View Full Version : Virtumonde Removal Help Please.
Here is the results of my HJT log. I ran Spybot in Safe Mode first. I can't get this one removed. I also have a Kaspersky Report, but didn't know when to post it.
Thank you,
Rick
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:53, on 2008-02-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Digidesign\Drivers\MMERefresh .exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1 .EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtstt.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on ANTEC" /O16 "\\ANTEC\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [603c7117] rundll32.exe "C:\WINDOWS\system32\aftteios.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8623] command /c del "C:\WINDOWS\system32\vtstt.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1401] cmd /c del "C:\WINDOWS\system32\vtstt.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3167] command /c del "C:\WINDOWS\system32\vtstt.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6940] cmd /c del "C:\WINDOWS\system32\vtstt.dll_old"
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188973442546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188973356453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 8505 bytes
Hello Rick
Welcome to Safer Networking.
Please read Before YouPost (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Run these in order please.
Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program
Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish
It is possible that the program asks to reboot in order to delete some files.
Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)
Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
I need to see the Vundofix log, the SAS log, the Combofix log and a New HJT log please, the reports will most likely not fit all in one reply so take as many as you need to post them all. Use SUBMIT REPLY and NOT START A NEW TOPIC
I ran VundoFix and SuperAntiSpyware, but Combo fix will not launch. Error reads not a valid Win file when I try to launch it from my desktop. Here is the Vundo report. I will post the SAS and HJT report in a minute.
Thank you.
VundoFix V6.7.7
Checking Java version...
Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.
Scan started at 12:24:01 2008-02-04
Listing files found while scanning....
C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
C:\WINDOWS\system32\afpkpjhv.dll
C:\WINDOWS\system32\asrsjqvk.dll
C:\WINDOWS\system32\cmdefvuw.dll
C:\WINDOWS\system32\htogcfml.dll
C:\WINDOWS\system32\ilxuahwq.ini
C:\WINDOWS\system32\kgfdgulu.dll
C:\windows\system32\kgfdgulu.dllbox
C:\WINDOWS\system32\kjrhfgqn.dll
C:\WINDOWS\system32\lhcskgjl.dll
C:\WINDOWS\system32\ljgkschl.ini
C:\WINDOWS\system32\lmfcgoth.ini
C:\WINDOWS\system32\obmrrftf.dll
C:\WINDOWS\system32\qwhauxli.dll
C:\WINDOWS\system32\rsosveyd.dll
C:\WINDOWS\system32\uwjnnrxl.dll
C:\windows\system32\uwjnnrxl.dllbox
C:\WINDOWS\system32\vhjpkpfa.ini
C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\vtstt.exe
C:\WINDOWS\system32\xustaikt.dll
Beginning removal...
Attempting to delete C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\afpkpjhv.dll
C:\WINDOWS\system32\afpkpjhv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\asrsjqvk.dll
C:\WINDOWS\system32\asrsjqvk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\cmdefvuw.dll
C:\WINDOWS\system32\cmdefvuw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\htogcfml.dll
C:\WINDOWS\system32\htogcfml.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ilxuahwq.ini
C:\WINDOWS\system32\ilxuahwq.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\kgfdgulu.dll
C:\WINDOWS\system32\kgfdgulu.dll Has been deleted!
Attempting to delete C:\windows\system32\kgfdgulu.dllbox
C:\windows\system32\kgfdgulu.dllbox Has been deleted!
Attempting to delete C:\WINDOWS\system32\kjrhfgqn.dll
C:\WINDOWS\system32\kjrhfgqn.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\lhcskgjl.dll
C:\WINDOWS\system32\lhcskgjl.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ljgkschl.ini
C:\WINDOWS\system32\ljgkschl.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\lmfcgoth.ini
C:\WINDOWS\system32\lmfcgoth.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\obmrrftf.dll
C:\WINDOWS\system32\obmrrftf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qwhauxli.dll
C:\WINDOWS\system32\qwhauxli.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rsosveyd.dll
C:\WINDOWS\system32\rsosveyd.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\uwjnnrxl.dll
C:\WINDOWS\system32\uwjnnrxl.dll Has been deleted!
Attempting to delete C:\windows\system32\uwjnnrxl.dllbox
C:\windows\system32\uwjnnrxl.dllbox Has been deleted!
Attempting to delete C:\WINDOWS\system32\vhjpkpfa.ini
C:\WINDOWS\system32\vhjpkpfa.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\vtstt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtstt.exe
C:\WINDOWS\system32\vtstt.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\xustaikt.dll
C:\WINDOWS\system32\xustaikt.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.7.8
Checking Java version...
Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.
Scan started at 11:01:20 2008-02-14
Listing files found while scanning....
C:\WINDOWS\system32\aftteios.dll
C:\WINDOWS\system32\cgrbcmoq.dll
C:\WINDOWS\system32\csikoyfj.dll
C:\WINDOWS\system32\eorpvgjd.dll
C:\WINDOWS\system32\etxvessu.dll
C:\windows\system32\etxvessu.dllbox
C:\WINDOWS\system32\hyukkcqv.dll
C:\WINDOWS\system32\iepwosfa.dll
C:\WINDOWS\system32\jfyokisc.ini
C:\WINDOWS\system32\jwgaffgv.dll
C:\WINDOWS\system32\kilhofrp.dll
C:\WINDOWS\system32\lnomvhwv.dll
C:\WINDOWS\system32\retnurlv.dll
C:\WINDOWS\system32\soiettfa.ini
C:\WINDOWS\system32\tobihgto.dll
C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ttstv.ini2
C:\WINDOWS\system32\vjlyqcij.dll
C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\vtstt.exe
C:\WINDOWS\system32\xosjpogq.dll
C:\WINDOWS\system32\xrgxqlss.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\aftteios.dll
C:\WINDOWS\system32\aftteios.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\cgrbcmoq.dll
C:\WINDOWS\system32\cgrbcmoq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\csikoyfj.dll
C:\WINDOWS\system32\csikoyfj.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\eorpvgjd.dll
C:\WINDOWS\system32\eorpvgjd.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\etxvessu.dll
C:\WINDOWS\system32\etxvessu.dll Could not be deleted.
Attempting to delete C:\windows\system32\etxvessu.dllbox
C:\windows\system32\etxvessu.dllbox Has been deleted!
Attempting to delete C:\WINDOWS\system32\hyukkcqv.dll
C:\WINDOWS\system32\hyukkcqv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\iepwosfa.dll
C:\WINDOWS\system32\iepwosfa.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jfyokisc.ini
C:\WINDOWS\system32\jfyokisc.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\jwgaffgv.dll
C:\WINDOWS\system32\jwgaffgv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\kilhofrp.dll
C:\WINDOWS\system32\kilhofrp.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\lnomvhwv.dll
C:\WINDOWS\system32\lnomvhwv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\retnurlv.dll
C:\WINDOWS\system32\retnurlv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\soiettfa.ini
C:\WINDOWS\system32\soiettfa.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\tobihgto.dll
C:\WINDOWS\system32\tobihgto.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ttstv.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ttstv.ini2
C:\WINDOWS\system32\ttstv.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\vjlyqcij.dll
C:\WINDOWS\system32\vjlyqcij.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\vtstt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtstt.exe
C:\WINDOWS\system32\vtstt.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\xosjpogq.dll
C:\WINDOWS\system32\xosjpogq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xrgxqlss.dll
C:\WINDOWS\system32\xrgxqlss.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\csikoyfj.dll
C:\WINDOWS\system32\csikoyfj.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\etxvessu.dll
C:\WINDOWS\system32\etxvessu.dll Has been deleted!
Attempting to delete C:\windows\system32\etxvessu.dllbox
C:\windows\system32\etxvessu.dllbox Has been deleted!
