
Thread: Bad Windows Image

  1. #11 - Member (Join Date: Nov 2007, Posts: 30)

    OK, thanks for that, but can you answer my first question please.

    Bugger, I know how to and will format the PC if necessary. But if I must take that action, would I be able to connect my external HDD to back up files (just my site and stuff like that, no programs) without it being infected?

    Thanks,
    Dan

  2. #12 - Member (Join Date: Nov 2007, Posts: 30)

    Sorry, I have changed my mind: I would rather try to clean the PC than format it.

  3. #13 - pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)

    OK Dan, we can do that. Since a bit of time has passed and malware changes quickly, I would like you to remove the version of combofix report and a new HJT log. Please remember to keep the computer offline except when troubleshooting until we have kicked this junk out, as it may download more.

    Thanks to sUBs and anyone else who helped with this fix.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  4. #14 - Member (Join Date: Nov 2007, Posts: 30)

    ComboFix Log:

    ComboFix 07-11-08.1 - Dan 2007-11-14 15:54:47.4 - NTFSx86
    Running from: C:\Documents and Settings\Dan\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\windows\system32\explorer.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
    .

    2007-11-14 15:32 30,841 --a------ C:\WINDOWS\system32\dskfhfab.exe
    2007-11-13 18:24 31,622 --a------ C:\WINDOWS\system32\tutrge.exe
    2007-11-11 17:17 2,432 --a------ C:\WINDOWS\system32\unpr.sys
    2007-11-08 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-07 16:08 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-07 15:52 32,768 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
    2007-11-05 18:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-05 18:40 85,568 --a------ C:\WINDOWS\system32\fbydlbaw.dll
    2007-11-05 15:27 83,008 --a------ C:\WINDOWS\system32\wqridibx.dll
    2007-11-05 15:24 1 --a------ C:\WINDOWS\system32\rc.dat
    2007-11-05 15:24 1 --a------ C:\WINDOWS\system32\ps1.dat
    2007-11-05 15:24 1 --a------ C:\WINDOWS\system32\cookie1.dat
    2007-11-03 14:13 52,224 --a------ C:\WINDOWS\system32\rasmoesa.dll
    2007-11-03 14:11 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
    2007-11-03 14:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
    2007-11-03 13:48 <DIR> d-------- C:\Program Files\Photoshop
    2007-11-01 18:27 <DIR> dr-hs---- C:\Volume Information
    2007-11-01 18:26 <DIR> d-------- C:\WINDOWS\Instant Lock
    2007-11-01 18:26 <DIR> d-------- C:\Program Files\Instant Lock
    2007-10-31 15:32 <DIR> d-------- C:\Program Files\DriveMounter
    2007-10-28 17:42 <DIR> d-------- C:\Program Files\Mac Startup Screen
    2007-10-28 17:40 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Nubs
    2007-10-28 17:34 <DIR> d-------- C:\Program Files\Concentrate
    2007-10-28 17:27 <DIR> d--h----- C:\WINDOWS\PIF
    2007-10-28 17:27 <DIR> d-------- C:\Program Files\Finderbar 1.5
    2007-10-28 17:27 46,592 --a------ C:\WINDOWS\zipinst.exe
    2007-10-28 17:21 <DIR> d-------- C:\Program Files\ICO-PNG
    2007-10-27 13:35 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2007-10-26 22:29 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Alien Skin
    2007-10-23 21:02 <DIR> d-------- C:\Program Files\RK Launcher
    2007-10-23 20:06 <DIR> d-------- C:\Program Files\RocketDock
    2007-10-22 20:30 <DIR> d-------- C:\Program Files\Atlantis Xtreme V0.9.1
    2007-10-21 12:02 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\HP
    2007-10-21 11:47 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
    2007-10-20 18:35 <DIR> d-------- C:\Program Files\Star Trek Legacy
    2007-10-20 13:20 177,496 --a------ C:\WINDOWS\system32\wdfproc.dll
    2007-10-18 13:41 85,848 --a------ C:\WINDOWS\system32\drivers\pwipf6.sys
    2007-10-16 17:49 <DIR> d-------- C:\Program Files\Activision
    2007-10-16 17:39 <DIR> d-------- C:\Program Files\Alcohol Soft
    2007-10-16 17:32 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2007-10-16 16:39 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\DivX
    2007-10-16 16:36 <DIR> d-------- C:\Program Files\Google
    2007-10-15 18:24 <DIR> d-------- C:\Program Files\DivX
    2007-10-15 13:03 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
    2007-10-15 13:03 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
    2007-10-15 12:12 <DIR> d-------- C:\Program Files\Xvid
    2007-10-15 12:08 28,672 --a------ C:\WINDOWS\system32\Alphablending.dll
    2007-10-15 11:06 <DIR> d-------- C:\Program Files\MSXML 6.0
    2007-10-15 10:54 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\CandyLabs
    2007-10-14 18:10 <DIR> d-------- C:\Program Files\MSBuild
    2007-10-14 18:02 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
    2007-10-14 17:59 <DIR> d-------- C:\Program Files\Reference Assemblies
    2007-10-14 17:58 14,048 --------- C:\WINDOWS\system32\spmsg2.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-11 09:01 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-11-11 08:14 --------- d-----w C:\Documents and Settings\Dan\Application Data\Azureus
    2007-11-09 13:22 --------- d-----w C:\Program Files\Motorola Phone Tools
    2007-11-09 13:17 --------- d-----w C:\Program Files\Avanquest update
    2007-11-09 09:49 4,624,384 ----a-w C:\WINDOWS\system32\logonuiX.exe
    2007-11-09 09:46 163,840 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
    2007-11-08 11:06 --------- d-----w C:\Documents and Settings\Dan\Application Data\LimeWire
    2007-11-07 09:45 --------- d-----w C:\Program Files\Windows Media Connect 2
    2007-11-06 09:49 --------- d-----w C:\Program Files\Webroot
    2007-11-03 01:59 --------- d-----w C:\Program Files\Trillian
    2007-10-31 08:57 --------- d-----w C:\Documents and Settings\Dan\Application Data\Matrix Y2K
    2007-10-28 09:18 --------- d-----w C:\Program Files\iTunes
    2007-10-21 02:45 164 ----a-w C:\install.dat
    2007-10-17 11:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
    2007-10-16 07:36 --------- d-----w C:\Program Files\Mozilla Thunderbird
    2007-10-15 01:53 --------- d-----w C:\Program Files\WS_FTP Pro
    2007-10-14 12:36 --------- d-----w C:\Program Files\Common Files\Stardock
    2007-10-14 12:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-14 12:30 --------- d-----w C:\Program Files\Macromedia
    2007-10-14 12:26 --------- d-----w C:\Program Files\AutoSizer
    2007-10-11 08:17 --------- d-----w C:\Program Files\Matrix Y2K
    2007-10-10 11:25 --------- d-----w C:\Documents and Settings\Dan\Application Data\SmartFTP
    2007-10-09 13:06 --------- d-----w C:\Program Files\Azureus
    2007-10-09 02:54 --------- d-----w C:\Documents and Settings\Dan\Application Data\CyberLink
    2007-10-02 16:32 --------- d-----w C:\Program Files\Bonjour
    2007-10-01 08:40 1,526,072 ----a-w C:\WINDOWS\WRSetup.dll
    2007-10-01 08:24 23,864 ----a-w C:\WINDOWS\system32\drivers\sskbfd.sys
    2007-10-01 08:24 21,816 ----a-w C:\WINDOWS\system32\drivers\sshrmd.sys
    2007-10-01 08:24 163,640 ----a-w C:\WINDOWS\system32\drivers\ssidrv.sys
    2007-09-29 12:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2007-09-29 12:26 --------- d-----w C:\Documents and Settings\Dan\Application Data\SpinTop
    2007-09-29 12:25 94,208 ----a-w C:\WINDOWS\system32\ScrUnZip.dll
    2007-09-29 12:25 908,716 ----a-w C:\WINDOWS\system32\GFC 2006.SCR
    2007-09-29 12:25 129,536 ----a-w C:\WINDOWS\system32\IJL15.dll
    2007-09-29 10:54 --------- d-----w C:\Program Files\ChaosAbout100
    2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2007-09-28 16:07 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
    2007-09-28 16:07 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2007-09-28 16:07 532,480 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2007-09-28 16:07 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
    2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2007-09-28 16:07 129,784 ------w C:\WINDOWS\system32\pxafs.dll
    2007-09-28 16:07 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
    2007-09-28 16:07 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
    2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
    2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    2007-09-28 13:23 --------- d-----w C:\Documents and Settings\Dan\Application Data\Talkback
    2007-09-28 09:31 --------- d-----w C:\Program Files\iPod
    2007-09-26 06:42 58,792 ----a-w C:\WINDOWS\system32\wbload.dll
    2007-09-22 12:41 --------- d-----w C:\Program Files\LemonCord
    2007-09-22 09:23 --------- d-----w C:\Program Files\Desktop Icon Toy
    2007-09-15 03:36 --------- d-----w C:\Program Files\Styler
    2007-09-14 12:26 --------- d-----w C:\Program Files\finexer
    2007-09-14 12:11 --------- d-----w C:\Documents and Settings\Dan\Application Data\AveDesk
    2007-09-14 12:04 --------- d-----w C:\Documents and Settings\Dan\Application Data\FindeXer
    2007-09-14 11:32 --------- d-----w C:\Documents and Settings\Dan\Application Data\Styler
    2007-09-14 09:46 --------- d-----w C:\Program Files\avedesk13
    2007-09-14 09:16 --------- d-----w C:\Program Files\YzShadow
    2007-09-14 09:16 --------- d-----w C:\Program Files\WinRoll
    2007-09-14 09:16 --------- d-----w C:\Program Files\UberIcon
    2007-09-14 09:16 --------- d-----w C:\Program Files\Tiger System Preferences v2
    2007-09-02 07:27 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
    2007-08-27 09:47 7,852 ----a-w C:\WINDOWS\system32\mcdmsg7.dll
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-08-02 09:48 92,064 ----a-w C:\Documents and Settings\Dan\mqdmmdm.sys
    2007-08-02 09:48 9,232 ----a-w C:\Documents and Settings\Dan\mqdmmdfl.sys
    2007-08-02 09:48 79,328 ----a-w C:\Documents and Settings\Dan\mqdmserd.sys
    2007-08-02 09:48 66,656 ----a-w C:\Documents and Settings\Dan\mqdmbus.sys
    2007-08-02 09:48 6,208 ----a-w C:\Documents and Settings\Dan\mqdmcmnt.sys
    2007-08-02 09:48 5,936 ----a-w C:\Documents and Settings\Dan\mqdmwhnt.sys
    2007-08-02 09:48 4,048 ----a-w C:\Documents and Settings\Dan\mqdmcr.sys
    2007-08-02 09:48 25,600 ----a-w C:\Documents and Settings\Dan\usbsermptxp.sys
    2007-08-02 09:48 22,768 ----a-w C:\Documents and Settings\Dan\usbsermpt.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{264426f7-9772-43c1-a02e-14bcb29bda36}]
    2007-11-05 15:27 83008 --a------ C:\WINDOWS\system32\wqridibx.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{320635D7-379D-48C3-B183-ABD0C4B20E69}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C87FA4A3-2474-4a3f-B413-67D515905024}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ImageShackUtil"="C:\Program Files\ImageShack\QuickShot\QuickShot.exe" []
    "Webroot Desktop Firewall"="C:\Program Files\Webroot\Desktop Firewall\WDF.exe" [2007-10-20 13:20]
    "System Files Updater"="C:\WINDOWS\FlyakiteOSX\System Files Updater.exe" [2006-01-15 15:31]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 04:43]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 14:33]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 07:24]
    "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
    "LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 19:38]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 16:44 C:\WINDOWS\KHALMNPR.Exe]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 15:42]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54]
    "d0ed3d80"="rundll32.exe" [2004-08-12 23:04 C:\WINDOWS\system32\rundll32.exe]
    "BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 17:21]
    "Windows Logon Application"="C:\WINDOWS\system32\logon.exe" [2007-06-13 19:23]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
    "Windows Explorer"="C:\WINDOWS\system32\explorer.exe" []
    "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 17:40]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 01:24]
    "DesktopIconToy"="C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe" []
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 22:56]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
    C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 16:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
    C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll 2007-09-24 20:08 229376 C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\WbSrv.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"


    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-11 09:52:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-11-12 08:00:22 C:\WINDOWS\Tasks\wrSpySweeper_L5D90EFAFC01D49D88C2490292CB7F309.job"
    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-14 16:02:26
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-14 16:04:12
    .
    --- E O F ---

  5. #15 - Member (Join Date: Nov 2007, Posts: 30)

    HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:13:30 PM, on 14/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Stardock\SDMCP.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
    C:\Program Files\Styler\Styler.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\dskfhfab.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Trend Micro\HijackThis\Dan.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
    O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Flash Module - {C87FA4A3-2474-4a3f-B413-67D515905024} - rasmoesa.dll (file missing)
    O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Program Files\finexer\FindeXer.dll
    O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
    O4 - HKLM\..\Run: [ImageShackUtil] "C:\Program Files\ImageShack\QuickShot\QuickShot.exe"
    O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
    O4 - HKLM\..\Run: [System Files Updater] "C:\WINDOWS\FlyakiteOSX\System Files Updater.exe" /S
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [d0ed3d80] "rundll32.exe" "C:\WINDOWS\system32\fbydlbaw.dll",b
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\system32\logon.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\system32\explorer.exe
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DesktopIconToy] "C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Styler.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1184321644312
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 9225 bytes
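As an added example for the ComboFix and HijackThis logs posted above (this is not code from the thread or from either tool), the following script mechanises the cross-check a helper does by eye: it correlates ComboFix's "Files Created" section with the HJT load points and running processes, and flags files created shortly before the scan, BHOs whose file is gone, a rundll32 run key with an explicit entry point, and a Windows binary running from a non-canonical location. It assumes the system drive is C: with Windows in C:\WINDOWS, as the logs show; the sample lines are copied from the logs above, and the 30-day window is an assumption chosen to match the span ComboFix's "Files Created" section covers.

```python
"""Cross-check a ComboFix "Files Created" listing against HijackThis load points."""
import re
from datetime import date

# Constructed sample: lines copied from the ComboFix "Files Created" section in this thread.
COMBOFIX_CREATED = r"""
2007-11-14 15:32 30,841 --a------ C:\WINDOWS\system32\dskfhfab.exe
2007-11-13 18:24 31,622 --a------ C:\WINDOWS\system32\tutrge.exe
2007-11-11 17:17 2,432 --a------ C:\WINDOWS\system32\unpr.sys
2007-11-07 16:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-05 18:40 85,568 --a------ C:\WINDOWS\system32\fbydlbaw.dll
2007-11-05 15:27 83,008 --a------ C:\WINDOWS\system32\wqridibx.dll
2007-11-03 14:13 52,224 --a------ C:\WINDOWS\system32\rasmoesa.dll
2007-10-15 13:03 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
"""

# Constructed sample: two running-process lines plus O2/O4 lines from the HJT log in this thread.
HJT_LOG = r"""
C:\WINDOWS\system32\dskfhfab.exe
C:\WINDOWS\explorer.exe
O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
O2 - BHO: Flash Module - {C87FA4A3-2474-4a3f-B413-67D515905024} - rasmoesa.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [d0ed3d80] "rundll32.exe" "C:\WINDOWS\system32\fbydlbaw.dll",b
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\system32\explorer.exe
"""

# Assumption (matches the logs above): system drive C:, Windows in C:\WINDOWS, so the
# only legitimate explorer.exe lives directly under the Windows directory.
CANONICAL_EXPLORER = r"c:\windows\explorer.exe"

# "YYYY-MM-DD HH:MM size attrs path"; <DIR> entries fail the numeric size group.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} +([\d,]+) +\S+ +(.+?)\s*$")
FULL_PATH_RE = re.compile(r"""[A-Za-z]:\\[^"',]+?\.(?:exe|dll|sys)\b""", re.IGNORECASE)
FILE_NAME_RE = re.compile(r"\b([\w-]+\.(?:exe|dll|sys))\b", re.IGNORECASE)
RANDOM_KEY_RE = re.compile(r"\[([0-9a-f]{8})\]")  # Run value name such as d0ed3d80
RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+"?[^"]+\.dll"?,\s*\w+', re.IGNORECASE)


def parse_created(listing):
    """Map lower-cased file name -> (full path, creation date), skipping <DIR> entries."""
    created = {}
    for line in listing.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        path = m.group(3)
        created[path.rsplit("\\", 1)[-1].lower()] = (path, date.fromisoformat(m.group(1)))
    return created


def triage(listing, hjt_log, scan_date, window_days=30):
    """Return (kind, detail) findings for each HJT line that matches a triage rule."""
    created = parse_created(listing)
    findings = []
    for raw in hjt_log.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A BHO whose file is gone has nothing to load; it is residue to remove.
        if line.startswith("O2") and ("(no file)" in line or "(file missing)" in line):
            findings.append(("orphaned_bho", line))
        # Run value names that are just eight hex digits are typically machine-generated.
        key = RANDOM_KEY_RE.search(line)
        if line.startswith("O4") and key:
            findings.append(("random_run_name", key.group(1)))
        # rundll32 invoking a DLL with an explicit (here one-letter) entry point.
        if RUNDLL_RE.search(line):
            findings.append(("rundll32_entrypoint", line))
        # A copy of a Windows binary outside its canonical location.
        for path in FULL_PATH_RE.findall(line):
            if path.lower().endswith("\\explorer.exe") and path.lower() != CANONICAL_EXPLORER:
                findings.append(("wrong_location", path))
        # Any referenced file that ComboFix saw created within the window before the scan.
        for name in sorted({m.group(1).lower() for m in FILE_NAME_RE.finditer(line)}):
            if name in created:
                path, when = created[name]
                age = (scan_date - when).days
                if 0 <= age <= window_days:
                    findings.append(("recent_file", f"{path} created {when} ({age} days before scan)"))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'recent_file': 4, ...}."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def triage_sample():
    """Run the rules over the constructed samples with the ComboFix scan date from the thread."""
    return triage(COMBOFIX_CREATED, HJT_LOG, date(2007, 11, 14))


if __name__ == "__main__":
    for kind, detail in triage_sample():
        print(f"{kind:20} {detail}")
```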

  6. #16 - pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)

    Thanks for returning the fresh information; let's start like this:

    1) TeaTimer will block changes we must make; use these instructions to turn it off until we are done.
    http://russelltexas.com/malware/teatimer.htm

    2) To disable SpySweeper (these may be old instructions, but turn it off until you are done and then back on to continue your realtime protection):

    Open the program
    On the left, click: Options, then > Program Options
    Uncheck: Load at windows startup
    Again on the left click: Shields and uncheck all items there.
    Uncheck: Home Page Shield
    Uncheck: Automatically restore default without notification

    3) Thanks to andymanchesta and anyone else who helped with the fix.

    Download SDFix and save it to your Desktop.
    http://downloads.andymanchesta.com/R...ools/SDFix.exe

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (the drive that contains the Windows directory, typically C:\SDFix).

    Please then reboot your computer in Safe Mode by doing the following:
    Restart your computer.
    After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    Instead of Windows loading as normal, the Advanced Options Menu should appear;
    Select the first option, to run Windows in Safe Mode, then press Enter.
    Choose your usual account.
    Open the extracted SDFix folder and double click RunThis.bat to start the script.
    Type Y to begin the cleanup process.
    It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
    Press any key and it will restart the PC.
    When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
    Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to the Clipboard ready for posting back on the forum).
    Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.
    This is a start; you have other infections.

    Thanks

  7. #17 - Member (Join Date: Nov 2007, Posts: 30)

    SDFix:

    SDFix: Version 1.114

    Run by Dan on Thu 15/11/2007 at 04:09 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\system32\cmds.txt - Deleted
    C:\WINDOWS\system32\cookie1.dat - Deleted
    C:\WINDOWS\system32\logon.exe - Deleted
    C:\WINDOWS\system32\ps1.dat - Deleted
    C:\WINDOWS\system32\rasmoesa.dll - Deleted
    C:\WINDOWS\system32\rc.dat - Deleted



    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-15 16:25:11
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwOpenFile

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
    "h0"=dword:00000000
    "ujdew"=hex:41,63,05,f0,07,12,e5,1a,b4,af,53,f6,e1,25,16,af,da,bc,6c,b1,6b,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
    "h0"=dword:00000000
    "ujdew"=hex:41,63,05,f0,07,12,e5,1a,b4,af,53,f6,e1,25,16,af,da,bc,6c,b1,6b,..

    scanning hidden registry entries ...

    scanning hidden files ...

    C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Messenger\dont.ask.ryda@hotmail.com\SharingMetadata\chevron8653@hotmail.com\DFSR\Staging\CS{5AA6FED8-7CBB-ED5C-EF09-256C4E790D86}\01\29-{5AA6FED8-7CBB-ED5C-EF09-256C4E790D86}-v1-{8B5FECED-7AC1-4D16-BB9C-8A71369F3636}-v29-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
    C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Messenger\dont.ask.ryda@hotmail.com\SharingMetadata\chevron8653@hotmail.com\DFSR\Staging\CS{5AA6FED8-7CBB-ED5C-EF09-256C4E790D86}\53\353-{74EE1628-3DE3-44BB-BE92-96BC5C9F44A3}-v353-{74EE1628-3DE3-44BB-BE92-96BC5C9F44A3}-v353-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1400 bytes hidden from API
    C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Messenger\dont.ask.ryda@hotmail.com\SharingMetadata\martouf_of_tokra@hotmail.com\DFSR\Staging\CS{372F4939-D34C-5F6B-D909-099612CAD1CF}\01\10-{372F4939-D34C-5F6B-D909-099612CAD1CF}-v1-{8B5FECED-7AC1-4D16-BB9C-8A71369F3636}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
    C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Messenger\dont.ask.ryda@hotmail.com\SharingMetadata\martouf_of_tokra@hotmail.com\DFSR\Staging\CS{372F4939-D34C-5F6B-D909-099612CAD1CF}\11\11-{8B5FECED-7AC1-4D16-BB9C-8A71369F3636}-v11-{8B5FECED-7AC1-4D16-BB9C-8A71369F3636}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 4


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:
    ---------------

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Thu 12 Aug 2004 100,352 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
    Sat 22 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
    Wed 14 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab9217b6e5750f9481b4ee261d21b730\BIT44.tmp"
    Wed 14 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ecdaae76294ae865d5456738faf3aa2e\BIT43.tmp"
    Tue 6 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT3E.tmp"

    Finished!

    HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:46:46 PM, on 15/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Common Files\Stardock\SDMCP.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Styler\Styler.exe
    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\Dan.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
    O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Program Files\finexer\FindeXer.dll
    O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
    O4 - HKLM\..\Run: [ImageShackUtil] "C:\Program Files\ImageShack\QuickShot\QuickShot.exe"
    O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
    O4 - HKLM\..\Run: [System Files Updater] "C:\WINDOWS\FlyakiteOSX\System Files Updater.exe" /S
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [d0ed3d80] "rundll32.exe" "C:\WINDOWS\system32\fbydlbaw.dll",b
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DesktopIconToy] "C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Styler.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1184321644312
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 8455 bytes

  8. #18
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for returning your information, let's do this now:

    1) see this: http://forums.spybot.info/showpost.p...80&postcount=2
    C:\Program Files\Java\jre1.6.0_01\ <<< update your Java program and uninstall all old versions in Add/Remove Programs.

    2) C:\Program Files\Styler\Styler.exe <<< assure me this is a valid program.

    3) Please download F-Secure Blacklight:
    ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
    (fsbl.exe) and save to your C:\ drive.
    Open a command window by going to Start > Run and typing: cmd
    Copy/paste or type the following in the command window: C:\fsbl.exe /expert
    Hit "Enter" to start the program and then close the cmd box.
    Accept the user agreement and click "Next".
    Click "Scan".
    After the scan is complete, click "Next", then "Exit".
    BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
    The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
    Exit Blacklight and post the contents of the log in your next reply.

    (don't fix anything, just post the log)

    4) Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    5) SpySweeper turned off please.

    6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
    O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [d0ed3d80] "rundll32.exe" "C:\WINDOWS\system32\fbydlbaw.dll",b

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    7) RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\WINDOWS\system32\fbydlbaw.dll <<< delete that file if there.

    8) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart the computer, post the report from BlackLight, a new HJT log and some feedback. How is the computer running?

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
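    As an added example (not code from this thread, from HijackThis or from its authors), the judgements the helper applied to the posted log can be written down as a small triage script. It parses HJT-style R0/O2/O4 lines and flags the same patterns picked out above: a BHO whose file is gone, a BHO named only by a GUID that loads an eight-letter DLL from system32, a Run value with a hex-looking name that loads such a DLL through rundll32, and a start page reset to about:blank. The sample input is six lines copied from the HJT log earlier in this thread; the patterns are heuristics, not signatures, so whatever they flag is a candidate for a person to review, which is exactly what happens in this thread.

```python
import re

# Constructed sample input: six lines copied from the HijackThis log posted
# earlier in this thread (two clean entries are kept in for contrast).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [d0ed3d80] "rundll32.exe" "C:\WINDOWS\system32\fbydlbaw.dll",b
"""

# HJT line shapes (assumed from the log format shown in this thread):
#   O2 - BHO: <name> - <CLSID> - <path>
#   O4 - <hive>\..\Run: [<value name>] <command line>
#   R0 - <hive>\...,Start Page = <url>
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + GUID + r") - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[^\[]*?)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
R0_RE = re.compile(r"^R0 - .*Start Page = (?P<url>.*)$")
# Heuristic only: an eight-letter DLL name directly under system32, the shape
# of both files the helper asked to have removed in this thread.
RANDOM_SYSTEM32_DLL = re.compile(r"(?i:\\system32\\)[a-z]{8}\.dll")


def triage(log_text):
    """Return (line, reason) pairs for HJT entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if path == "(no file)":
                findings.append((line, "orphaned BHO: CLSID still registered but its DLL is gone"))
            elif re.fullmatch(GUID, name) and RANDOM_SYSTEM32_DLL.search(path):
                findings.append((line, "BHO named only by a GUID, loading a random-looking DLL from system32"))
            continue
        m = O4_RE.match(line)
        if m:
            key, cmd = m.group("key"), m.group("cmd")
            if re.fullmatch(r"[0-9a-f]{8}", key) and "rundll32" in cmd.lower() and RANDOM_SYSTEM32_DLL.search(cmd):
                findings.append((line, "Run value with a hex-looking name loading a system32 DLL through rundll32"))
            continue
        m = R0_RE.match(line)
        if m and m.group("url").strip().lower() == "about:blank":
            findings.append((line, "start page reset to about:blank; low severity, but typical residue of a hijacker"))
    return findings


def lines_to_fix(log_text):
    """Just the log lines, in order, that a helper would ask the user to tick in HJT."""
    return [line for line, _reason in triage(log_text)]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

    Run against the sample it reports the same four lines the helper listed under step 6 and leaves the Adobe BHO and the Java updater alone. The scoped `(?i:...)` flag needs Python 3.6 or later. The script deliberately does not touch the registry or delete anything: its output is a review list, and the decision to remove an entry stays with whoever reads the log.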

  9. #19
    Member
    Join Date
    Nov 2007
    Posts
    30

    Default

    Styler is a program I use, it is safe. And I don't have time at the moment to follow the steps, I'll do it on Saturday night.


    thanks,
    Dan

  10. #20
    Member
    Join Date
    Nov 2007
    Posts
    30

    Default

    I've hit a snag. I installed the latest Java and I opened the cmd window and typed in what you said, hit Enter but nothing happened.
