geeda.dll, amongst others, causing problems
PrimalWrath
2008-01-16, 15:02
Hey there, I'm new to this forum. I've spent a couple of weeks now trying to rid my PC of some pesky viruses, but never seem to obliterate them completely (treating the symptoms, but not the cause, so to speak).
Mainly, my PC suffers from random slowdown, slower-than-usual browsing speed, occasions where my desktop fails to load up, and a constant barrage of helpful popups(!)
I would appreciate any assistance provided. I've already got the results from the Kaspersky scan and a HijackThis log, and can provide these when requested.
Thanks in advance.
PrimalWrath
2008-01-16, 20:16
Hi, thought there'd be a reply by now... no worries.
I'll just post the results of the Kaspersky scan here.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 15, 2008 5:50:51 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/01/2008
Kaspersky Anti-Virus database records: 511990
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
Scan Statistics:
Total number of scanned objects: 54518
Number of viruses found: 5
Number of infected objects: 32
Number of suspicious objects: 0
Duration of the scan process: 02:23:33
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-01-15_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Log.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\2DB01E64.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\62189FE4.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\674A44F1.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\Deborah\Application Data\Nero\Nero8\OnlineServices\registrationinfo.xml Object is locked skipped
C:\Documents and Settings\Deborah\My Documents\Nero-8.2.8.0_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Deborah\My Documents\Nero-8.2.8.0_eng_trial.exe 7-Zip: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Michael\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Michael\Desktop\Nero-8.2.8.0_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Michael\Desktop\Nero-8.2.8.0_eng_trial.exe 7-Zip: infected - 1 skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Temp\RCX2F.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Michael\Local Settings\Temp\TMP6.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Michael\My Documents\Downloads\Tunebite Platinum Edition v4.1.0.35 + Patch\Setup\tunebite.exe/data0000.cab/uTorrent.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.clb skipped
C:\Documents and Settings\Michael\My Documents\Downloads\Tunebite Platinum Edition v4.1.0.35 + Patch\Setup\tunebite.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.clb skipped
C:\Documents and Settings\Michael\My Documents\Downloads\Tunebite Platinum Edition v4.1.0.35 + Patch\Setup\tunebite.exe Rsrc-Package: infected - 2 skipped
C:\Documents and Settings\Michael\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Michael\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\RapidSolution\Tunebite\Tunebite.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Windows Live\Messenger\msnmsgr .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Windows Live\Messenger\msnmsgr .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Windows Live\Messenger\msnmsgr .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Windows Live\Messenger\msnmsgr .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Windows Live\Messenger\msnmsgr .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Windows Live\Messenger\msnmsgr.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\RECYCLER\S-1-5-21-1177238915-484763869-682003330-1007\Dc4.zip/img_628.jpeg-deborah_1989@hotmail.co.uk.com Infected: Backdoor.Win32.Agent.det skipped
C:\RECYCLER\S-1-5-21-1177238915-484763869-682003330-1007\Dc4.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F5295373-6882-49E7-87D2-6EDF4D765FB1}\RP1\change.log Object is locked skipped
C:\VundoFix Backups\geeda.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnk skipped
C:\VundoFix Backups\geeda.exe.bad Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\VundoFix Backups\mljkiig.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.clb skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ctfmon.exe.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\system32\geeda.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnk skipped
C:\WINDOWS\system32\geeda.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jkhhi.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\system32\mljkiig.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clb skipped
C:\WINDOWS\system32\OPNOONK.DLL.del Infected: not-a-virus:AdWare.Win32.Virtumonde.clb skipped
C:\WINDOWS\system32\qgss.exe Infected: Backdoor.Win32.Agent.det skipped
C:\WINDOWS\system32\RCX10.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\system32\RCX13.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\system32\RCX30.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Hi
Download and install TrendMicro HijackThis (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe)
* Once installed, open HijackThis by clicking Start > Programs > HijackThis and click the button labeled "Do a system scan only".
* Click the scan button in the lower left-hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete, the scan button will now read "Save log". Click this button to save the log file to your PC. Once you select where you would like to save the file, it will open in your system's default text editor. Typically this application is Notepad. Post the log here.
PrimalWrath
2008-01-21, 19:42
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:41:32, on 21/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat .exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\geeda.exe
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1196699195\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr .exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 7521 bytes
Hi
Generate an Uninstall List
* Open HijackThis
* Click on Open Misc Tools Section
* Click on Open Uninstall Manager
* Click on Save list
* Save it to your Desktop
* Post it on your next reply.