Performing Repairs to the registry.
Done!
SAS Part 1:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 02/14/2008 at 11:59 AM
Application Version : 3.9.1008
Core Rules Database Version : 3402
Trace Rules Database Version: 1394
Scan type : Complete Scan
Total Scan Time : 00:36:37
Memory items scanned : 382
Memory threats detected : 9
Registry items scanned : 6945
Registry threats detected : 28
File items scanned : 53652
File threats detected : 266
Trojan.WinFixer
C:\WINDOWS\SYSTEM32\VTSTT.DLL
C:\WINDOWS\SYSTEM32\VTSTT.DLL
HKLM\Software\Classes\CLSID\{A2539071-A21B-4ADF-8A42-03FE709A3FA4}
HKCR\CLSID\{A2539071-A21B-4ADF-8A42-03FE709A3FA4}
HKCR\CLSID\{A2539071-A21B-4ADF-8A42-03FE709A3FA4}\InprocServer32
HKCR\CLSID\{A2539071-A21B-4ADF-8A42-03FE709A3FA4}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A2539071-A21B-4ADF-8A42-03FE709A3FA4}
Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\QMVCETEF.DLL
C:\WINDOWS\SYSTEM32\QMVCETEF.DLL
HKLM\Software\Classes\CLSID\{54fe1af9-4262-42a0-9250-83fbd803e8b5}
HKCR\CLSID\{54FE1AF9-4262-42A0-9250-83FBD803E8B5}
HKCR\CLSID\{54FE1AF9-4262-42A0-9250-83FBD803E8B5}\InprocServer32
HKCR\CLSID\{54FE1AF9-4262-42A0-9250-83FBD803E8B5}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\HXYINCXF.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54fe1af9-4262-42a0-9250-83fbd803e8b5}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001223.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001224.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001225.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001227.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001231.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001232.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001234.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001235.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001238.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001239.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001248.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000133.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000726.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000727.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000804.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001044.DLL
Trojan.Vundo/Variant-Installer/A
C:\PROGRAM FILES\DIGIDESIGN\DRIVERS\MMEREFRESH.EXE
C:\PROGRAM FILES\DIGIDESIGN\DRIVERS\MMEREFRESH.EXE
C:\PROGRAM FILES\MEDIAFOUR\MACDRIVE\MDDISKPROTECT.EXE
C:\PROGRAM FILES\MEDIAFOUR\MACDRIVE\MDDISKPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\MEDIAFOUR\MACVNTFY.EXE
C:\PROGRAM FILES\COMMON FILES\MEDIAFOUR\MACVNTFY.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 8.0\ACROBAT\ACROTRAY.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 8.0\ACROBAT\ACROTRAY.EXE
C:\PROGRAM FILES\ITUNES\ITUNESHELPER.EXE
C:\PROGRAM FILES\ITUNES\ITUNESHELPER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE12\GROOVEMONITOR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE12\GROOVEMONITOR.EXE
[MDDiskProtect.exe] C:\PROGRAM FILES\MEDIAFOUR\MACDRIVE\MDDISKPROTECT.EXE
[Mediafour Mac Volume Notifications] C:\PROGRAM FILES\COMMON FILES\MEDIAFOUR\MACVNTFY.EXE
[DigidesignMMERefresh] C:\PROGRAM FILES\DIGIDESIGN\DRIVERS\MMEREFRESH.EXE
[AdobeUpdater] C:\PROGRAM FILES\COMMON FILES\ADOBE\UPDATER5\ADOBEUPDATER.EXE
C:\PROGRAM FILES\COMMON FILES\ADOBE\UPDATER5\ADOBEUPDATER.EXE
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX12.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX13.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX15.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX158.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX15B.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX15E.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX161.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX164.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX16A.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX16D.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX17.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX170.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX1B.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX1C.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX1E.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX1F.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX22.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX24.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX27.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX2A.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX40D.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX410.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX413.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX416.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX419.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX425.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX6.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX61C.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX61F.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX622.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX625.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX628.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX62E.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX631.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX634.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX666.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX669.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX66C.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX66F.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX672.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX678.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX67B.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX67E.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX9.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA10.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA3E.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA41.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA44.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA47.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA4A.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA50.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA53.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA56.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA67.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA6A.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA6D.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA70.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA73.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA79.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA7C.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA7F.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXC1C.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXC26.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXC34.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXC3F.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXC58.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXC7F.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXC8D.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXC96.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXD.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXD02.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXD14.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXE.TMP
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP1\A0000011.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP1\A0000013.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP1\A0000014.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP1\A0000015.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP1\A0000016.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP1\A0000018.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP1\A0000019.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001241.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001259.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001262.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001263.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001264.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001265.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001266.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001267.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001268.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\SNAPSHOT\MFEX-2.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000137.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000139.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000140.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000141.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000142.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000143.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000144.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000145.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP4\A0000203.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP4\A0000204.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP4\A0000205.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP4\A0000206.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP4\A0000207.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP4\A0000208.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP4\A0000209.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP4\A0000210.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000744.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000746.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000747.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000748.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000749.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000752.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP6\A0000865.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP6\A0000866.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP6\A0000867.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP6\A0000868.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP6\A0000869.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP6\A0000870.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP6\A0000871.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP6\A0000872.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001063.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001064.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001066.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001067.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001068.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001069.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001070.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001071.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001111.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001113.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001114.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001115.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001116.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001117.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001118.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001119.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001129.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001131.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001132.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001133.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001134.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001135.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001136.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001137.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001206.EXE
C:\VUNDOFIX BACKUPS\MSCONFIG.EXE.BAD
C:\WINDOWS\INSTALLER\$PATCHCACHE$\MANAGED\00002109030000000000000000F01FEC\12.0.4518\GROOVEMONITOR.EXE
C:\WINDOWS\Prefetch\ACROTRAY.EXE-075AD37A.pf
C:\WINDOWS\Prefetch\E_S4I2H1.EXE-1F5C1C4D.pf
C:\WINDOWS\Prefetch\MACVNTFY.EXE-355842C7.pf
C:\WINDOWS\Prefetch\MDDISKPROTECT.EXE-1273016D.pf
SAS Part 2:
Trojan.Vundo/Variant-Installer
[load] C:\WINDOWS\SYSTEM32\VTSTT.EXE
C:\WINDOWS\SYSTEM32\VTSTT.EXE
[load] C:\WINDOWS\SYSTEM32\VTSTT.EXE
[load] C:\WINDOWS\SYSTEM32\VTSTT.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001237.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000147.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000754.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP6\A0000873.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001072.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001120.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001138.EXE
C:\VUNDOFIX BACKUPS\VTSTT.EXE.BAD
C:\WINDOWS\SYSTEM32\RCX426.TMP
C:\WINDOWS\SYSTEM32\RCXD15.TMP
Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\IFGNXVWS.DLL
E:\DELETE ME\WINDOWS\SYSTEM32\ROSDZOP.DLL
Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@msnaccountservices.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sale.antispywaresuite[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@citi.bridgetrack[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@statsgod[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertpro.investorvillage[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@antispywaresuite[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@findwhat[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sonymediasoftware.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bizadverts[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.cnn[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@adecn[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@advertising[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@azjmp[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@buycom.122.2o7[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@counter2.hitslink[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@fastclick[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@findwhat[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@heavycom.122.2o7[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@hg1.hitbox[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@hitbox[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@media.fastclick[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@overture[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@pro-market[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@questionmarket[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@revsci[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@server.iad.liveperson[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@shopping.112.2o7[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@stat.dealtime[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@statcounter[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@tacoda[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@toseeka[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@traffic.buyservices[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@upspiral[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@web4.realtracker[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@www.upspiral[1].txt
Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP1\A0000002.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001236.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000800.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001102.DLL
Trojan.IP6FW/Rootkit
E:\DELETE ME\WINDOWS\$NTSERVICEPACKUNINSTALL$\IP6FW.SYS
Trojan.Unknown Origin
E:\DELETE ME\WINDOWS\SYSTEM32\AMMAAAAA.EXE
Worm.Alcra Variant
E:\DELETE ME\WINDOWS\SYSTEM32\CMD.COM
E:\DELETE ME\WINDOWS\SYSTEM32\PING.COM
E:\DELETE ME\WINDOWS\SYSTEM32\TASKLIST.COM
E:\DELETE ME\WINDOWS\SYSTEM32\TRACERT.COM
Trojan.Flx/Conhook
E:\DELETE ME\WINDOWS\SYSTEM32\COMPONENTS\FLX4.DLL
Malware.Notifier
E:\DELETE ME\WINDOWS\SYSTEM32\ISSEARCH.EXE
Trojan.RPCC
E:\DELETE ME\WINDOWS\SYSTEM32\RPCC.EXE
Trojan.Net-K163
E:\RECYCLER\NPROTECT\00000003.SYS
Trojan.Downloader-SysMon
E:\RECYCLER\NPROTECT\00000004.EXE
Trace.Known Threat Sources
E:\Delete me\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8PMZ8LMN\144[1].htm
HJT Report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33, on 2008-02-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtstt.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on ANTEC" /O16 "\\ANTEC\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [603c7117] rundll32.exe "C:\WINDOWS\system32\qmvcetef.dll",b
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188973442546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188973356453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ifgnxvws - ifgnxvws.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 8046 bytes
I just realized my Vundo report also contains info from when I ran it last week. I don't know how to edit the post.
