SpyDefenderPro, Whataboutadog infection, Computer running slowly!!



eightsix
2008-03-21, 16:58
My laptop computer has been running much slower than usual, and I noticed a program, "SpyDefenderPro", that I did not install on it. I tried to remove it with Control Panel; that didn't work.

Also, the screen flashes periodically, as if a window were opening and closing quickly.

Also, in the Internet Explorer history, it is seen to be visiting b.whataboutadog.com daily.

Please help! Thanks much.
The HJT log is here:
------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:31 AM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\tray\wintmr.exe
C:\WINDOWS\system32\cc32\webtmr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SpyDefender Pro\SpyDefender.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cchservice.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\Common Files\Tray\ccexec.exe
O1 - Hosts: 80.69.94.166 gameguard.mapleglobal.com
O1 - Hosts: 80.69.94.166 63.251.217.184
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [FG_Monitor] C:\Documents and Settings\Jack\Desktop\DEREK'S JUNK\Folder Guard\FGKey.exe /Start
O4 - HKLM\..\Run: [ChicoSys] C:\WINDOWS\system32\cc32\webtmr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [tasa] C:\DOCUME~1\Jack\LOCALS~1\Temp\taso.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [CCWinTray] C:\WINDOWS\Tray\wintmr.exe
O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Clean Traces - C:\Documents and Settings\Derek\Desktop\DEREK'S JUNK\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Documents and Settings\Derek\Desktop\DEREK'S JUNK\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Documents and Settings\Derek\Desktop\DEREK'S JUNK\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9461D15-8CA0-41F1-BE59-8FD63641C6F6}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Windows-CCHook-Service - Salfeld Computer - C:\WINDOWS\system32\cchservice.exe

--
End of file - 9587 bytes
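The log above is read by eye in this thread. As an added example (not code from the thread, from HijackThis, or from either participant), the Python script below applies the checks a helper runs first to a few lines copied from that log: a second program chained onto UserInit (F2), an autorun launched from a Temp folder (O4), a hosts-file redirection (O1), a Trusted Zone addition (O15) and an ActiveX entry with neither a name nor a source URL (O16). The sample lines are constructed from the posted log; the rule set and the `Finding` type are this example's own, and every O4 entry not launched from Temp is deliberately left for human review, since HJT lists legitimate autoruns alongside bad ones.

```python
"""Triage a HijackThis (HJT) log for the entry types a helper looks at first.

Added example for this thread; not part of HijackThis and not code posted
by either participant. The rules are deliberately narrow: they flag only
things that are almost never legitimate and leave everything else alone.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\Common Files\Tray\ccexec.exe
O1 - Hosts: 80.69.94.166 gameguard.mapleglobal.com
O4 - HKLM\..\Run: [tasa] C:\DOCUME~1\Jack\LOCALS~1\Temp\taso.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
"""


@dataclass
class Finding:
    section: str   # HJT section code such as "O4"
    reason: str    # why the line deserves a closer look
    line: str      # the log line as written


# Every HJT entry starts with a section code, a dash and the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
# A Temp directory anywhere in the launch path (8.3 short names included).
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def _userinit_extras(body: str) -> List[str]:
    """Return every UserInit value other than the real userinit.exe."""
    value = body.partition("UserInit=")[2]
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if not p.lower().endswith("\\userinit.exe")]


def _run_target(body: str) -> str:
    """Extract the launch path from 'HKLM\\..\\Run: [name] path args'."""
    m = re.search(r"\]\s*(.*)$", body)
    return m.group(1).strip().strip('"') if m else ""


def triage(log_text: str) -> List[Finding]:
    """Return the entries in an HJT log that need a closer look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "F2" and "UserInit=" in body:
            for extra in _userinit_extras(body):
                findings.append(Finding(sec, f"extra program chained onto UserInit: {extra}", line))
        elif sec == "O1":
            fields = body.split(":", 1)[1].split()        # "<ip> <hostname>"
            if len(fields) == 2 and fields[0] not in ("127.0.0.1", "::1"):
                findings.append(Finding(sec, f"hosts file sends {fields[1]} to {fields[0]}", line))
        elif sec == "O4" and TEMP_RE.search(_run_target(body)):
            findings.append(Finding(sec, "autorun launched from a Temp folder", line))
        elif sec == "O15":
            findings.append(Finding(sec, "site added to the IE Trusted Zone; check who added it", line))
        elif sec == "O16" and body.rstrip().endswith("-"):
            findings.append(Finding(sec, "ActiveX object with no name and no source URL", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>3}  {f.reason}\n      {f.line}")
```

Run against the sample it reports five entries, in log order: the `ccexec.exe` chained onto UserInit, the hosts redirection, the Temp-folder autorun, the Trusted Zone site and the unnamed DPF object; the Intel and SpyDefender O4 lines pass through untouched because the script has no baseline for judging them.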

Shaba
2008-03-22, 11:33
Hi eightsix

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

eightsix
2008-03-22, 16:38
ComboFix 08-03-22.1 - Jack 2008-03-22 7:21:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.634 [GMT -8:00]
Running from: C:\Documents and Settings\Jack\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ntdelect.com
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1169506331.old
C:\Program Files\WinBudget\bin\crap.1193182714.old
C:\Program Files\WinBudget\bin\crap.1193237382.old
C:\Program Files\WinBudget\bin\crap.1194399816.old
C:\Program Files\WinBudget\bin\crap.1196027236.old
C:\Program Files\WinBudget\bin\crap.1196632936.old
C:\Program Files\WinBudget\bin\crap.1197912186.old
C:\Program Files\WinBudget\bin\crap.1198520955.old
C:\Program Files\WinBudget\bin\crap.1199131394.old
C:\Program Files\WinBudget\bin\crap.1199745600.old
C:\Program Files\WinBudget\bin\crap.1200966479.old
C:\Program Files\WinBudget\bin\crap.1201298143.old
C:\Program Files\WinBudget\bin\crap.1201800122.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\matrix.dll.1193182713.old
C:\Program Files\WinBudget\bin\matrix.dll.1193237382.old
C:\Program Files\WinBudget\bin\matrix.dll.1194399816.old
C:\Program Files\WinBudget\bin\matrix.dll.1196027235.old
C:\Program Files\WinBudget\bin\matrix.dll.1196632935.old
C:\Program Files\WinBudget\bin\matrix.dll.1197912186.old
C:\Program Files\WinBudget\bin\matrix.dll.1198520954.old
C:\Program Files\WinBudget\bin\matrix.dll.1199131393.old
C:\Program Files\WinBudget\bin\matrix.dll.1199745600.old
C:\Program Files\WinBudget\bin\matrix.dll.1200966479.old
C:\Program Files\WinBudget\bin\matrix.dll.1201298142.old
C:\Program Files\WinBudget\bin\matrix.dll.1201800121.old
C:\Program Files\WinBudget\bin\matrix.dll.1202081334.old
C:\Program Files\WinBudget\bin\tempzor
C:\u.exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ff.exe
C:\WINDOWS\system32\kavo1.dll
C:\WINDOWS\system32\swctl.dll
C:\WINDOWS\system32\tavo.exe
C:\WINDOWS\system32\tavo1.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.

2008-03-21 07:40 . 2008-03-21 07:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-21 07:35 . 2008-03-21 07:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-21 07:35 . 2008-03-21 07:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-21 07:32 . 2008-03-21 07:29 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-21 07:32 . 2008-03-21 07:32 2,538 --a------ C:\WINDOWS\unins000.dat
2008-03-19 18:46 . 2008-03-19 18:46 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\PC Tools
2008-03-18 21:11 . 2008-03-18 21:11 <DIR> d-------- C:\Documents and Settings\Derek\Application Data\Sonic
2008-03-11 17:25 . 2008-03-11 17:25 <DIR> d-------- C:\Documents and Settings\Derek\Application Data\vlc
2008-03-05 19:03 . 2008-03-10 19:59 <DIR> d-------- C:\Documents and Settings\Derek\dwhelper
2008-02-24 07:25 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-24 07:25 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-24 07:25 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-24 07:25 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-24 07:24 . 2008-03-20 06:34 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-24 07:24 . 2008-02-24 07:24 <DIR> d-------- C:\Documents and Settings\Jack\Application Data\PC Tools
2008-02-24 07:24 . 2008-03-21 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-24 07:13 . 2008-02-24 07:18 <DIR> d-------- C:\Program Files\XoftSpySE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 17:06 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-21 15:22 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-24 15:55 --------- d-----w C:\Program Files\SpyDefender Pro
2008-02-24 15:24 --------- d-----w C:\Program Files\Google
2008-02-22 07:03 81,408 --sh--r C:\WINDOWS\system32\tavo0.dll
2008-02-19 00:51 115,221 --sh--r C:\gqsk.bat
2008-02-18 16:02 113,930 --sh--r C:\p9.exe
2008-02-15 16:09 112,726 --sh--r C:\u18vxqle.com
2008-02-15 04:37 --------- d-----w C:\Documents and Settings\Derek\Application Data\dvdcss
2008-02-15 04:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-15 04:03 --------- d-----w C:\Program Files\SanDisk
2008-02-14 06:21 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-02-14 06:21 113,896 --sh--r C:\o2yf0w.bat
2008-02-14 06:21 --------- d-----w C:\Program Files\Real
2008-02-14 06:21 --------- d-----w C:\Program Files\Common Files\xing shared
2008-02-14 06:21 --------- d-----w C:\Program Files\Common Files\Real
2008-01-31 06:02 114,770 --sh--r C:\8h3hh3m.exe
2008-01-30 23:43 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-01-30 05:51 --------- d-----w C:\Documents and Settings\Derek\Application Data\RhythmRascal
2008-01-30 05:50 --------- d-----w C:\Program Files\Rhythm Rascal
2008-01-30 01:58 --------- d-----w C:\Documents and Settings\Derek\Application Data\Apple Computer
2008-01-29 08:56 --------- d-----w C:\Program Files\iTunes
2008-01-29 08:55 --------- d-----w C:\Program Files\QuickTime
2008-01-29 08:55 --------- d-----w C:\Program Files\iPod
2008-01-29 08:55 --------- d-----w C:\Program Files\Bonjour
2008-01-29 08:54 --------- d-----w C:\Program Files\Apple Software Update
2008-01-29 08:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-29 08:53 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-29 08:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-26 17:27 --------- d-----w C:\Program Files\NHN USA
2008-01-24 19:51 114,187 --sh--r C:\nncu6kk.com
2008-01-23 22:25 --------- d-----w C:\Program Files\Java
2008-01-17 02:25 679,936 ----a-w C:\WINDOWS\system32\ijjiSetup.exe
2008-01-13 23:37 115,079 --sh--r C:\ek.com
2008-01-06 06:29 116,109 --sh--r C:\copetttt.com
2008-01-04 16:51 920,088 ----a-w C:\WINDOWS\system32\igxpun.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 307,200 2004-11-22 16:18:02 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
----a-w 26,636 2007-10-19 02:52:45 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

----a-w 602,182 2005-11-28 19:41:50 C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe

----a-w 667,718 2005-12-05 20:37:40 C:\Program Files\Intel\Wireless\Bin\bak\ZCfgSvc.exe

----a-w 77,824 2007-03-18 14:43:41 C:\Program Files\Java\jre1.6.0\bin\bak\jusched.exe
----a-w 26,636 2007-10-19 02:52:45 C:\Program Files\Java\jre1.6.0\bin\jusched.exe

----a-w 184,320 2004-08-18 11:37:44 C:\Program Files\ltmoh\bak\Ltmoh.exe

----a-w 286,720 2007-06-29 13:24:52 C:\Program Files\QuickTime\bak\QTTask.exe
----a-w 385,024 2008-01-10 23:27:36 C:\Program Files\QuickTime\QTTask.exe

----a-w 761,945 2005-12-16 08:32:58 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe

----a-w 82,009 2005-12-16 08:34:16 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe

----a-w 65,536 2004-12-30 08:32:20 C:\Program Files\TOSHIBA\TOSCDSPD\bak\toscdspd.exe

----a-w 352,256 2006-01-05 22:02:24 C:\Program Files\TOSHIBA\TOSHIBA Applet\bak\thotkey.exe

----a-w 122,880 2005-04-27 00:13:20 C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\bak\SmoothView.exe

----a-w 73,728 2005-11-30 20:25:22 C:\Program Files\TOSHIBA\Tvs\bak\TvsTray.exe

----a-w 151,552 2005-03-18 01:37:26 C:\TOSHIBA\IVP\ISM\bak\pinger.exe

----a-w 64,512 2005-08-05 21:56:34 C:\WINDOWS\ehome\bak\ehtray.exe
----a-w 64,512 2005-08-05 21:56:34 C:\WINDOWS\ehome\ehtray.exe

----a-w 15,360 2004-08-10 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-10 12:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-11-28 05:52:00 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 159,744 2007-12-19 19:08:12 C:\WINDOWS\system32\hkcmd.exe

----a-w 118,784 2005-11-28 05:55:58 C:\WINDOWS\system32\bak\igfxpers.exe
----a-w 131,072 2007-12-19 19:07:42 C:\WINDOWS\system32\igfxpers.exe

----a-w 98,304 2005-11-28 05:55:14 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 135,168 2007-12-19 19:08:08 C:\WINDOWS\system32\igfxtray.exe

----a-w 122,940 2005-10-06 13:20:00 C:\WINDOWS\system32\DLA\bak\DLACTRLW.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"Aim6"="" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2007-10-18 18:52 26636]
"CCWinTray"="C:\WINDOWS\Tray\wintmr.exe" [2006-02-15 06:02 4219896]
"SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" [2007-10-09 15:24 1630720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-03-11 15:03 73728 C:\WINDOWS\system32\TDispVol.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 06:29 88203 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 21:00 282624 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"FG_Monitor"="C:\Documents and Settings\Jack\Desktop\DEREK'S JUNK\Folder Guard\FGKey.exe" [ ]
"ChicoSys"="C:\WINDOWS\system32\cc32\webtmr.exe" [2006-02-15 06:02 3824120]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-19 11:08 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-19 11:08 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-19 11:07 131072]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]

C:\Documents and Settings\Jack\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2007-02-27 19:01:45 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-24 07:24:18 125624]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-02-15 08:31:42 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableClock"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINDOWS\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jack^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\Jack\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 04:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
C:\PROGRA~1\AIM\\DeadAIM.ocm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kava]
C:\WINDOWS\system32\kavo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\bak\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyDefender Shield]
--a------ 2007-10-09 15:24 1630720 C:\Program Files\SpyDefender Pro\SpyDefender.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tava]
C:\WINDOWS\system32\tavo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 00:05]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2007-02-19 17:43]
R2 Windows-CCHook-Service;Windows-CCHook-Service;C:\WINDOWS\system32\cchservice.exe [2006-02-15 06:02]
S3 CEDRIVER53;CEDRIVER53;C:\Documents and Settings\Jack\Desktop\DEREK'S JUNK\Cheat Engine\dbk32.sys []
S3 dump_wmimmc;dump_wmimmc;C:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys []
S3 saruen;saruen;C:\DOCUME~1\Jack\LOCALS~1\Temp\Rar$EX08.391\saruen.sys []
S3 Storm1;Storm1;C:\DOCUME~1\Jack\LOCALS~1\Temp\Rar$EX03.984\Storm\Storm.sys []
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 14:47]
S3 TSHAK3T1;TSHAK3T1;C:\Documents and Settings\Jack\Desktop\RE 3.2\spuce.sys []
S3 uzeil1;uzeil1;C:\DOCUME~1\Jack\LOCALS~1\Temp\Rar$EX06.062\Mini Engine\Mini Engine\uzeil.sys []
S3 xp1;xp1;C:\DOCUME~1\Jack\LOCALS~1\Temp\Rar$EX00.361\xpengine\xp.sys []
S3 zenx1;zenx1;C:\DOCUME~1\Jack\LOCALS~1\Temp\Rar$EX00.484\ZenxEngine_LATEST\zenx.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5190423a-bc20-11dc-886f-001302a47e1e}]
\Shell\AutoRun\command - E:\ntdelect.com
\Shell\explore\Command - E:\ntdelect.com
\Shell\open\Command - E:\ntdelect.com

.
Contents of the 'Scheduled Tasks' folder
"2007-09-01 13:24:05 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1163945586.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe:-I
"2008-01-16 04:47:15 C:\WINDOWS\Tasks\Low Battery Alarm Program.job"
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 07:24:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-22 7:25:12
ComboFix-quarantined-files.txt 2008-03-22 15:25:09
.
2008-01-24 03:49:20 --- E O F ---
--------------------------- A new HJT log in next post due to word limit-
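Three parts of the ComboFix report above carry most of the diagnostic weight: the Find3M listing (files carrying the system+hidden attribute pair, which ordinary application files almost never do), the MountPoints2 block (AutoRun, open and explore verbs pointing at a file on drive E:, the pattern of an autorun worm spreading via removable media) and the firewall policy line. As an added example, not code from ComboFix or from either participant, the Python below pulls exactly those indicators out of lines copied from the posted report. The sample is constructed from the report; the regexes and the `Finding` type are this example's own assumptions about the report layout shown on this page.

```python
"""Pull the highest-value indicators out of a ComboFix report.

Added example for this thread, not part of ComboFix and not code either
participant posted. Reads the Find3M listing, the MountPoints2 block and
the firewall policy line from the report text.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the ComboFix report posted above.
SAMPLE_REPORT = r"""
2008-02-22 07:03 81,408 --sh--r C:\WINDOWS\system32\tavo0.dll
2008-02-19 00:51 115,221 --sh--r C:\gqsk.bat
2008-02-15 04:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-14 06:21 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5190423a-bc20-11dc-886f-001302a47e1e}]
\Shell\AutoRun\command - E:\ntdelect.com
\Shell\explore\Command - E:\ntdelect.com
\Shell\open\Command - E:\ntdelect.com
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


@dataclass
class Finding:
    kind: str      # "hidden-system-file", "autorun" or "firewall"
    reason: str    # one-line explanation for the reader of the report
    line: str      # the report line as written


# Find3M line: date, time, size, 7-char attribute string, path.
# Size is printed as a run of dashes for directories.
FIND3M_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+|-+)\s+(?P<attr>[a-z-]{7})\s+(?P<path>.+)$"
)
# MountPoints2 shell verbs that fire when a drive is opened or double-clicked.
AUTORUN_RE = re.compile(
    r"^\\Shell\\(?P<verb>AutoRun|open|explore)\\command - (?P<target>.+)$", re.IGNORECASE
)
# Windows Firewall switched off in the profile being listed.
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*0\b')


def triage_combofix(report: str) -> List[Finding]:
    """Return the indicators worth acting on, in the order they appear."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        m = FIND3M_RE.match(line)
        if m:
            attr = m.group("attr")
            # 's' and 'h' together on a plain file (not a directory) is the
            # attribute pattern used to keep the dropped files out of sight.
            if "s" in attr and "h" in attr and not attr.startswith("d"):
                findings.append(Finding("hidden-system-file",
                                        f"system+hidden attributes on {m.group('path')}", line))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            findings.append(Finding("autorun",
                                    f"{m.group('verb')} verb runs {m.group('target')}", line))
            continue
        if FIREWALL_RE.match(line):
            findings.append(Finding("firewall",
                                    "Windows Firewall disabled in the standard profile", line))
    return findings


if __name__ == "__main__":
    for f in triage_combofix(SAMPLE_REPORT):
        print(f"{f.kind:<19} {f.reason}")
```

On the sample this yields six findings: two system+hidden files (the `tavo0.dll` in system32 and the `gqsk.bat` in the drive root), three MountPoints2 verbs all pointing at `E:\ntdelect.com`, and the disabled firewall. The InstallShield folder is hidden but not system, so it is correctly ignored, as is the ordinary `msvcp71.dll`.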

eightsix
2008-03-22, 16:38
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:00 AM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\cchservice.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\tray\wintmr.exe
C:\WINDOWS\system32\cc32\webtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
C:\Program Files\SpyDefender Pro\SpyDefender.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 80.69.94.166 gameguard.mapleglobal.com
O1 - Hosts: 80.69.94.166 63.251.217.184
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [FG_Monitor] C:\Documents and Settings\Jack\Desktop\DEREK'S JUNK\Folder Guard\FGKey.exe /Start
O4 - HKLM\..\Run: [ChicoSys] C:\WINDOWS\system32\cc32\webtmr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [CCWinTray] C:\WINDOWS\Tray\wintmr.exe
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Clean Traces - C:\Documents and Settings\Derek\Desktop\DEREK'S JUNK\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Documents and Settings\Derek\Desktop\DEREK'S JUNK\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Documents and Settings\Derek\Desktop\DEREK'S JUNK\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: *.doginhispen.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9461D15-8CA0-41F1-BE59-8FD63641C6F6}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Windows-CCHook-Service - Salfeld Computer - C:\WINDOWS\system32\cchservice.exe

--
End of file - 9329 bytes
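
The HijackThis entries above are what a helper reads through by eye. As an added example (not code from the thread, HijackThis or ComboFix), here is a small Python triage script that parses the O2, O4, O15 and O23 line formats shown in the log and marks the entries a reviewer would examine first: autoruns that run from the drive root, from a profile folder or as a bare file name, services with no publisher information, any Trusted Zone addition, and the SpyDefender product this thread is about. The flagging rules and the folder list are illustrative assumptions, not HijackThis logic; the sample lines are copied from the log above.

```python
"""Triage helper for HijackThis v2.0 log entries.

Added example for this thread; it is not part of HijackThis, ComboFix or any
forum post. It parses the O2 (BHO), O4 (registry autorun), O15 (Trusted Zone)
and O23 (service) line formats seen in the log above and flags the entries a
malware-removal helper would look at first. The flagging rules are
illustrative assumptions, not HijackThis's own logic.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Entry formats exactly as HijackThis prints them.
RE_O2 = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$')
RE_O4 = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
RE_O15 = re.compile(r'^O15 - Trusted Zone: (?P<domain>.+)$')
RE_O23 = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$')
# Splits an O4 command into executable path and arguments; HijackThis prints
# paths with spaces unquoted, so cut at the first executable extension.
RE_CMD = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|bat|scr|dll))"?(?:\s+(?P<args>.*))?$',
                    re.IGNORECASE)

# Assumed heuristics: the droppers in this thread sat in the drive root, and
# user-writable profile folders are where unwanted software commonly lands.
PROFILE_DIRS = ('\\temp\\', '\\desktop\\', '\\local settings\\', '\\application data\\')
# Product the thread identified as a rogue anti-spyware program.
KNOWN_ROGUE = ('spydefender',)


@dataclass
class Finding:
    kind: str                 # "O2", "O4", "O15" or "O23"
    name: str
    path: str
    flags: List[str] = field(default_factory=list)


def path_flags(path: str) -> List[str]:
    """Flags derived from where the referenced binary lives."""
    p = path.lower()
    flags = []
    if '\\' not in p:
        flags.append('bare file name, resolved through the search path')
    if re.match(r'^[a-z]:\\[^\\]+$', p):
        flags.append('binary sits directly in the drive root')
    if any(d in p for d in PROFILE_DIRS):
        flags.append('binary lives in a user-writable profile folder')
    if any(r in p for r in KNOWN_ROGUE):
        flags.append('path names a known rogue anti-spyware product')
    return flags


def parse_entry(line: str) -> Optional[Finding]:
    """Return a Finding for a supported entry line, or None for anything else."""
    line = line.strip()
    if (m := RE_O4.match(line)):
        cmd = RE_CMD.match(m['cmd'])
        path = cmd['path'] if cmd else m['cmd']
        return Finding('O4', m['name'], path, path_flags(path))
    if (m := RE_O2.match(line)):
        return Finding('O2', m['name'], m['path'], path_flags(m['path']))
    if (m := RE_O23.match(line)):
        flags = path_flags(m['path'])
        if m['owner'] == 'Unknown owner':
            flags.append('service binary carries no publisher information')
        return Finding('O23', m['name'], m['path'], flags)
    if (m := RE_O15.match(line)):
        # Any Trusted Zone entry matters: IE applies its most relaxed
        # security settings to that site.
        return Finding('O15', m['domain'], '', ['site placed in the IE Trusted Zone'])
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Parse every supported entry; unsupported lines are skipped."""
    return [f for f in map(parse_entry, lines) if f is not None]


def flagged(lines: List[str]) -> Dict[str, List[str]]:
    """Entry name -> flags, for entries that raised at least one flag."""
    return {f.name: f.flags for f in triage(lines) if f.flags}


# Constructed sample: lines copied from the HijackThis log posted above, plus
# one non-entry line to show that unsupported lines are skipped.
SAMPLE_LOG = r"""Running processes:
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [FG_Monitor] C:\Documents and Settings\Jack\Desktop\DEREK'S JUNK\Folder Guard\FGKey.exe /Start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O15 - Trusted Zone: *.doginhispen.com
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
""".splitlines()

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        mark = 'REVIEW' if f.flags else 'ok    '
        print(f'{mark} {f.kind:<4} {f.name}')
        for flag in f.flags:
            print(f'         - {flag}')
```

Run it directly to get a REVIEW/ok mark per entry, or call `flagged()` on a full log split into lines. The `O15 - Trusted Zone: *.doginhispen.com` line is flagged unconditionally: the Trusted Zone relaxes Internet Explorer's security settings for that site, so a helper treats any entry there that the user did not add as part of the infection, not as noise.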

Shaba
2008-03-22, 18:09
Hi

Looking over your log, I see no evidence of anti-virus software.

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading the infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus program from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/) - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/doc/1) - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

After that:

Open notepad and copy/paste the text in the quotebox below into it:


AWF::
C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
C:\Program Files\Java\jre1.6.0\bin\bak\jusched.exe
C:\Program Files\QuickTime\bak\QTTask.exe
C:\WINDOWS\ehome\bak\ehtray.exe
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\igfxpers.exe
C:\WINDOWS\system32\bak\igfxtray.exe

File::
C:\WINDOWS\system32\tavo0.dll
C:\gqsk.bat
C:\p9.exe
C:\u18vxqle.com
C:\o2yf0w.bat
C:\nncu6kk.com
C:\WINDOWS\system32\ijjiSetup.exe
C:\ek.com
C:\copetttt.com

Folder::
C:\Program Files\SpyDefender Pro

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyDefender Shield"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5190423a-bc20-11dc-886f-001302a47e1e}]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kava]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyDefender Shield]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tava]


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happens, we want to know, and also which process you had to end.

eightsix
2008-03-24, 06:37
HJT here and combofix in next post, as requested.

ComboFix 08-03-22.1 - Jack 2008-03-23 21:23:57.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.599 [GMT -8:00]
Running from: C:\Documents and Settings\Jack\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jack\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\copetttt.com
C:\ek.com
C:\gqsk.bat
C:\nncu6kk.com
C:\o2yf0w.bat
C:\p9.exe
C:\u18vxqle.com
C:\WINDOWS\system32\ijjiSetup.exe
C:\WINDOWS\system32\tavo0.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\swctl.dll
.
---- Previous Run -------
.
C:\copetttt.com
C:\ek.com
C:\gqsk.bat
C:\nncu6kk.com
C:\o2yf0w.bat
C:\p9.exe
C:\Program Files\SpyDefender Pro
C:\Program Files\SpyDefender Pro\SpyDefender.exe
C:\Program Files\SpyDefender Pro\SpyDefender.ini
C:\u18vxqle.com
C:\WINDOWS\system32\ijjiSetup.exe
C:\WINDOWS\system32\swctl.dll
C:\WINDOWS\system32\tavo0.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))
.

2008-03-23 21:08 . 2008-03-23 21:08 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-23 21:08 . 2003-03-18 12:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-03-23 21:08 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-23 21:08 . 2004-01-09 01:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-23 21:08 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-23 21:08 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-23 21:08 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-23 21:08 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-23 21:08 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-23 21:08 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-21 07:40 . 2008-03-21 07:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-21 07:35 . 2008-03-21 07:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-21 07:35 . 2008-03-21 07:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-21 07:32 . 2008-03-21 07:29 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-21 07:32 . 2008-03-21 07:32 2,538 --a------ C:\WINDOWS\unins000.dat
2008-03-19 18:46 . 2008-03-19 18:46 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\PC Tools
2008-03-18 21:11 . 2008-03-18 21:11 <DIR> d-------- C:\Documents and Settings\Derek\Application Data\Sonic
2008-03-11 17:25 . 2008-03-11 17:25 <DIR> d-------- C:\Documents and Settings\Derek\Application Data\vlc
2008-03-05 19:03 . 2008-03-10 19:59 <DIR> d-------- C:\Documents and Settings\Derek\dwhelper
2008-02-24 07:25 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-24 07:25 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-24 07:25 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-24 07:25 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-24 07:24 . 2008-03-20 06:34 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-24 07:24 . 2008-02-24 07:24 <DIR> d-------- C:\Documents and Settings\Jack\Application Data\PC Tools
2008-02-24 07:24 . 2008-03-23 21:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-24 07:13 . 2008-02-24 07:18 <DIR> d-------- C:\Program Files\XoftSpySE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 05:17 --------- d-----w C:\Documents and Settings\Jack\Application Data\AdobeUM
2008-03-24 05:16 --------- d-----w C:\Program Files\QuickTime
2008-03-21 17:06 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-21 15:22 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-24 15:24 --------- d-----w C:\Program Files\Google
2008-02-15 04:37 --------- d-----w C:\Documents and Settings\Derek\Application Data\dvdcss
2008-02-15 04:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-15 04:03 --------- d-----w C:\Program Files\SanDisk
2008-02-14 06:21 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-02-14 06:21 --------- d-----w C:\Program Files\Real
2008-02-14 06:21 --------- d-----w C:\Program Files\Common Files\xing shared
2008-02-14 06:21 --------- d-----w C:\Program Files\Common Files\Real
2008-01-31 06:02 114,770 --sh--r C:\8h3hh3m.exe
2008-01-30 23:43 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-01-30 05:51 --------- d-----w C:\Documents and Settings\Derek\Application Data\RhythmRascal
2008-01-30 05:50 --------- d-----w C:\Program Files\Rhythm Rascal
2008-01-30 01:58 --------- d-----w C:\Documents and Settings\Derek\Application Data\Apple Computer
2008-01-29 08:56 --------- d-----w C:\Program Files\iTunes
2008-01-29 08:55 --------- d-----w C:\Program Files\iPod
2008-01-29 08:55 --------- d-----w C:\Program Files\Bonjour
2008-01-29 08:54 --------- d-----w C:\Program Files\Apple Software Update
2008-01-29 08:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-29 08:53 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-29 08:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-26 17:27 --------- d-----w C:\Program Files\NHN USA
2008-01-04 16:51 920,088 ----a-w C:\WINDOWS\system32\igxpun.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-22_ 7.24.48.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-19 19:08:12 159,744 ----a-w C:\WINDOWS\system32\hkcmd.exe
+ 2005-11-28 05:52:00 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
- 2007-12-19 19:07:42 131,072 ----a-w C:\WINDOWS\system32\igfxpers.exe
+ 2005-11-28 05:55:58 118,784 ----a-w C:\WINDOWS\system32\igfxpers.exe
- 2007-12-19 19:08:08 135,168 ----a-w C:\WINDOWS\system32\igfxtray.exe
+ 2005-11-28 05:55:14 98,304 ----a-w C:\WINDOWS\system32\igfxtray.exe
+ 2008-03-24 05:16:17 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_7b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"Aim6"="" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 08:18 307200]
"CCWinTray"="C:\WINDOWS\Tray\wintmr.exe" [2006-02-15 06:02 4219896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-03-11 15:03 73728 C:\WINDOWS\system32\TDispVol.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 06:29 88203 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 21:00 282624 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"FG_Monitor"="C:\Documents and Settings\Jack\Desktop\DEREK'S JUNK\Folder Guard\FGKey.exe" [ ]
"ChicoSys"="C:\WINDOWS\system32\cc32\webtmr.exe" [2006-02-15 06:02 3824120]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-27 21:55 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-27 21:52 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-27 21:55 118784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast\ashDisp.exe" [2007-12-04 05:00 79224]

C:\Documents and Settings\Jack\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2007-02-27 19:01:45 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-24 07:24:18 125624]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-02-15 08:31:42 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableClock"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINDOWS\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jack^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\Jack\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 04:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
C:\PROGRA~1\AIM\\DeadAIM.ocm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\bak\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 00:05]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2007-02-19 17:43]
R2 Windows-CCHook-Service;Windows-CCHook-Service;C:\WINDOWS\system32\cchservice.exe [2006-02-15 06:02]
S3 CEDRIVER53;CEDRIVER53;C:\Documents and Settings\Jack\Desktop\DEREK'S JUNK\Cheat Engine\dbk32.sys []
S3 dump_wmimmc;dump_wmimmc;C:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys []
S3 saruen;saruen;C:\DOCUME~1\Jack\LOCALS~1\Temp\Rar$EX08.391\saruen.sys []
S3 Storm1;Storm1;C:\DOCUME~1\Jack\LOCALS~1\Temp\Rar$EX03.984\Storm\Storm.sys []
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 14:47]
S3 TSHAK3T1;TSHAK3T1;C:\Documents and Settings\Jack\Desktop\RE 3.2\spuce.sys []
S3 uzeil1;uzeil1;C:\DOCUME~1\Jack\LOCALS~1\Temp\Rar$EX06.062\Mini Engine\Mini Engine\uzeil.sys []
S3 xp1;xp1;C:\DOCUME~1\Jack\LOCALS~1\Temp\Rar$EX00.361\xpengine\xp.sys []
S3 zenx1;zenx1;C:\DOCUME~1\Jack\LOCALS~1\Temp\Rar$EX00.484\ZenxEngine_LATEST\zenx.sys []

*Newly Created Service* - AAVMKER4
*Newly Created Service* - ASWMON2
*Newly Created Service* - ASWRDR
*Newly Created Service* - ASWTDI
*Newly Created Service* - ASWUPDSV
*Newly Created Service* - AVAST!_ANTIVIRUS
*Newly Created Service* - AVAST!_MAIL_SCANNER
*Newly Created Service* - AVAST!_WEB_SCANNER
.
Contents of the 'Scheduled Tasks' folder
"2007-09-01 13:24:05 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1163945586.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe:-I
"2008-01-16 04:47:15 C:\WINDOWS\Tasks\Low Battery Alarm Program.job"
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 21:25:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-23 21:26:43
ComboFix-quarantined-files.txt 2008-03-24 05:26:39
ComboFix2.txt 2008-03-22 15:25:13
.
2008-01-24 03:49:20 --- E O F ---

eightsix
2008-03-24, 06:37
Combofix log as requested, newest HJT in previous post ^.


eightsix
2008-03-24, 06:38
Sorry for the double post of the ComboFix log; HERE is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:16 PM, on 3/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\cchservice.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\cc32\webtmr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\tray\wintmr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Alwil Software\Avast\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [FG_Monitor] C:\Documents and Settings\Jack\Desktop\DEREK'S JUNK\Folder Guard\FGKey.exe /Start
O4 - HKLM\..\Run: [ChicoSys] C:\WINDOWS\system32\cc32\webtmr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [CCWinTray] C:\WINDOWS\Tray\wintmr.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Clean Traces - C:\Documents and Settings\Derek\Desktop\DEREK'S JUNK\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Documents and Settings\Derek\Desktop\DEREK'S JUNK\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Documents and Settings\Derek\Desktop\DEREK'S JUNK\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9461D15-8CA0-41F1-BE59-8FD63641C6F6}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Windows-CCHook-Service - Salfeld Computer - C:\WINDOWS\system32\cchservice.exe

--
End of file - 9704 bytes

Shaba
2008-03-24, 11:24
Hi

Delete this:

C:\8h3hh3m.exe

Empty Recycle Bin.

Open HijackThis, click do a system scan only and checkmark these:

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -

Close all windows including browser and press fix checked.

Reboot.

Re-scan with kaspersky.


Post:

- a fresh HijackThis log
- kaspersky report
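
The entries Shaba picks out above (a URLSearchHook marked "(no file)" and two O16 DPF lines that carry no download URL) are the kind of thing a helper scans a log for by eye. As an added example, not part of the original thread and not HijackThis or ComboFix code, the script below applies those same heuristics mechanically, and adds a check a practitioner usually wants as well: autostarts or drivers that load from user-writable locations such as %TEMP% or the Desktop. The sample lines are constructed in HijackThis and ComboFix format; the regexes, the "user-writable" list and the reason strings are this example's own assumptions.

```python
"""Heuristic triage of HijackThis/ComboFix-style log lines.

Added example for this thread; not HijackThis or ComboFix code. The sample
lines, patterns and reason strings are this example's own assumptions.
"""
import re
from typing import Dict, List

# Markers HijackThis prints when the file an entry points to no longer exists.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# HijackThis lines that describe something loaded at startup: BHOs (O2),
# Run keys / Startup folders (O4) and services (O23).
HJT_AUTOSTART = re.compile(r"^O(2|4|23) - ")

# ComboFix driver/service lines look like "S3 name;display name;path [date]".
CF_DRIVER = re.compile(r"^[RS]\d (?!- )[^;]+;[^;]*;")

# Locations a normal user can write to; a driver or autostart loading from
# here is unusual enough to deserve a look (assumed heuristic, not a verdict).
USER_WRITABLE = re.compile(
    r"\\(Temp|LOCALS~1|Desktop|Local Settings)\\", re.IGNORECASE
)


def triage_line(line: str) -> List[str]:
    """Return the reasons a single log line deserves attention (empty if none)."""
    s = line.strip()
    reasons: List[str] = []
    if not s:
        return reasons
    if any(marker in s for marker in ORPHAN_MARKERS):
        reasons.append("orphaned entry: the referenced file no longer exists")
    # O16 lines are ActiveX (DPF) downloads; a bare trailing '-' means no
    # download URL could be resolved for the control.
    if s.startswith("O16 - DPF:") and s.endswith(" -"):
        reasons.append("ActiveX (DPF) entry with no download URL")
    is_driver = bool(CF_DRIVER.match(s))
    if (HJT_AUTOSTART.match(s) or is_driver) and USER_WRITABLE.search(s):
        reasons.append("autostart or driver loaded from a user-writable path")
    # ComboFix prints an empty "[]" where the file's timestamp would go when
    # the driver file itself is absent on disk.
    if is_driver and s.endswith("[]"):
        reasons.append("driver registered but its file is missing on disk")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map every flagged line of a log to the list of reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


# Constructed sample: a handful of lines in HijackThis and ComboFix format.
SAMPLE_LOG = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: &Example Toolbar - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000002} - C:\\Program Files\\Example\\helper.dll (file missing)
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O4 - HKCU\\..\\Run: [Loader] C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\loader.exe
O16 - DPF: {00000000-0000-0000-0000-000000000003} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
S3 example1;example1;C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\Rar$EX00.001\\example.sys []
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\\WINDOWS\\system32\\DRIVERS\\tosrfec.sys [2005-09-09 14:47]
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   ->", reason)
```

A flag is a prompt to look closer, not a verdict: an orphaned entry is usually just stale and is removed for tidiness, and a legitimate tool run from the Desktop will trip the user-writable check. Treat the output as a review list, the way Shaba reads the log above.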

eightsix
2008-03-24, 21:34
Couldn't find "C:\8h3hh3m.exe"

Here's the new HJT; Kaspersky was way too slow, sorry. Any alternatives?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:07 PM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\cchservice.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Alwil Software\Avast\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\cc32\webtmr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Tray\wintmr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [FG_Monitor] C:\Documents and Settings\Jack\Desktop\DEREK'S JUNK\Folder Guard\FGKey.exe /Start
O4 - HKLM\..\Run: [ChicoSys] C:\WINDOWS\system32\cc32\webtmr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CCWinTray] C:\WINDOWS\Tray\wintmr.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Clean Traces - C:\Documents and Settings\Derek\Desktop\DEREK'S JUNK\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Documents and Settings\Derek\Desktop\DEREK'S JUNK\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Documents and Settings\Derek\Desktop\DEREK'S JUNK\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9461D15-8CA0-41F1-BE59-8FD63641C6F6}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Windows-CCHook-Service - Salfeld Computer - C:\WINDOWS\system32\cchservice.exe

--
End of file - 9283 bytes

Shaba
2008-03-25, 14:27
Hi

What do you mean by too slow?

It can take hours, that's true.

Well, this should be faster:

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.

eightsix
2008-03-25, 15:16
Malwarebytes' Anti-Malware 1.09
Database version: 540

Scan type: Full Scan (C:\|)
Objects scanned: 111630
Time elapsed: 36 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{b0e43034-50f5-1f84-8098-824b44f2dbc3} (Adware.AdMedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\SWD123 (Rogue.SpyDefender) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\Program Files\WinBudget\bin\matrix.dll.1196027235.old.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP360\A0239471.old (Trojan.Downloader) -> Quarantined and deleted successfully.

Shaba
2008-03-25, 15:21
Hi

Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\8h3hh3m.exe

Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post along with a fresh HijackThis log, please.

eightsix
2008-03-25, 19:53
C:\8h3hh3m.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03252008_105101

Shaba
2008-03-25, 19:57
Hi

That looks good :)

Still problems?

eightsix
2008-03-25, 22:40
It is running better than before, but I am still concerned that I may have something.

In Task Manager, I see I have several (at the moment 9) svchost.exe running, and I'm concerned that a virus may have hijacked it.

Shaba
2008-03-26, 11:20
Hi

That is normal unless you have some other symptoms left?
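
Shaba's answer above is correct: several svchost.exe instances are normal, because each one hosts a group of services, and `tasklist /svc` shows which services each PID hosts. As an added example (not part of the original thread and not Microsoft code), the script below parses constructed `tasklist /svc` output and applies the two checks a practitioner runs before worrying about svchost: a real svchost.exe always hosts at least one service, and the image name must be exactly svchost.exe rather than a look-alike such as svch0st.exe. The sample output, the edit-distance threshold, the helper names and the assumed system root are this example's own choices; `tasklist /svc` does not print the image path, so the path check is a separate function fed by whatever tool you use to obtain it (Process Explorer, `wmic process get ProcessId,ExecutablePath`).

```python
"""Sanity checks on svchost.exe instances from `tasklist /svc` output.

Added example for this thread, not Microsoft or forum code. The sample
output below is constructed; the look-alike threshold, the helper names and
the assumed system root are this example's own choices.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# A `tasklist /svc` row: image name, PID, then a comma-separated service list
# (or N/A). Long lists wrap onto indented continuation lines.
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def _split_services(chunk: str) -> List[str]:
    parts = [p.strip() for p in chunk.split(",")]
    return [p for p in parts if p and p != "N/A"]


def parse_tasklist_svc(text: str) -> List[Dict]:
    """Turn `tasklist /svc` text into rows of {name, pid, services}."""
    rows: List[Dict] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # Continuation of the previous row's service list.
            if rows:
                rows[-1]["services"].extend(_split_services(line))
            continue
        m = ROW.match(line)
        if not m:
            continue  # header and separator lines carry no PID
        name, pid, rest = m.groups()
        rows.append({"name": name.strip(), "pid": int(pid),
                     "services": _split_services(rest)})
    return rows


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; enough to catch svch0st / scvhost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_svchost(rows: List[Dict], max_distance: int = 2) -> List[Tuple[int, str]]:
    """Flag svchost.exe rows that host no services, and look-alike names."""
    flags: List[Tuple[int, str]] = []
    for row in rows:
        name = row["name"].lower()
        if name == "svchost.exe":
            if not row["services"]:
                flags.append((row["pid"], "svchost.exe hosting no services"))
        elif _edit_distance(name, "svchost.exe") <= max_distance:
            flags.append((row["pid"], f"look-alike process name: {row['name']}"))
    return flags


def is_expected_svchost_path(path: str, system_root: str = r"C:\WINDOWS") -> bool:
    """True only for the real service host binary under the (assumed) system root.

    tasklist does not print image paths; feed this the path from Process
    Explorer or `wmic process get ProcessId,ExecutablePath`.
    """
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "svchost.exe"))
    return ntpath.normcase(ntpath.normpath(path)) == expected


# Constructed sample of `tasklist /svc` output with one look-alike and one
# svchost.exe that hosts nothing.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
smss.exe                       360 N/A
services.exe                   652 Eventlog, PlugPlay
lsass.exe                      664 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    812 DcomLaunch, TermService
svchost.exe                    880 RpcSs
svchost.exe                    968 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, Schedule, wuauserv
svchost.exe                   1100 Dnscache
svchost.exe                   1132 LmHosts, RemoteRegistry, SSDPSRV, WebClient
svch0st.exe                   1500 N/A
svchost.exe                   1600 N/A
explorer.exe                  1700 N/A
"""

if __name__ == "__main__":
    for pid, reason in check_svchost(parse_tasklist_svc(SAMPLE_TASKLIST)):
        print(pid, reason)
```

On a real machine, pipe `tasklist /svc` into a file and feed that text to `parse_tasklist_svc`; five or more svchost.exe rows each listing services is the expected picture on XP. The two things worth a second look are exactly what `check_svchost` reports: an instance that hosts nothing, or a name that is almost, but not quite, svchost.exe.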

eightsix
2008-03-27, 05:56
Not especially any problems, but how can I make sure all spyware is gone?

I want to be able to pay bills with confidence that my computer is virus free, what steps can I take?

Shaba
2008-03-27, 11:05
Hi

Well, if you have no symptoms left, you can be pretty sure that nothing is left.

Shaba
2008-04-01, 14:38
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.