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) - to your desktop.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
PrimalWrath
2008-01-21, 21:20
Thanks for the prompt responses. I have an issue when creating an uninstall log with HijackThis: the program closes and produces no log.
Here is the ComboFix log:
COMBOFIX LOG:
ComboFix 08-01-20.1 - Michael 2008-01-21 18:51:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.604 [GMT 0:00]
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DAEMON Tools Lite\daemon .exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat .exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Norton Internet Security\osCheck.exe
C:\Program Files\RapidSolution\Tunebite\Tunebite .exe
C:\Program Files\RapidSolution\Tunebite\Tunebite.exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\adeeg.ini
C:\WINDOWS\system32\adeeg.ini2
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\geeda.dll
C:\WINDOWS\system32\geeda.exe
C:\WINDOWS\system32\jkhhi.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljkiig.dll
C:\WINDOWS\system32\RCX10.tmp
C:\WINDOWS\system32\RCX13.tmp
C:\WINDOWS\system32\RCX18.tmp
C:\WINDOWS\system32\RCX1A.tmp
C:\WINDOWS\system32\RCX2A.tmp
C:\WINDOWS\system32\RCX30.tmp
C:\Program Files\Common Files\Symantec Shared\ccApp .exe ---> QooBox
C:\Program Files\DAEMON Tools Lite\daemon .exe ---> QooBox
C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe ---> QooBox
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat .exe ---> QooBox
C:\Program Files\RapidSolution\Tunebite\Tunebite .exe ---> QooBox
C:\Program Files\Windows Live\Messenger\msnmsgr .exe ---> msnmsgr.exe
C:\WINDOWS\system32\ctfmon .exe ---> QooBox
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_SFSYNC02
-------\sfsync02
PrimalWrath
2008-01-21, 21:21
((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.
2008-01-21 18:47 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-21 17:39 . 2008-01-21 17:39 <DIR> dr-h----- C:\Documents and Settings\Michael\Application Data\SecuROM
2008-01-21 17:38 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-01-21 17:31 . 2008-01-21 17:45 <DIR> d-------- C:\Program Files\Tomb Raider - Anniversary
2008-01-19 14:51 . 2008-01-19 14:51 <DIR> d-------- C:\WINDOWS\.file_store_32
2008-01-16 21:49 . 2008-01-16 21:49 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2008-01-16 21:49 . 2008-01-16 21:49 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2008-01-16 21:48 . 2008-01-21 18:55 <DIR> d-------- C:\Program Files\Microsoft Xbox 360 Accessories
2008-01-16 21:48 . 2007-02-26 18:15 1,421,216 --a------ C:\WINDOWS\system32\WdfCoInstaller01001.dll
2008-01-16 21:48 . 2006-09-28 16:04 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-01-16 21:48 . 2007-02-26 18:15 61,984 --a------ C:\WINDOWS\system32\drivers\xusb21.sys
2008-01-16 21:07 . 2008-01-21 18:55 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-01-16 21:07 . 2008-01-21 17:40 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\DAEMON Tools
2008-01-16 21:03 . 2008-01-16 21:03 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-15 18:49 . 2008-01-15 18:49 88 --a------ C:\WINDOWS\wininit.ini
2008-01-15 18:01 . 2008-01-16 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-15 15:15 . 2008-01-19 13:21 <DIR> d-------- C:\Program Files\Tomb Raider - Legend
2008-01-15 13:11 . 2008-01-15 13:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-15 13:08 . 2008-01-15 13:08 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-15 13:08 . 2008-01-15 13:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-13 22:08 . 2008-01-13 22:08 329,728 --a------ C:\WINDOWS\system32\geeda.dll_old
2008-01-13 21:28 . 2008-01-13 21:28 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-13 21:15 . 2008-01-13 21:31 <DIR> d-------- C:\VundoFix Backups
2008-01-13 21:11 . 2008-01-13 21:11 <DIR> d-------- C:\Program Files\Sun
2008-01-13 21:11 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-13 20:49 . 2008-01-13 20:49 401,720 --a------ C:\Program Files\HiJackThis.exe
2008-01-13 12:31 . 2008-01-13 12:31 0 --a------ C:\WINDOWS\Irremote.ini
2008-01-12 11:23 . 2008-01-12 11:23 <DIR> d-------- C:\Program Files\PixiePack Codec Pack
