Well, I don't know what I did. I ran some .exe file from a movie I downloaded and bam; it was supposed to generate a password for a RAR file. I ran HijackThis and thought maybe someone could help me. I've run a bunch of programs I had installed (NOD32, Ad-Aware, Spybot), so some things are fixed, but now I can't install things I found here like MBAM; it says I can't modify the registry for some reason. My Start menu has changed, I can't see the C: drive in Explorer, and websites won't load; I have to keep reloading them or I get this thing that wants me to download some virus software. Please help me! I am grateful for you folks being here and for anyone who can help me. Thanks, Larry
Here's my HijackThis log and some others I've seen asked for. I can't install some programs for some reason.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:10: , on 9/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\KDX .9 Server\KDXServer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\KDX 1.5 Server\KDXServer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SoulseekNS\slsk.exe
C:\Program Files\FerretSoft\WebFerret\WebFerret.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRA~1\NETSCA~1\NETSCA~1\pbhelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: QXK Olive - {E6FF4428-A6FA-4934-96B1-5D43F3359A25} - C:\WINDOWS\vanwxemgpab.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: gksraemq - {3CC64413-8D34-4336-A176-4DA5F7C147F1} - C:\WINDOWS\gksraemq.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P35 "EPSON Stylus CX4800 Series (Copy 1)" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lphcvnkj0e79g] C:\WINDOWS\system32\lphcvnkj0e79g.exe
O4 - HKLM\..\Run: [inrhcrnkj0e79g] C:\Documents and Settings\Administrator\Local Settings\Temp\.tt15A.tmp.exe
O4 - HKLM\..\Run: [\VIE89C2.exe] C:\Windows\System32\VIE89C2.exe
O4 - HKLM\..\Run: [\VIE89C6.exe] C:\Windows\System32\VIE89C6.exe
O4 - HKLM\..\Run: [\VIE89D0.exe] C:\Windows\System32\VIE89D0.exe
O4 - HKLM\..\Run: [\VIE89DB.exe] C:\Windows\System32\VIE89DB.exe
O4 - HKLM\..\Run: [\VIE8A8E.exe] C:\Windows\System32\VIE8A8E.exe
O4 - HKLM\..\Run: [\VIE10.exe] C:\Windows\System32\VIE10.exe
O4 - HKLM\..\Run: [\VIE14.exe] C:\Windows\System32\VIE14.exe
O4 - HKLM\..\Run: [\VIE15C.exe] C:\Windows\System32\VIE15C.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX4800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P35 "EPSON Stylus CX4800 Series (Copy 1)" /M "Stylus CX4800" /EF "HKCU"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [\VIE89C2.exe] C:\Windows\System32\VIE89C2.exe
O4 - HKCU\..\Run: [\VIE89C6.exe] C:\Windows\System32\VIE89C6.exe
O4 - HKCU\..\Run: [\VIE89D0.exe] C:\Windows\System32\VIE89D0.exe
O4 - HKCU\..\Run: [\VIE89DB.exe] C:\Windows\System32\VIE89DB.exe
O4 - HKCU\..\Run: [\VIE8A8E.exe] C:\Windows\System32\VIE8A8E.exe
O4 - HKCU\..\Run: [\VIE10.exe] C:\Windows\System32\VIE10.exe
O4 - HKCU\..\Run: [\VIE11.exe] C:\Windows\System32\VIE11.exe
O4 - HKCU\..\Run: [\VIE12.exe] C:\Windows\System32\VIE12.exe
O4 - HKCU\..\Run: [\VIE13.exe] C:\Windows\System32\VIE13.exe
O4 - HKCU\..\Run: [\VIE1236.exe] C:\Windows\System32\VIE1236.exe
O4 - HKCU\..\Run: [\VIE14.exe] C:\Windows\System32\VIE14.exe
O4 - HKCU\..\Run: [\VIE15C.exe] C:\Windows\System32\VIE15C.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Shortcut to .9 KDXClient.lnk = C:\Program Files\KDX .9 Client\KDXClient.exe
O4 - Startup: Shortcut to .9 KDXServer.lnk = C:\Program Files\KDX .9 Server\KDXServer.exe
O4 - Startup: Shortcut to 1.5 KDXClient.lnk = C:\Program Files\KDX 1.5 Client\KDXClient.exe
O4 - Startup: Shortcut to 1.5 KDXServer.lnk = C:\Program Files\KDX 1.5 Server\KDXServer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O21 - SSODL: xrdwbfgn - {F8D1EF17-A8CE-4AAD-913E-D64AB99058DF} - C:\WINDOWS\xrdwbfgn.dll (file missing)
O21 - SSODL: dgksvbpn - {AB3099B3-70D6-426D-B625-265C91F88199} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Cat Soft - C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/03/clip_image001.jpg
--
End of file - 17245 bytes
SmitFraudFix v2.345
Scan done at 22:27:15.12, Wed 09/03/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\KDX .9 Server\KDXServer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\KDX 1.5 Server\KDXServer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SoulseekNS\slsk.exe
C:\Program Files\FerretSoft\WebFerret\WebFerret.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg"
"SubscribedURL"="file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/03/clip_image001.jpg"
"SubscribedURL"="file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/03/clip_image001.jpg"
"FriendlyName"=""
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
+--------------------------------------------------+
[!] Suspicious: vanwxemgpab.dll
BHO: QXK Olive - {E6FF4428-A6FA-4934-96B1-5D43F3359A25}
TypeLib: {54C49BD2-3717-4745-AA45-FD4266AF99AE}
Interface: {5D715E01-2461-4FBC-8083-94713C094CDE}
Interface: {B9A6AE5D-00B0-4701-B4AF-1AEBF84A8BA9}
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!
AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» RK
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{94DCB784-3B49-434E-9D80-159BEBA09F66}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{94DCB784-3B49-434E-9D80-159BEBA09F66}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{94DCB784-3B49-434E-9D80-159BEBA09F66}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
ComboFix 08-09-03.03 - Administrator 09/03/2008 22:30:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.589 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\M7JHLEV8\bin.clearspring.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\M7JHLEV8\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\M7JHLEV8\interclick.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\M7JHLEV8\interclick.com\ud.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\vanwxemgpab.dll
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-08-04 to 2008-09-04 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-04 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-04 14:25 --------- d-----w C:\Program Files\Lavasoft
2008-09-04 14:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-04 14:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-09-04 13:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-04 05:39 --------- d-----w C:\Program Files\MSA
2008-09-04 05:27 7,878 ----a-w C:\WINDOWS\system32\tmp.reg
2008-09-04 05:10 --------- d-----w C:\Program Files\Trend Micro
2008-09-04 04:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Soulseek
2008-09-03 06:58 88,576 ----a-w C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-09-03 03:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-03 03:52 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-03 03:43 --------- d-----w C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-02 23:51 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-09-02 23:16 --------- d-----w C:\Program Files\DC++
2008-09-02 21:31 86,016 ----a-w C:\WINDOWS\sxmaokgf.exe
2008-09-01 04:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-08-29 05:36 82,432 ----a-w C:\WINDOWS\system32\IEDFix.C.exe
2008-08-28 13:46 --------- d-----w C:\Program Files\ICQ6
2008-08-27 00:34 --------- d-----w C:\Program Files\ESET
2008-08-27 00:31 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-08-27 00:31 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-08-27 00:31 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-08-27 00:22 --------- d-----w C:\Program Files\Unlocker
2008-08-19 19:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-08-19 16:41 --------- d-----w C:\Program Files\eMule
2008-08-19 02:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AccurateRip
2008-08-18 19:19 82,432 ----a-w C:\WINDOWS\system32\404Fix.exe
2008-08-16 21:47 --------- d-----w C:\Program Files\FLAC
2008-08-12 16:32 --------- d-----w C:\Program Files\Advanced Disk Catalog
2008-08-10 04:50 --------- d-----w C:\Program Files\Soulseek
2008-08-07 21:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-08-03 01:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-07-28 21:41 --------- d-----w C:\Program Files\iTunes
2008-07-28 21:41 --------- d-----w C:\Program Files\iPod
2008-07-28 21:38 --------- d-----w C:\Program Files\Bonjour
2008-07-28 21:37 --------- d-----w C:\Program Files\QuickTime
2008-07-28 21:35 --------- d-----w C:\Program Files\Common Files\Apple
2008-07-28 21:35 --------- d-----w C:\Program Files\Apple Software Update
2008-07-28 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:31 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Snapfish
2008-07-12 23:15 --------- d-----w C:\Program Files\Exact Audio Copy
2008-07-12 23:11 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AD ON Multimedia
2008-07-12 23:08 --------- d-----w C:\Program Files\NCH Swift Sound
2008-07-12 23:08 --------- d-----w C:\Program Files\NCH Software
2008-07-12 23:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-07-12 23:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound
2008-07-10 16:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-06 23:42 --------- d-----w C:\Program Files\SoulseekNS
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-03-05 15:05 93,792 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-12-10 02:25 634 ----a-w C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EA756889-2338-43DB-8F07-D1CA6FB9C90D}"= "C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll" [03/07/2008 06:55: 1090912]
[HKEY_CLASSES_ROOT\clsid\{ea756889-2338-43db-8f07-d1ca6fb9c90d}]
[HKEY_CLASSES_ROOT\AOLTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{371A6A18-2D6A-4DF8-A4AA-61CA349B3C70}]
