-
cont.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-07-05 19:45:13 450560]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2006-06-25 23:05:30 155715]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-10-02 17:08:08 57344]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2000-08-06 00:03:20 69632]
SMC2862W-G EZ Connect g 802.11g Wireless USB Utility.lnk - C:\Program Files\SMC\SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe [2005-10-17 16:10:34 421888]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-04-24 12:13 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
"LoadAppInit_DLLs"=1 (0x1)
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=C:\WINDOWS\pss\Forget Me Not.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\awtqn.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewpointPhotosDeviceConnect]
C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\FotomatDeviceConnect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2006-12-12 14:45 21464 C:\Program Files\Zune\ZuneLauncher.exe
R0 sojubus;sojubus;C:\WINDOWS\system32\DRIVERS\sojubus.sys [2003-10-05 10:41]
R0 sojuscsi;sojuscsi;C:\WINDOWS\system32\DRIVERS\sojuscsi.sys [2003-09-28 10:57]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-02 14:46]
R2 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;C:\CFusionMX\db\slserver52\bin\swagent.exe "ColdFusion MX ODBC Agent" []
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2006-04-10 09:01]
S3 SMC2862W;SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter Driver;C:\WINDOWS\system32\DRIVERS\2862WICB.sys [2005-11-15 22:16]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56014d2e-1ff4-11db-8d13-000ea65cb895}]
\Shell\AutoRun\command - H:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb86e361-07c3-11db-8cf0-000ea65cb895}]
\Shell\AutoRun\command - setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 07:30:27 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-01 06:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-02-02 16:37:23 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 11:42:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\program files\mcafee\msk\msksrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\MemoKit\memokit2.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Microsoft Office System Information Worker Feedback Program\WfpSaS.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2008-02-02 11:52:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 16:51:59
.
2008-01-30 17:44:07 --- E O F ---
-
Hi
Please post back a fresh HijackThis log :)
-
fresh hijack part 1
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:31 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\program files\mcafee\msk\msksrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\SMC\SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Microsoft Office System Information Worker Feedback Program\wfpscheduler.exe
C:\Program Files\MemoKit\memokit2.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\nsga1.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\LORI\Application Data\Mozilla\Profiles\default\ie2qxrqv.slt\prefs.js)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [RegistryMechanic] "C:\Program Files\Registry Mechanic\RegMech.exe" /QS
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\SMC\SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] "C:\Program Files\McAfee\MBK\LogOnHook.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [McWebDownlMgr] C:\WINDOWS\TEMP\McDMTemp007 (2)\DwnldMgr.exe /runkey (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [McWebDownlMgr] C:\WINDOWS\TEMP\McDMTemp007 (2)\DwnldMgr.exe /runkey (User 'Default user')
O4 - Startup: Kaboom! Jr. Control Panel.lnk = C:\Documents and Settings\Lori\My Documents\My Music\KAB_JR\KABOOM.EXE
O4 - Startup: MemoKit.lnk = C:\Program Files\MemoKit\mk.exe
-
fresh hijack part 2
O4 - Startup: NaturalColorLoad.lnk = ?
O4 - Startup: Office Information Worker Feedback Program.lnk = C:\Program Files\Microsoft Office System Information Worker Feedback Program\wfpscheduler.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SMC2862W-G EZ Connect g 802.11g Wireless USB Utility.lnk = C:\Program Files\SMC\SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim .exe
O9 - Extra button: Vegas Red Casino - {D5AE2D6D-38A7-425c-86C0-E4ABBDB9EC68} - C:\Casino\Vegas Red Casino\casino.exe
O9 - Extra 'Tools' menuitem: Vegas Red Casino - {D5AE2D6D-38A7-425c-86C0-E4ABBDB9EC68} - C:\Casino\Vegas Red Casino\casino.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://www.vip.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://mail.malden.mec.edu/iNotes.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - http://download.infotriever.com/bin/ifhelper.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} (CVALAXObj Class) - https://mycampus.phoenix.edu/support...oad/CVALAX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1151289857000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1151290801484
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/download...ameManager.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://casinoshare.microgaming.com/...re/FlashAX.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - c:\program files\mcafee\msk\msksrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 18497 bytes
-
Hi
You have vundo file infector which might result in reinstalling some startup programs later.