2008-01-12 11:15 . 2008-01-12 11:15 <DIR> d-------- C:\Program Files\RapidSolution
2008-01-12 11:15 . 2008-01-12 11:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-01-12 11:15 . 2007-12-11 09:52 26,784 --a------ C:\WINDOWS\system32\drivers\tbhsd.sys
2008-01-11 18:02 . 2008-01-11 18:02 <DIR> d-------- C:\WINDOWS\system32\Logs
2008-01-11 18:02 . 2008-01-17 22:16 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\tunebite
2008-01-11 17:59 . 2008-01-12 11:10 <DIR> d-------- C:\Program Files\Tunebite
2008-01-11 17:35 . 2008-01-11 17:35 <DIR> d-------- C:\Program Files\Pcsx2_0.9.4
2008-01-11 16:54 . 2008-01-11 16:55 <DIR> d-------- C:\Program Files\ZillaTube
2008-01-10 12:49 . 2008-01-21 18:58 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-01-10 12:48 . 2008-01-10 13:04 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-10 12:48 . 2008-01-10 13:04 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-10 12:46 . 2008-01-10 13:04 <DIR> d-------- C:\Program Files\Symantec
2008-01-10 12:46 . 2008-01-10 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-10 11:53 . 2008-01-10 11:53 31,074 --a------ C:\WINDOWS\system32\drivers\Partizan.sys
2008-01-10 11:53 . 2008-01-10 11:53 25,600 --a------ C:\WINDOWS\system32\Partizan.exe
2008-01-10 11:52 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-01-09 22:35 . 2008-01-09 22:35 336,896 --a------ C:\WINDOWS\system32\GEEDD.DLL.del
2008-01-09 22:30 . 2008-01-09 22:30 38,400 --a------ C:\WINDOWS\system32\OPNOONK.DLL.del
2008-01-09 15:06 . 1998-06-24 00:00 164,144 --a------ C:\WINDOWS\system32\COMCT232.OCX
2008-01-09 15:05 . 2004-03-08 23:00 224,016 --a------ C:\WINDOWS\system32\TABCTL32.OCX
2008-01-09 15:05 . 1998-07-12 23:00 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL
2008-01-09 15:05 . 2000-10-01 19:00 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL
2008-01-09 15:05 . 1999-03-25 19:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-01-09 15:05 . 1998-07-12 23:00 59,904 --a------ C:\WINDOWS\system32\Mscc2fr.dll
2008-01-09 15:05 . 1998-07-12 19:00 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL
2008-01-09 15:05 . 1998-07-12 23:00 21,504 --a------ C:\WINDOWS\system32\TABCTFR.DLL
2008-01-09 15:05 . 1998-07-12 23:00 15,360 --a------ C:\WINDOWS\system32\inetfr.DLL
2008-01-09 12:09 . 2008-01-09 12:09 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Leadertech
2008-01-09 11:19 . 2008-01-09 11:20 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Teleca
2008-01-08 16:52 . 2008-01-08 16:53 <DIR> d-------- C:\Documents and Settings\Deborah\Application Data\Teleca
2008-01-08 14:03 . 2008-01-08 14:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-08 14:03 . 2008-01-08 14:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-08 13:48 . 2008-01-08 13:48 <DIR> d-------- C:\Documents and Settings\Mum\Application Data\AdobeUM
2008-01-08 13:48 . 2008-01-08 13:48 <DIR> d-------- C:\Documents and Settings\Mum\Application Data\AdobeAUM
2008-01-08 13:42 . 2008-01-08 13:43 <DIR> d-------- C:\Documents and Settings\Mum\Application Data\Teleca
2008-01-08 13:42 . 2008-01-08 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-01-08 13:41 . 2008-01-08 13:41 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-01-08 13:41 . 2008-01-08 13:42 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2008-01-08 13:41 . 2008-01-08 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2008-01-08 13:39 . 2008-01-08 13:39 6,176 --a------ C:\WINDOWS\system32\drivers\w810cm.sys
2008-01-08 13:39 . 2008-01-08 13:39 5,808 --a------ C:\WINDOWS\system32\drivers\w810wh.sys
2008-01-07 21:11 . 2008-01-07 21:11 <DIR> d-------- C:\Programme
2008-01-07 14:54 . 2008-01-07 14:54 <DIR> d-------- C:\WINDOWS\Sun
2008-01-04 18:08 . 2008-01-04 18:08 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Lionhead Studios
2008-01-04 16:54 . 2008-01-04 16:54 <DIR> d-------- C:\Program Files\Lionhead Studios Ltd
2008-01-04 16:54 . 2008-01-04 16:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lionhead Studios
2008-01-04 16:53 . 2008-01-04 16:53 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-03 20:14 . 2008-01-03 20:14 <DIR> d-------- C:\Program Files\NaturalMotion
