Need some Virtumonde help
OK, went through all the steps, I think, and this little bugger keeps coming back up.
Here's my HJT log (next post is the Kaspersky report).
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:40 PM, on 4/29/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clemson.edu/students/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {589FD57C-B54C-4943-93AB-9E5308FD22AC} - (no file)
O2 - BHO: (no name) - {5AB57F0C-6022-4C5D-919A-464732B573FB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AFFD0023-7C2B-45ED-8348-9807D6DE60AB} - C:\Windows\system32\opnmJARk.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\pmNfdDTK.dll,#1
O4 - HKLM\..\Run: [679fb832] rundll32.exe "C:\Windows\system32\ypjaadfs.dll",b
O4 - HKLM\..\Run: [BM64ac8bae] Rundll32.exe "C:\Windows\system32\smmqkxnb.dll",s
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c13/v18.170/qboax10.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9494 bytes
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 29, 2008 2:13:46 PM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/04/2008
Kaspersky Anti-Virus database records: 730656
Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target: My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects: 138677
Number of viruses found: 6
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 02:17:02
Infected Object Name Virus Name Last Action
C:\Program Files\HP Connections\6811507\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\L0000004.FCS Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\storydb.idx Object is locked skipped
C:\Program Files\Online Services\Vonage\smb\Xtras\regxtra121.x32 Infected: Backdoor.Win32.RAdmin.ag skipped
C:\ProgramData\CyberLink\TinyDB\EPGSignal Object is locked skipped
C:\ProgramData\CyberLink\TinyDB\Schedule Object is locked skipped
C:\ProgramData\McAfee\Common Framework\Db\Agent_SPENCER-PC.log Object is locked skipped
C:\ProgramData\McAfee\Common Framework\Db\PrdMgr_SPENCER-PC.log Object is locked skipped
C:\ProgramData\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\ProgramData\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.286.Crwl Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.286.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.ci Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wsb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010018.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010019.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001A.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001004C.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy899.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf297F.tmp Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2980.tmp Object is locked skipped
C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-11022006-050241.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\Users\Spencer\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Users\Spencer\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Spencer\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Spencer\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Spencer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BTASSCJS\idkfa[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.qrt skipped
C:\Users\Spencer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Spencer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JDVEX34W\t650XtctNif8[1].jpg Object is locked skipped
C:\Users\Spencer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JDVEX34W\txwH2uWZCj8b[1].jpg Object is locked skipped
C:\Users\Spencer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JDVEX34W\tznG2Ls4Osyo[1].jpg Object is locked skipped
C:\Users\Spencer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RXO0W4IX\tSTTS_0003_front[1].png Object is locked skipped
C:\Users\Spencer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UG5L9ZF8\glas[1] Infected: Packed.Win32.Monder.gen skipped
C:\Users\Spencer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UG5L9ZF8\kriv[1] Infected: Packed.Win32.Monder.gen skipped
C:\Users\Spencer\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Spencer\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Spencer\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Spencer\AppData\Local\Microsoft\Windows\UsrClass.dat{77566530-1b67-11dc-818f-001b243486cd}.TM.blf Object is locked skipped
C:\Users\Spencer\AppData\Local\Microsoft\Windows\UsrClass.dat{77566530-1b67-11dc-818f-001b243486cd}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Spencer\AppData\Local\Microsoft\Windows\UsrClass.dat{77566530-1b67-11dc-818f-001b243486cd}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Spencer\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped
C:\Users\Spencer\AppData\Local\Temp\NAILogs\UpdaterUI_SPENCER-PC.log Object is locked skipped
C:\Users\Spencer\AppData\Local\Temp\tmp00009aa9 Infected: not-a-virus:AdWare.Win32.Virtumonde.qpf skipped
C:\Users\Spencer\AppData\Local\Temp\tmp0000b827 Infected: not-a-virus:AdWare.Win32.Virtumonde.qpf skipped
C:\Users\Spencer\AppData\Local\Temp\tmp0000b97e Infected: not-a-virus:AdWare.Win32.Virtumonde.qpf skipped
C:\Users\Spencer\AppData\Local\Temp\tmp0000ba68 Infected: not-a-virus:AdWare.Win32.Virtumonde.qpf skipped
C:\Users\Spencer\AppData\Local\Temp\tmp0000fe5a Infected: not-a-virus:AdWare.Win32.Virtumonde.qpf skipped
C:\Users\Spencer\AppData\Local\Temp\tmp0002a830 Infected: not-a-virus:AdWare.Win32.Virtumonde.qpf skipped
C:\Users\Spencer\AppData\Local\Temp\tmp058615fc Infected: not-a-virus:AdWare.Win32.Virtumonde.qpf skipped
C:\Users\Spencer\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Spencer\ntuser.dat Object is locked skipped
C:\Users\Spencer\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Spencer\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Spencer\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Users\Spencer\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Spencer\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\bthservsdp.dat Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\components Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\default Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\sam Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\security Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\software Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\system Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\opnmJARk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.001 Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
Scan process completed.
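As an added triage example (my own code, not something from this thread, from HijackThis or from Kaspersky): the script below parses the O2 (BHO) and O4 (Run) lines of a HijackThis log and the "Infected:" rows of a Kaspersky report, scores each load point on a few heuristics (a DLL in system32 with an eight-letter name, a BHO registered with no name, a rundll32 entry point that is an ordinal or a single letter, a Run value named with a hex string), and reports which suspects the scanner already named and which have no detection yet. The heuristics and the two-indicator threshold are my assumptions, tuned to the pattern visible in the log above; the sample inputs are lines copied from the two logs posted here. A flag without a scanner hit (on this input: pmNfdDTK.dll, ypjaadfs.dll and smmqkxnb.dll) is a lead to verify, for example by submitting the file to a scanner, not a detection.

```python
import re

# Constructed sample input: a subset of lines copied from the HijackThis log
# and the Kaspersky report posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {589FD57C-B54C-4943-93AB-9E5308FD22AC} - (no file)
O2 - BHO: (no name) - {AFFD0023-7C2B-45ED-8348-9807D6DE60AB} - C:\Windows\system32\opnmJARk.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\pmNfdDTK.dll,#1
O4 - HKLM\..\Run: [679fb832] rundll32.exe "C:\Windows\system32\ypjaadfs.dll",b
O4 - HKLM\..\Run: [BM64ac8bae] Rundll32.exe "C:\Windows\system32\smmqkxnb.dll",s
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""
KAV_SAMPLE = r"""
C:\Program Files\HP Connections\6811507\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Online Services\Vonage\smb\Xtras\regxtra121.x32 Infected: Backdoor.Win32.RAdmin.ag skipped
C:\Users\Spencer\AppData\Local\Temp\tmp00009aa9 Infected: not-a-virus:AdWare.Win32.Virtumonde.qpf skipped
C:\Windows\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\Windows\System32\opnmJARk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
KAV_RE = re.compile(r"^(?P<path>.+?)\s+Infected: (?P<det>\S+)\s+(?P<action>\S+)$")
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)
HEX_KEY_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$", re.I)   # e.g. 679fb832, BM64ac8bae


def parse_hjt(text):
    """Return O2 and O4 entries as dicts; BHOs whose file is gone are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            if m["path"] != "(no file)":
                entries.append({"section": "O2", "key": m["clsid"], "name": m["name"],
                                "path": m["path"], "export": None})
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"]
        d = RUNDLL_RE.match(cmd)
        if d:                                   # rundll32 <dll>,<entry point>
            path, export = d["dll"], d["export"]
        elif cmd.startswith('"'):               # "quoted path" args
            path, export = cmd[1:].split('"', 1)[0], None
        else:                                   # bare path, optional args
            m2 = re.match(r"(?P<p>.+?\.(?:exe|dll|com|scr))(?:\s|$)", cmd, re.I)
            path, export = (m2["p"] if m2 else cmd), None
        entries.append({"section": "O4", "key": m["key"], "name": None,
                        "path": path, "export": export})
    return entries


def score_entry(e):
    """Heuristic indicators (my assumptions, not signatures); two or more = worth a look."""
    reasons = []
    path = e["path"]
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if SYSTEM32_RE.match(path) and re.fullmatch(r"[A-Za-z]{8}", stem):
        reasons.append("8-letter random-looking DLL name in system32")
    if e["section"] == "O2" and e["name"] == "(no name)":
        reasons.append("BHO registered without a name")
    if e["export"] and re.fullmatch(r"#\d+|[A-Za-z]", e["export"]):
        reasons.append("rundll32 entry point is an ordinal or a single letter")
    if e["section"] == "O4" and HEX_KEY_RE.match(e["key"]):
        reasons.append("Run value name is a random hex string")
    return reasons


def parse_kav(text):
    """Map path -> detection name for 'Infected:' rows; locked/skipped rows are dropped."""
    hits = {}
    for line in text.splitlines():
        m = KAV_RE.match(line.strip())
        if m:
            hits[m["path"]] = m["det"]
    return hits


def triage(hjt_text, kav_text, threshold=2):
    """Cross-reference HJT suspects with scanner hits (paths compared case-insensitively)."""
    kav = {p.lower(): (p, d) for p, d in parse_kav(kav_text).items()}
    confirmed, unconfirmed, seen = [], [], set()
    for e in parse_hjt(hjt_text):
        reasons = score_entry(e)
        if len(reasons) < threshold:
            continue
        key = e["path"].lower()
        seen.add(key)
        det = kav[key][1] if key in kav else None
        (confirmed if det else unconfirmed).append((e["path"], det, reasons))
    kav_only = [v for k, v in kav.items() if k not in seen]   # scanner hits HJT never showed
    return {"confirmed": confirmed, "unconfirmed": unconfirmed, "kav_only": kav_only}


if __name__ == "__main__":
    result = triage(HJT_SAMPLE, KAV_SAMPLE)
    for label in ("confirmed", "unconfirmed"):
        for path, det, reasons in result[label]:
            print(f"{label:13}{path}  {det or '(no scanner hit)'}  [{'; '.join(reasons)}]")
    for path, det in result["kav_only"]:
        print(f"{'scanner-only':13}{path}  {det}")
```

Feed it the full logs (read the two files and pass their text) and it prints three groups: load points the scanner confirmed, load points flagged on heuristics only, and scanner hits that are not load points at all (dropped payloads in Temp, the Vonage and PopCap files). The scanner-only group is what a tool list like the one in the next reply is built from; the heuristic-only group is what a signature scan can miss when the DLL has been repacked.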
Rorschach112
2008-04-30, 01:30
Hello
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
[kill explorer]
C:\Program Files\Online Services\Vonage\smb\Xtras\regxtra121.x32
C:\Windows\Downloaded Program Files\popcaploader.dll
C:\Windows\System32\opnmJARk.dll
purity
[start explorer]
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Please visit this web page for instructions for downloading and running ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.
Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
Followed your instructions. Thanks for your help so far. I'm posting the OTMoveIt2 log and a new HJT log, but the ComboFix log wasn't created after the reboot because the program and Windows froze after it started to make one.
Explorer killed successfully
C:\Program Files\Online Services\Vonage\smb\Xtras\regxtra121.x32 moved successfully.
C:\Windows\Downloaded Program Files\popcaploader.dll unregistered successfully.
C:\Windows\Downloaded Program Files\popcaploader.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\opnmJARk.dll
C:\Windows\System32\opnmJARk.dll NOT unregistered.
File move failed. C:\Windows\System32\opnmJARk.dll scheduled to be moved on reboot.
< purity >
Explorer started successfully
OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04302008_223337
Files moved on Reboot...
LoadLibrary failed for C:\Windows\System32\opnmJARk.dll
C:\Windows\System32\opnmJARk.dll NOT unregistered.
C:\Windows\System32\opnmJARk.dll moved successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:07, on 2008-04-30
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clemson.edu/students/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {589FD57C-B54C-4943-93AB-9E5308FD22AC} - (no file)
O2 - BHO: (no name) - {5AB57F0C-6022-4C5D-919A-464732B573FB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {98E7E799-7D58-470D-BF11-780BC46A388F} - (no file)
O2 - BHO: (no name) - {AF5AB3D1-794E-43CF-AFA1-04265F5E2112} - C:\Windows\system32\opnmJARk.dll (file missing)
O2 - BHO: (no name) - {AFFD0023-7C2B-45ED-8348-9807D6DE60AB} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\pmNfdDTK.dll,#1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP-Diags] C:\Program Files\Hewlett-Packard\HP Battery Check\HPDOM\HPDiags.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c13/v18.170/qboax10.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/popcaploader_v10.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8903 bytes
OK, ran ComboFix again and it finally spat out a report!
ComboFix 08-04-28.2 - Spencer 2008-05-01 6:45:55.3 - NTFSx86 DSREPAIR
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1278 [GMT -4:00]
Running from: C:\Users\Spencer\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Windows\Downloaded Program Files\setup.inf
C:\Windows\System32\kRAJmnpo.ini
C:\Windows\System32\kRAJmnpo.ini2
C:\Windows\system32\lovqhlty.dll
C:\Windows\System32\sfdaajpy.ini
C:\Windows\system32\xumvfvkg.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Service_NPF
((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.
2008-04-30 22:33 . 2008-04-30 22:33 <DIR> d-------- C:\_OTMoveIt
2008-04-30 22:13 . 2008-04-30 22:54 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-30 22:13 . 2008-04-30 22:13 1,409 --a------ C:\Windows\QTFont.for
2008-04-29 08:54 . 2008-04-29 08:54 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-04-29 08:54 . 2008-04-29 08:54 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-04-29 08:54 . 2008-04-29 08:54 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-04-29 03:37 . 2008-04-29 15:47 422 --a------ C:\Windows\wininit.ini
2008-04-29 03:19 . 2008-04-30 23:03 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-29 03:19 . 2008-04-30 23:03 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-04-29 03:19 . 2008-04-30 23:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-29 02:40 . 2008-04-29 02:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-29 00:45 . 2008-04-29 00:45 268 --ah----- C:\sqmdata17.sqm
2008-04-29 00:45 . 2008-04-29 00:45 244 --ah----- C:\sqmnoopt17.sqm
2008-04-26 15:09 . 2008-04-26 15:09 268 --ah----- C:\sqmdata16.sqm
2008-04-26 15:09 . 2008-04-26 15:09 244 --ah----- C:\sqmnoopt16.sqm
2008-04-26 06:19 . 2008-04-26 06:19 268 --ah----- C:\sqmdata15.sqm
2008-04-26 06:19 . 2008-04-26 06:19 244 --ah----- C:\sqmnoopt15.sqm
2008-04-20 20:53 . 2008-04-20 20:53 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-04-17 11:59 . 2008-04-17 11:59 268 --ah----- C:\sqmdata14.sqm
2008-04-17 11:59 . 2008-04-17 11:59 244 --ah----- C:\sqmnoopt14.sqm
2008-04-17 00:30 . 2007-10-26 20:46 779,800 --a------ C:\Windows\System32\PresentationNative_v0300.dll
2008-04-17 00:30 . 2007-10-26 20:46 579,584 --a------ C:\Windows\System32\icardagt.exe
2008-04-17 00:30 . 2007-10-26 20:46 350,744 --a------ C:\Windows\System32\PresentationHost.exe
2008-04-17 00:30 . 2007-10-26 20:46 106,520 --a------ C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2008-04-17 00:30 . 2007-10-29 23:12 88,576 --a------ C:\Windows\System32\infocardapi.dll
2008-04-17 00:30 . 2007-10-26 20:46 33,304 --a------ C:\Windows\System32\PresentationHostProxy.dll
2008-04-17 00:30 . 2007-10-29 23:09 28,160 --a------ C:\Windows\System32\infocardcpl.cpl
2008-04-17 00:30 . 2007-10-26 20:46 11,776 --a------ C:\Windows\System32\icardres.dll
2008-04-17 00:23 . 2007-10-26 20:46 41,984 --a------ C:\Windows\System32\netfxperf.dll
2008-04-17 00:22 . 2007-10-26 20:46 158,720 --a------ C:\Windows\System32\mscorier.dll
2008-04-17 00:22 . 2007-10-26 20:46 84,480 --a------ C:\Windows\System32\mscories.dll
2008-04-17 00:21 . 2007-10-26 20:46 96,760 --a------ C:\Windows\System32\dfshim.dll
2008-04-17 00:20 . 2007-10-26 20:46 282,112 --a------ C:\Windows\System32\mscoree.dll
2008-04-15 16:36 . 2008-04-15 16:36 268 --ah----- C:\sqmdata13.sqm
2008-04-15 16:36 . 2008-04-15 16:36 244 --ah----- C:\sqmnoopt13.sqm
2008-04-15 00:56 . 2008-04-15 00:56 268 --ah----- C:\sqmdata12.sqm
2008-04-15 00:56 . 2008-04-15 00:56 244 --ah----- C:\sqmnoopt12.sqm
2008-04-14 00:50 . 2008-04-14 00:56 <DIR> d-------- C:\Program Files\Cloudbrain
2008-04-09 05:25 . 2008-04-09 05:25 268 --ah----- C:\sqmdata11.sqm
2008-04-09 05:25 . 2008-04-09 05:25 244 --ah----- C:\sqmnoopt11.sqm
2008-04-08 22:52 . 2008-02-14 19:19 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-08 22:52 . 2008-02-19 01:10 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-08 22:52 . 2008-02-29 02:39 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-08 22:52 . 2008-02-29 02:38 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-08 22:52 . 2008-02-29 02:39 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-08 22:52 . 2008-02-29 02:51 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-08 22:52 . 2008-02-29 02:38 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-08 22:52 . 2008-02-29 02:34 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-08 22:52 . 2008-02-29 02:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-08 22:51 . 2008-02-29 00:16 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-04-08 22:51 . 2008-02-21 00:43 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-04-08 22:51 . 2007-12-16 07:42 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-04-08 22:51 . 2007-12-16 07:41 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-04-08 00:42 . 2008-04-08 00:42 <DIR> d-------- C:\Program Files\Screenshot Utility
2008-04-08 00:24 . 2008-04-08 00:24 268 --ah----- C:\sqmdata10.sqm
2008-04-08 00:24 . 2008-04-08 00:24 244 --ah----- C:\sqmnoopt10.sqm
2008-04-06 23:58 . 2008-04-06 23:58 280 --ah----- C:\sqmdata09.sqm
2008-04-06 23:58 . 2008-04-06 23:58 244 --ah----- C:\sqmnoopt09.sqm
2008-04-06 23:16 . 2008-04-06 23:16 268 --ah----- C:\sqmdata08.sqm
2008-04-06 23:16 . 2008-04-06 23:16 244 --ah----- C:\sqmnoopt08.sqm
2008-04-06 01:49 . 2008-04-07 01:29 <DIR> d-------- C:\Users\Spencer\AppData\Roaming\Azureus
2008-04-06 01:49 . 2008-04-06 01:49 <DIR> d-------- C:\Users\All Users\Azureus
2008-04-06 01:49 . 2008-04-06 01:49 <DIR> d-------- C:\ProgramData\Azureus
2008-04-05 20:42 . 2008-04-05 20:42 268 --ah----- C:\sqmdata07.sqm
2008-04-05 20:42 . 2008-04-05 20:42 244 --ah----- C:\sqmnoopt07.sqm
2008-04-04 17:55 . 2008-04-04 17:55 <DIR> d-------- C:\Program Files\iPod
2008-04-04 17:52 . 2008-04-04 17:53 <DIR> d-------- C:\Program Files\QuickTime
2008-04-04 15:35 . 2008-05-01 06:42 <DIR> d-------- C:\QUARANTINE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 07:31 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-01 02:54 13,119 ----a-w C:\Users\Spencer\AppData\Roaming\nvModes.dat
2008-04-29 08:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-26 14:13 --------- d-----w C:\Users\Spencer\AppData\Roaming\uTorrent
2008-04-26 10:34 --------- d-----w C:\Program Files\Electronic Arts
2008-04-25 08:23 --------- d-----w C:\Program Files\City of Heroes
2008-04-22 19:11 --------- d-----w C:\ProgramData\Roxio
2008-04-22 19:06 --------- d-----w C:\Users\Spencer\AppData\Roaming\Roxio
2008-04-21 21:49 --------- d-----w C:\Program Files\Java
2008-04-21 04:20 --------- d-----w C:\Users\Spencer\AppData\Roaming\LimeWire
2008-04-16 18:25 29,952 ----a-w C:\Windows\Help\OEM\scripts\HPScript.exe
2008-04-13 18:40 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-09 09:06 --------- d-----w C:\Program Files\Windows Mail
2008-04-09 04:52 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-06 01:58 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-04-06 01:58 107,832 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-04-04 21:55 --------- d-----w C:\Program Files\iTunes
2008-03-25 02:24 --------- d-----w C:\ProgramData\LightScribe
2008-03-25 02:11 --------- d-----w C:\ProgramData\Sonic
2008-03-25 02:06 --------- d-----w C:\Program Files\LightScribeTemplateLabeler
2008-03-25 02:05 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-03-06 13:08 --------- d-----w C:\Program Files\LimeWire
2008-03-03 09:40 599,552 ----a-w C:\Windows\System32\CnxtAp32.dll
2008-03-03 08:10 182,272 ----a-w C:\Windows\system32\drivers\CHDRT32.sys
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-13 10:12 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-13 10:05 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-13 10:05 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-13 10:05 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-13 10:05 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-13 10:05 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-13 10:04 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 10:04 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 10:04 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 10:04 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-13 10:04 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 10:04 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 10:04 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-01-27 00:38 32 ----a-r C:\Users\All Users\hash.dat
2008-01-27 00:38 32 ----a-r C:\ProgramData\hash.dat
2007-11-15 17:06 22,328 ----a-w C:\Users\Spencer\AppData\Roaming\PnkBstrK.sys
2007-08-30 11:49 174 --sha-w C:\Program Files\desktop.ini
2008-01-29 02:00 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-01-29 02:00 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-01-29 02:00 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-04-30_22.59.21.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-01 02:39:50 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-05-01 10:08:04 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-05-01 02:39:34 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-05-01 10:45:01 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-05-01 02:18:18 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-01 03:03:42 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-01 02:18:18 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-01 03:03:42 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-01 02:18:18 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-01 03:03:42 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-05-01 02:42:23 108,758 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-05-01 03:01:13 108,758 ----a-w C:\Windows\System32\perfc009.dat
- 2008-05-01 02:42:24 632,538 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-05-01 03:01:13 632,538 ----a-w C:\Windows\System32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF5AB3D1-794E-43CF-AFA1-04265F5E2112}]
C:\Windows\system32\opnmJARk.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 08:34 2159104 C:\Windows\System32\oobefldr.dll]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 06:01 1232896]
"HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2006-11-21 20:36 1474560]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 08:35 125440]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 08:36 201728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-06-14 10:38 1006264]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 13:56 317152]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 01:02 815104]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50 112216]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-11-24 19:33 167936]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 14:58 159744]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-04-26 16:17 86016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-04-26 16:17 81920]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-04-26 16:17 8429568]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 13:32 472800]
"HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-09-19 17:30 66816]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"MSServer"="C:\Windows\system32\pmNfdDTK.dll" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"HP-Diags"="C:\Program Files\Hewlett-Packard\HP Battery Check\HPDOM\HPDiags.exe" [2007-03-05 19:17 57344]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Connections.lnk - C:\Program Files\HP Connections\6811507\Program\HP Connections.exe [2006-12-29 09:16:39 34520]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"679fb832"=rundll32.exe "C:\Windows\system32\ypjaadfs.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F7D2D91B-2F93-4D98-89DA-EAA8221D97E4}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8553FFE4-2978-492C-B2EF-BDFD62B4FAEF}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8487480D-1C86-41BC-88D2-2F94CEFB5506}"= UDP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"{2323E63B-77E5-49DA-AB6C-674CAE419990}"= TCP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"{BA87D380-4483-441F-8DE3-F17AFA5472AB}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{85087D8B-AF97-4EB9-A26E-D8B9AB8F767F}"= C:\Program Files\HP Connections\6811507\Program\HP Connections:HP Connections
"{935C2EF6-A603-4F13-8463-5A832EC27F6B}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{D75EE1D6-182D-42A7-BE19-058BA7449A8C}"= TCP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{E274B2FC-F54F-4631-BB1B-F63DD15BA9A2}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{694F75FE-AD5C-4AB0-BB36-7C2CAA098EAF}"= TCP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{6014D925-779E-4517-9853-F48EE1F54858}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{0158754C-0CAA-4651-A1BC-C0CA90A95F43}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{44A7F39C-5F3C-4878-86B5-5C42F49CA0E1}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C2105CA8-6F50-4906-9F35-ADCC317BB1B5}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D0AE3926-EEC5-4F02-A564-C24AE84F922B}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9403EDE5-FA94-449F-A7F9-2006D330B0EF}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{10B1F97E-7E08-4266-B960-30E26E686D49}"= UDP:C:\Program Files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{0DC12471-8E9F-45E3-A753-44AC2CF60961}"= TCP:C:\Program Files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{39EE4256-DB94-4A63-A1C9-8830A60ED22B}"= UDP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"{9A0B5B59-D1B5-4E25-B82E-772EFC00532E}"= TCP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"{B56C0923-A880-408F-82D3-3BC32334EC55}"= UDP:C:\Program Files\Electronic Arts\EA Link\Core.exe:EA Link
"{486A3498-407A-4C2B-B1E3-24332EF4B5D4}"= TCP:C:\Program Files\Electronic Arts\EA Link\Core.exe:EA Link
"TCP Query User{58774C9C-F39B-41B4-8906-7E47B105A337}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{15AEC532-C827-4E36-865E-9648FDF855AF}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{F2A97290-D5F6-4875-A513-7143D7E0C03B}"= UDP:C:\Program Files\IGN\Download Manager\DLM.exe:Download Manager
"{662CCDA4-8703-42B4-8BEC-0C36494A0A5D}"= TCP:C:\Program Files\IGN\Download Manager\DLM.exe:Download Manager
"TCP Query User{66B3C7DE-98CE-410A-B53A-A4F542E7664C}C:\\program files\\fury\\binaries\\launcherapp.exe"= UDP:C:\program files\fury\binaries\launcherapp.exe:LauncherApp
"UDP Query User{B060B77D-EDB6-4FF5-A79D-9A322C7CF7CD}C:\\program files\\fury\\binaries\\launcherapp.exe"= TCP:C:\program files\fury\binaries\launcherapp.exe:LauncherApp
"TCP Query User{CCADBFF6-8E82-4F00-9556-D8FDBB103590}C:\\program files\\fury\\binaries\\loguploadservice.exe"= UDP:C:\program files\fury\binaries\loguploadservice.exe:LogUploadService
"UDP Query User{D509770D-3A3E-465A-AEEB-47605AA40808}C:\\program files\\fury\\binaries\\loguploadservice.exe"= TCP:C:\program files\fury\binaries\loguploadservice.exe:LogUploadService
"TCP Query User{CB7F7DFA-5D02-4BF4-BB94-26F5EF98E512}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{F0B0C000-3165-4BE0-830E-DF3F81781597}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{58ED2111-9B72-4304-9360-CE34AA9D4B87}"= UDP:60960:BitTorrent
"TCP Query User{AA07E8F2-2B32-450B-87C6-B471470EAA18}C:\\program files\\itunes\\itunes.exe"= UDP:C:\program files\itunes\itunes.exe:iTunes
"UDP Query User{EFEC4CEC-8563-4804-989A-61E80F0943FA}C:\\program files\\itunes\\itunes.exe"= TCP:C:\program files\itunes\itunes.exe:iTunes
"{19FE197E-FE52-43A3-9FC8-658DDDDD05B2}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{CF5CA030-5E24-4212-9FD3-6E65AC05E16D}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{11E314C2-9647-4872-8D7C-A140B7C8C50E}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{57880E84-3456-47FA-98CB-3E51E239675D}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{03D25A3F-81B4-440C-848E-B516C18939F8}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{7AC917CF-1CF1-4BE6-A525-7600E3149ABF}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{D861CCA8-6201-4ACA-87CD-3B354919C857}"= UDP:C:\Program Files\Fury\Binaries\Fury.exe:Fury
"{9374AFC1-8D6C-45EC-BD3D-4A7F66375C0F}"= TCP:C:\Program Files\Fury\Binaries\Fury.exe:Fury
"{6E5801C0-963C-4F8B-AAB2-947B9C33E291}"= UDP:C:\Program Files\Fury\Binaries\DiamondWare\dwTVC.exe:Fury VOIP
"{74AEB6B0-A4B7-4411-AA4A-223885551820}"= TCP:C:\Program Files\Fury\Binaries\DiamondWare\dwTVC.exe:Fury VOIP
"TCP Query User{CEA1D6FE-D66B-4A43-AB24-A9C9E0DAF4CC}C:\\program files\\hp\\hp software update\\hpwucli.exe"= UDP:C:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"UDP Query User{2FA88785-B67E-4821-8CB0-C3C1280F17B9}C:\\program files\\hp\\hp software update\\hpwucli.exe"= TCP:C:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"{A8A5915C-2158-47E1-9CA7-72FD581DFC27}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{345207D0-03D4-475C-B665-1150469F5B9C}"= UDP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"{34CB3B10-49A8-4AF5-BB9F-6BB5097327E0}"= TCP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"{8685FF7C-8C25-4569-84F1-3ACF0C9174CA}"= Disabled:UDP:C:\Program Files\Fury\Binaries\Fury.exe:Fury
"{E19BFF85-501B-4D47-B7F5-81F609847F4E}"= Disabled:TCP:C:\Program Files\Fury\Binaries\Fury.exe:Fury
"{7AE558CA-0193-435E-82C8-8DD348FC2881}"= Disabled:UDP:C:\Program Files\Fury\Binaries\DiamondWare\dwTVC.exe:Fury VOIP
"{D5F2AB3A-24D6-446B-AF41-0A357741AEE2}"= Disabled:TCP:C:\Program Files\Fury\Binaries\DiamondWare\dwTVC.exe:Fury VOIP
"TCP Query User{DD2692D4-9C26-48FB-BC07-6B1885A57152}C:\\program files\\fury\\binaries\\furylowspec.exe"= Disabled:UDP:C:\program files\fury\binaries\furylowspec.exe:FuryLowSpec
"UDP Query User{F4DDAAAD-DBE5-44B0-BCD5-B860D39C9CFC}C:\\program files\\fury\\binaries\\furylowspec.exe"= Disabled:TCP:C:\program files\fury\binaries\furylowspec.exe:FuryLowSpec
"{D82C7817-BECC-455F-8499-DEC8887E1CE4}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{FC791F61-7AF6-457C-A85A-57B21B1B7E1A}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{9B5C4767-6DE8-4AB0-B139-BB1B0ED7719A}"= UDP:61622:utor1
"{CCB720D0-AC1F-4B36-AD44-B44BF6E86CB5}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{1A00E6F2-ACDF-42BB-B0DB-5F6217DD3BD7}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{A6C5C36B-ECB4-4CED-A46C-F05BBC7467E6}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{6710D8A1-DEBD-4941-95C5-78D2AE214CCF}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{B314807B-DA72-4F1E-9E61-0A2A0DDEE371}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{CDB52ECF-02DB-4C81-B874-5442022AA8AB}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{B2607D35-A2DB-48A1-97B0-38B6E5E533D5}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{F7B5C5F5-78FF-4D69-9FFB-F904CBC81F03}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"{A9958D43-DA92-493C-A11A-B6883F5A8254}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{415D41DE-6D45-483B-8293-7B687E370A03}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"TCP Query User{8C470E28-5C25-4BEE-A623-1DD23669A50F}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{C9E52A89-5D13-4ECC-9ABB-0B44DC81061A}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{51045961-9B6C-4492-BA3A-A89B9CAA0FEB}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{0496E1A7-6F33-447E-A27C-3002F379EFB4}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 13:39]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-03-03 04:10]
S3 Alpham1;Ideazon Merc USB Human Interface Device;C:\Windows\system32\DRIVERS\Alpham1.sys [2007-07-23 10:56]
S3 Alpham2;Ideazon Merc MM USB Human Interface Device;C:\Windows\system32\DRIVERS\Alpham2.sys [2007-03-20 12:49]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 03:30]
S3 tapgamerail;GameRail Adapter;C:\Windows\system32\DRIVERS\tapgamerail.sys [2007-11-27 14:11]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-05-01 02:15:28 C:\Windows\Tasks\User_Feed_Synchronization-{A02D2728-0C25-491B-A5E8-4016502A31A5}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 06:47:13
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-01 6:48:22
ComboFix-quarantined-files.txt 2008-05-01 10:48:18
Pre-Run: 91,176,513,536 bytes free
Post-Run: 91,145,977,856 bytes free
312 --- E O F --- 2008-04-26 10:23:39
Rorschach112
2008-05-01, 15:08
Hello
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\system32\ypjaadfs.dll
Folder::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"679fb832"=-
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Reboot and post a new HijackThis log
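To see what a CFScript like the one in the post above asks ComboFix to do before dropping it onto ComboFix.exe, here is an added example (not the poster's, the helper's or ComboFix's own code) that parses the File::/Folder::/Registry::/Driver:: sections, lists the intended deletions, and offers a post-reboot check that the File:: targets are really gone. It assumes the usual CFScript semantics: File:: and Folder:: entries are deleted, Registry:: lines use regedit .reg syntax where "name"=- removes a value under the preceding [key], and Driver:: names drivers/services to remove.

```python
import os
import re

# Constructed sample: the CFScript from the helper's post above, as text.
SAMPLE_CFSCRIPT = """File::
C:\\Windows\\system32\\ypjaadfs.dll
Folder::
Registry::
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run-]
"679fb832"=-
Driver::
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")         # section header, e.g. "Registry::"
REG_DELETE_VALUE_RE = re.compile(r'^"([^"]*)"=-$')  # regedit syntax: "name"=- deletes a value

def parse_cfscript(text):
    """Split a CFScript into its 'Name::' sections -> {name: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def planned_actions(text):
    """List (action, target) pairs the script asks ComboFix to perform (assumed semantics)."""
    sections = parse_cfscript(text)
    actions = [("delete_file", p) for p in sections.get("File", [])]
    actions += [("delete_folder", p) for p in sections.get("Folder", [])]
    actions += [("delete_driver", d) for d in sections.get("Driver", [])]
    key = None
    for line in sections.get("Registry", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # value lines that follow belong to this key
            continue
        m = REG_DELETE_VALUE_RE.match(line)
        if m and key is not None:
            actions.append(("delete_reg_value", key + "\\" + m.group(1)))
    return actions

def files_still_present(text):
    """Post-reboot check: File:: targets that still exist on this machine."""
    return [p for p in parse_cfscript(text).get("File", []) if os.path.exists(p)]
```

Run planned_actions(SAMPLE_CFSCRIPT) before applying a script to confirm it only touches the entries the helper named, and files_still_present(SAMPLE_CFSCRIPT) after the reboot; a non-empty result means the file came back and belongs in the next log you post.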
Rorschach112
2008-05-06, 16:26
Due to inactivity, this thread will now be closed.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.