[HKEY_CLASSES_ROOT\AOLTB.AOLTBSearch]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 12:00: 15360]
"EPSON Stylus CX4800 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [02/01/2005 12:00: 98304]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 16:45: 313472]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [04/17/2008 16:27: 9117696]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [08/24/2008 08:14: 173304]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/18/2008 18:41: 1832272]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 21:56: 64512]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/10/2005 03:06: 7311360]
"Gateway Extended Warranty"="C:\Program Files\Gateway\GWCares\GWCares.exe" [02/08/2004 17:30: 73728]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [08/27/2005 06:09: 139264]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/14/2002 00:42: 212992]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 21:24: 32768]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [10/27/2005 17:17: 8740864]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [06/30/2004 16:56: 2376928]
"NetLimiter"="C:\Program Files\NetLimiter\NetLimiter.exe" [03/03/2006 12:27: 806912]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/10/2005 03:06: 86016]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 23:46: 57344]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [02/01/2005 12:00: 98304]
"EPSON Stylus CX4800 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [02/01/2005 12:00: 98304]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50: 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [08/26/2008 17:31: 949376]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [08/10/2004 12:00: 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/10/2004 12:00: 59392]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [04/29/2008 19:56: 158624]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47: 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50: 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2008 10:51: 289064]
"nwiz"="nwiz.exe" [12/10/2005 03:06: 1519616 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [04/17/2008 16:27: 9117696]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Shortcut to .9 KDXClient.lnk - C:\Program Files\KDX .9 Client\KDXClient.exe [2/23/2006 14:28:16 896512]
Shortcut to .9 KDXServer.lnk - C:\Program Files\KDX .9 Server\KDXServer.exe [2/23/2006 14:27:13 553984]
Shortcut to 1.5 KDXClient.lnk - C:\Program Files\KDX 1.5 Client\KDXClient.exe [2/23/2006 14:28:46 1219584]
Shortcut to 1.5 KDXServer.lnk - C:\Program Files\KDX 1.5 Server\KDXServer.exe [2/23/2006 14:29:00 666112]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [11/6/2007 21:27:58 110592]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 22:05:26 29696]
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2/17/2006 23:46:42 1742384]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2/26/2006 15:58:46 169472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 0 (0x0)
"NoDispCPL"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"NoStartMenuMorePrograms"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.enc"= ITIG726.acm
"msacm.divxa32"= msaud32_divx.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1140818125\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1140818125\\ee\\aim6.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\RhinoSoft.com\\Serv-U\\ServUAdmin.exe"=
"C:\\Program Files\\KDX 1.5 Server\\KDXServer.exe"=
"C:\\Program Files\\KDX 1.5 Client\\KDXClient.exe"=
"C:\\Program Files\\KDX .9 Client\\KDXClient.exe"=
"C:\\Program Files\\KDX .9 Server\\KDXServer.exe"=
"C:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FTPVoyager.exe"=
"C:\\Program Files\\FerretSoft\\WebFerret\\WebFerret.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\SoulseekNS\\slsk.exe"=
R2 Serv-U;Serv-U FTP Server;C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe [06/24/2005 17:22: 3364352]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [01/04/2007 14:38: 24652]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [04/29/2008 19:39: 40704]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [04/29/2008 19:56: 61856]
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS [ ]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [04/29/2008 19:56: 245664]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95ad4e39-e363-11da-b78b-00038a000015}]
\Shell\AutoRun\command - L:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d235aac-eab4-11dc-ba97-00167602e097}]
\Shell\AutoRun\command - L:\SysWin32.exe
\Shell\explorer\command - L:\SysWin32.exe
\Shell\open\command - L:\SysWin32.exe
*Newly Created Service* - AAWSERVICE