2008-01-03 20:14 . 2002-01-01 03:28 860,211 --a-s---- C:\WINDOWS\system32\XSIFtk-3.6.2.1.dll
2007-12-29 18:15 . 2007-12-29 18:15 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\InstallShield
2007-12-26 11:45 . 2007-12-26 11:45 15,781 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys
2007-12-22 20:59 . 2007-12-22 20:59 268 --ah----- C:\sqmdata19.sqm
2007-12-22 20:59 . 2007-12-22 20:59 244 --ah----- C:\sqmnoopt19.sqm
2007-12-22 11:44 . 2007-12-22 11:44 <DIR> d-------- C:\Program Files\BitTorrent
2007-12-22 11:34 . 2007-12-22 11:34 268 --ah----- C:\sqmdata18.sqm
2007-12-22 11:34 . 2007-12-22 11:34 244 --ah----- C:\sqmnoopt18.sqm
2007-12-22 11:08 . 2007-12-22 11:08 268 --ah----- C:\sqmdata17.sqm
2007-12-22 11:08 . 2007-12-22 11:08 244 --ah----- C:\sqmnoopt17.sqm
2007-12-21 23:13 . 2007-12-21 23:13 268 --ah----- C:\sqmdata16.sqm
2007-12-21 23:13 . 2007-12-21 23:13 244 --ah----- C:\sqmnoopt16.sqm
2007-12-21 22:09 . 2007-12-21 22:09 268 --ah----- C:\sqmdata15.sqm
2007-12-21 22:09 . 2007-12-21 22:09 244 --ah----- C:\sqmnoopt15.sqm
2007-12-21 21:19 . 2008-01-09 22:35 <DIR> d-------- C:\Program Files\DNA
2007-12-21 21:19 . 2008-01-09 22:52 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\DNA
2007-12-21 21:19 . 2008-01-21 18:57 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\BitTorrent
2007-12-21 17:10 . 2007-12-21 17:10 268 --ah----- C:\sqmdata14.sqm
2007-12-21 17:10 . 2007-12-21 17:10 244 --ah----- C:\sqmnoopt14.sqm
2007-12-21 12:05 . 2007-12-21 12:05 268 --ah----- C:\sqmdata13.sqm
2007-12-21 12:05 . 2007-12-21 12:05 244 --ah----- C:\sqmnoopt13.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 18:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-13 21:10 --------- d-----w C:\Program Files\Java
2008-01-13 20:50 7,084 ----a-w C:\Program Files\hijackthis.log
2008-01-13 13:45 --------- d-----w C:\Program Files\Common Files\Nero
2008-01-13 13:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-01-12 13:55 --------- d-----w C:\Documents and Settings\Michael\Application Data\FrostWire
2008-01-10 13:22 --------- d-----w C:\Program Files\Windows Live
2008-01-10 13:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-10 13:04 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-10 13:04 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-10 11:59 --------- d-----w C:\Program Files\AOL Toolbar
2008-01-09 22:36 --------- d-----w C:\Program Files\QuickTime
2008-01-08 14:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-04 18:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 15:33 --------- d-----w C:\Program Files\FrostWire
2007-12-29 18:16 --------- d-----w C:\Program Files\THQ
2007-12-22 11:44 --------- d-----w C:\Program Files\Azureus
2007-12-22 11:30 --------- d-----w C:\Documents and Settings\Michael\Application Data\Azureus
2007-12-22 11:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-20 16:41 --------- d-----w C:\Program Files\AOL 9.0
2007-12-12 19:06 --------- d-----w C:\Documents and Settings\Deborah\Application Data\FrostWire
2007-12-12 09:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-11 17:12 --------- d-----w C:\Program Files\Bethesda Softworks
2007-12-03 22:53 --------- d-----w C:\Program Files\Common Files\aol
2007-12-03 17:26 --------- d-----w C:\Documents and Settings\Deborah\Application Data\AOL
2007-12-03 16:38 --------- d-----w C:\Documents and Settings\Mum\Application Data\AOL
2007-12-03 16:27 --------- d-----w C:\Program Files\Common Files\Scanner
2007-12-03 15:36 --------- d-----w C:\Program Files\AOL Companion
2007-12-03 15:30 --------- d-----w C:\Program Files\Common Files\aolback
2007-12-03 15:30 --------- d-----w C:\Documents and Settings\Michael\Application Data\AOL
2007-12-03 15:29 --------- d-----w C:\Program Files\Learn2.com
2007-12-03 15:29 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-12-03 15:29 --------- d-----w C:\Program Files\Common Files\aolshare
2007-12-03 15:29 --------- d-----w C:\Documents and Settings\Michael\Application Data\You've Got Pictures Screensaver
2007-12-03 15:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-03 15:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-12-03 15:10 --------- d-----w C:\Program Files\AOL 8.0