Thank you,
Rick
Rick,
Vundo and SAS removed some Naaaaassty stuff, more to do, Drag Combofix to the Trash and grab a new Copy and run it this way.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.
In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again afterwards before connecting to the net
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.
Ok - How does this look? ComboFix Report.
ComboFix 08-02-15.1 - Administrator 2008-02-14 14:55:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1759 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\gykqichb.ini
C:\WINDOWS\system32\hnvltann.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ptpiikof.ini
C:\WINDOWS\system32\qgopjsox.ini
C:\WINDOWS\system32\sbcoyqwr.ini
C:\WINDOWS\system32\shopvqlc.ini
C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ttstv.ini2
.
((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.
2008-02-14 11:20 . 2008-02-14 12:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-14 11:19 . 2008-02-14 11:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-14 11:19 . 2008-02-14 11:19 294 ---hs---- C:\WINDOWS\system32\fetecvmq.ini
2008-02-13 17:53 . 2008-02-13 17:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-10 00:29 . 2008-02-10 00:20 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 00:29 . 2008-02-10 00:29 3,453 --a------ C:\WINDOWS\unins000.dat
2008-02-04 12:24 . 2008-02-14 11:13 <DIR> d-------- C:\VundoFix Backups
2008-02-02 11:39 . 2008-02-02 17:33 <DIR> d-------- C:\Temp Refill Temp
2008-01-20 19:56 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-19 09:23 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\MSBuild
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-19 09:21 . 2008-01-19 09:21 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-19 09:19 . 2008-01-19 09:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-19 09:19 . 2008-01-19 09:19 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-19 09:19 . 2008-02-13 03:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-19 09:18 . 2008-01-19 09:18 <DIR> dr-h----- C:\MSOCache
2008-01-15 20:26 . 2008-01-15 20:26 <DIR> d-------- C:\Program Files\iPod
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 22:59 --------- d-----w C:\Program Files\Common Files\Mediafour
2008-02-14 20:07 --------- d-----w C:\Program Files\iTunes
2008-02-14 19:16 --------- d-----w C:\Program Files\QuickTime Alternative
2008-02-14 18:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-02-12 03:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Digidesign
2008-02-10 10:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 08:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-23 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-09 09:07 --------- d-----w C:\Program Files\FLVPlayer
2008-01-09 09:05 --------- d-----w C:\Program Files\PowerISO
2008-01-09 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\iShell
2008-01-03 02:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Propellerhead Software
2008-01-03 01:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 01:27 --------- d-----w C:\Program Files\M-Audio
2007-12-31 07:36 --------- d-----w C:\Program Files\Azureus
2007-12-21 08:10 --------- d-----w C:\Program Files\Red Kawa
2007-12-21 08:10 --------- d-----w C:\Program Files\AviSynth 2.5
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-16 21:37 --------- d-----w C:\Program Files\Smartparts
2002-08-02 12:00 12,348 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.
<pre>
----a-w 5,104,459 2002-07-20 02:45:08 C:\Documents and Settings\Administrator\Desktop\New Comp Synths\Native Instruments FM7 DXi-VSTi-works RH\NI FM7 Synth Native instruments .exe
----a-w 620,152 2008-02-14 19:16:23 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 2,321,600 2008-02-14 19:16:33 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 61,440 2008-02-14 19:16:22 C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
----a-w 61,440 2008-02-14 19:16:13 C:\Program Files\Digidesign\Drivers\MMERefresh .exe
----a-w 267,048 2008-02-14 19:16:27 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 106,496 2008-02-14 19:16:23 C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe
----a-w 33,648 2008-02-14 19:16:28 C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
----a-w 169,984 2008-02-01 01:33:46 C:\WINDOWS\pchealth\helpctr\binaries\msconfig .exe
----a-w 99,840 2008-02-14 19:16:23 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2H1 .EXE
</pre>
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [ ]
"Auto EPSON Stylus Photo R200 Series on ANTEC"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"603c7117"="C:\WINDOWS\system32\qmvcetef.dll" [ ]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 12:54 106496]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-12-17 12:43 61440]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\603c7117]
C:\WINDOWS\system32\cdiooidh.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 17:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\vtstt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft]
C:\WINDOWS\temp\lsass.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 16:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime Alternative\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-10-30 18:49 16269312 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 17:04 2879488 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Updates]
c:\windows\system\Update.exe
R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-11-13 20:38]
R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2006-04-30 06:57]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-06-16 08:53]
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys [2006-11-13 20:38]
R3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2006-11-13 20:36]
R3 MBX2DFU;MBX2DFU;C:\WINDOWS\system32\DRIVERS\MBX2DFU.sys [2006-11-13 20:37]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;C:\WINDOWS\system32\drivers\mbx2midk.sys [2006-11-13 20:37]
S3 MA_CMIDI;M-Audio USB Driver;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2007-11-14 16:20]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2007-11-14 16:20]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\ONSPCLCK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fdbb270-7822-11dc-afc5-00301b44c162}]
\Shell\AutoRun\command - N:\ONSPCLCK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-13 17:50:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 14:59:28
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-15 15:01:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 23:01:12
.
2008-02-13 11:05:13 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:20, on 2008-02-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on ANTEC" /O16 "\\ANTEC\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [603c7117] rundll32.exe "C:\WINDOWS\system32\qmvcetef.dll",b
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188973442546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188973356453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 7979 bytes
During a reboot my computer date jumped ahead 1 day - I set it back to todays date.
Rick
Hello Rick,
You have the latest variant of Vundo that includes a File Infector, if you look at your Combofix log, all the files and programs in the Blue Code Box are infected, we need to fix them.
Open Notepad and copy all the text inside the Code box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above RenV::
RenV::
----a-w 5,104,459 2002-07-20 02:45:08 C:\Documents and Settings\Administrator\Desktop\New Comp Synths\Native Instruments FM7 DXi-VSTi-works RH\NI FM7 Synth Native instruments .exe
----a-w 620,152 2008-02-14 19:16:23 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 2,321,600 2008-02-14 19:16:33 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 61,440 2008-02-14 19:16:22 C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
----a-w 61,440 2008-02-14 19:16:13 C:\Program Files\Digidesign\Drivers\MMERefresh .exe
----a-w 267,048 2008-02-14 19:16:27 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 106,496 2008-02-14 19:16:23 C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe
----a-w 33,648 2008-02-14 19:16:28 C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
----a-w 169,984 2008-02-01 01:33:46 C:\WINDOWS\pchealth\helpctr\binaries\msconfig .exe
----a-w 99,840 2008-02-14 19:16:23 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2H1 .EXE
File::
C:\WINDOWS\system32\fetecvmq.ini
C:\WINDOWS\system32\cdiooidh.dll
C:\WINDOWS\system32\vtstt.exe
Folder::
C:\VundoFix Backups
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"603c7117"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\603c7117]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
ComboFix 08-02-15.1 - Administrator 2008-02-14 17:06:47.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1629 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\system32\cdiooidh.dll
C:\WINDOWS\system32\fetecvmq.ini
C:\WINDOWS\system32\vtstt.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\afpkpjhv.dll.bad
C:\VundoFix Backups\aftteios.dll.bad
C:\VundoFix Backups\asrsjqvk.dll.bad
C:\VundoFix Backups\cgrbcmoq.dll.bad
C:\VundoFix Backups\cmdefvuw.dll.bad
C:\VundoFix Backups\csikoyfj.dll.bad
C:\VundoFix Backups\eorpvgjd.dll.bad
C:\VundoFix Backups\etxvessu.dll.bad
C:\VundoFix Backups\etxvessu.dllbox.bad
C:\VundoFix Backups\htogcfml.dll.bad
C:\VundoFix Backups\hyukkcqv.dll.bad
C:\VundoFix Backups\iepwosfa.dll.bad
C:\VundoFix Backups\ifgnxvws.dllbox.bad
C:\VundoFix Backups\ilxuahwq.ini.bad
C:\VundoFix Backups\jfyokisc.ini.bad
C:\VundoFix Backups\jwgaffgv.dll.bad
C:\VundoFix Backups\kgfdgulu.dll.bad
C:\VundoFix Backups\kgfdgulu.dllbox.bad
C:\VundoFix Backups\kilhofrp.dll.bad
C:\VundoFix Backups\kjrhfgqn.dll.bad
C:\VundoFix Backups\lhcskgjl.dll.bad
C:\VundoFix Backups\ljgkschl.ini.bad
C:\VundoFix Backups\lmfcgoth.ini.bad
C:\VundoFix Backups\lnomvhwv.dll.bad
C:\VundoFix Backups\obmrrftf.dll.bad
C:\VundoFix Backups\qwhauxli.dll.bad
C:\VundoFix Backups\retnurlv.dll.bad
C:\VundoFix Backups\rsosveyd.dll.bad
C:\VundoFix Backups\soiettfa.ini.bad
C:\VundoFix Backups\sppewsoy.dll.bad
C:\VundoFix Backups\tobihgto.dll.bad
C:\VundoFix Backups\ttstv.ini.bad
C:\VundoFix Backups\ttstv.ini2.bad
C:\VundoFix Backups\uwjnnrxl.dll.bad
C:\VundoFix Backups\uwjnnrxl.dllbox.bad
C:\VundoFix Backups\vhjpkpfa.ini.bad
C:\VundoFix Backups\vjlyqcij.dll.bad
C:\VundoFix Backups\vtstt.dll.bad
C:\VundoFix Backups\xosjpogq.dll.bad
C:\VundoFix Backups\xrgxqlss.dll.bad
C:\VundoFix Backups\xustaikt.dll.bad
C:\WINDOWS\system32\fetecvmq.ini
.
((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.
2008-02-14 11:20 . 2008-02-14 12:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-14 11:19 . 2008-02-14 11:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 17:53 . 2008-02-13 17:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-10 00:29 . 2008-02-10 00:20 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 00:29 . 2008-02-10 00:29 3,453 --a------ C:\WINDOWS\unins000.dat
2008-02-02 11:39 . 2008-02-02 17:33 <DIR> d-------- C:\Temp Refill Temp
2008-01-20 19:56 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-19 09:23 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\MSBuild
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-19 09:21 . 2008-01-19 09:21 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-19 09:19 . 2008-01-19 09:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-19 09:19 . 2008-01-19 09:19 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-19 09:19 . 2008-02-13 03:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-19 09:18 . 2008-01-19 09:18 <DIR> dr-h----- C:\MSOCache
2008-01-15 20:26 . 2008-01-15 20:26 <DIR> d-------- C:\Program Files\iPod
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 01:08 --------- d-----w C:\Program Files\Common Files\Mediafour
2008-02-15 01:06 --------- d-----w C:\Program Files\iTunes
2008-02-14 19:16 --------- d-----w C:\Program Files\QuickTime Alternative
2008-02-14 18:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-02-12 03:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Digidesign
2008-02-10 10:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 08:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-23 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-09 09:07 --------- d-----w C:\Program Files\FLVPlayer
2008-01-09 09:05 --------- d-----w C:\Program Files\PowerISO
2008-01-09 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\iShell
2008-01-03 02:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Propellerhead Software
2008-01-03 01:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 01:27 --------- d-----w C:\Program Files\M-Audio
2007-12-31 07:36 --------- d-----w C:\Program Files\Azureus
2007-12-21 08:10 --------- d-----w C:\Program Files\Red Kawa
2007-12-21 08:10 --------- d-----w C:\Program Files\AviSynth 2.5
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-16 21:37 --------- d-----w C:\Program Files\Smartparts
2002-08-02 12:00 12,348 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.
<pre>
----a-w 2,321,600 2008-02-14 19:16:33 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 61,440 2008-02-14 19:16:22 C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
----a-w 106,496 2008-02-14 19:16:23 C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe
</pre>
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [ ]
"Auto EPSON Stylus Photo R200 Series on ANTEC"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 12:54 106496]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-12-17 12:43 61440]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 17:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft]
C:\WINDOWS\temp\lsass.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 16:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime Alternative\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-10-30 18:49 16269312 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 17:04 2879488 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Updates]
c:\windows\system\Update.exe
R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-11-13 20:38]
R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2006-04-30 06:57]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-06-16 08:53]
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys [2006-11-13 20:38]
R3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2006-11-13 20:36]
R3 MBX2DFU;MBX2DFU;C:\WINDOWS\system32\DRIVERS\MBX2DFU.sys [2006-11-13 20:37]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;C:\WINDOWS\system32\drivers\mbx2midk.sys [2006-11-13 20:37]
S3 MA_CMIDI;M-Audio USB Driver;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2007-11-14 16:20]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2007-11-14 16:20]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\ONSPCLCK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fdbb270-7822-11dc-afc5-00301b44c162}]
\Shell\AutoRun\command - N:\ONSPCLCK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-13 17:50:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 17:08:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-02-14 17:10:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 01:10:48
ComboFix2.txt 2008-02-15 23:01:15
.
2008-02-13 11:05:13 --- E O F ---
VundoFix V6.7.8
Checking Java version...
Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.
Scan started at 12:38:17 2008-02-14
Listing files found while scanning....
C:\windows\system32\ifgnxvws.dllbox
C:\WINDOWS\system32\sppewsoy.dll
Beginning removal...
Attempting to delete C:\windows\system32\ifgnxvws.dllbox
C:\windows\system32\ifgnxvws.dllbox Has been deleted!