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
Open notepad and copy/paste the text in the quotebox below into it:
Code:
RenV::
----a-w 620,152 2007-12-30 01:02:58 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 57,344 2008-01-09 03:09:18 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
----a-w 67,488 2007-12-30 01:03:04 C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy .exe
----a-w 40,048 2007-12-30 01:02:55 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 67,112 2008-01-07 05:39:30 C:\Program Files\AIM95\aim .exe
----a-w 335,872 2008-01-07 20:53:33 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w 2,321,600 2008-01-07 05:39:38 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 94,208 2008-01-05 19:00:53 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w 28,672 2008-01-09 03:09:08 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
----a-w 278,528 2008-01-09 03:09:07 C:\Program Files\DIGStream\digstream .exe
----a-w 101,888 2008-01-09 03:09:12 C:\Program Files\ESPNRunTime\DIGServices .exe
----a-w 68,856 2008-01-09 03:09:21 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w 49,152 2008-01-09 03:09:19 C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w 267,048 2008-01-16 21:29:06 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 132,496 2008-01-09 03:09:13 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 231,952 2008-01-22 10:35:41 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
----a-w 67,128 2008-01-07 05:39:23 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
----a-w 582,992 2008-01-22 10:34:22 C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w 5,674,352 2008-01-07 05:39:49 C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w 286,720 2008-01-10 03:15:50 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-10 03:15:50 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-10 03:15:50 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-11 13:47:40 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-10 03:15:50 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-10 03:15:51 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-10 03:15:51 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-10 03:15:51 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-11 13:47:41 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-10 03:15:52 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-10 03:15:52 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-10 03:15:52 C:\Program Files\QuickTime\qttask .exe
----a-w 36,904 2008-01-09 03:09:11 C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
----a-w 5,367,608 2008-01-23 00:48:54 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
----a-w 158,208 2008-01-21 17:15:05 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w 28,672 2008-01-07 05:38:44 C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w 15,360 2008-01-22 10:35:18 C:\WINDOWS\system32\ctfmon .exe
----a-w 114,688 2008-01-07 05:38:43 C:\WINDOWS\system32\hkcmd .exe
File::
C:\WINDOWS\system32\xnoxrbby.ini
C:\WINDOWS\system32\hwifxssq.ini
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v6...s/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
-
ComboFix 08-02.02.5 - Lori 2008-02-03 10:43:20.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1412 [GMT -5:00]
Running from: C:\Documents and Settings\Lori\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lori\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\system32\hwifxssq.ini
C:\WINDOWS\system32\xnoxrbby.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\hwifxssq.ini
C:\WINDOWS\system32\xnoxrbby.ini
.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.
2008-02-03 10:34 . 2008-02-03 10:52 124 --a------ C:\WINDOWS\_WVINUSE.ini
2008-01-30 21:21 . 2008-01-30 21:21 <DIR> d-------- C:\Documents and Settings\Noelle\Application Data\Talkback
2008-01-21 19:55 . 2008-02-02 10:55 7,741,472 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-21 19:55 . 2008-02-02 10:55 1,054,752 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-21 19:55 . 2008-02-02 10:55 105,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-21 19:55 . 2008-02-02 10:55 101,000 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-21 19:54 . 2008-01-21 19:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 19:49 . 2008-01-21 19:49 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-21 19:49 . 2008-01-21 19:49 <DIR> d-------- C:\KAV
2008-01-21 12:29 . 2008-01-21 12:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prism
2008-01-21 12:28 . 2005-11-15 22:16 357,632 -ra------ C:\WINDOWS\system32\drivers\2862WICB.sys
2008-01-21 12:27 . 2008-01-21 12:27 <DIR> d-------- C:\Program Files\SMC
2008-01-21 12:27 . 2008-01-21 12:27 15,781 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys
2008-01-21 12:15 . 2008-01-21 12:15 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2008-01-21 10:51 . 2008-01-21 10:51 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\HPAppData
