View Full Version : Adware.Vundo-Variant found on pc and more....?
Dear Team,
I have just finished cleaning up my son's laptop and he has managed to do something to my pc in the meantime and I can see that it has a virus on it that is affecting my internet explorer pages.
I ran Spybot search & destroy removed the recommended infected objects and viruses (all items marked in red) but it crashed my whole system when I had to restart and the pc could not start up again. so I had to go back to the last configuration. I have got the pc up and running again and have tried adaware and SUPER Anitsypware, which seems to find the trojan/virus and removes it but it hasn't helped with internet.
Spybot seach and destroy has crashed and will not scan anymore...
I am very sorry to bother you again and I hope you can help me. (P.S. I now have a password protect on my pc so my children can not go on it so easily anymore)
Below is the hijackThis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:31:24, on 03/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SkypeMate\SkypeMate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {a8a270da-4963-8b1a-80a4-9962707b05d6} - {6d50b707-2699-4a08-a1b8-3694ad072a8a} - C:\WINDOWS\system32\vovtitfa.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Xerox WorkCentre 480cx Monitor] RUNDLL32.EXE C:\WINDOWS\system32\X480SHLL.DLL,AutoUpdatePnPValue
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM936d36da] Rundll32.exe "C:\WINDOWS\system32\ulgkgkdk.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [iLike] C:\Program Files\iLike\1.1.27\ilikesidebar.exe /checkforupdate
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: SkypeMate.lnk = C:\Program Files\SkypeMate\SkypeMate.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Tilslutningshjælp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Tilslutningshjælp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {07D09E9E-C667-45DD-B035-217BC2A61A3B} (ActiveX sikkerhedssoftware Control) - https://www.portalbank.dk/package/sdc/external/activex/ActiveXSikkerhedssoftware-prod-1.20.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182320155843
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
--
End of file - 14846 bytes
I have also run Kaspersky Online Scanner and below is the report:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 03, 2008 6:28:18 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/05/2008
Kaspersky Anti-Virus database records: 737090
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
G:\
H:\
I:\
K:\
Scan Statistics:
Total number of scanned objects: 199488
Number of viruses found: 7
Number of infected objects: 31
Number of suspicious objects: 0
Duration of the scan process: 03:14:17
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{79E60968-934E-4E76-940E-F819ADA0C8A6}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{A3BF4EE9-3A44-47E9-AF8A-CD6852DC48F0}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip/!Easy ScreenSaver Studio 4.0.zip/Setup.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip/!Easy ScreenSaver Studio 4.0.zip Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip ZIP: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn1.zip/!Easy ScreenSaver Studio 4.0.zip/Setup.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn1.zip/!Easy ScreenSaver Studio 4.0.zip Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn1.zip ZIP: infected - 2 skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_2422081001_524288_60641 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_2422081001_72024064_40217 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{E7477E65-A6B3-4EDF-8294-083F38DA4137}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{F507A755-2D51-44E6-9A41-7F77B60CC21B}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Christopher\Local Settings\Temp\Rar$EX01.234\Setup.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\Documents and Settings\Christopher\Local Settings\Temporary Internet Files\Content.IE5\PQHH6AAV\glas[1] Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Christopher\Local Settings\Temporary Internet Files\Content.IE5\PQHH6AAV\idkfa[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.qrt skipped
C:\Documents and Settings\Christopher\Local Settings\Temporary Internet Files\Content.IE5\TZFOBOJU\kriv[1] Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\call256.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\chat512.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\chatmsg1024.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\chatmsg2048.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\index2.dat Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\profile16384.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\user1024.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\user16384.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\user256.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\user4096.