Attempting to delete C:\WINDOWS\system32\sppewsoy.dll
C:\WINDOWS\system32\sppewsoy.dll Has been deleted!
Performing Repairs to the registry.
Done!
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Open Notepad and copy all the text inside the Code box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above RenV::
RenV::
----a-w 2,321,600 2008-02-14 19:16:33 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 61,440 2008-02-14 19:16:22 C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
----a-w 106,496 2008-02-14 19:16:23 C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe
File::
C:\WINDOWS\temp\lsass.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft]
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
ComboFix 08-02-15.1 - Administrator 2008-02-14 23:45:02.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1645 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\temp\lsass.exe
.
((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.
2008-02-14 11:20 . 2008-02-14 12:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-14 11:19 . 2008-02-14 11:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 17:53 . 2008-02-13 17:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-10 00:29 . 2008-02-10 00:20 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 00:29 . 2008-02-10 00:29 3,453 --a------ C:\WINDOWS\unins000.dat
2008-02-02 11:39 . 2008-02-02 17:33 <DIR> d-------- C:\Temp Refill Temp
2008-01-20 19:56 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-19 09:23 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\MSBuild
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-19 09:21 . 2008-01-19 09:21 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-19 09:19 . 2008-01-19 09:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-19 09:19 . 2008-01-19 09:19 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-19 09:19 . 2008-02-13 03:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-19 09:18 . 2008-01-19 09:18 <DIR> dr-h----- C:\MSOCache
2008-01-15 20:26 . 2008-01-15 20:26 <DIR> d-------- C:\Program Files\iPod
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 07:46 --------- d-----w C:\Program Files\Common Files\Mediafour
2008-02-15 01:08 --------- d-----w C:\Program Files\iTunes
2008-02-14 19:16 --------- d-----w C:\Program Files\QuickTime Alternative
2008-02-14 18:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-02-12 03:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Digidesign
2008-02-10 10:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 08:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-23 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-09 09:07 --------- d-----w C:\Program Files\FLVPlayer
2008-01-09 09:05 --------- d-----w C:\Program Files\PowerISO
2008-01-09 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\iShell
2008-01-03 02:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Propellerhead Software
2008-01-03 01:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 01:27 --------- d-----w C:\Program Files\M-Audio
2007-12-31 07:36 --------- d-----w C:\Program Files\Azureus
2007-12-21 08:10 --------- d-----w C:\Program Files\Red Kawa
2007-12-21 08:10 --------- d-----w C:\Program Files\AviSynth 2.5
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-16 21:37 --------- d-----w C:\Program Files\Smartparts
2002-08-02 12:00 12,348 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.
<pre>
----a-w 2,321,600 2008-02-14 19:16:33 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 61,440 2008-02-14 19:16:22 C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
----a-w 106,496 2008-02-14 19:16:23 C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe
</pre>
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [ ]
"Auto EPSON Stylus Photo R200 Series on ANTEC"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 12:54 106496]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-12-17 12:43 61440]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 17:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 16:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime Alternative\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-10-30 18:49 16269312 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 17:04 2879488 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Updates]
c:\windows\system\Update.exe
R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-11-13 20:38]
R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2006-04-30 06:57]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-06-16 08:53]
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys [2006-11-13 20:38]
R3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2006-11-13 20:36]
R3 MBX2DFU;MBX2DFU;C:\WINDOWS\system32\DRIVERS\MBX2DFU.sys [2006-11-13 20:37]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;C:\WINDOWS\system32\drivers\mbx2midk.sys [2006-11-13 20:37]
S3 MA_CMIDI;M-Audio USB Driver;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2007-11-14 16:20]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2007-11-14 16:20]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\ONSPCLCK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fdbb270-7822-11dc-afc5-00301b44c162}]
\Shell\AutoRun\command - N:\ONSPCLCK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-13 17:50:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 23:47:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-14 23:49:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 07:49:13
ComboFix2.txt 2008-02-15 01:10:52
ComboFix3.txt 2008-02-15 23:01:15
.
2008-02-13 11:05:13 --- E O F ---
===========================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:53, on 2008-02-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on ANTEC" /O16 "\\ANTEC\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188973442546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188973356453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 7717 bytes
Hello,
Don't worry about your clock, when where done Combofix has a tool that will restore it, just leave it be.
Again, drag Combofix to the trash and download a fresh copy. Same rules
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.
In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again afterwards before connecting to the net
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.
Open Notepad and copy all the text inside the Code box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above RenV::
Killall::
RenV::
----a-w 2,321,600 2008-02-14 19:16:33 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 61,440 2008-02-14 19:16:22 C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
----a-w 106,496 2008-02-14 19:16:23 C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
ComboFix 08-02-15.2 - Administrator 2008-02-15 1:50:12.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1645 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.
2008-02-14 11:20 . 2008-02-14 12:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-14 11:19 . 2008-02-14 11:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 17:53 . 2008-02-13 17:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-10 00:29 . 2008-02-10 00:20 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 00:29 . 2008-02-10 00:29 3,453 --a------ C:\WINDOWS\unins000.dat
2008-02-02 11:39 . 2008-02-02 17:33 <DIR> d-------- C:\Temp Refill Temp
2008-01-20 19:56 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-19 09:23 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\MSBuild
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-19 09:21 . 2008-01-19 09:21 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-19 09:19 . 2008-01-19 09:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-19 09:19 . 2008-01-19 09:19 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-19 09:19 . 2008-02-13 03:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-19 09:18 . 2008-01-19 09:18 <DIR> dr-h----- C:\MSOCache
2008-01-15 20:26 . 2008-01-15 20:26 <DIR> d-------- C:\Program Files\iPod
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 09:51 --------- d-----w C:\Program Files\Common Files\Mediafour
2008-02-15 09:42 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-02-15 01:08 --------- d-----w C:\Program Files\iTunes
2008-02-14 19:16 --------- d-----w C:\Program Files\QuickTime Alternative
2008-02-12 03:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Digidesign
2008-02-10 10:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 08:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-23 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-09 09:07 --------- d-----w C:\Program Files\FLVPlayer
2008-01-09 09:05 --------- d-----w C:\Program Files\PowerISO
2008-01-09 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\iShell
2008-01-03 02:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Propellerhead Software
2008-01-03 01:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 01:27 --------- d-----w C:\Program Files\M-Audio
2007-12-31 07:36 --------- d-----w C:\Program Files\Azureus
2007-12-21 08:10 --------- d-----w C:\Program Files\Red Kawa
2007-12-21 08:10 --------- d-----w C:\Program Files\AviSynth 2.5
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-16 21:37 --------- d-----w C:\Program Files\Smartparts
2002-08-02 12:00 12,348 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.
<pre>
----a-w 2,321,600 2008-02-14 19:16:33 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 61,440 2008-02-14 19:16:22 C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
----a-w 106,496 2008-02-14 19:16:23 C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe
</pre>
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [ ]
"Auto EPSON Stylus Photo R200 Series on ANTEC"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 12:54 106496]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-12-17 12:43 61440]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 17:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 16:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime Alternative\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-10-30 18:49 16269312 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 17:04 2879488 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Updates]
c:\windows\system\Update.exe
R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-11-13 20:38]
R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2006-04-30 06:57]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-06-16 08:53]
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys [2006-11-13 20:38]
R3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2006-11-13 20:36]
R3 MBX2DFU;MBX2DFU;C:\WINDOWS\system32\DRIVERS\MBX2DFU.sys [2006-11-13 20:37]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;C:\WINDOWS\system32\drivers\mbx2midk.sys [2006-11-13 20:37]
S3 MA_CMIDI;M-Audio USB Driver;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2007-11-14 16:20]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2007-11-14 16:20]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\ONSPCLCK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fdbb270-7822-11dc-afc5-00301b44c162}]
\Shell\AutoRun\command - N:\ONSPCLCK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-13 17:50:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 01:52:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-15 1:54:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 09:54:46
ComboFix2.txt 2008-02-15 09:46:25
ComboFix3.txt 2008-02-15 07:49:16
ComboFix4.txt 2008-02-15 01:10:52
ComboFix5.txt 2008-02-15 23:01:15
.
