE4}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{8443CB31-F367-48FF-A017-226410DC1A7E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2A60F4E8-A184-4D8D-BBE9-8EF595DCE228}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{199AEB4C-5BFF-460C-9F33-9FAC4C066243}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{834CF976-7CA7-437F-8C8F-F0C6544C4BE9}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/5/2009 8:01 PM 101936]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/28/2006 6:34 AM 122008]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [1/9/2007 3:32 PM 38200]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/3/2008 7:05 PM 24652]

--- Other Services/Drivers In Memory ---

*Deregistered* - sptd
.
Contents of the 'Scheduled Tasks' folder

2009-06-06 c:\windows\Tasks\Norton Security Scan for Michael.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 11:18]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: motive.com\pattcwprt.att
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\fvy9j0cg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJPI150_16.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-05 20:48
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(9140)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\rundll32.exe
c:\program files\Symantec AntiVirus\VPTray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Logitech\QuickCam\LU\LULnchr.exe
c:\program files\Logitech\QuickCam\LU\LogitechUpdate.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\program files\Java\jre1.5.0_16\bin\jucheck.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
.
**************************************************************************
.
Completion time: 2009-06-06 20:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-06 03:54
ComboFix2.txt 2009-06-06 00:45

Pre-Run: 166,936,190,976 bytes free
Post-Run: 166,897,790,976 bytes free

425 --- E O F --- 2009-06-05 03:13

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan6th June 2009, 3:56 am

more_horiz
Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate

Unknown Virus/Trojan 2wg6fte

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan6th June 2009, 4:04 am

more_horiz
Malwarebytes' Anti-Malware 1.37
Database version: 2235
Windows 6.0.6000

6/5/2009 9:06:00 PM
mbam-log-2009-06-05 (21-06-00).txt

Scan type: Quick Scan
Objects scanned: 82682
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan6th June 2009, 4:44 am

more_horiz
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Unknown Virus/Trojan CF_Cleanup

This will also reset your restore points.

How is the machine running now?

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate

Unknown Virus/Trojan 2wg6fte

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan6th June 2009, 6:59 pm

more_horiz
beautifully, thank you. i'll be sure to comeback and donate when i get my creditcard this summer =]

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan6th June 2009, 7:07 pm

more_horiz
Need to uninstall a few things now.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Unknown Virus/Trojan DXwU4
Unknown Virus/Trojan VvYDg

descriptionUnknown Virus/Trojan EmptyRe: Unknown Virus/Trojan

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum