Virtumonde and Smitfraud-C toolbar problems
Hi... recently, when I scanned using Spybot, there were two things that are really pesky in my system at the moment:
1. two files that are infected by Virtumonde can't be deleted
2. the Smitfraud-C toolbar.888 thing keeps on reappearing.
I tried doing an online scan here: http://www3.ca.com/securityadvisor/virusinfo/scan.aspx, but it's saying "service unavailable..."
Here's the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:43:31 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\vmwarruq.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Compal Electronics, INC\Smart Watchdog\SWDsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Compal Electronics, INC\MediaOffice\MediaOffice.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Elantech\ktp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Giganology\Gigaget\GigagetShell.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DesuBuddy\DesuBuddy.exe
C:\WINDOWS\system32\taskmgr1.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\JUNE BENIDECT\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad.dlsu.edu.ph/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\system32\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [Media Office] C:\Program Files\Compal Electronics, INC\MediaOffice\MediaOffice.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Smart Watch Dog] -C:\Program Files\Compal Electronics, INC\Smart Watchdog\SmartWD.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [CASS] C:\Program Files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Gigaget] "C:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DesuBuddy] C:\Program Files\DesuBuddy\DesuBuddy.exe
O4 - HKLM\..\Run: [Microsoft System Service] taskmgr1.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\pniwtcuk.dll",realset
O4 - HKLM\..\RunServices: [Microsoft System Service] taskmgr1.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182483029468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182482710750
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{263A94E7-891B-42D3-B9BE-D3CC299A14EF}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\vmwarruq.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Smart Watchdog Service (Smart Watchdog) - Unknown owner - C:\Program Files\Compal Electronics, INC\Smart Watchdog\SWDsvc.exe
I hope there is still something to be done about this... o.0;;
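A defender's first-pass triage over O4/O17/O23 lines like the ones in the log above, as an added example that is not code from this thread or from HijackThis. The sample lines are copied from the log; the list of imitated system-binary names and the eight-letter DLL pattern are assumptions I chose for the heuristics, and every hit is a lead to confirm with a file scan, not a verdict.

```python
"""Triage heuristics for HijackThis-style log lines (added example; not part of the thread)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    section: str  # HijackThis section tag, e.g. "O4"
    line: str     # the log line (or command) that triggered the finding
    reason: str   # why a human should look at it


# Constructed sample: a subset of the O4/O17/O23 lines from the log in the first post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft System Service] taskmgr1.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\pniwtcuk.dll",realset
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\RunServices: [Microsoft System Service] taskmgr1.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{263A94E7-891B-42D3-B9BE-D3CC299A14EF}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\vmwarruq.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
# The optional space after the first dash copes with an empty vendor field ("name - - path").
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - ?(?P<vendor>.*?) - (?P<path>.+)$")
# Basenames only: a backslash is not in the class, so directory parts are skipped.
BINARY_RE = re.compile(r"([\w~-]+\.(?:exe|dll))", re.I)
# Assumed list of names malware imitates by appending a character (taskmgr1.exe in this thread).
SYSTEM_BINARIES = ("taskmgr", "svchost", "lsass", "csrss", "winlogon", "explorer", "services")
# Eight random lowercase letters, the naming pattern of the DLLs in the ComboFix log of this thread.
# Only a lead: OEM components also use 8.3-style names, so confirm with a file scan.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")


def looks_like_system_impostor(basename: str) -> bool:
    """True for names such as taskmgr1.exe: starts with a system binary's name but is not it."""
    if not basename.lower().endswith(".exe"):
        return False
    stem = basename.lower()[:-4]
    return any(stem != real and stem.startswith(real) for real in SYSTEM_BINARIES)


def triage(log_text: str) -> List[Finding]:
    """Return review leads for the O4, O17 and O23 lines of a HijackThis log."""
    findings: List[Finding] = []
    autostarts: Dict[str, List[str]] = defaultdict(list)  # command -> keys it is registered in
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        m = O4_RE.match(line)
        if m:
            key, cmd = m["key"], m["cmd"]
            autostarts[cmd.lower()].append(key)
            if key.lower().endswith("runservices"):
                findings.append(Finding(section, line, "Win9x RunServices key; NT-family software does not use it"))
            tokens = cmd.split()
            # A bare file name is resolved through the search path, and here it also mimics taskmgr.exe.
            if tokens and "\\" not in tokens[0] and looks_like_system_impostor(tokens[0]):
                findings.append(Finding(section, line, f"{tokens[0]} is path-less and imitates a system binary name"))
            if tokens and tokens[0].lower() == "rundll32.exe":
                for dll in BINARY_RE.findall(cmd)[1:]:  # [0] is rundll32.exe itself
                    if RANDOM_DLL_RE.match(dll):
                        findings.append(Finding(section, line, f"rundll32 loads {dll}, a random-looking eight-letter DLL name"))
            continue
        m = O17_RE.match(line)
        if m:
            findings.append(Finding(section, line, f"DNS servers overridden to {m['servers']}; confirm you chose them"))
            continue
        m = O23_RE.match(line)
        if m and not m["vendor"].strip():
            findings.append(Finding(section, line, f"service {m['name']} has no vendor string ({m['path']})"))
    # One command registered under several autostart keys is a persistence redundancy, not a feature.
    for cmd, keys in autostarts.items():
        if len(keys) > 1:
            findings.append(Finding("O4", cmd, f"registered in {len(keys)} autostart keys: {', '.join(keys)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```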
random/random
2007-07-07, 16:05
Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
Hide extensions for known file types
Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
Show hidden files and folders
Click Apply and then click OK
Then please upload this file:
C:\windows\system32\taskmgr1.exe
To either Jotti (http://virusscan.jotti.org/) or VirusTotal (http://www.virustotal.com/en/indexf.html), and copy and paste the results as a reply to this topic.
Here are the results of the scan from http://virusscan.jotti.org/
Scan taken on 07 Jul 2007 13:22:52 (GMT)
A-Squared Found nothing
AntiVir Found TR/Agent.1304064
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found DeepScan:Generic.Malware.G!SI!!FWX!!Bprng.D7805A87
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found W32/Generic!tr
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found Trj/DNSChanger.RV
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
this is a bad thing... right?
random/random
2007-07-07, 16:37
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
Press any key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum
Download the latest version of ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Here are the requested logs... I'll be posting them in separate posts, if you don't mind of course...
SDFix log
SDFix: Version 1.90
Run by JUNE BENIDECT on Sat 07/07/2007 at 09:47 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found
Removing Temp Files...
ADS Check:
Checking C:\WINDOWS
C:\WINDOWS
No streams found.
Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.
Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Giganology\\Gigaget\\Gigaget.exe"="C:\\Program Files\\Giganology\\Gigaget\\Gigaget.exe:*:Enabled:Gigaget"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Macromedia\\Flash MX\\Flash.exe"="C:\\Program Files\\Macromedia\\Flash MX\\Flash.exe:*:Enabled:Flash 6.0 r25"
"C:\\WINDOWS\\system32\\vmwarruq.exe"="C:\\WINDOWS\\system32\\vmw"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files:
---------------
Files with Hidden Attributes:
C:\Program Files\eRightSoft\SUPER\cygwin1.dll
C:\Program Files\eRightSoft\SUPER\cygz.dll
C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll
C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll
C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll
C:\WINDOWS\system32\flvDX.dll
C:\WINDOWS\system32\msfDX.dll
C:\Program Files\eRightSoft\SUPER\Setup.exe
C:\WINDOWS\system32\taskmgr1.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\JUNE BENIDECT\My Documents\dlsu files\~WRL0004.tmp
Finished
ComboFix log
"JUNE BENIDECT" - 2007-07-07 22:06:54 - ComboFix 07-07-07.3 - Service Pack 2
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\dyyblqmf.dll
C:\WINDOWS\system32\fomkdyem.dll
C:\WINDOWS\system32\irlowpbg.dll
C:\WINDOWS\system32\pniwtcuk.dll
C:\WINDOWS\system32\xfmdrvjy.dll
C:\WINDOWS\system32\xsssrnka.dll
C:\WINDOWS\system32\ktbkrbwk.exe
C:\WINDOWS\system32\ktbwqykc.exe
C:\WINDOWS\system32\seylchiv.exe
C:\WINDOWS\system32\teakkskt.exe
C:\WINDOWS\system32\rqrqoon.dll
C:\WINDOWS\system32\fmqlbyyd.ini
C:\WINDOWS\system32\meydkmof.ini
C:\WINDOWS\system32\gbpwolri.ini
C:\WINDOWS\system32\kuctwinp.ini
C:\WINDOWS\system32\nqstv.bak1
C:\WINDOWS\system32\nqstv.bak2
C:\WINDOWS\system32\nqstv.ini
C:\WINDOWS\system32\nqstv.ini2
C:\WINDOWS\system32\nqstv.tmp
C:\WINDOWS\system32\yjvrdmfx.ini
C:\WINDOWS\system32\aknrsssx.ini
C:\WINDOWS\system32\nqstv.bak1
C:\WINDOWS\system32\nqstv.bak2
C:\WINDOWS\system32\nqstv.ini
C:\WINDOWS\system32\nqstv.ini2
C:\WINDOWS\system32\nqstv.bak1
C:\WINDOWS\system32\nqstv.bak2
C:\WINDOWS\system32\nqstv.ini
C:\WINDOWS\system32\nqstv.ini2
C:\WINDOWS\system32\vtsqn.dll
C:\WINDOWS\system32\efccdbb.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\ravmone.exe
C:\WINDOWS\temp\_istmpi.dir
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_DNSCON
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETMANAGER
-------\dnscon
-------\DomainService
-------\NetManager
((((((((((((((((((((((((( Files Created from 2007-06-07 to 2007-07-07 )))))))))))))))))))))))))))))))
2007-07-07 22:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-07 21:45 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-07 12:21 50,708 --a------ C:\WINDOWS\system32\wlevrmyw.exe
2007-07-06 10:14 50,708 --a------ C:\WINDOWS\system32\vmwarruq.exe
2007-07-06 08:51 53,760 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll
2007-07-06 08:50 <DIR> d-------- C:\Program Files\IVT Corporation
2007-07-06 08:14 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2007-07-06 08:14 59,648 --a------ C:\WINDOWS\system32\drivers\rfcomm.sys
2007-07-06 08:14 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2007-07-06 08:14 17,024 --a------ C:\WINDOWS\system32\drivers\BthEnum.sys
2007-07-06 08:14 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2007-07-06 08:14 100,992 --a------ C:\WINDOWS\system32\drivers\bthpan.sys
2007-07-06 08:13 274,304 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2007-07-06 08:13 18,944 --a------ C:\WINDOWS\system32\drivers\BTHUSB.SYS
2007-07-05 20:28 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\Comodo
2007-07-03 21:19 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-07-03 21:19 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-07-03 21:19 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-07-03 21:19 66,560 --a------ C:\WINDOWS\MOTA113.exe
2007-07-03 21:19 502,784 --a------ C:\WINDOWS\x2.64.exe
2007-07-03 21:19 471,552 --a------ C:\WINDOWS\system32\Smab.dll
2007-07-03 21:19 31,232 -rahs---- C:\WINDOWS\system32\msfDX.dll
2007-07-03 21:19 306,688 --a------ C:\WINDOWS\system32\avisynth.dll
2007-07-03 21:19 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2007-07-03 21:19 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2007-07-03 21:19 217,073 --a------ C:\WINDOWS\meta4.exe
2007-07-03 21:19 163,328 -rahs---- C:\WINDOWS\system32\flvDX.dll
2007-07-03 21:19 <DIR> d-------- C:\Program Files\eRightSoft
2007-07-03 21:19 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-06-29 20:10 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\AdobeUM
2007-06-29 10:57 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Comodo
2007-06-29 10:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-06-29 10:53 <DIR> d-------- C:\Program Files\Comodo
2007-06-28 23:04 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-06-27 12:47 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Ahead
2007-06-25 21:42 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-06-25 05:59 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\MEGAUPLOADTOOLBAR
2007-06-24 17:33 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-06-24 16:41 <DIR> d-------- C:\Program Files\DesuBuddy
2007-06-24 16:30 <DIR> d-------- C:\Program Files\MegauploadToolbar
2007-06-24 16:30 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\MegauploadToolbar
2007-06-24 16:14 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Azureus
2007-06-24 16:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-06-24 16:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-06-24 15:59 <DIR> d-------- C:\Program Files\Bonjour
2007-06-24 15:48 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-06-24 08:57 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-06-23 21:19 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Help
2007-06-23 18:58 <DIR> d-------- C:\Program Files\MSBuild
2007-06-23 18:54 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-06-23 18:53 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-06-23 18:52 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-06-23 17:17 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-06-23 17:01 86,016 --a------ C:\WINDOWS\system32\gigagetbho_v10.dll
2007-06-23 17:01 <DIR> d-------- C:\Program Files\Giganology
2007-06-23 16:59 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\Shared
2007-06-23 16:59 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\Incomplete
2007-06-23 16:58 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\LimeWire
2007-06-23 16:31 <DIR> d-------- C:\Program Files\AnalogX
2007-06-23 16:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-06-23 16:11 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-06-23 16:11 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-23 16:10 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-23 16:06 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-06-23 15:49 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-06-23 15:30 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2007-06-23 15:30 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2007-06-23 15:30 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-06-23 14:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-23 12:27 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-06-23 11:41 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\Yahoo!
2007-06-23 11:40 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\Google
2007-06-23 10:37 90,496 --a------ C:\WINDOWS\system32\drivers\Rtenicxp.sys
2007-06-23 10:37 <DIR> d-------- C:\Program Files\Realtek
2007-06-22 23:08 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Media Player Classic
2007-06-22 22:47 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Yahoo!
2007-06-22 22:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-22 21:35 109,568 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-06-22 21:35 108,544 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-06-22 21:35 <DIR> d-------- C:\Program Files\DivX
2007-06-22 21:34 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-06-22 21:34 630,784 --a------ C:\WINDOWS\system32\vp7vfw.dll
2007-06-22 21:34 6,144 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-06-22 21:34 540,178 --a------ C:\WINDOWS\system32\x264vfw.dll
2007-06-22 21:34 446,464 --a------ C:\WINDOWS\system32\vp31vfw.dll
2007-06-22 21:34 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-06-22 21:34 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-06-22 21:34 286,720 --a------ C:\WINDOWS\system32\3ivxVfWCodec.dll
2007-06-22 21:34 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2007-06-22 21:34 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-06-22 21:34 157,696 --a------ C:\WINDOWS\system32\unrar.dll
2007-06-22 21:34 1,415,680 --a------ C:\WINDOWS\system32\WMV9VCM.dll
2007-06-22 21:34 1,024,000 --a------ C:\WINDOWS\system32\3ivx.dll
2007-06-22 21:33 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-06-22 21:31 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-06-22 21:31 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-22 21:27 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-06-22 21:23 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-06-22 21:23 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-06-22 21:21 <DIR> d-------- C:\WINDOWS\system32\LogFiles
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 14:43:40 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2004-08-04 12:00:00 1,304,064 --sha-r C:\WINDOWS\system32\taskmgr1.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
2007-03-21 05:39 803864 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{111CAA23-6F4F-42AC-8555-B48C1D87BBAB}]
2006-01-09 15:01 86016 --a------ C:\WINDOWS\system32\gigagetbho_v10.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}]
2007-06-20 06:48 1936840 --a------ C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A263CF7-56A6-4D68-A8CF-345BE45BC911}]
2007-02-24 07:04 140840 --a------ C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-11-01 04:33 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-05-03 03:14 434279 --a------ C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
2006-04-17 13:32 323904 --a------ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-06-20 12:24 2403392 -ra------ c:\program files\google\googletoolbar1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-27 23:28 C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [2005-05-04 00:43 C:\WINDOWS\ALCMTR.EXE]
"Media Office"="C:\Program Files\Compal Electronics" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 13:50 C:\WINDOWS\AGRSMMSG.exe]
"Smart Watch Dog"="-C:\Program Files\Compal Electronics" []
"KTPWare"="C:\Program Files\Elantech\ktp.exe" [2006-03-29 01:36]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-02-28 14:25]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-02-28 14:25]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-02-28 14:29]
"CASS"="C:\Program Files\Compal Electronics" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-22 07:09]
"Gigaget"="C:\Program Files\Giganology\Gigaget\GigagetShell.exe" [2006-02-07 10:28]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-15 06:22]
"DesuBuddy"="C:\Program Files\DesuBuddy\DesuBuddy.exe" [2007-05-25 17:07]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-06-29 10:53]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 20:00 C:\WINDOWS\system32\bthprops.cpl]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-06-16 14:38]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc
bthsvcs BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1e-1ec1-11dc-a374-0019d232e170}]
AutoRun\command- E:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1f-1ec1-11dc-a374-0019d232e170}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ffdc91c-1e77-11dc-a373-0019d232e170}]
Auto\command- RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
Browser\command- RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b748aec-25fc-11dc-a3a2-0016d4a89b07}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe FS6519.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56b83a91-1ecf-11dc-a375-0019d232e170}]
Auto\command- sxs.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f2f61c7-22a7-11dc-a38d-0016d4a89b07}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb437a33-29fc-11dc-a3b2-0016d4a89b07}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd336402-2b54-11dc-a3b8-0016d4a89b07}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe FS6519.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf19f2aa-2438-11dc-a394-0016d4a89b07}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9168117-2a8d-11dc-a3b4-0016d4a89b07}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe FS6519.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9168122-2a8d-11dc-a3b4-0016d4a89b07}]
AutoRun\command- New Folder.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f525ca78-2477-11dc-a396-0016d4a89b07}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f525ca79-2477-11dc-a396-0016d4a89b07}]
AutoRun\command- RootFolder.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f525ca7d-2477-11dc-a396-0016d4a89b07}]
AutoRun\command- E:\
explore\Command- RECYCLER\INFO.exe
open\Command- RECYCLER\INFO.exe
Contents of the 'Scheduled Tasks' folder
2007-07-07 14:17:00 C:\WINDOWS\tasks\Symantec NetDetect.job
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-07 22:15:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-07 22:17:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-07 22:17
--- E O F ---
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 10:20:50 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Compal Electronics, INC\Smart Watchdog\SWDsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Compal Electronics, INC\MediaOffice\MediaOffice.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Elantech\ktp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Giganology\Gigaget\GigagetShell.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DesuBuddy\DesuBuddy.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\JUNE BENIDECT\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad.dlsu.edu.ph/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Media Office] C:\Program Files\Compal Electronics, INC\MediaOffice\MediaOffice.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Smart Watch Dog] -C:\Program Files\Compal Electronics, INC\Smart Watchdog\SmartWD.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [CASS] C:\Program Files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Gigaget] "C:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DesuBuddy] C:\Program Files\DesuBuddy\DesuBuddy.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182483029468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182482710750
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{263A94E7-891B-42D3-B9BE-D3CC299A14EF}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Smart Watchdog Service (Smart Watchdog) - Unknown owner - C:\Program Files\Compal Electronics, INC\Smart Watchdog\SWDsvc.exe
What should I do next? Also, is it okay if I post the other logs and do the next instructions tomorrow? It's already nighttime here and I might get scolded if I stay up because of this... I hope you won't mind, of course... ^^;;
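The MountPoints2 section of the ComboFix log above is the part worth reading closely: each key is a removable volume that was plugged into this machine, and the `AutoRun\command`, `open\Command` and `explore\Command` values are what Explorer will run when that volume is double-clicked. Normal entries are `EXPLORER.EXE` or a vendor launcher such as `E:\LaunchU3.exe`; the rest (payloads under `RECYCLER\`, `wscript.exe FS6519.dll.vbs`, bare `sxs.exe`, `RavMonE.exe`, `New Folder.exe`, `RootFolder.com`, all wrapped in a `RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL` trampoline) are the handlers that autorun.inf worms write. The script below is an added example for this thread, not ComboFix's or Flash_Disinfector's code; it parses that section and flags each volume with the reasons it looks hostile. The allowlist and the heuristic table are this example's own assumptions, and the sample text is constructed to mirror the entries in the log above.

```python
"""Triage the MountPoints2 AutoRun handlers from a ComboFix 'Reg Loading Points' dump.

Added example for this thread; not ComboFix's or Flash_Disinfector's code.
The allowlist and the suspicious-pattern table are this example's own assumptions.
"""
import re

# Handlers Windows (or a U3 stick) legitimately registers for a removable volume.
# Assumed allowlist; everything else is reported.
BENIGN_COMMANDS = {"explorer.exe", "e:\\", "e:\\launchu3.exe"}

# Traits shared by autorun.inf worms in this log family (assumed heuristics).
SUSPICIOUS = [
    (re.compile(r"recycler\\", re.I), "payload under RECYCLER"),
    (re.compile(r"\bwscript(\.exe)?\b", re.I), "script host launch"),
    (re.compile(r"\.(vbs|com|bat|scr)\b", re.I), "script or .com extension"),
    (re.compile(r"shellexec_rundll", re.I), "rundll32 ShellExec trampoline"),
    (re.compile(r"^(?!.*[\\:]).+\.exe(\s|$)", re.I), "bare executable in volume root"),
]

KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
CMD_RE = re.compile(r"^(\w+)\\command-\s*(.+?)\s*$", re.I)


def parse_mountpoints(text):
    """Return {volume_guid: {verb: command}} for every MountPoints2 key in the dump."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            entries[current] = {}
            continue
        cmd = CMD_RE.match(line)
        if cmd and current is not None:
            entries[current][cmd.group(1).lower()] = cmd.group(2)
    return entries


def classify(command):
    """Reasons a single handler command looks like a worm; empty list means benign."""
    if command.strip().lower() in BENIGN_COMMANDS:
        return []
    reasons = [why for pattern, why in SUSPICIOUS if pattern.search(command)]
    return reasons or ["unrecognised handler"]


def triage(text):
    """Map each flagged volume GUID to the sorted, de-duplicated reasons across its verbs."""
    flagged = {}
    for guid, verbs in parse_mountpoints(text).items():
        reasons = {why for command in verbs.values() for why in classify(command)}
        if reasons:
            flagged[guid] = sorted(reasons)
    return flagged


# Constructed sample that mirrors the shape of the entries in the log above.
SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1e-1ec1-11dc-a374-0019d232e170}]
AutoRun\command- E:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1f-1ec1-11dc-a374-0019d232e170}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ffdc91c-1e77-11dc-a373-0019d232e170}]
Auto\command- RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b748aec-25fc-11dc-a3a2-0016d4a89b07}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe FS6519.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56b83a91-1ecf-11dc-a375-0019d232e170}]
Auto\command- sxs.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f525ca79-2477-11dc-a396-0016d4a89b07}]
AutoRun\command- RootFolder.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f525ca7d-2477-11dc-a396-0016d4a89b07}]
AutoRun\command- E:\
explore\Command- RECYCLER\INFO.exe
open\Command- RECYCLER\INFO.exe
"""

if __name__ == "__main__":
    for guid, reasons in triage(SAMPLE).items():
        print(guid, "->", "; ".join(reasons))
```

Two of the seven sample volumes come back clean (the U3 launcher and the plain `EXPLORER.EXE` handler); the other five are reported with the trait that gave them away. The point of reading the verbs separately is the last volume: its `AutoRun` is a harmless `E:\`, and only the `open` and `explore` handlers point at `RECYCLER\INFO.exe`, so a check that looks at `AutoRun` alone would miss it. Flagged entries are only evidence that a stick was infected when it was last plugged in; the stick itself still has to be cleaned, which is what the next reply asks for.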
random/random
2007-07-07, 17:34
also, is it okay if I post the other logs and do the next instructions tomorrow?
That's fine
Please download Flash_Disinfector.exe (http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe) by sUBs and save it to your desktop:
Double-click Flash_Disinfector.exe to run it.
Follow any prompts that may appear.
Wait until the program has finished scanning, then please exit the program.
The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.
Then rerun ComboFix and post the log, along with a new HijackThis log.
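The second ComboFix log posted after this step lists `C:\autorun.inf` as a directory with the `drahs` attribute string (directory, read-only, archive, hidden, system). That is the classic defence against removable-media worms: the worm has to create a file called `autorun.inf` in the volume root, and if a directory already occupies that name the create fails and the payload never gets registered. The block below is an added example of that idea written for this thread, not Flash_Disinfector's own code (the tool is closed and may do more); the attribute flags and the fake dropper are this example's assumptions. It applies the hidden/system/read-only attributes only on Windows and just creates the directory elsewhere, so the self-check runs anywhere.

```python
"""Pre-empt autorun.inf droppers by occupying the name with a directory.

Added example, reimplementing the general idea rather than Flash_Disinfector's
own (closed) code. A removable-media worm has to create a *file* called
autorun.inf in the volume root; if a directory of that name is already there,
the create fails and the payload never gets registered. The hidden/system/
read-only attributes are applied only on Windows; elsewhere just the directory is made.
"""
import os
import sys
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


def protect_volume(root):
    """Create <root>/autorun.inf as a directory and return its Path."""
    guard = Path(root) / "autorun.inf"
    if guard.is_file():
        # A file of that name is what a worm leaves behind: refuse, don't paper over it.
        raise FileExistsError(f"{guard} is a file; inspect and remove it first")
    guard.mkdir(exist_ok=True)
    if sys.platform == "win32":
        import ctypes
        attrs = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
        if not ctypes.windll.kernel32.SetFileAttributesW(str(guard), attrs):
            raise ctypes.WinError()
    return guard


def dropper_blocked(root):
    """Do what a worm does (write autorun.inf into the root); True if the write fails."""
    try:
        with open(Path(root) / "autorun.inf", "w") as fh:
            fh.write("[autorun]\nopen=RavMonE.exe e\n")  # constructed; mirrors a handler in the log
    except OSError:
        return True
    return False


def demo():
    """Run the fake dropper against an unguarded and then a guarded scratch root."""
    with tempfile.TemporaryDirectory() as scratch:
        unguarded = dropper_blocked(scratch)        # plain root: the write succeeds
        os.remove(Path(scratch) / "autorun.inf")    # operator removes what the worm dropped
        protect_volume(scratch)
        guarded = dropper_blocked(scratch)          # directory in the way: the write fails
    return unguarded, guarded


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(False, True)`: the fake dropper succeeds on a bare root and fails once the directory is in place. Treat this as a speed bump rather than a control: the attributes are not an ACL, so a worm running in the same user context can remove the directory first, and the real fixes are disabling AutoRun for removable drives and cleaning every stick that shows up in MountPoints2.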
Okay then... here are the logs:
ComboFix log:
"JUNE BENIDECT" - 2007-07-07 22:39:02 - ComboFix 07-07-07.3 - Service Pack 2
((((((((((((((((((((((((( Files Created from 2007-06-07 to 2007-07-07 )))))))))))))))))))))))))))))))
2007-07-07 22:37 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-07-07 22:37 <DIR> drahs---- C:\autorun.inf
2007-07-07 22:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-07 21:45 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-07 12:21 50,708 --a------ C:\WINDOWS\system32\wlevrmyw.exe
2007-07-06 10:14 50,708 --a------ C:\WINDOWS\system32\vmwarruq.exe
2007-07-06 08:51 53,760 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll
2007-07-06 08:50 <DIR> d-------- C:\Program Files\IVT Corporation
2007-07-06 08:14 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2007-07-06 08:14 59,648 --a------ C:\WINDOWS\system32\drivers\rfcomm.sys
2007-07-06 08:14 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2007-07-06 08:14 17,024 --a------ C:\WINDOWS\system32\drivers\BthEnum.sys
2007-07-06 08:14 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2007-07-06 08:14 100,992 --a------ C:\WINDOWS\system32\drivers\bthpan.sys
2007-07-06 08:13 274,304 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2007-07-06 08:13 18,944 --a------ C:\WINDOWS\system32\drivers\BTHUSB.SYS
2007-07-05 20:28 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\Comodo
2007-07-03 21:19 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-07-03 21:19 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-07-03 21:19 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-07-03 21:19 66,560 --a------ C:\WINDOWS\MOTA113.exe
2007-07-03 21:19 502,784 --a------ C:\WINDOWS\x2.64.exe
2007-07-03 21:19 471,552 --a------ C:\WINDOWS\system32\Smab.dll
2007-07-03 21:19 31,232 -rahs---- C:\WINDOWS\system32\msfDX.dll
2007-07-03 21:19 306,688 --a------ C:\WINDOWS\system32\avisynth.dll
2007-07-03 21:19 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2007-07-03 21:19 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2007-07-03 21:19 217,073 --a------ C:\WINDOWS\meta4.exe
2007-07-03 21:19 163,328 -rahs---- C:\WINDOWS\system32\flvDX.dll
2007-07-03 21:19 <DIR> d-------- C:\Program Files\eRightSoft
2007-07-03 21:19 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-06-29 20:10 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\AdobeUM
2007-06-29 10:57 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Comodo
2007-06-29 10:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-06-29 10:53 <DIR> d-------- C:\Program Files\Comodo
2007-06-28 23:04 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-06-27 12:47 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Ahead
2007-06-25 21:42 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-06-25 05:59 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\MEGAUPLOADTOOLBAR
2007-06-24 17:33 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-06-24 16:41 <DIR> d-------- C:\Program Files\DesuBuddy
2007-06-24 16:30 <DIR> d-------- C:\Program Files\MegauploadToolbar
2007-06-24 16:30 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\MegauploadToolbar
2007-06-24 16:14 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Azureus
2007-06-24 16:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-06-24 16:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-06-24 15:59 <DIR> d-------- C:\Program Files\Bonjour
2007-06-24 15:48 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-06-24 08:57 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-06-23 21:19 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Help
2007-06-23 18:58 <DIR> d-------- C:\Program Files\MSBuild
2007-06-23 18:54 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-06-23 18:53 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-06-23 18:52 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-06-23 17:17 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-06-23 17:01 86,016 --a------ C:\WINDOWS\system32\gigagetbho_v10.dll
2007-06-23 17:01 <DIR> d-------- C:\Program Files\Giganology
2007-06-23 16:59 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\Shared
2007-06-23 16:59 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\Incomplete
2007-06-23 16:58 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\LimeWire
2007-06-23 16:31 <DIR> d-------- C:\Program Files\AnalogX
2007-06-23 16:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-06-23 16:11 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-06-23 16:11 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-23 16:10 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-23 16:06 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-06-23 15:49 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-06-23 15:30 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2007-06-23 15:30 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2007-06-23 15:30 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-06-23 14:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-23 12:27 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-06-23 11:41 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\Yahoo!
2007-06-23 11:40 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\Google
2007-06-23 10:37 90,496 --a------ C:\WINDOWS\system32\drivers\Rtenicxp.sys
2007-06-23 10:37 <DIR> d-------- C:\Program Files\Realtek
2007-06-22 23:08 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Media Player Classic
2007-06-22 22:47 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Yahoo!
2007-06-22 22:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-22 21:35 109,568 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-06-22 21:35 108,544 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-06-22 21:35 <DIR> d-------- C:\Program Files\DivX
2007-06-22 21:34 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-06-22 21:34 630,784 --a------ C:\WINDOWS\system32\vp7vfw.dll
2007-06-22 21:34 6,144 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-06-22 21:34 540,178 --a------ C:\WINDOWS\system32\x264vfw.dll
2007-06-22 21:34 446,464 --a------ C:\WINDOWS\system32\vp31vfw.dll
2007-06-22 21:34 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-06-22 21:34 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-06-22 21:34 286,720 --a------ C:\WINDOWS\system32\3ivxVfWCodec.dll
2007-06-22 21:34 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2007-06-22 21:34 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-06-22 21:34 157,696 --a------ C:\WINDOWS\system32\unrar.dll
2007-06-22 21:34 1,415,680 --a------ C:\WINDOWS\system32\WMV9VCM.dll
2007-06-22 21:34 1,024,000 --a------ C:\WINDOWS\system32\3ivx.dll
2007-06-22 21:33 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-06-22 21:31 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-06-22 21:31 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-22 21:27 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-06-22 21:23 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 14:43:40 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2004-08-04 12:00:00 1,304,064 --sha-r C:\WINDOWS\system32\taskmgr1.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
2007-03-21 05:39 803864 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{111CAA23-6F4F-42AC-8555-B48C1D87BBAB}]
2006-01-09 15:01 86016 --a------ C:\WINDOWS\system32\gigagetbho_v10.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}]
2007-06-20 06:48 1936840 --a------ C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A263CF7-56A6-4D68-A8CF-345BE45BC911}]
2007-02-24 07:04 140840 --a------ C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-11-01 04:33 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-05-03 03:14 434279 --a------ C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
2006-04-17 13:32 323904 --a------ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-06-20 12:24 2403392 -ra------ c:\program files\google\googletoolbar1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-27 23:28 C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [2005-05-04 00:43 C:\WINDOWS\ALCMTR.EXE]
"Media Office"="C:\Program Files\Compal Electronics" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 13:50 C:\WINDOWS\AGRSMMSG.exe]
"Smart Watch Dog"="-C:\Program Files\Compal Electronics" []
"KTPWare"="C:\Program Files\Elantech\ktp.exe" [2006-03-29 01:36]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-02-28 14:25]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-02-28 14:25]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-02-28 14:29]
"CASS"="C:\Program Files\Compal Electronics" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-22 07:09]
"Gigaget"="C:\Program Files\Giganology\Gigaget\GigagetShell.exe" [2006-02-07 10:28]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-15 06:22]
"DesuBuddy"="C:\Program Files\DesuBuddy\DesuBuddy.exe" [2007-05-25 17:07]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-06-29 10:53]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 20:00 C:\WINDOWS\system32\bthprops.cpl]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-06-16 14:38]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc
bthsvcs BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1e-1ec1-11dc-a374-0019d232e170}]
AutoRun\command- E:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1f-1ec1-11dc-a374-0019d232e170}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ffdc91c-1e77-11dc-a373-0019d232e170}]
Auto\command- RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
Browser\command- RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b748aec-25fc-11dc-a3a2-0016d4a89b07}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe FS6519.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56b83a91-1ecf-11dc-a375-0019d232e170}]
Auto\command- sxs.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f2f61c7-22a7-11dc-a38d-0016d4a89b07}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb437a33-29fc-11dc-a3b2-0016d4a89b07}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd336402-2b54-11dc-a3b8-0016d4a89b07}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe FS6519.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf19f2aa-2438-11dc-a394-0016d4a89b07}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9168117-2a8d-11dc-a3b4-0016d4a89b07}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe FS6519.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9168122-2a8d-11dc-a3b4-0016d4a89b07}]
AutoRun\command- New Folder.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f525ca78-2477-11dc-a396-0016d4a89b07}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f525ca79-2477-11dc-a396-0016d4a89b07}]
AutoRun\command- RootFolder.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f525ca7d-2477-11dc-a396-0016d4a89b07}]
AutoRun\command- E:\
explore\Command- RECYCLER\INFO.exe
open\Command- RECYCLER\INFO.exe
*Newly Created Service* - CATCHME
Contents of the 'Scheduled Tasks' folder
2007-07-07 14:37:00 C:\WINDOWS\tasks\Symantec NetDetect.job
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-07 22:41:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-07 22:42:20
C:\ComboFix-quarantined-files.txt ... 2007-07-07 22:42
C:\ComboFix2.txt ... 2007-07-07 22:17
--- E O F ---
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 10:45:41 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Compal Electronics, INC\Smart Watchdog\SWDsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Compal Electronics, INC\MediaOffice\MediaOffice.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Elantech\ktp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DesuBuddy\DesuBuddy.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Giganology\Gigaget\Gigaget.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\JUNE BENIDECT\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad.dlsu.edu.ph/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Media Office] C:\Program Files\Compal Electronics, INC\MediaOffice\MediaOffice.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Smart Watch Dog] -C:\Program Files\Compal Electronics, INC\Smart Watchdog\SmartWD.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [CASS] C:\Program Files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Gigaget] "C:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DesuBuddy] C:\Program Files\DesuBuddy\DesuBuddy.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182483029468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182482710750
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{263A94E7-891B-42D3-B9BE-D3CC299A14EF}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Smart Watchdog Service (Smart Watchdog) - Unknown owner - C:\Program Files\Compal Electronics, INC\Smart Watchdog\SWDsvc.exe
Also, ComboFix didn't restart the PC after the scan. Is that normal?
random/random
2007-07-07, 17:54
Open a new Notepad window (Start > All Programs > Accessories > Notepad).
Highlight the contents of the codebox below and then press Ctrl+C to copy it to the clipboard:
File::
C:\WINDOWS\system32\wlevrmyw.exe
C:\WINDOWS\system32\vmwarruq.exe
C:\WINDOWS\system32\taskmgr1.exe
C:\WINDOWS\system32\EXPLORER.EXE
C:\WINDOWS\system32\FS6519.dll.vbs
C:\WINDOWS\system32\RavMonE.exe
C:\WINDOWS\system32\RootFolder.com
E:\RECYCLER\INFO.exe
C:\RECYCLER\INFO.exe
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ffdc91c-1e77-11dc-a373-0019d232e170}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b748aec-25fc-11dc-a3a2-0016d4a89b07}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56b83a91-1ecf-11dc-a375-0019d232e170}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f2f61c7-22a7-11dc-a38d-0016d4a89b07}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb437a33-29fc-11dc-a3b2-0016d4a89b07}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd336402-2b54-11dc-a3b8-0016d4a89b07}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf19f2aa-2438-11dc-a394-0016d4a89b07}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9168117-2a8d-11dc-a3b4-0016d4a89b07}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9168122-2a8d-11dc-a3b4-0016d4a89b07}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f525ca78-2477-11dc-a396-0016d4a89b07}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f525ca79-2477-11dc-a396-0016d4a89b07}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f525ca7d-2477-11dc-a396-0016d4a89b07}]
Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit > Paste.
Save it to the desktop as ComboFix-Do.txt.
Now drag and drop ComboFix-Do.txt onto combofix.exe as in the picture below and follow the prompts:
http://img.photobucket.com/albums/v666/sUBs/Combo-Do.gif
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
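The mountpoints2 entries in the ComboFix logs above (AutoRun, open and explore commands pointing at RECYCLER\INFO.exe, RootFolder.com and a stray EXPLORER.EXE) are Explorer's per-volume cache of autorun.inf handlers for removable drives: the open and explore overrides mean that double-clicking or right-click > Explore on the drive launches the file, which is why the helper's Registry:: block deletes the whole keys. The following is an added Python example, not code from this thread or from the ComboFix or HijackThis authors. It parses a constructed log fragment in the same format (placeholder GUIDs, command values of the kinds seen in the posted logs), scores each cached verb the way a responder would triage it, and emits a Registry:: deletion block in the CFScript syntax shown above. The scoring rules are this example's own heuristics, not ComboFix's.

```python
"""Audit the mountpoints2 section of a ComboFix-style log for autorun hijacks.

Added example, not part of the thread or of ComboFix/HijackThis.
"""
import ntpath
import re

# Constructed sample modelled on the thread's logs. The GUIDs are placeholders;
# the command values are the kinds of entries that appear in the posted logs.
SAMPLE_LOG = """\
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{11111111-1111-1111-1111-111111111111}]
AutoRun\\command- E:\\LaunchU3.exe
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{22222222-2222-2222-2222-222222222222}]
AutoRun\\command- RootFolder.com
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{33333333-3333-3333-3333-333333333333}]
AutoRun\\command- E:\\
explore\\Command- RECYCLER\\INFO.exe
open\\Command- RECYCLER\\INFO.exe
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{44444444-4444-4444-4444-444444444444}]
AutoRun\\command- EXPLORER.EXE
explore\\Command- EXPLORER.EXE
open\\Command- EXPLORER.EXE
*Newly Created Service* - CATCHME
"""

# "[HKEY_CURRENT_USER\...\mountpoints2\{guid}]" header of one cached volume
KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*?\\mountpoints2\\\{[0-9a-f-]{36}\})\]$", re.I)
# "AutoRun\command- <value>" style lines that ComboFix prints under the key
VERB_RE = re.compile(r"^([A-Za-z]+\\[A-Za-z]+)- (.*)$")

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def classify_command(verb: str, value: str) -> list:
    """Return (severity, reason) findings for one cached shell verb (heuristics of this example)."""
    value = value.strip()
    drive, rest = ntpath.splitdrive(value)
    name = ntpath.basename(rest)
    ext = ntpath.splitext(name)[1].lower()
    findings = []
    if not name:
        return findings  # e.g. "E:\" : a bare drive root launches nothing
    low = value.lower()
    if "recycler\\" in low or "recycled\\" in low:
        findings.append(("high", "executable placed inside a Recycle Bin folder"))
    if not drive and not rest.startswith("\\"):
        findings.append(("high", "relative path: resolved against the root of whatever volume is inserted"))
    if ext == ".com":
        findings.append(("high", "DOS-style .com executable, a name commonly chosen to look like a folder"))
    if name.lower() == "explorer.exe" and not low.startswith("c:\\windows\\explorer.exe"):
        findings.append(("high", "impersonates the Windows shell binary outside C:\\WINDOWS"))
    if verb.lower().startswith(("open\\", "explore\\")):
        findings.append(("medium", f"{verb} override: opening or exploring the drive runs this file"))
    if not findings:
        findings.append(("low", "absolute-path AutoRun launcher; confirm the vendor (U3 drives look like this)"))
    return findings


def audit_mountpoints(log_text: str) -> dict:
    """Parse the mountpoints2 blocks of a ComboFix-style log into a per-key report."""
    report = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            report[current] = {"severity": "none", "findings": []}
            continue
        if current is None:
            continue
        verb_match = VERB_RE.match(line)
        if not verb_match:
            current = None  # a blank line or the next section ends the block
            continue
        verb, value = verb_match.groups()
        entry = report[current]
        for severity, reason in classify_command(verb, value):
            entry["findings"].append((verb, value, severity, reason))
            if SEVERITY_RANK[severity] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = severity
    return report


def cfscript_registry_section(report: dict, min_severity: str = "high") -> str:
    """Emit a 'Registry::' block in the CFScript syntax used in the thread.

    As in .reg files, a leading '-' inside the brackets marks the key for deletion.
    """
    threshold = SEVERITY_RANK[min_severity]
    lines = ["Registry::"]
    for key, entry in report.items():
        if SEVERITY_RANK[entry["severity"]] >= threshold:
            lines.append(f"[-{key}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    report = audit_mountpoints(SAMPLE_LOG)
    for key, entry in report.items():
        print(f"{key.rsplit(chr(92), 1)[-1]}  severity={entry['severity']}")
        for verb, value, severity, reason in entry["findings"]:
            print(f"    [{severity:6}] {verb} = {value!r}: {reason}")
    print(cfscript_registry_section(report))
```

Run as a script it prints one line per cached volume with its findings, then the Registry:: block listing only the high-severity keys; the U3 launcher entry stays at "low" and is left for a human to confirm rather than deleted automatically. Removing the key only clears the cached handler; the autorun.inf and the executable on the removable drive itself still have to be dealt with, which is what the File:: section of the helper's script does.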
Here are the logs.
ComboFix log:
"JUNE BENIDECT" - 2007-07-07 23:04:20 - ComboFix 07-07-07.3 - Service Pack 2
Command switches used :: C:\Documents and Settings\JUNE BENIDECT\Desktop\ComboFix-Do.txt
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\taskmgr1.exe
C:\WINDOWS\system32\vmwarruq.exe
C:\WINDOWS\system32\wlevrmyw.exe
((((((((((((((((((((((((( Files Created from 2007-06-07 to 2007-07-07 )))))))))))))))))))))))))))))))
2007-07-07 22:37 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-07-07 22:37 <DIR> drahs---- C:\autorun.inf
2007-07-07 22:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-07 21:45 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-06 08:51 53,760 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll
2007-07-06 08:50 <DIR> d-------- C:\Program Files\IVT Corporation
2007-07-06 08:14 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2007-07-06 08:14 59,648 --a------ C:\WINDOWS\system32\drivers\rfcomm.sys
2007-07-06 08:14 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2007-07-06 08:14 17,024 --a------ C:\WINDOWS\system32\drivers\BthEnum.sys
2007-07-06 08:14 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2007-07-06 08:14 100,992 --a------ C:\WINDOWS\system32\drivers\bthpan.sys
2007-07-06 08:13 274,304 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2007-07-06 08:13 18,944 --a------ C:\WINDOWS\system32\drivers\BTHUSB.SYS
2007-07-05 20:28 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\Comodo
2007-07-03 21:19 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-07-03 21:19 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-07-03 21:19 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-07-03 21:19 66,560 --a------ C:\WINDOWS\MOTA113.exe
2007-07-03 21:19 502,784 --a------ C:\WINDOWS\x2.64.exe
2007-07-03 21:19 471,552 --a------ C:\WINDOWS\system32\Smab.dll
2007-07-03 21:19 31,232 -rahs---- C:\WINDOWS\system32\msfDX.dll
2007-07-03 21:19 306,688 --a------ C:\WINDOWS\system32\avisynth.dll
2007-07-03 21:19 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2007-07-03 21:19 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2007-07-03 21:19 217,073 --a------ C:\WINDOWS\meta4.exe
2007-07-03 21:19 163,328 -rahs---- C:\WINDOWS\system32\flvDX.dll
2007-07-03 21:19 <DIR> d-------- C:\Program Files\eRightSoft
2007-07-03 21:19 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-06-29 20:10 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\AdobeUM
2007-06-29 10:57 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Comodo
2007-06-29 10:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-06-29 10:53 <DIR> d-------- C:\Program Files\Comodo
2007-06-28 23:04 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-06-27 12:47 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Ahead
2007-06-25 21:42 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-06-25 05:59 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\MEGAUPLOADTOOLBAR
2007-06-24 17:33 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-06-24 16:41 <DIR> d-------- C:\Program Files\DesuBuddy
2007-06-24 16:30 <DIR> d-------- C:\Program Files\MegauploadToolbar
2007-06-24 16:30 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\MegauploadToolbar
2007-06-24 16:14 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Azureus
2007-06-24 16:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-06-24 16:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-06-24 15:59 <DIR> d-------- C:\Program Files\Bonjour
2007-06-24 15:48 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-06-24 08:57 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-06-23 21:19 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Help
2007-06-23 18:58 <DIR> d-------- C:\Program Files\MSBuild
2007-06-23 18:54 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-06-23 18:53 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-06-23 18:52 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-06-23 17:17 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-06-23 17:01 86,016 --a------ C:\WINDOWS\system32\gigagetbho_v10.dll
2007-06-23 17:01 <DIR> d-------- C:\Program Files\Giganology
2007-06-23 16:59 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\Shared
2007-06-23 16:59 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\Incomplete
2007-06-23 16:58 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\LimeWire
2007-06-23 16:31 <DIR> d-------- C:\Program Files\AnalogX
2007-06-23 16:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-06-23 16:11 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-06-23 16:11 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-23 16:10 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-23 16:06 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-06-23 15:49 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-06-23 15:30 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2007-06-23 15:30 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2007-06-23 15:30 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-06-23 14:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-23 12:27 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-06-23 11:41 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\Yahoo!
2007-06-23 11:40 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\Google
2007-06-23 10:37 90,496 --a------ C:\WINDOWS\system32\drivers\Rtenicxp.sys
2007-06-23 10:37 <DIR> d-------- C:\Program Files\Realtek
2007-06-22 23:08 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Media Player Classic
2007-06-22 22:47 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Yahoo!
2007-06-22 22:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-22 21:35 109,568 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-06-22 21:35 108,544 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-06-22 21:35 <DIR> d-------- C:\Program Files\DivX
2007-06-22 21:34 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-06-22 21:34 630,784 --a------ C:\WINDOWS\system32\vp7vfw.dll
2007-06-22 21:34 6,144 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-06-22 21:34 540,178 --a------ C:\WINDOWS\system32\x264vfw.dll
2007-06-22 21:34 446,464 --a------ C:\WINDOWS\system32\vp31vfw.dll
2007-06-22 21:34 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-06-22 21:34 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-06-22 21:34 286,720 --a------ C:\WINDOWS\system32\3ivxVfWCodec.dll
2007-06-22 21:34 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2007-06-22 21:34 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-06-22 21:34 157,696 --a------ C:\WINDOWS\system32\unrar.dll
2007-06-22 21:34 1,415,680 --a------ C:\WINDOWS\system32\WMV9VCM.dll
2007-06-22 21:34 1,024,000 --a------ C:\WINDOWS\system32\3ivx.dll
2007-06-22 21:33 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-06-22 21:31 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-06-22 21:31 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-22 21:27 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-06-22 21:23 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-06-22 21:23 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-06-22 21:21 <DIR> d-------- C:\WINDOWS\system32\LogFiles
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 14:43:40 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
2007-03-21 05:39 803864 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{111CAA23-6F4F-42AC-8555-B48C1D87BBAB}]
2006-01-09 15:01 86016 --a------ C:\WINDOWS\system32\gigagetbho_v10.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}]
2007-06-20 06:48 1936840 --a------ C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A263CF7-56A6-4D68-A8CF-345BE45BC911}]
2007-02-24 07:04 140840 --a------ C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-11-01 04:33 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-05-03 03:14 434279 --a------ C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
2006-04-17 13:32 323904 --a------ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-06-20 12:24 2403392 -ra------ c:\program files\google\googletoolbar1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-27 23:28 C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [2005-05-04 00:43 C:\WINDOWS\ALCMTR.EXE]
"Media Office"="C:\Program Files\Compal Electronics" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 13:50 C:\WINDOWS\AGRSMMSG.exe]
"Smart Watch Dog"="-C:\Program Files\Compal Electronics" []
"KTPWare"="C:\Program Files\Elantech\ktp.exe" [2006-03-29 01:36]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-02-28 14:25]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-02-28 14:25]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-02-28 14:29]
"CASS"="C:\Program Files\Compal Electronics" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-22 07:09]
"Gigaget"="C:\Program Files\Giganology\Gigaget\GigagetShell.exe" [2006-02-07 10:28]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-15 06:22]
"DesuBuddy"="C:\Program Files\DesuBuddy\DesuBuddy.exe" [2007-05-25 17:07]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-06-29 10:53]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 20:00 C:\WINDOWS\system32\bthprops.cpl]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-06-16 14:38]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc
bthsvcs BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1e-1ec1-11dc-a374-0019d232e170}]
AutoRun\command- E:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1f-1ec1-11dc-a374-0019d232e170}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE
*Newly Created Service* - CATCHME
Contents of the 'Scheduled Tasks' folder
2007-07-07 15:02:00 C:\WINDOWS\tasks\Symantec NetDetect.job
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-07 23:06:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-07 23:06:38
C:\ComboFix-quarantined-files.txt ... 2007-07-07 23:06
C:\ComboFix2.txt ... 2007-07-07 22:42
C:\ComboFix3.txt ... 2007-07-07 22:17
--- E O F ---
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:07:28 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Compal Electronics, INC\Smart Watchdog\SWDsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Compal Electronics, INC\MediaOffice\MediaOffice.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Elantech\ktp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DesuBuddy\DesuBuddy.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Giganology\Gigaget\Gigaget.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\JUNE BENIDECT\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad.dlsu.edu.ph/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Media Office] C:\Program Files\Compal Electronics, INC\MediaOffice\MediaOffice.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Smart Watch Dog] -C:\Program Files\Compal Electronics, INC\Smart Watchdog\SmartWD.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [CASS] C:\Program Files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Gigaget] "C:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DesuBuddy] C:\Program Files\DesuBuddy\DesuBuddy.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182483029468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182482710750
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{263A94E7-891B-42D3-B9BE-D3CC299A14EF}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Smart Watchdog Service (Smart Watchdog) - Unknown owner - C:\Program Files\Compal Electronics, INC\Smart Watchdog\SWDsvc.exe
random/random
2007-07-07, 18:21
Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is turned off.
regedit /e reglook.txt "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1e-1ec1-11dc-a374-0019d232e170}"
notepad.exe reglook.txt
Save it to your Desktop as search.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: search.bat
Locate search.bat on your Desktop and double-click it. A DOS window will open briefly and then close; this is normal.
Once it has finished, a notepad window will open, copy and paste its contents as a reply to this topic
here's the contents
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1e-1ec1-11dc-a374-0019d232e170}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,01,00,01,00,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,20,00,00,00,09,00,00,00
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1e-1ec1-11dc-a374-0019d232e170}\Shell]
@="AutoRun"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1e-1ec1-11dc-a374-0019d232e170}\Shell\AutoRun]
@="Auto&Play"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1e-1ec1-11dc-a374-0019d232e170}\Shell\AutoRun\command]
@="E:\\LaunchU3.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1e-1ec1-11dc-a374-0019d232e170}\_Autorun]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1e-1ec1-11dc-a374-0019d232e170}\_Autorun\DefaultIcon]
@="E:\\LaunchU3.exe,0"
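The export above is the plain-text format `regedit /e` produces: a header line, `[KEY]` section headers, `@` for a key's default value, `"name"=` for named values, and `hex:` binary data continued across lines with a trailing backslash. What matters for a MountPoints2 entry is the default value of `Shell\AutoRun\command`, because that is what Explorer runs when the device with that GUID is plugged in and AutoPlay fires. The following is an added example, not part of the thread or of any tool discussed in it; it parses such an export offline and reports the AutoRun command per device GUID. The sample export embedded in it is constructed from the values posted above (with the `_AutorunStatus` blob shortened); `parse_reg_export`, `autorun_commands` and `load_reg_export` are names chosen here. It assumes the export is already text; a real `regedit /e` file on XP is UTF-16LE with a BOM, which `load_reg_export` handles.

```python
"""Parse a `regedit /e` export and list the AutoRun command each
MountPoints2 device GUID would launch.  Added example; not from the thread.
"""
import re
from typing import Dict, Optional

# Constructed sample mirroring the MountPoints2 export posted in the thread
# (hex blob shortened).  Backslash-newline inside the raw string is kept
# literally, exactly as regedit writes continued hex lines.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1e-1ec1-11dc-a374-0019d232e170}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,\
  ff,ff,ff,ff,00,20,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1e-1ec1-11dc-a374-0019d232e170}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1e-1ec1-11dc-a374-0019d232e170}\Shell\AutoRun\command]
@="E:\\LaunchU3.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1e-1ec1-11dc-a374-0019d232e170}\_Autorun\DefaultIcon]
@="E:\\LaunchU3.exe,0"
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
# `@=...` is the default value; `"name"=...` a named value (quotes escaped with \).
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
MOUNTPOINTS2 = "explorer\\mountpoints2\\"


def _unescape(s: str) -> str:
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(raw: str) -> object:
    """Decode REG_SZ, REG_DWORD and hex/hex(N) data; keep anything else verbatim."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\(\d+\))?:(.*)$", raw)
    if m:
        return bytes(int(b, 16) for b in m.group(1).split(",") if b)
    return raw


def parse_reg_export(text: str) -> Dict[str, Optional[Dict[str, object]]]:
    """Return {key_path: {value_name: value}}; a [-KEY] delete entry maps to None."""
    keys: Dict[str, Optional[Dict[str, object]]] = {}
    current: Optional[Dict[str, object]] = None
    lines = text.lstrip("\ufeff").splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            if km.group(1) == "-":
                keys[km.group(2)] = None
                current = None
            else:
                current = keys.setdefault(km.group(2), {})
            continue
        if current is None:
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name = "@" if vm.group(1) is None else _unescape(vm.group(1))
        raw = vm.group(2)
        # regedit continues long hex data on indented lines ending with a backslash.
        while raw.endswith("\\") and i < len(lines):
            raw = raw[:-1] + lines[i].strip()
            i += 1
        current[name] = _decode_value(raw)
    return keys


def autorun_commands(keys: Dict[str, Optional[Dict[str, object]]]) -> Dict[str, str]:
    """Map each MountPoints2 device GUID to the command AutoPlay would run for it."""
    out: Dict[str, str] = {}
    for path, values in keys.items():
        if values is None:
            continue
        low = path.lower()
        idx = low.find(MOUNTPOINTS2)
        if idx < 0 or not low.endswith("\\shell\\autorun\\command"):
            continue
        guid = path[idx + len(MOUNTPOINTS2):].split("\\", 1)[0]
        cmd = values.get("@")
        if isinstance(cmd, str):
            out[guid] = cmd
    return out


def load_reg_export(path: str) -> str:
    """Read a regedit /e file; regedit writes UTF-16LE with a BOM on XP."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    for guid, cmd in autorun_commands(parse_reg_export(SAMPLE_REG)).items():
        print(f"{guid}  ->  {cmd}")
```

Run against `reglook.txt` with `load_reg_export` instead of the sample. A command pointing at the root of the removable drive letter, as here, is the normal shape; one pointing into a temp or system directory on the fixed disk is the thing to look at more closely.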
random/random
2007-07-07, 18:35
Open a new notepad window (Start>All programs>accessories>notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1f-1ec1-11dc-a374-0019d232e170}]
Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as ComboFix-Do.txt
Now drag and drop ComboFix-Do.txt onto combofix.exe as in the picture below and follow the prompts:
http://img.photobucket.com/albums/v666/sUBs/Combo-Do.gif
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
here are the logs:
ComboFix log:
"JUNE BENIDECT" - 2007-07-07 23:38:16 - ComboFix 07-07-07.3 - Service Pack 2
Command switches used :: C:\Documents and Settings\JUNE BENIDECT\Desktop\ComboFix-Do.txt
((((((((((((((((((((((((( Files Created from 2007-06-07 to 2007-07-07 )))))))))))))))))))))))))))))))
2007-07-07 22:37 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-07-07 22:37 <DIR> drahs---- C:\autorun.inf
2007-07-07 22:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-07 21:45 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-06 08:51 53,760 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll
2007-07-06 08:50 <DIR> d-------- C:\Program Files\IVT Corporation
2007-07-06 08:14 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2007-07-06 08:14 59,648 --a------ C:\WINDOWS\system32\drivers\rfcomm.sys
2007-07-06 08:14 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2007-07-06 08:14 17,024 --a------ C:\WINDOWS\system32\drivers\BthEnum.sys
2007-07-06 08:14 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2007-07-06 08:14 100,992 --a------ C:\WINDOWS\system32\drivers\bthpan.sys
2007-07-06 08:13 274,304 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2007-07-06 08:13 18,944 --a------ C:\WINDOWS\system32\drivers\BTHUSB.SYS
2007-07-05 20:28 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\Comodo
2007-07-03 21:19 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-07-03 21:19 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-07-03 21:19 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-07-03 21:19 66,560 --a------ C:\WINDOWS\MOTA113.exe
2007-07-03 21:19 502,784 --a------ C:\WINDOWS\x2.64.exe
2007-07-03 21:19 471,552 --a------ C:\WINDOWS\system32\Smab.dll
2007-07-03 21:19 31,232 -rahs---- C:\WINDOWS\system32\msfDX.dll
2007-07-03 21:19 306,688 --a------ C:\WINDOWS\system32\avisynth.dll
2007-07-03 21:19 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2007-07-03 21:19 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2007-07-03 21:19 217,073 --a------ C:\WINDOWS\meta4.exe
2007-07-03 21:19 163,328 -rahs---- C:\WINDOWS\system32\flvDX.dll
2007-07-03 21:19 <DIR> d-------- C:\Program Files\eRightSoft
2007-07-03 21:19 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-06-29 20:10 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\AdobeUM
2007-06-29 10:57 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Comodo
2007-06-29 10:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-06-29 10:53 <DIR> d-------- C:\Program Files\Comodo
2007-06-28 23:04 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-06-27 12:47 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Ahead
2007-06-25 21:42 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-06-25 05:59 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\MEGAUPLOADTOOLBAR
2007-06-24 17:33 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-06-24 16:41 <DIR> d-------- C:\Program Files\DesuBuddy
2007-06-24 16:30 <DIR> d-------- C:\Program Files\MegauploadToolbar
2007-06-24 16:30 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\MegauploadToolbar
2007-06-24 16:14 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Azureus
2007-06-24 16:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-06-24 16:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-06-24 15:59 <DIR> d-------- C:\Program Files\Bonjour
2007-06-24 15:48 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-06-24 08:57 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-06-23 21:19 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Help
2007-06-23 18:58 <DIR> d-------- C:\Program Files\MSBuild
2007-06-23 18:54 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-06-23 18:53 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-06-23 18:52 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-06-23 17:17 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-06-23 17:01 86,016 --a------ C:\WINDOWS\system32\gigagetbho_v10.dll
2007-06-23 17:01 <DIR> d-------- C:\Program Files\Giganology
2007-06-23 16:59 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\Shared
2007-06-23 16:59 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\Incomplete
2007-06-23 16:58 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\LimeWire
2007-06-23 16:31 <DIR> d-------- C:\Program Files\AnalogX
2007-06-23 16:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-06-23 16:11 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-06-23 16:11 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-23 16:10 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-23 16:06 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-06-23 15:49 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-06-23 15:30 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2007-06-23 15:30 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2007-06-23 15:30 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-06-23 14:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-23 12:27 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-06-23 11:41 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\Yahoo!
2007-06-23 11:40 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\Google
2007-06-23 10:37 90,496 --a------ C:\WINDOWS\system32\drivers\Rtenicxp.sys
2007-06-23 10:37 <DIR> d-------- C:\Program Files\Realtek
2007-06-22 23:08 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Media Player Classic
2007-06-22 22:47 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Yahoo!
2007-06-22 22:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-22 21:35 109,568 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-06-22 21:35 108,544 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-06-22 21:35 <DIR> d-------- C:\Program Files\DivX
2007-06-22 21:34 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-06-22 21:34 630,784 --a------ C:\WINDOWS\system32\vp7vfw.dll
2007-06-22 21:34 6,144 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-06-22 21:34 540,178 --a------ C:\WINDOWS\system32\x264vfw.dll
2007-06-22 21:34 446,464 --a------ C:\WINDOWS\system32\vp31vfw.dll
2007-06-22 21:34 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-06-22 21:34 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-06-22 21:34 286,720 --a------ C:\WINDOWS\system32\3ivxVfWCodec.dll
2007-06-22 21:34 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2007-06-22 21:34 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-06-22 21:34 157,696 --a------ C:\WINDOWS\system32\unrar.dll
2007-06-22 21:34 1,415,680 --a------ C:\WINDOWS\system32\WMV9VCM.dll
2007-06-22 21:34 1,024,000 --a------ C:\WINDOWS\system32\3ivx.dll
2007-06-22 21:33 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-06-22 21:31 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-06-22 21:31 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-22 21:27 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-06-22 21:23 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-06-22 21:23 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-06-22 21:21 <DIR> d-------- C:\WINDOWS\system32\LogFiles
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 14:43:40 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
2007-03-21 05:39 803864 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{111CAA23-6F4F-42AC-8555-B48C1D87BBAB}]
2006-01-09 15:01 86016 --a------ C:\WINDOWS\system32\gigagetbho_v10.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}]
2007-06-20 06:48 1936840 --a------ C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A263CF7-56A6-4D68-A8CF-345BE45BC911}]
2007-02-24 07:04 140840 --a------ C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-11-01 04:33 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-05-03 03:14 434279 --a------ C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
2006-04-17 13:32 323904 --a------ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-06-20 12:24 2403392 -ra------ c:\program files\google\googletoolbar1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-27 23:28 C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [2005-05-04 00:43 C:\WINDOWS\ALCMTR.EXE]
"Media Office"="C:\Program Files\Compal Electronics" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 13:50 C:\WINDOWS\AGRSMMSG.exe]
"Smart Watch Dog"="-C:\Program Files\Compal Electronics" []
"KTPWare"="C:\Program Files\Elantech\ktp.exe" [2006-03-29 01:36]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-02-28 14:25]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-02-28 14:25]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-02-28 14:29]
"CASS"="C:\Program Files\Compal Electronics" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-22 07:09]
"Gigaget"="C:\Program Files\Giganology\Gigaget\GigagetShell.exe" [2006-02-07 10:28]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-15 06:22]
"DesuBuddy"="C:\Program Files\DesuBuddy\DesuBuddy.exe" [2007-05-25 17:07]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-06-29 10:53]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 20:00 C:\WINDOWS\system32\bthprops.cpl]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-06-16 14:38]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc
bthsvcs BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1e-1ec1-11dc-a374-0019d232e170}]
AutoRun\command- E:\LaunchU3.exe
*Newly Created Service* - CATCHME
Contents of the 'Scheduled Tasks' folder
2007-07-07 15:37:00 C:\WINDOWS\tasks\Symantec NetDetect.job
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-07 23:40:16
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-07 23:41:01
C:\ComboFix-quarantined-files.txt ... 2007-07-07 23:40
C:\ComboFix2.txt ... 2007-07-07 23:06
C:\ComboFix3.txt ... 2007-07-07 22:42
--- E O F ---
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:41:38 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Compal Electronics, INC\Smart Watchdog\SWDsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Compal Electronics, INC\MediaOffice\MediaOffice.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Elantech\ktp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DesuBuddy\DesuBuddy.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Giganology\Gigaget\Gigaget.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\JUNE BENIDECT\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad.dlsu.edu.ph/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Media Office] C:\Program Files\Compal Electronics, INC\MediaOffice\MediaOffice.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Smart Watch Dog] -C:\Program Files\Compal Electronics, INC\Smart Watchdog\SmartWD.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [CASS] C:\Program Files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Gigaget] "C:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DesuBuddy] C:\Program Files\DesuBuddy\DesuBuddy.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182483029468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182482710750
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{263A94E7-891B-42D3-B9BE-D3CC299A14EF}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Smart Watchdog Service (Smart Watchdog) - Unknown owner - C:\Program Files\Compal Electronics, INC\Smart Watchdog\SWDsvc.exe
random/random
2007-07-07, 18:51
Looks like you're nearly clean
Go here (http://www.kaspersky.com/virusscanner) to run an online scanner from Kaspersky.
Click on "Kaspersky Online Scanner"
A new smaller window will pop up. After reading the contents, press "Accept".
Now Kaspersky will update the anti-virus database. Let it run.
Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
Then click on "My Computer", and the scan will start.
Once finished, save the log as "KAV.txt" to the desktop.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
Post back with the Kaspersky log and a new HijackThis log
Also, do you recognize this?
O4 - HKLM\..\Run: [DesuBuddy] C:\Program Files\DesuBuddy\DesuBuddy.exe
oh that's just the desktop buddy I installed a couple of weeks ago... Scanned it several times before, I see no problem there...
I'll just post the log after the scan finishes... It just started, so I think it might take a while...
sorry for the delay... here are the logs:
Kaspersky Online Scan Log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, July 08, 2007 1:11:35 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 7/07/2007
Kaspersky Anti-Virus database records: 359412
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 64932
Number of viruses found: 8
Number of infected objects: 60 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:49:34
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Application Data\Mozilla\Firefox\Profiles\kddrip2a.default\cert8.db Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Application Data\Mozilla\Firefox\Profiles\kddrip2a.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Application Data\Mozilla\Firefox\Profiles\kddrip2a.default\history.dat Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Application Data\Mozilla\Firefox\Profiles\kddrip2a.default\key3.db Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Application Data\Mozilla\Firefox\Profiles\kddrip2a.default\parent.lock Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Application Data\Mozilla\Firefox\Profiles\kddrip2a.default\search.sqlite Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Application Data\Mozilla\Firefox\Profiles\kddrip2a.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Desktop\installers\mirc617.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\Documents and Settings\JUNE BENIDECT\Desktop\installers\mirc617.exe mIRC: infected - 1 skipped
C:\Documents and Settings\JUNE BENIDECT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Local Settings\Application Data\Mozilla\Firefox\Profiles\kddrip2a.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Local Settings\Application Data\Mozilla\Firefox\Profiles\kddrip2a.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Local Settings\Application Data\Mozilla\Firefox\Profiles\kddrip2a.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Local Settings\Application Data\Mozilla\Firefox\Profiles\kddrip2a.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Local Settings\History\History.IE5\MSHist012007070720070708\index.dat Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Local Settings\Temp\~DF26C3.tmp Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Local Settings\Temp\~DF5C5B.tmp Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Local Settings\Temp\~DFBCD.tmp Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\ntuser.dat Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Giganology\Gigaget\gigaget.log Object is locked skipped
C:\Program Files\Giganology\Gigaget\Update.log Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\QooBox\Quarantine\C\WINDOWS\RavMonE.exe.vir Infected: Worm.Win32.RJump.b skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dyyblqmf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\efccdbb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fomkdyem.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\irlowpbg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ktbkrbwk.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ktbwqykc.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pniwtcuk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rqrqoon.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\seylchiv.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\teakkskt.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vmwarruq.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vtsqn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wlevrmyw.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xfmdrvjy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xsssrnka.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP17\A0000869.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP17\A0000974.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP17\A0000974.exe mIRC: infected - 1 skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP32\A0001917.dll Object is locked skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP32\A0001919.DLL Object is locked skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP32\A0001920.dll Object is locked skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP32\A0001923.dll Object is locked skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP32\A0001924.dll Object is locked skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP40\A0004659.exe Infected: Backdoor.Win32.Rbot.bll skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP40\A0004660.exe Infected: Backdoor.Win32.Rbot.bll skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP41\A0005160.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP41\A0005161.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP41\A0005172.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP42\A0005316.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP42\A0005317.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP43\A0005366.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP43\A0005567.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP43\A0005614.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP43\A0005802.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP43\A0005891.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP43\A0005946.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP44\A0006003.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP44\A0006056.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP44\A0006057.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP44\A0006058.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP44\A0006060.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP44\A0006061.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006262.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006305.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006306.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006324.exe Object is locked skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006325.exe Object is locked skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006370.exe Infected: Worm.Win32.RJump.b skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006371.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006372.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006373.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006374.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006375.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006376.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006377.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006378.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006379.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006380.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006381.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006388.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006389.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006462.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006463.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 1:12:00 AM, on 7/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Compal Electronics, INC\Smart Watchdog\SWDsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Compal Electronics, INC\MediaOffice\MediaOffice.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Elantech\ktp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DesuBuddy\DesuBuddy.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Giganology\Gigaget\Gigaget.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JUNE BENIDECT\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad.dlsu.edu.ph/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Media Office] C:\Program Files\Compal Electronics, INC\MediaOffice\MediaOffice.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Smart Watch Dog] -C:\Program Files\Compal Electronics, INC\Smart Watchdog\SmartWD.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [CASS] C:\Program Files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Gigaget] "C:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DesuBuddy] C:\Program Files\DesuBuddy\DesuBuddy.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182483029468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182482710750
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{263A94E7-891B-42D3-B9BE-D3CC299A14EF}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Smart Watchdog Service (Smart Watchdog) - Unknown owner - C:\Program Files\Compal Electronics, INC\Smart Watchdog\SWDsvc.exe
What should I do now? Must I delete all restore points, or use an anti-virus for this?
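Added example, not part of the original thread: a Python triage script over the Kaspersky report format posted above. Reading the report by hand, every malware verdict (Rbot, RJump, Tiny, Agent, Virtumonde) sits either under C:\QooBox\Quarantine, where ComboFix has already renamed the files to .vir, or inside System Restore snapshots under System Volume Information\_restore, and the only detections on the live file system are mIRC, which Kaspersky labels not-a-virus. The script makes that classification explicit: it parses each "Infected:" line, splits the verdict into its category, and reports which detections can still execute and which containers should be purged (the ComboFix quarantine and the restore points) once the machine is confirmed clean. The sample input is a constructed subset of the posted log embedded inline; the TOOL_CATEGORIES set and the function names are this example's own assumptions.

```python
import re
import sys
from collections import Counter

# Constructed sample input: a subset of lines copied from the Kaspersky Online
# Scanner report posted above, embedded so the script runs offline. Pass a
# saved report as argv[1] to triage the whole log instead.
SAMPLE_REPORT = r"""
C:\Documents and Settings\JUNE BENIDECT\ntuser.dat Object is locked skipped
C:\Documents and Settings\JUNE BENIDECT\Desktop\installers\mirc617.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\Documents and Settings\JUNE BENIDECT\Desktop\installers\mirc617.exe mIRC: infected - 1 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\QooBox\Quarantine\C\WINDOWS\RavMonE.exe.vir Infected: Worm.Win32.RJump.b skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vmwarruq.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vtsqn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP40\A0004659.exe Infected: Backdoor.Win32.Rbot.bll skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP41\A0005160.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FE1C85CF-83B0-4720-A38E-86B5921E5177}\RP45\A0006377.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# A detection line reads "<path> Infected: <verdict> <last action>". Locked
# objects, statistics and the per-archive "mIRC: infected - 1" summaries do not match.
DETECTION = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")

# Verdict categories that are tools the user installed on purpose rather than
# malware. Assumption of this example: only mIRC (Client-IRC) occurs in the posted log.
TOOL_CATEGORIES = {"Client-IRC"}


def classify_location(path):
    """Where the object sits decides whether it can still run."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"      # ComboFix renamed it to .vir; inert until restored
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # System Restore copy; inert unless that point is used
    return "live"


def verdict_category(verdict):
    """'not-a-virus:AdWare.Win32.Virtumonde.ki' -> 'AdWare'; 'Trojan.Win32.Agent.aoy' -> 'Trojan'."""
    name = verdict.split(":", 1)[1] if verdict.startswith("not-a-virus:") else verdict
    return name.split(".", 1)[0]


def triage(report_text):
    """Parse every detection line into a dict with path, verdict, category and location."""
    hits = []
    for raw in report_text.splitlines():
        m = DETECTION.match(raw.strip())
        if not m:
            continue
        path, verdict = m.group("path"), m.group("verdict")
        hits.append({
            "path": path,
            "verdict": verdict,
            "category": verdict_category(verdict),
            "location": classify_location(path),
            "action": m.group("action"),
        })
    return hits


def live_threats(hits):
    """Detections on the live file system that are not a known tool: these need action now."""
    return [h for h in hits if h["location"] == "live" and h["category"] not in TOOL_CATEGORIES]


def summarize(hits):
    """Counts keyed by (location, category), e.g. ('restore_point', 'AdWare'): 1."""
    return dict(Counter((h["location"], h["category"]) for h in hits))


def locations_to_purge(hits):
    """Containers still holding non-tool detections; flush them once the live system is clean."""
    return sorted({h["location"] for h in hits
                   if h["location"] != "live" and h["category"] not in TOOL_CATEGORIES})


def main():
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    hits = triage(text)
    for (location, category), n in sorted(summarize(hits).items()):
        print(f"{location:<14} {category:<18} {n}")
    live = live_threats(hits)
    print("live threats:", [h["path"] for h in live] or "none")
    print("purge after cleanup:", ", ".join(locations_to_purge(hits)) or "nothing")


if __name__ == "__main__":
    main()
```

On the sample the script reports no live threats and names quarantine and restore_point as the containers to purge, which is the usual order of operations: confirm nothing is still running, then flush the ComboFix quarantine and the old restore points so a later System Restore cannot bring the DLLs back.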
random/random
2007-07-07, 20:17
Open a new notepad window (Start>All programs>accessories>notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
File::
C:\WINDOWS\system32\vmwarruq.exe
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\vmwarruq.exe"=-
Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as ComboFix-Do.txt
Now drag and drop ComboFix-Do.txt onto combofix.exe as in the picture below and follow the prompts:
http://img.photobucket.com/albums/v666/sUBs/Combo-Do.gif
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
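Added example, not from the original post and not ComboFix's own tooling: a Python generator for the CFScript text the helper asks for. The File:: section lists files for ComboFix to remove; the Registry:: section uses .reg conventions, so the value name is double-quoted with every backslash doubled, and "name"=- means delete that value. The key is the XP SP2 Windows Firewall authorized-applications list from the post, where each exception is a value named by the program's full path, which is why the exception is removed along with the file: a recreated vmwarruq.exe at the same path would otherwise inherit it. The absolute-path check and the helper names are this example's own.

```python
import re
from pathlib import Path

# XP SP2 Windows Firewall exception list used in the helper's script: one value
# per allowed program, named by its full path. Removing the file alone would
# leave the exception for any file recreated under that name.
FIREWALL_AUTHORIZED_APPS = (
    r"HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess"
    r"\parameters\firewallpolicy\standardprofile\authorizedapplications\list"
)

WINDOWS_ABS_PATH = re.compile(r"^[A-Za-z]:\\")


def reg_value_name(name):
    """Quote a value name the way .reg files (and CFScript's Registry:: section) do:
    double quotes around it, every backslash and embedded quote escaped."""
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_cfscript(files=(), registry_deletions=None):
    """Return CFScript text.

    files: absolute paths for the File:: section (ComboFix deletes and quarantines them).
    registry_deletions: {key: [value names]} emitted under Registry:: as "name"=- lines,
    the .reg syntax for deleting a value.
    """
    lines = []
    if files:
        for f in files:
            if not WINDOWS_ABS_PATH.match(f):
                raise ValueError(f"File:: entries must be absolute Windows paths: {f!r}")
        lines.append("File::")
        lines.extend(files)
    if registry_deletions:
        lines.append("Registry::")
        for key, names in registry_deletions.items():
            lines.append(f"[{key}]")
            lines.extend(f"{reg_value_name(n)}=-" for n in names)
    return "\n".join(lines) + "\n"


def firewall_exception_cleanup(paths):
    """Remove the executables and their firewall exceptions in one script."""
    paths = list(paths)
    return build_cfscript(files=paths, registry_deletions={FIREWALL_AUTHORIZED_APPS: paths})


def write_cfscript(text, path="ComboFix-Do.txt"):
    """Write the script with CRLF line endings, as Notepad would, and return its Path."""
    target = Path(path)
    with open(target, "w", newline="\r\n") as fh:
        fh.write(text)
    return target


if __name__ == "__main__":
    script = firewall_exception_cleanup([r"C:\WINDOWS\system32\vmwarruq.exe"])
    print(script, end="")
    print("written to", write_cfscript(script))
```

The generated text is byte-for-byte the script in the post; nothing runs until the file is dropped onto combofix.exe, so the generator itself never touches the machine.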
here are the logs:
ComboFix log:
"JUNE BENIDECT" - 2007-07-08 1:21:13 - ComboFix 07-07-07.3 - Service Pack 2
Command switches used :: C:\Documents and Settings\JUNE BENIDECT\Desktop\ComboFix-Do.txt
((((((((((((((((((((((((( Files Created from 2007-06-07 to 2007-07-07 )))))))))))))))))))))))))))))))
2007-07-07 23:56 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-07 23:56 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-07 22:37 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-07-07 22:37 <DIR> drahs---- C:\autorun.inf
2007-07-07 22:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-07 21:45 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-06 08:51 53,760 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll
2007-07-06 08:50 <DIR> d-------- C:\Program Files\IVT Corporation
2007-07-06 08:14 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2007-07-06 08:14 59,648 --a------ C:\WINDOWS\system32\drivers\rfcomm.sys
2007-07-06 08:14 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2007-07-06 08:14 17,024 --a------ C:\WINDOWS\system32\drivers\BthEnum.sys
2007-07-06 08:14 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2007-07-06 08:14 100,992 --a------ C:\WINDOWS\system32\drivers\bthpan.sys
2007-07-06 08:13 274,304 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2007-07-06 08:13 18,944 --a------ C:\WINDOWS\system32\drivers\BTHUSB.SYS
2007-07-05 20:28 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\Comodo
2007-07-03 21:19 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-07-03 21:19 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-07-03 21:19 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-07-03 21:19 66,560 --a------ C:\WINDOWS\MOTA113.exe
2007-07-03 21:19 502,784 --a------ C:\WINDOWS\x2.64.exe
2007-07-03 21:19 471,552 --a------ C:\WINDOWS\system32\Smab.dll
2007-07-03 21:19 31,232 -rahs---- C:\WINDOWS\system32\msfDX.dll
2007-07-03 21:19 306,688 --a------ C:\WINDOWS\system32\avisynth.dll
2007-07-03 21:19 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2007-07-03 21:19 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2007-07-03 21:19 217,073 --a------ C:\WINDOWS\meta4.exe
2007-07-03 21:19 163,328 -rahs---- C:\WINDOWS\system32\flvDX.dll
2007-07-03 21:19 <DIR> d-------- C:\Program Files\eRightSoft
2007-07-03 21:19 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-06-29 20:10 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\AdobeUM
2007-06-29 10:57 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Comodo
2007-06-29 10:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-06-29 10:53 <DIR> d-------- C:\Program Files\Comodo
2007-06-28 23:04 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-06-27 12:47 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Ahead
2007-06-25 21:42 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-06-25 05:59 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\MEGAUPLOADTOOLBAR
2007-06-24 17:33 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-06-24 16:41 <DIR> d-------- C:\Program Files\DesuBuddy
2007-06-24 16:30 <DIR> d-------- C:\Program Files\MegauploadToolbar
2007-06-24 16:30 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\MegauploadToolbar
2007-06-24 16:14 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Azureus
2007-06-24 16:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-06-24 16:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-06-24 15:59 <DIR> d-------- C:\Program Files\Bonjour
2007-06-24 15:48 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-06-24 08:57 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-06-23 21:19 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Help
2007-06-23 18:58 <DIR> d-------- C:\Program Files\MSBuild
2007-06-23 18:54 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-06-23 18:53 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-06-23 18:52 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-06-23 17:17 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-06-23 17:01 86,016 --a------ C:\WINDOWS\system32\gigagetbho_v10.dll
2007-06-23 17:01 <DIR> d-------- C:\Program Files\Giganology
2007-06-23 16:59 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\Shared
2007-06-23 16:59 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\Incomplete
2007-06-23 16:58 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\LimeWire
2007-06-23 16:31 <DIR> d-------- C:\Program Files\AnalogX
2007-06-23 16:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-06-23 16:11 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-06-23 16:11 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-23 16:10 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-23 16:06 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-06-23 15:49 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-06-23 15:30 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2007-06-23 15:30 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2007-06-23 15:30 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-06-23 14:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-23 12:27 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-06-23 11:41 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\Yahoo!
2007-06-23 11:40 <DIR> d-------- C:\DOCUME~1\ELIASP~1\APPLIC~1\Google
2007-06-23 10:37 90,496 --a------ C:\WINDOWS\system32\drivers\Rtenicxp.sys
2007-06-23 10:37 <DIR> d-------- C:\Program Files\Realtek
2007-06-22 23:08 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Media Player Classic
2007-06-22 22:47 <DIR> d-------- C:\DOCUME~1\JUNEBE~1\APPLIC~1\Yahoo!
2007-06-22 22:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-22 21:35 109,568 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-06-22 21:35 108,544 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-06-22 21:35 <DIR> d-------- C:\Program Files\DivX
2007-06-22 21:34 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-06-22 21:34 630,784 --a------ C:\WINDOWS\system32\vp7vfw.dll
2007-06-22 21:34 6,144 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-06-22 21:34 540,178 --a------ C:\WINDOWS\system32\x264vfw.dll
2007-06-22 21:34 446,464 --a------ C:\WINDOWS\system32\vp31vfw.dll
2007-06-22 21:34 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-06-22 21:34 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-06-22 21:34 286,720 --a------ C:\WINDOWS\system32\3ivxVfWCodec.dll
2007-06-22 21:34 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2007-06-22 21:34 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-06-22 21:34 157,696 --a------ C:\WINDOWS\system32\unrar.dll
2007-06-22 21:34 1,415,680 --a------ C:\WINDOWS\system32\WMV9VCM.dll
2007-06-22 21:34 1,024,000 --a------ C:\WINDOWS\system32\3ivx.dll
2007-06-22 21:33 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-06-22 21:31 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-06-22 21:31 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-22 21:27 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-06-22 21:23 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 14:43:40 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
2007-03-21 05:39 803864 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{111CAA23-6F4F-42AC-8555-B48C1D87BBAB}]
2006-01-09 15:01 86016 --a------ C:\WINDOWS\system32\gigagetbho_v10.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}]
2007-06-20 06:48 1936840 --a------ C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A263CF7-56A6-4D68-A8CF-345BE45BC911}]
2007-02-24 07:04 140840 --a------ C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-11-01 04:33 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-05-03 03:14 434279 --a------ C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
2006-04-17 13:32 323904 --a------ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-06-20 12:24 2403392 -ra------ c:\program files\google\googletoolbar1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-27 23:28 C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [2005-05-04 00:43 C:\WINDOWS\ALCMTR.EXE]
"Media Office"="C:\Program Files\Compal Electronics" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 13:50 C:\WINDOWS\AGRSMMSG.exe]
"Smart Watch Dog"="-C:\Program Files\Compal Electronics" []
"KTPWare"="C:\Program Files\Elantech\ktp.exe" [2006-03-29 01:36]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-02-28 14:25]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-02-28 14:25]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-02-28 14:29]
"CASS"="C:\Program Files\Compal Electronics" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-22 07:09]
"Gigaget"="C:\Program Files\Giganology\Gigaget\GigagetShell.exe" [2006-02-07 10:28]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-15 06:22]
"DesuBuddy"="C:\Program Files\DesuBuddy\DesuBuddy.exe" [2007-05-25 17:07]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-06-29 10:53]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 20:00 C:\WINDOWS\system32\bthprops.cpl]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-06-16 14:38]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc
bthsvcs BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18630a1e-1ec1-11dc-a374-0019d232e170}]
AutoRun\command- E:\LaunchU3.exe
*Newly Created Service* - CATCHME
Contents of the 'Scheduled Tasks' folder
2007-07-07 17:22:00 C:\WINDOWS\tasks\Symantec NetDetect.job
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-08 01:23:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-08 1:24:24
C:\ComboFix-quarantined-files.txt ... 2007-07-08 01:24
C:\ComboFix2.txt ... 2007-07-07 23:41
C:\ComboFix3.txt ... 2007-07-07 23:06
--- E O F ---
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 1:25:34 AM, on 7/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Compal Electronics, INC\Smart Watchdog\SWDsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Compal Electronics, INC\MediaOffice\MediaOffice.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Elantech\ktp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DesuBuddy\DesuBuddy.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Giganology\Gigaget\Gigaget.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\JUNE BENIDECT\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad.dlsu.edu.ph/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Media Office] C:\Program Files\Compal Electronics, INC\MediaOffice\MediaOffice.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Smart Watch Dog] -C:\Program Files\Compal Electronics, INC\Smart Watchdog\SmartWD.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [CASS] C:\Program Files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Gigaget] "C:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DesuBuddy] C:\Program Files\DesuBuddy\DesuBuddy.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182483029468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182482710750
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{263A94E7-891B-42D3-B9BE-D3CC299A14EF}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Smart Watchdog Service (Smart Watchdog) - Unknown owner - C:\Program Files\Compal Electronics, INC\Smart Watchdog\SWDsvc.exe
random/random
2007-07-07, 20:29
Delete sdfix.exe and combofix.exe from your desktop
Delete these folders:
C:\combofix\
C:\QooBox\
C:\SDfix\
Post a new HijackThis log and let me know of any remaining problems
here's the last HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 1:33:16 AM, on 7/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Compal Electronics, INC\Smart Watchdog\SWDsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Compal Electronics, INC\MediaOffice\MediaOffice.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Elantech\ktp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DesuBuddy\DesuBuddy.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Giganology\Gigaget\Gigaget.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\JUNE BENIDECT\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad.dlsu.edu.ph/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Media Office] C:\Program Files\Compal Electronics, INC\MediaOffice\MediaOffice.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Smart Watch Dog] -C:\Program Files\Compal Electronics, INC\Smart Watchdog\SmartWD.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [CASS] C:\Program Files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Gigaget] "C:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DesuBuddy] C:\Program Files\DesuBuddy\DesuBuddy.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182483029468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182482710750
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{263A94E7-891B-42D3-B9BE-D3CC299A14EF}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Smart Watchdog Service (Smart Watchdog) - Unknown owner - C:\Program Files\Compal Electronics, INC\Smart Watchdog\SWDsvc.exe
About the stuff that was detected by the Kaspersky online scan, should I just let them be, or can I delete them using anti-virus software (e.g. AVG)? Also, since most of the infected files are located in the System Volume Information folder, is it fine to disable System Restore to remove those files?
random/random
2007-07-07, 20:40
We'll clean out system volume information now
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
You now appear to be clean. Congratulations!
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints (http://www.malwarecomplaints.info/index.php). You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue. Just find your country room and register your complaint.
Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.
Keep your antivirus and firewall updated
Keep Windows up to date with the latest patches
IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to the Microsoft Office Update site (www.officeupdate.microsoft.com) and make sure you have at least all the critical updates installed (free).
Install spywareblaster
SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It makes kill bits in the registry, so that certain ActiveX controls can't install.
If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
Make sure to update it on a regular basis
Install IE-SPYAD
Download and instructions located here (http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD)
Make sure to update it on a regular basis
Use a HOSTS file
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.hosts-file.net/downloads.html). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.
Install and use Ad-aware & Spybot search & destroy
Instructions are located here (http://forum.malwareremoval.com/viewtopic.php?t=13)
Make sure to update them on a regular basis
Most exploits are aimed at Internet Explorer, so I recommend you switch to an alternative browser.
Two good alternative browsers are
Firefox (http://www.mozilla.com/firefox/)
Opera (http://www.opera.com/)
It is essential to update to the latest version of your browser, as the updates fix known security holes.
Even if you do decide to switch to another browser, it is still a good idea to lock down Internet Explorer.
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
Change the Allow paste operations via script to Disable
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Clean out your temp files on a regular basis
I use and recommend ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
To use it, follow these instructions
Double-click ATF-Cleaner.exe to run the program.
Click Main at the top and choose Select All from the list.
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose Select All from the list.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose Select All from the list.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Finally, I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.
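The Internet Explorer lock-down steps above set seven options in the Internet zone (Zone 3 in the registry). The following added PowerShell script, not from the forum post, audits those seven values for the current user against the recommended settings and can apply them; it assumes the documented IE zone registry value names (1001, 1004, 1201, 1407, 1607, 1800, 1804, with 0 = Enable, 1 = Prompt, 3 = Disable) and that no Group Policy overrides the per-user zone settings.

```powershell
# Added example (not from the forum post): audit the current user's IE Internet zone
# (Zone 3) against the seven settings recommended above, optionally applying them.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Each entry: the option as shown in the IE dialog, its registry value name, and the
# value the post asks for (0 = Enable, 1 = Prompt, 3 = Disable).
$Recommended = @(
    @{ Name = 'Download signed ActiveX controls';                          Value = '1001'; Want = 1 },
    @{ Name = 'Download unsigned ActiveX controls';                        Value = '1004'; Want = 3 },
    @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = '1201'; Want = 3 },
    @{ Name = 'Installation of desktop items';                             Value = '1800'; Want = 1 },
    @{ Name = 'Launching programs and files in an IFRAME';                 Value = '1804'; Want = 1 },
    @{ Name = 'Navigate sub-frames across different domains';              Value = '1607'; Want = 1 },
    @{ Name = 'Allow paste operations via script';                         Value = '1407'; Want = 3 }
)
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneHardening {
    param([switch]$Fix)   # -Fix writes the recommended value wherever the audit fails
    $zone = Get-ItemProperty -Path $ZonePath
    foreach ($s in $Recommended) {
        $current = $zone.($s.Value)
        if ($null -eq $current) {
            $currentLabel = 'not set (IE default)'
        } elseif ($Labels.ContainsKey([int]$current)) {
            $currentLabel = $Labels[[int]$current]
        } else {
            $currentLabel = "unknown ($current)"
        }
        $ok = ($null -ne $current) -and ([int]$current -eq $s.Want)
        if ($ok) {
            $status = 'ok'
        } elseif ($Fix) {
            Set-ItemProperty -Path $ZonePath -Name $s.Value -Value $s.Want -Type DWord
            $status = 'fixed'
        } else {
            $status = 'needs change'
        }
        New-Object PSObject -Property @{
            Setting = $s.Name; Current = $currentLabel
            Recommended = $Labels[$s.Want]; Status = $status
        }
    }
}

# Report only; run Test-InternetZoneHardening -Fix to apply the recommended values.
Test-InternetZoneHardening | Format-Table Setting, Current, Recommended, Status -AutoSize
```

Values changed through the dialog and values written here land in the same registry key, so the report reflects whichever method was used last; open Internet Options afterwards to confirm the dialog shows the expected Prompt/Disable entries.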
oh ok.. thanks for helping me with my problem! ^^
random/random
2007-07-07, 20:51
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.