2008-01-19 07:29 . 2008-01-23 22:31 1,357 --a------ C:\WINDOWS\wininit.ini
2008-01-19 06:30 . 2008-01-19 06:30 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\Talkback
2008-01-18 16:57 . 2008-01-19 05:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-18 16:57 . 2008-01-19 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-16 16:29 . 2008-01-16 16:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 16:29 . 2008-01-16 16:29 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-16 15:57 . 2008-01-16 15:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-01-15 23:14 . 2008-01-15 23:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-01-15 23:12 . 2003-12-02 16:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-01-15 23:11 . 2008-01-15 23:11 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-11 23:08 . 2008-01-22 05:42 <DIR> d-------- C:\VundoFix Backups
2008-01-06 13:39 . 2008-01-06 13:39 <DIR> d-------- C:\Documents and Settings\Noelle\Application Data\HPAppData
2008-01-06 00:43 . 2008-01-06 00:43 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-05 23:56 . 2008-01-05 23:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2008-01-05 23:49 . 2007-03-07 23:20 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-01-05 23:48 . 2008-01-05 23:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-01-05 23:48 . 2007-03-07 23:20 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-01-05 23:45 . 2007-05-02 03:56 954,368 -ra------ C:\WINDOWS\system32\hpotiop5.dll
2008-01-05 23:45 . 2007-05-02 04:01 675,840 -ra------ C:\WINDOWS\system32\hpowiax5.dll
2008-01-05 23:45 . 2007-03-07 23:20 364,544 -ra------ C:\WINDOWS\system32\hppldcoi.dll
2008-01-05 23:45 . 2007-03-07 23:20 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll
2008-01-05 23:45 . 2007-05-02 04:00 303,104 -ra------ C:\WINDOWS\system32\hpovst12.dll
2008-01-05 23:45 . 2007-03-07 23:20 21,568 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-01-05 23:25 . 2008-01-05 23:25 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\HP
2008-01-05 23:19 . 2008-01-05 23:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-01-05 23:12 . 2008-01-05 23:14 146,986 --------- C:\WINDOWS\hpoins21.dat.temp
2008-01-05 23:12 . 2007-05-15 05:10 8,138 --------- C:\WINDOWS\hpomdl21.dat.temp
2008-01-05 22:49 . 2008-01-05 22:49 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\HPAppData
2008-01-05 21:59 . 2008-01-05 21:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-01-05 21:59 . 2008-01-05 22:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-01-05 21:58 . 2008-01-05 21:58 <DIR> d-------- C:\Program Files\Common Files\HP
2008-01-05 21:57 . 2008-01-05 21:57 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-01-05 21:56 . 2008-01-05 21:56 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-01-05 21:54 . 2008-01-05 23:19 <DIR> d-------- C:\Program Files\HP
2008-01-05 21:52 . 2008-01-06 00:01 147,669 --a------ C:\WINDOWS\hpoins21.dat
2008-01-05 21:52 . 2007-05-15 05:10 8,138 --------- C:\WINDOWS\hpomdl21.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 15:51 22 ----a-w C:\qpmd8376.bin
2008-02-03 15:43 --------- d-----w C:\Program Files\QuickTime
2008-02-03 15:42 --------- d-----w C:\Program Files\MSN Messenger
2008-02-03 15:42 --------- d-----w C:\Program Files\iTunes
2008-02-03 15:42 --------- d-----w C:\Program Files\ESPNRunTime
2008-02-03 15:42 --------- d-----w C:\Program Files\DIGStream
2008-02-03 15:42 --------- d-----w C:\Program Files\AIM95
2008-02-03 15:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-03 09:46 --------- d-----w C:\Documents and Settings\Lori\Application Data\SiteAdvisor
2008-02-02 18:54 --------- d-----w C:\Program Files\VIP Casinos
2008-02-02 03:11 --------- d-----w C:\Documents and Settings\Bob\Application Data\SiteAdvisor
2008-01-31 04:17 --------- d-----w C:\Documents and Settings\Noelle\Application Data\SiteAdvisor
2008-01-21 17:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-21 17:15 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
2008-01-17 01:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-17 01:48 --------- d-----w C:\Documents and Settings\Lori\Application Data\McAfee
2008-01-11 03:31 --------- d-----w C:\Program Files\WhiteSmoke
2008-01-09 03:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2008-01-05 01:56 1,526,640 ----a-w C:\WINDOWS\WRSetup.dll
2008-01-05 01:34 23,920 ----a-w C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-05 01:34 21,872 ----a-w C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-05 01:34 20,336 ----a-w C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-05 01:34 163,696 ----a-w C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-04 01:45 --------- d-----w C:\Program Files\DL_cats
2008-01-03 04:30 --------- d-----w C:\Program Files\Casino Share Flash Casino
2008-01-02 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\MGS
2007-12-31 05:29 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-12-31 05:23 --------- d-----w C:\Program Files\Dell_Photo AIO Printer 962