2007-12-02 18:31 --------- d-----w C:\Documents and Settings\Deborah\Application Data\Nero
2007-12-02 17:14 --------- d-----w C:\Documents and Settings\Mum\Application Data\Nero
2007-12-02 11:39 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-02 00:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\River Past G5
2007-12-02 00:46 --------- d-----w C:\Program Files\OGMTOAVI
2007-12-02 00:27 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-02 00:27 --------- d-----w C:\Program Files\Ahead
2007-12-02 00:16 --------- d-----w C:\Documents and Settings\Michael\Application Data\River Past G5
2007-12-02 00:11 --------- d-----w C:\Program Files\vso
2007-12-02 00:02 --------- d-----w C:\Program Files\WinAVI Video Converter
2007-12-01 22:54 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-01 22:49 --------- d-----w C:\Documents and Settings\Michael\Application Data\Nero
2007-12-01 19:10 --------- d-----w C:\Program Files\EA GAMES
2007-12-01 12:22 --------- d-----w C:\Program Files\AskSBar
2007-12-01 11:21 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-01 10:53 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-01 10:23 --------- d-----w C:\Program Files\ATI Technologies
2007-11-30 23:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-30 20:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2007-11-30 19:23 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-30 18:48 --------- d-----w C:\Documents and Settings\Michael\Application Data\MSNInstaller
2007-11-30 18:44 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2007-11-30 18:44 --------- d-----w C:\Program Files\Viewpoint
2007-11-30 18:44 --------- d-----w C:\Program Files\Real
2007-11-30 18:44 --------- d-----w C:\Program Files\Nullsoft
2007-11-30 18:44 --------- d-----w C:\Program Files\Common Files\Real
2007-11-30 13:27 --------- d-----w C:\Program Files\VoyagerModemDrivers
2007-11-30 13:22 --------- d-----w C:\Program Files\CONEXANT
2007-11-30 12:45 --------- d--h--w C:\Program Files\Uninstall Information
2007-11-30 12:38 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-30 12:37 --------- d-----w C:\Program Files\Common Files\Java
.
<pre>
----a-w 1,460,560 2008-01-16 20:21:47 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 2,846,720 2008-01-12 10:47:21 C:\Program Files\Tunebite\tunebite .exe
----a-w 81,920 2008-01-16 20:34:48 C:\RECYCLER\S-1-5-21-1177238915-484763869-682003330-1005\Dc1\daemon .exe
</pre>
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [ ]
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr .exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 17:39 90112 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [ ]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"HostManager"="C:\Program Files\Common Files\AOL\1196699195\ee\AOLSoftware.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [ ]
"XboxStat"="c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]
R3 tbhsd;Tunebite High-Speed Dubbing;C:\WINDOWS\system32\drivers\tbhsd.sys [2007-12-11 09:52]
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-01-10 11:53]
*Newly Created Service* - COMHOST
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 20:00:17 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Michael.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 19:11:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-21 19:12:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-21 19:12:35
.
2008-01-10 01:56:45 --- E O F ---
Hi
You need to reinstall Norton 'cos one of its exe files was infected and couldn't be healed. Same thing applies to Daemon Tools.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\geeda.dll_old
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\GEEDD.DLL.del
C:\WINDOWS\system32\OPNOONK.DLL.del
C:\WINDOWS\system32\qgss.exe
RENV::
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Tunebite\tunebite .exe
Folder::
C:\VundoFix Backups
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Run Kaspersky online scanner again and post its report, the resultant ComboFix log and a fresh hjt log.
Due to inactivity, this thread will now be closed.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.