2008-02-13 11:05:13 --- E O F ---
====================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:56, on 2008-02-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on ANTEC" /O16 "\\ANTEC\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188973442546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188973356453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 7750 bytes
What I would do is to use those programs, make sure they work with no problems. Wait a few days and post a new HJT log. I have to look into this a bit as this infection is new.
C:\Program Files\Mediafour
C:\Program Files\Common Files\Adobe\Updater5
Every time I try to empty the trash, after I run these fixes - this screen comes up saying it is updating Adobe. Adobe Acrobat 8.1.2. Should I try to delete Acrobat and install again later?
I am not sure what Mediafour is - it may be from Digidesign/ProTools - Macdrive.
Thank you,
Rick
I just - uninstalled Adobe Acrobat Pro - deleted the folder.
Emptied the trash and ran ComboFix again. Here are the new results.
Thank you,
Rick
----------------------------------------
ComboFix 08-02-15.2 - Administrator 2008-02-15 10:10:11.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1672 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.
2008-02-14 11:20 . 2008-02-14 12:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-14 11:19 . 2008-02-14 11:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 17:53 . 2008-02-13 17:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-10 00:29 . 2008-02-10 00:20 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 00:29 . 2008-02-10 00:29 3,453 --a------ C:\WINDOWS\unins000.dat
2008-02-02 11:39 . 2008-02-02 17:33 <DIR> d-------- C:\Temp Refill Temp
2008-01-20 19:56 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-19 09:23 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\MSBuild
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-19 09:21 . 2008-01-19 09:21 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-19 09:19 . 2008-01-19 09:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-19 09:19 . 2008-01-19 09:19 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-19 09:19 . 2008-02-13 03:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-19 09:18 . 2008-01-19 09:18 <DIR> dr-h----- C:\MSOCache
2008-01-15 20:26 . 2008-01-15 20:26 <DIR> d-------- C:\Program Files\iPod
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 17:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-02-15 17:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-15 09:52 --------- d-----w C:\Program Files\Common Files\Mediafour
2008-02-15 01:08 --------- d-----w C:\Program Files\iTunes
2008-02-14 19:16 --------- d-----w C:\Program Files\QuickTime Alternative
2008-02-12 03:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Digidesign
2008-02-10 10:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 08:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-01 01:33 169,984 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
2008-01-23 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-09 09:07 --------- d-----w C:\Program Files\FLVPlayer
2008-01-09 09:05 --------- d-----w C:\Program Files\PowerISO
2008-01-09 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\iShell
2008-01-03 02:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Propellerhead Software
2008-01-03 01:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 01:27 --------- d-----w C:\Program Files\M-Audio
2007-12-31 07:36 --------- d-----w C:\Program Files\Azureus
2007-12-21 08:10 --------- d-----w C:\Program Files\Red Kawa
2007-12-21 08:10 --------- d-----w C:\Program Files\AviSynth 2.5
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-16 21:37 --------- d-----w C:\Program Files\Smartparts
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-11-15 00:20 424,456 ----a-w C:\WINDOWS\system32\ma_cmidn.dll
2002-08-02 12:00 12,348 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.
<pre>
----a-w 61,440 2008-02-14 19:16:22 C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
----a-w 106,496 2008-02-14 19:16:23 C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe
</pre>
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [ ]
"Auto EPSON Stylus Photo R200 Series on ANTEC"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 12:54 106496]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-12-17 12:43 61440]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 17:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 16:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime Alternative\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-10-30 18:49 16269312 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 17:04 2879488 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Updates]
c:\windows\system\Update.exe
R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-11-13 20:38]
R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2006-04-30 06:57]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-06-16 08:53]
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys [2006-11-13 20:38]
R3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2006-11-13 20:36]
R3 MBX2DFU;MBX2DFU;C:\WINDOWS\system32\DRIVERS\MBX2DFU.sys [2006-11-13 20:37]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;C:\WINDOWS\system32\drivers\mbx2midk.sys [2006-11-13 20:37]
S3 MA_CMIDI;M-Audio USB Driver;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2007-11-14 16:20]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2007-11-14 16:20]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\ONSPCLCK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fdbb270-7822-11dc-afc5-00301b44c162}]
\Shell\AutoRun\command - N:\ONSPCLCK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-13 17:50:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 10:11:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-15 10:11:47
ComboFix-quarantined-files.txt 2008-02-15 18:11:39
ComboFix2.txt 2008-02-15 09:54:49
ComboFix3.txt 2008-02-15 09:46:25
ComboFix4.txt 2008-02-15 07:49:16
ComboFix5.txt 2008-02-15 01:10:52
.
2008-02-13 11:05:13 --- E O F ---
=========================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14, on 2008-02-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on ANTEC" /O16 "\\ANTEC\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188973442546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188973356453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 5707 bytes
C:\Program Files\Common Files\Adobe <-- Make sure this is gone
This is related to your Mac Drive, you can uninstall it and then reinstall it to be safe.
http://www.bleepingcomputer.com/startups/MDDiskProtect.exe-9854.html
I turned of MacDrive in my startup items.
I didn't see a way to remove it on Add/Remove.
I disconected the Internet and ran ComboFix again.
Here are the results:
ComboFix 08-02-15.2 - Administrator 2008-02-15 11:07:47.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1678 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.
2008-02-14 11:20 . 2008-02-14 12:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-14 11:19 . 2008-02-14 11:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 17:53 . 2008-02-13 17:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-10 00:29 . 2008-02-10 00:20 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 00:29 . 2008-02-10 00:29 3,453 --a------ C:\WINDOWS\unins000.dat
2008-02-02 11:39 . 2008-02-02 17:33 <DIR> d-------- C:\Temp Refill Temp
2008-01-20 19:56 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-19 09:23 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\MSBuild
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-19 09:21 . 2008-01-19 09:21 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-19 09:19 . 2008-01-19 09:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-19 09:19 . 2008-01-19 09:19 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-19 09:19 . 2008-02-13 03:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-19 09:18 . 2008-01-19 09:18 <DIR> dr-h----- C:\MSOCache
2008-01-15 20:26 . 2008-01-15 20:26 <DIR> d-------- C:\Program Files\iPod
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 19:05 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-15 19:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 19:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-15 17:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-02-15 09:52 --------- d-----w C:\Program Files\Common Files\Mediafour
2008-02-15 01:08 --------- d-----w C:\Program Files\iTunes
2008-02-14 19:16 --------- d-----w C:\Program Files\QuickTime Alternative
2008-02-12 03:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Digidesign
2008-02-01 01:33 169,984 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
2008-01-23 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-09 09:07 --------- d-----w C:\Program Files\FLVPlayer
2008-01-09 09:05 --------- d-----w C:\Program Files\PowerISO
2008-01-09 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\iShell
2008-01-03 02:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Propellerhead Software
2008-01-03 01:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 01:27 --------- d-----w C:\Program Files\M-Audio
2007-12-31 07:36 --------- d-----w C:\Program Files\Azureus
2007-12-21 08:10 --------- d-----w C:\Program Files\Red Kawa
2007-12-21 08:10 --------- d-----w C:\Program Files\AviSynth 2.5
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-16 21:37 --------- d-----w C:\Program Files\Smartparts
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-11-15 00:20 424,456 ----a-w C:\WINDOWS\system32\ma_cmidn.dll
2002-08-02 12:00 12,348 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.
<pre>
----a-w 61,440 2008-02-14 19:16:22 C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
----a-w 106,496 2008-02-14 19:16:23 C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe
</pre>
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"Auto EPSON Stylus Photo R200 Series on ANTEC"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe" [2008-01-31 17:33 169984]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 17:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MDDiskProtect.exe]
-ra------ 2005-04-15 12:54 106496 C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour Mac Volume Notifications]
-ra------ 2002-12-17 12:43 61440 C:\Program Files\Common Files\Mediafour\MACVNTFY.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 16:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime Alternative\QTTask .exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-10-30 18:49 16269312 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 17:04 2879488 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Updates]
c:\windows\system\Update.exe
R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-11-13 20:38]
R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2006-04-30 06:57]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-06-16 08:53]
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys [2006-11-13 20:38]
R3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2006-11-13 20:36]
R3 MBX2DFU;MBX2DFU;C:\WINDOWS\system32\DRIVERS\MBX2DFU.sys [2006-11-13 20:37]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;C:\WINDOWS\system32\drivers\mbx2midk.sys [2006-11-13 20:37]
S3 MA_CMIDI;M-Audio USB Driver;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2007-11-14 16:20]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2007-11-14 16:20]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\ONSPCLCK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fdbb270-7822-11dc-afc5-00301b44c162}]
\Shell\AutoRun\command - N:\ONSPCLCK.exe
*Newly Created Service* - APPMGMT
.
Contents of the 'Scheduled Tasks' folder
"2008-02-13 17:50:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 11:08:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-15 11:08:25
ComboFix-quarantined-files.txt 2008-02-15 19:08:18
ComboFix2.txt 2008-02-15 18:11:47
ComboFix3.txt 2008-02-15 09:54:49
ComboFix4.txt 2008-02-15 09:46:25
ComboFix5.txt 2008-02-15 07:49:16
.
2008-02-13 11:05:13 --- E O F ---
========================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10, on 2008-02-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on ANTEC" /O16 "\\ANTEC\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188973442546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188973356453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 4884 bytes
Rick,
Your log looks fine, lets wait until I hear back on those entries not being removed, I will be back as soon as I find out.
Ken
Thank you very much.
Rick
Rick,
This is from one of the leading experts in removing Vundo.
I guess it's because some components are loaded under Explorer which may explain why CF can't rename them.
Ask to uninstall the program, reboot and after reboot, delete the folders:
C:\Program Files\Common Files\Mediafour
C:\Program Files\Mediafour
If those folders are deleted and Combofix still displays them afterwards, then this means this is a bug in Combofix, because it can't list what was removed.
If everything is Ok again, ask to reinstall the MediaFour thing again.
I see you already asked to uninstall and reinstall it previously, but since this file was renamed, the uninstaller doesn't see the renamed file and doesn't know the renamed file should be deleted as well.
So, delete both these folders
C:\Program Files\Common Files\Mediafour
C:\Program Files\Mediafour
Reboot and reinstall the program if you wish. Run Combofix again and lets see what it comes up with
I will be back in a couple of hours to try that.
Thank you for all the help.
Rick
ComboFix 08-02-15.2 - Administrator 2008-02-15 19:09:13.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1781 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.
2008-02-14 11:20 . 2008-02-14 12:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-14 11:19 . 2008-02-14 11:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 17:53 . 2008-02-13 17:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-10 00:29 . 2008-02-10 00:20 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 00:29 . 2008-02-10 00:29 3,453 --a------ C:\WINDOWS\unins000.dat
2008-02-02 11:39 . 2008-02-02 17:33 <DIR> d-------- C:\Temp Refill Temp
2008-01-20 19:56 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-19 09:23 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\MSBuild
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-19 09:21 . 2008-01-19 09:21 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-19 09:19 . 2008-01-19 09:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-19 09:19 . 2008-01-19 09:19 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-19 09:19 . 2008-02-13 03:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-19 09:18 . 2008-01-19 09:18 <DIR> dr-h----- C:\MSOCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 02:48 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-15 19:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 19:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-15 17:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-02-15 01:08 --------- d-----w C:\Program Files\iTunes
2008-02-14 19:16 --------- d-----w C:\Program Files\QuickTime Alternative
2008-02-12 03:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Digidesign
2008-02-01 01:33 169,984 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
2008-01-23 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-16 04:26 --------- d-----w C:\Program Files\iPod
2008-01-09 09:05 --------- d-----w C:\Program Files\PowerISO
2008-01-09 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\iShell
2008-01-03 02:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Propellerhead Software
2008-01-03 01:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 01:27 --------- d-----w C:\Program Files\M-Audio
2007-12-31 07:36 --------- d-----w C:\Program Files\Azureus
2007-12-21 08:10 --------- d-----w C:\Program Files\Red Kawa
2007-12-21 08:10 --------- d-----w C:\Program Files\AviSynth 2.5
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-16 21:37 --------- d-----w C:\Program Files\Smartparts
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2002-08-02 12:00 12,348 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"Auto EPSON Stylus Photo R200 Series on ANTEC"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe" [2008-01-31 17:33 169984]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 17:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MDDiskProtect.exe]
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour Mac Volume Notifications]
C:\Program Files\Common Files\Mediafour\MACVNTFY.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 16:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime Alternative\QTTask .exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-10-30 18:49 16269312 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 17:04 2879488 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Updates]
c:\windows\system\Update.exe
R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-11-13 20:38]
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys [2006-11-13 20:38]
R3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2006-11-13 20:36]
R3 MBX2DFU;MBX2DFU;C:\WINDOWS\system32\DRIVERS\MBX2DFU.sys [2006-11-13 20:37]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;C:\WINDOWS\system32\drivers\mbx2midk.sys [2006-11-13 20:37]
S3 MA_CMIDI;M-Audio USB Driver;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2007-11-14 16:20]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2007-11-14 16:20]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\ONSPCLCK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fdbb270-7822-11dc-afc5-00301b44c162}]
\Shell\AutoRun\command - N:\ONSPCLCK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-13 17:50:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 19:10:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-15 19:11:13
ComboFix-quarantined-files.txt 2008-02-16 03:11:05
ComboFix2.txt 2008-02-16 02:52:58
ComboFix3.txt 2008-02-15 19:08:26
ComboFix4.txt 2008-02-15 18:11:47
ComboFix5.txt 2008-02-15 09:54:49
.
2008-02-13 11:05:13 --- E O F ---
======================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:11, on 2008-02-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on ANTEC" /O16 "\\ANTEC\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188973442546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188973356453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 4884 bytes
Looks Good :bigthumb:
This will remove the registry entries for the programs you just removed. If your going to reinstall the program then you can bypass this.
REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MDDiskProtect.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour Mac Volume Notifications]
Copy the entire contents inside the Quote box and Paste it into Notepad ( this will only work with Notepad ) name the file Regfix.reg and in the drop down box, save it as All Files. Save it to your desktop. Then Rightclick on the Regfix.reg file and click on Merge, when it asks you to merge with the Registry, say yes.
If you saved the file correctly it should look like this http://i24.photobucket.com/albums/c30/ken545/reg.jpg
Let me know how things are running now and I will link you to some free programs to install to help keep you more secure.
Ken
How does it look now?
Thank you,
Rick
ComboFix 08-02-15.2 - Administrator 2008-02-15 20:30:04.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1735 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.