2007-12-30 17:30 --------- d-----w C:\Program Files\Dell_ENA
2007-12-30 17:30 --------- d-----w C:\Program Files\Dell
2007-12-30 16:05 --------- d-----w C:\Program Files\KeyGen Crack
2007-12-30 01:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\espionServerData
2007-12-30 00:38 --------- d-----w C:\Documents and Settings\Lori\Application Data\AdobeUM
2007-12-28 02:04 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-28 01:56 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-12-27 23:32 --------- d-----w C:\Documents and Settings\Lori\Application Data\Apple Computer
2007-12-23 00:02 --------- d-----w C:\Program Files\BatchPhoto
2007-12-23 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-21 04:02 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-09 21:11 --------- d-----w C:\Program Files\PhotoFiltre
2007-12-08 05:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-11-09 01:13 164 ----a-w C:\install.dat
2002-05-19 05:57 944,797 ----a-w C:\Program Files\wrar300.exe
2002-05-15 04:37 473 ----a-w C:\Program Files\rarregkey.txt
2002-04-01 13:43 11,264 ----a-w C:\Program Files\readme.wri
.
Code:
<pre>
----a-w 286,720 2008-01-11 13:47:40 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-11 13:47:41 C:\Program Files\QuickTime\qttask .exe
----a-w 5,367,608 2008-01-23 00:48:54 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
----a-w 155,648 2008-01-07 05:38:41 C:\WINDOWS\system32\igfxtray .exe
</pre>
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-16 16:42 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [ ]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [2006-10-30 13:12 2287152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"PRISMSVR.EXE"="C:\Program Files\SMC\SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter\PRISMSVR.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2008-01-08 22:09 28672]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-01-22 05:34 582992]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-08 22:09 68856]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"McWebDownlMgr"="C:\WINDOWS\TEMP\McDMTemp007 (2)\DwnldMgr.exe" [ ]
C:\Documents and Settings\Lori\Start Menu\Programs\Startup\
Kaboom! Jr. Control Panel.lnk - C:\Documents and Settings\Lori\My Documents\My Music\KAB_JR\KABOOM.EXE [2007-03-04 19:28:55 5072]
MemoKit.lnk - C:\Program Files\MemoKit\mk.exe [2004-04-19 11:58:34 21504]
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2006-06-25 23:05:30 155715]
Office Information Worker Feedback Program.lnk - C:\Program Files\Microsoft Office System Information Worker Feedback Program\wfpscheduler.exe [2006-04-22 10:46:30 106496]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-07-05 19:45:13 450560]
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2006-06-25 23:05:30 155715]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-10-02 17:08:08 57344]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2000-08-06 00:03:20 69632]
SMC2862W-G EZ Connect g 802.11g Wireless USB Utility.lnk - C:\Program Files\SMC\SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe [2005-10-17 16:10:34 421888]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-04-24 12:13 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=C:\WINDOWS\pss\Forget Me Not.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-08 22:09 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewpointPhotosDeviceConnect]
C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\FotomatDeviceConnect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2006-12-12 14:45 21464 C:\Program Files\Zune\ZuneLauncher.exe
R0 sojubus;sojubus;C:\WINDOWS\system32\DRIVERS\sojubus.sys [2003-10-05 10:41]
R0 sojuscsi;sojuscsi;C:\WINDOWS\system32\DRIVERS\sojuscsi.sys [2003-09-28 10:57]
-
new combo fix part2
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-02 14:46]
R2 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;C:\CFusionMX\db\slserver52\bin\swagent.exe "ColdFusion MX ODBC Agent" []
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2006-04-10 09:01]
S3 SMC2862W;SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter Driver;C:\WINDOWS\system32\DRIVERS\2862WICB.sys [2005-11-15 22:16]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56014d2e-1ff4-11db-8d13-000ea65cb895}]
\Shell\AutoRun\command - H:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb86e361-07c3-11db-8cf0-000ea65cb895}]
\Shell\AutoRun\command - setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 07:30:27 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-01 06:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-02-03 15:53:54 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 10:52:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\program files\mcafee\msk\msksrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\MemoKit\memokit2.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Microsoft Office System Information Worker Feedback Program\WfpSaS.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.