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Messenger\ethel_roper@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Messenger\ethel_roper@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Messenger\ethel_roper@hotmail.com\SharingMetadata\Working\database_A690_5E2F_905E_5E9\dfsr.db Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Messenger\ethel_roper@hotmail.com\SharingMetadata\Working\database_A690_5E2F_905E_5E9\fsr.log Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Messenger\ethel_roper@hotmail.com\SharingMetadata\Working\database_A690_5E2F_905E_5E9\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Messenger\ethel_roper@hotmail.com\SharingMetadata\Working\database_A690_5E2F_905E_5E9\tmp.edb Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Windows Live Contacts\ethel_roper@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Windows Live Contacts\ethel_roper@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\History\History.IE5\MSHist012008050320080504\index.dat Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temp\_hphtra07.log Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temp\~DF51E9.tmp Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temp\~DF5E1B.tmp Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temp\~DF75FD.tmp Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temp\~DF764D.tmp Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temp\~DFC9AC.tmp Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temp\~DFCC6E.tmp Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temp\~DFF700.tmp Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ethel\My Documents\My Received Files\Divx.Create.Bundle.6.6.1.key+patch\Keygen\DivX Pro + DivX Player 6.6.x.exe Infected: not-a-virus:PSWTool.Win32.GetPass.h skipped
C:\Documents and Settings\Ethel\My Documents\My Received Files\divxcb661k_p.rar/Divx.Create.Bundle.6.6.1.key+patch/Keygen/DivX Pro + DivX Player 6.6.x.exe Infected: not-a-virus:PSWTool.Win32.GetPass.h skipped
C:\Documents and Settings\Ethel\My Documents\My Received Files\divxcb661k_p.rar RAR: infected - 1 skipped
C:\Documents and Settings\Ethel\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ethel\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Holger\Local Settings\Temporary Internet Files\Content.IE5\5E8O12NL\glas[1] Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Holger\Local Settings\Temporary Internet Files\Content.IE5\9JTDTVTO\idkfa[1] Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Holger\Local Settings\Temporary Internet Files\Content.IE5\KJ8Q41UB\kriv[1] Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP125\A0026215.exe/C:\Documents and Settings\Privats\Desktop\Phr33.Fox\saime.exe Infected: Trojan-PSW.Win32.Small.dv skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP125\A0026215.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP129\A0029908.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP132\A0031150.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP134\A0031203.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP134\A0031204.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP134\A0031205.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP134\A0031206.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP134\A0031207.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP134\A0031208.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP134\A0031209.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrg skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP141\change.log Object is locked skipped
C:\WINDOWS\61769.exe Infected: Trojan-PSW.Win32.Small.dv skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B0BA5FB1-4F24-4289-AC1C-10F8EA2C9F67}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\qedpidpd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrt skipped
C:\WINDOWS\system32\tshwpwiu.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\ulgkgkdk.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_bzLhLW3yyU9mW7k Object is locked skipped
C:\WINDOWS\Temp\mcmsc_1UdCng9qAtoFDxT Object is locked skipped
C:\WINDOWS\Temp\mcmsc_2xv3X4ZLbDlvBef Object is locked skipped
C:\WINDOWS\Temp\mcmsc_6m0KtOGSTJ10WuK Object is locked skipped
C:\WINDOWS\Temp\mcmsc_ay1RKKeVkH1dgYe Object is locked skipped
C:\WINDOWS\Temp\mcmsc_cVSC2fTGXhxbUK9 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_WKbFh3jppfAcIgD Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP141\change.log Object is locked skipped
Scan process completed.
Kind regards.
Rorschach112
2008-05-03, 18:56
Hello
You got infected because you downloaded cracks and keygens
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
[kill explorer]
C:\Documents and Settings\Christopher\Local Settings\Temp\Rar$EX01.234\Setup.exe
C:\Documents and Settings\Ethel\My Documents\My Received Files\Divx.Create.Bundle.6.6.1.key+patch
C:\Documents and Settings\Ethel\My Documents\My Received Files\divxcb661k_p.rar
C:\WINDOWS\61769.exe
C:\WINDOWS\system32\qedpidpd.dll
C:\WINDOWS\system32\tshwpwiu.dll
C:\WINDOWS\system32\ulgkgkdk.dll
purity
[start explorer]
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Thanks for your prompt reply. I have copied the paths and press move it! and my MacAfee program has come up with a registry change detected. Should I allow this change?
Quote:
Process: C:\Documents and Settings\Ethel\Desktop\OTMoveIt2.exe
Process Publisher: OldTimer Tools
Affected Items: HKEY_USERS\S-1-5-21-2426438936-4127591418-337715864-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C80120}
If you did not expect this change, McAfee recommends that you block it. If you expected this change, allow it.
Unquote.
Here is the log you requested:
Explorer killed successfully
C:\Documents and Settings\Christopher\Local Settings\Temp\Rar$EX01.234\Setup.exe moved successfully.
C:\Documents and Settings\Ethel\My Documents\My Received Files\Divx.Create.Bundle.6.6.1.key+patch\Replace File moved successfully.
C:\Documents and Settings\Ethel\My Documents\My Received Files\Divx.Create.Bundle.6.6.1.key+patch\Patch moved successfully.