2008-02-14 11:20 . 2008-02-14 12:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-14 11:19 . 2008-02-14 11:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 17:53 . 2008-02-13 17:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-10 00:29 . 2008-02-10 00:20 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 00:29 . 2008-02-10 00:29 3,453 --a------ C:\WINDOWS\unins000.dat
2008-02-02 11:39 . 2008-02-02 17:33 <DIR> d-------- C:\Temp Refill Temp
2008-01-20 19:56 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-19 09:23 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\MSBuild
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-19 09:21 . 2008-01-19 09:21 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-19 09:19 . 2008-01-19 09:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-19 09:19 . 2008-01-19 09:19 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-19 09:19 . 2008-02-13 03:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-19 09:18 . 2008-01-19 09:18 <DIR> dr-h----- C:\MSOCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 02:48 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-15 19:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 19:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-15 17:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-02-15 01:08 --------- d-----w C:\Program Files\iTunes
2008-02-14 19:16 --------- d-----w C:\Program Files\QuickTime Alternative
2008-02-12 03:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Digidesign
2008-02-01 01:33 169,984 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
2008-01-23 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-16 04:26 --------- d-----w C:\Program Files\iPod
2008-01-09 09:05 --------- d-----w C:\Program Files\PowerISO
2008-01-09 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\iShell
2008-01-03 02:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Propellerhead Software
2008-01-03 01:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 01:27 --------- d-----w C:\Program Files\M-Audio
2007-12-31 07:36 --------- d-----w C:\Program Files\Azureus
2007-12-21 08:10 --------- d-----w C:\Program Files\Red Kawa
2007-12-21 08:10 --------- d-----w C:\Program Files\AviSynth 2.5
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-16 21:37 --------- d-----w C:\Program Files\Smartparts
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2002-08-02 12:00 12,348 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"Auto EPSON Stylus Photo R200 Series on ANTEC"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe" [2008-01-31 17:33 169984]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 17:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 16:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime Alternative\QTTask .exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-10-30 18:49 16269312 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 17:04 2879488 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Updates]
c:\windows\system\Update.exe
R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-11-13 20:38]
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys [2006-11-13 20:38]
R3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2006-11-13 20:36]
R3 MBX2DFU;MBX2DFU;C:\WINDOWS\system32\DRIVERS\MBX2DFU.sys [2006-11-13 20:37]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;C:\WINDOWS\system32\drivers\mbx2midk.sys [2006-11-13 20:37]
S3 MA_CMIDI;M-Audio USB Driver;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2007-11-14 16:20]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2007-11-14 16:20]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\ONSPCLCK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fdbb270-7822-11dc-afc5-00301b44c162}]
\Shell\AutoRun\command - N:\ONSPCLCK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-13 17:50:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 20:30:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-15 20:30:46
ComboFix-quarantined-files.txt 2008-02-16 04:30:38
ComboFix2.txt 2008-02-16 03:11:13
ComboFix3.txt 2008-02-16 02:52:58
ComboFix4.txt 2008-02-15 19:08:26
ComboFix5.txt 2008-02-15 18:11:47
.
2008-02-13 11:05:13 --- E O F ---
===============================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:31, on 2008-02-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on ANTEC" /O16 "\\ANTEC\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188973442546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188973356453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 4851 bytes
Hello,
By removing those entries from start up, you disabled Normal Startup and although your log looks fine, it may not be showing everything so go to Start> Run and type in msconfig and hit enter and then select Normal Startup, reboot and post a new HJT log.
OK - how does this look?
Thank you,
Rick
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:11, on 2008-02-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on ANTEC" /O16 "\\ANTEC\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Windows Updates] c:\windows\system\Update.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188973442546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188973356453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 6250 bytes
Hello Rick,
This has showed up on your Combo log all along but now its on your HJT log and I think it may be bad. Malware constantly disguises itself as legit programs. To be on the safeside, lets do a couple of things, I know your ready to move on but I would feel terrible if I told you that you where fine and you where not. Leave this be, don't fix it yet
O4 - HKLM\..\Run: [Windows Updates] c:\windows\system\Update.exe
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
SDFix: Version 1.143
Run by Administrator on 2008-02-16 at 16:50
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Checking Files:
No Trojan Files Found
Removing Temp Files...
ADS Check:
Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 16:54:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
Files with Hidden Attributes:
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 28 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Finished!
=================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:57, on 2008-02-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on ANTEC" /O16 "\\ANTEC\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Windows Updates] c:\windows\system\Update.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188973442546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188973356453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 6316 bytes
Good, glad you do not have that trojan. Do this please, it won't take long.
You can upload this file for analysis, post the reports please.
We need to make sure all hidden files are showing :
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Once your system is clean, we suggest that you reverse this to keep critical windows files from accidently being deleted.
Go to VirusTotal (http://www.virustotal.com/) and submit these files for analysis, just use the browse feature and then submit them , you will get a report back, post the report into this thread for me to see.
c:\windows\system\Update.exe
Go to Jotti Upload (http://virusscan.jotti.org/) and under the browse feature, browse to these files
c:\windows\system\Update.exe
Then click on Submit and it will give you a report, post the report in your next reply.
I would also like you to look on your own
c:\windows\system\Update.exe <-- Right click on this file and go to Properties and give me any info on this file.
That file is not in the folder.
I did all the uncheck/checks you said.
It's just not there.
Rick
Also, I ran a search in case I was looking in the wrong folder - the search did not find that file.
Rick
OK Rick, thanks for your patience.
Remove this with HJT and post a new HJT log
O4 - HKLM\..\Run: [Windows Updates] c:\windows\system\Update.exe
I am not sure if you want me to remove the file or HJT will.
Here is a new report.
Rick
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:53, on 2008-02-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on ANTEC" /O16 "\\ANTEC\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Windows Updates] c:\windows\system\Update.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188973442546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188973356453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 6316 bytes
OK - I think I got it. You wanted me to checkmark that line in the HJT window and - Fix it?
I did.
Here is the report.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:03, on 2008-02-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on ANTEC" /O16 "\\ANTEC\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188973442546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188973356453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 6250 bytes
Good, if no issues when you removed it then do this. This may be overkill but lets be sure.
Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
c:\windows\system\Update.exe
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
File/Folder c:\windows\system\Update.exe not found.
OTMoveIt2 v1.0.20 log created on 02162008_182356
http://i24.photobucket.com/albums/c30/ken545/cool.gif
Rick, your good to go :bigthumb::bigthumb:
Just update your Java, this may be how this garbage got in
Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems (http://java.sun.com/javase/downloads/index.jsp) and install the update
Java Runtime Environment (JRE) 6 Update 4 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to to do the offline installation and save the setup file in case I may need it in the future
Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 2.0.0.12 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Glad we could help
Safe Surfn
Ken
From Java Verify:
You have the recommended Java installed (1.6.0_04).
I will do the other things you listed.
Thank you so much for the help.
Rick
Your very welcome Rick,
Take care,
Ken
Rick,
In my haste I forgot this...
Time for some housekeeping
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
Ken
Did it now - looks like it reset everything.
My clock is running on the 24 hour style - not 12 am/pm like it used to.
I think that I can change that in the Bios.
Thank you again,
Rick
Your welcome Rick,
Been a pleasure helping you :)
Ken
I can't figure out how to get my clock back to the AM/PM style and not 24 hour style.
At some point one of these Fixes or Virus changed it to the 24 hour style.
Do you know how I can get it back to how it was?
Thank you,
Rick
Try this
Go to your Control Panel and then to Regional and Language Options, Under the Regional Options Tab , click on Customize and then the Time Tab make sure the first drop down box is set like this h:mm:ss tt , the second box should be : and the 3rd and 4th AM and PM Close it out and see if it fixed it, not sure but a reboot may be needed.
Yeah!! - now I know what time it is.
Thank you again,
Rick