**************************************************************************
.
Completion time: 2008-02-03 11:01:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-03 16:01:53
ComboFix2.txt 2008-02-02 16:52:06
.
2008-01-30 17:44:07 --- E O F ---
-
hjt pt 1
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:30 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\program files\mcafee\msk\msksrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SMC\SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\MemoKit\memokit2.exe
C:\Program Files\Microsoft Office System Information Worker Feedback Program\wfpscheduler.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Microsoft Office System Information Worker Feedback Program\WfpSaS.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\nsga1.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\LORI\Application Data\Mozilla\Profiles\default\ie2qxrqv.slt\prefs.js)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [RegistryMechanic] "C:\Program Files\Registry Mechanic\RegMech.exe" /QS
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\SMC\SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] "C:\Program Files\McAfee\MBK\LogOnHook.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [McWebDownlMgr] C:\WINDOWS\TEMP\McDMTemp007 (2)\DwnldMgr.exe /runkey (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [McWebDownlMgr] C:\WINDOWS\TEMP\McDMTemp007 (2)\DwnldMgr.exe /runkey (User 'Default user')
O4 - Startup: Kaboom! Jr. Control Panel.lnk = C:\Documents and Settings\Lori\My Documents\My Music\KAB_JR\KABOOM.EXE
O4 - Startup: MemoKit.lnk = C:\Program Files\MemoKit\mk.exe
O4 - Startup: NaturalColorLoad.lnk = ?
O4 - Startup: Office Information Worker Feedback Program.lnk = C:\Program Files\Microsoft Office System Information Worker Feedback Program\wfpscheduler.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SMC2862W-G EZ Connect g 802.11g Wireless USB Utility.lnk = C:\Program Files\SMC\SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim .exe (file missing)
O9 - Extra button: Vegas Red Casino - {D5AE2D6D-38A7-425c-86C0-E4ABBDB9EC68} - C:\Casino\Vegas Red Casino\casino.exe
O9 - Extra 'Tools' menuitem: Vegas Red Casino - {D5AE2D6D-38A7-425c-86C0-E4ABBDB9EC68} - C:\Casino\Vegas Red Casino\casino.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://www.vip.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://mail.malden.mec.edu/iNotes.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - http://download.infotriever.com/bin/ifhelper.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} (CVALAXObj Class) - https://mycampus.phoenix.edu/support...oad/CVALAX.CAB
-
htj pt2
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1151289857000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1151290801484
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/download...ameManager.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://casinoshare.microgaming.com/...re/FlashAX.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - c:\program files\mcafee\msk\msksrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 18565 bytes
-
Hi
Not 100% success, but better.
Open notepad and copy/paste the text in the quotebox below into it:
Code:
RenV::
----a-w 286,720 2008-01-11 13:47:40 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-11 13:47:41 C:\Program Files\QuickTime\qttask .exe
----a-w 5,367,608 2008-01-23 00:48:54 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
----a-w 155,648 2008-01-07 05:38:41 C:\WINDOWS\system32\igfxtray .exe
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v6...s/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.