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
BHO-{E6FF4428-A6FA-4934-96B1-5D43F3359A25} - C:\WINDOWS\vanwxemgpab.dll
Toolbar-{3CC64413-8D34-4336-A176-4DA5F7C147F1} - C:\WINDOWS\gksraemq.dll
HKCU-Run-\VIE89C2.exe - C:\Windows\System32\VIE89C2.exe
HKCU-Run-\VIE89C6.exe - C:\Windows\System32\VIE89C6.exe
HKCU-Run-\VIE89D0.exe - C:\Windows\System32\VIE89D0.exe
HKCU-Run-\VIE89DB.exe - C:\Windows\System32\VIE89DB.exe
HKCU-Run-\VIE8A8E.exe - C:\Windows\System32\VIE8A8E.exe
HKCU-Run-\VIE10.exe - C:\Windows\System32\VIE10.exe
HKCU-Run-\VIE11.exe - C:\Windows\System32\VIE11.exe
HKCU-Run-\VIE12.exe - C:\Windows\System32\VIE12.exe
HKCU-Run-\VIE13.exe - C:\Windows\System32\VIE13.exe
HKCU-Run-\VIE1236.exe - C:\Windows\System32\VIE1236.exe
HKCU-Run-\VIE14.exe - C:\Windows\System32\VIE14.exe
HKCU-Run-\VIE15C.exe - C:\Windows\System32\VIE15C.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-AOLDialer - C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
HKLM-Run-HP Component Manager - C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
HKLM-Run-HPDJ Taskbar Utility - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
HKLM-Run-HP Software Update - C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
HKLM-Run-Pure Networks Port Magic - C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
HKLM-Run-AVG7_CC - C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
HKLM-Run-AVG7_EMC - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
HKLM-Run-AVG7_RegCleaner - C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe
HKLM-Run-CaISSDT - C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
HKLM-Run-eTrustPPAP - C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
HKLM-Run-lphcvnkj0e79g - C:\WINDOWS\system32\lphcvnkj0e79g.exe
HKLM-Run-inrhcrnkj0e79g - C:\Documents and Settings\Administrator\Local Settings\Temp\.tt15A.tmp.exe
HKLM-Run-\VIE89C2.exe - C:\Windows\System32\VIE89C2.exe
HKLM-Run-\VIE89C6.exe - C:\Windows\System32\VIE89C6.exe
HKLM-Run-\VIE89D0.exe - C:\Windows\System32\VIE89D0.exe
HKLM-Run-\VIE89DB.exe - C:\Windows\System32\VIE89DB.exe
HKLM-Run-\VIE8A8E.exe - C:\Windows\System32\VIE8A8E.exe
HKLM-Run-\VIE10.exe - C:\Windows\System32\VIE10.exe
HKLM-Run-\VIE14.exe - C:\Windows\System32\VIE14.exe
HKLM-Run-\VIE15C.exe - C:\Windows\System32\VIE15C.exe
HKLM-Run-SigmatelSysTrayApp - sttray.exe
SSODL-xrdwbfgn-{F8D1EF17-A8CE-4AAD-913E-D64AB99058DF} - C:\WINDOWS\xrdwbfgn.dll
SSODL-dgksvbpn-{AB3099B3-70D6-426D-B625-265C91F88199} - (no file)
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Search Bar = hxxp://google.icq.com/search/search_frame.php
R0 -: HKCU-Main,Start Page = about:blank
R1 -: HKCU-Internet Settings,ProxyOverride = localhost;*.local
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O8 -: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 -: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 -: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 -: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 -: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 -: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 -: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
- C:\WINDOWS\Downloaded Program Files\RhapX.inf
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 22:37:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\VIE89C2.exe"="C:\\Windows\\System32\\VIE89C2.exe"
"\\VIE89C6.exe"="C:\\Windows\\System32\\VIE89C6.exe"
"\\VIE89D0.exe"="C:\\Windows\\System32\\VIE89D0.exe"
"\\VIE89DB.exe"="C:\\Windows\\System32\\VIE89DB.exe"
"\\VIE8A8E.exe"="C:\\Windows\\System32\\VIE8A8E.exe"
"\\VIE10.exe"="C:\\Windows\\System32\\VIE10.exe"
"\\VIE14.exe"="C:\\Windows\\System32\\VIE14.exe"
"\\VIE15C.exe"="C:\\Windows\\System32\\VIE15C.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\VIE89C2.exe"="C:\\Windows\\System32\\VIE89C2.exe"
"\\VIE89C6.exe"="C:\\Windows\\System32\\VIE89C6.exe"
"\\VIE89D0.exe"="C:\\Windows\\System32\\VIE89D0.exe"
"\\VIE89DB.exe"="C:\\Windows\\System32\\VIE89DB.exe"
"\\VIE8A8E.exe"="C:\\Windows\\System32\\VIE8A8E.exe"
"\\VIE10.exe"="C:\\Windows\\System32\\VIE10.exe"
"\\VIE11.exe"="C:\\Windows\\System32\\VIE11.exe"
"\\VIE12.exe"="C:\\Windows\\System32\\VIE12.exe"
"\\VIE13.exe"="C:\\Windows\\System32\\VIE13.exe"
"\\VIE1236.exe"="C:\\Windows\\System32\\VIE1236.exe"
"\\VIE14.exe"="C:\\Windows\\System32\\VIE14.exe"
"\\VIE15C.exe"="C:\\Windows\\System32\\VIE15C.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\NetLimiter\nl_lsp.dll
-> C:\WINDOWS\system32\nl_msgc.dll
.
Completion time: 09/03/2008 22:39:34
ComboFix-quarantined-files.txt 2008-09-04 05:39:29
Pre-Run: 5,409,116,160 bytes free
Post-Run: 5,491,490,816 bytes free
306 --- E O F --- 2008-08-15 13:13:52