C:\Documents and Settings\Ethel\My Documents\My Received Files\Divx.Create.Bundle.6.6.1.key+patch\Keygen moved successfully.
C:\Documents and Settings\Ethel\My Documents\My Received Files\Divx.Create.Bundle.6.6.1.key+patch moved successfully.
C:\Documents and Settings\Ethel\My Documents\My Received Files\divxcb661k_p.rar moved successfully.
C:\WINDOWS\61769.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qedpidpd.dll
C:\WINDOWS\system32\qedpidpd.dll NOT unregistered.
C:\WINDOWS\system32\qedpidpd.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tshwpwiu.dll
C:\WINDOWS\system32\tshwpwiu.dll NOT unregistered.
C:\WINDOWS\system32\tshwpwiu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ulgkgkdk.dll
C:\WINDOWS\system32\ulgkgkdk.dll NOT unregistered.
C:\WINDOWS\system32\ulgkgkdk.dll moved successfully.
< purity >
Explorer started successfully
OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05032008_190724
kind regards.
Rorschach112
2008-05-03, 20:04
Yes allow the change and do this
Please visit this web page for instructions for downloading and running ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.
Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
A quick question, my system is the Microsoft Windows XP Media Centre Edition Version 2002 Service Pack 2. Can I use the Microsoft Windows XP Home Edition with Service Pack 2?
For the sake of good order, I already have the windows recovery console on my computer, will I actually need to through with downloading it and dragging and dropping on the ComboFix icon, so that it automatically installs the windows recovery console?
Here is the log...
ComboFix 08-05-01.3 - Ethel 2008-05-03 21:47:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.589 [GMT 2:00]
Running from: C:\Documents and Settings\Ethel\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\'
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\atbnipxj.ini
C:\WINDOWS\system32\beuqyohl.ini
C:\WINDOWS\system32\bnkpaoui.ini
C:\WINDOWS\system32\fyqydmub.ini
C:\WINDOWS\system32\GhQqqtwa.ini
C:\WINDOWS\system32\GhQqqtwa.ini2
C:\WINDOWS\system32\mrkuetpl.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ppfonmlt.ini
C:\WINDOWS\system32\wvcdivpa.ini
C:\WINDOWS\system32\xyadd.bak2
C:\WINDOWS\system32\xyadd.ini2
C:\WINDOWS\system32\xyadd.tmp
----- BITS: Possible infected sites -----
hxxp://gateway.digitalmusicnotebook.com
.
((((((((((((((((((((((((( Files Created from 2008-04-03 to 2008-05-03 )))))))))))))))))))))))))))))))
.
2008-05-03 19:07 . 2008-05-03 19:07 <DIR> d-------- C:\_OTMoveIt
2008-05-03 14:03 . 2008-05-03 14:03 172 --ah----- C:\sqmnoopt15.sqm
2008-05-03 14:03 . 2008-05-03 14:03 172 --ah----- C:\sqmdata15.sqm
2008-05-03 12:18 . 2008-05-03 12:18 268 --ah----- C:\sqmdata14.sqm
2008-05-03 12:18 . 2008-05-03 12:18 244 --ah----- C:\sqmnoopt14.sqm
2008-05-02 16:13 . 2008-05-02 16:13 268 --ah----- C:\sqmdata13.sqm
2008-05-02 16:13 . 2008-05-02 16:13 244 --ah----- C:\sqmnoopt13.sqm
2008-04-30 14:33 . 2008-04-30 14:33 268 --ah----- C:\sqmdata12.sqm
2008-04-30 14:33 . 2008-04-30 14:33 244 --ah----- C:\sqmnoopt12.sqm
2008-04-29 22:53 . 2008-04-29 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-29 22:52 . 2008-04-30 06:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-29 22:52 . 2008-04-29 22:52 <DIR> d-------- C:\Documents and Settings\Ethel\Application Data\SUPERAntiSpyware.com
2008-04-29 20:25 . 2008-04-29 20:25 <DIR> d-------- C:\Documents and Settings\Holger\Contacts
2008-04-29 18:57 . 2008-04-29 18:57 <DIR> d-------- C:\Documents and Settings\Holger\Application Data\Skype
2008-04-28 16:13 . 2008-04-28 16:13 268 --ah----- C:\sqmdata11.sqm
2008-04-28 16:13 . 2008-04-28 16:13 244 --ah----- C:\sqmnoopt11.sqm
2008-04-25 17:58 . 2008-04-25 17:58 268 --ah----- C:\sqmdata10.sqm
2008-04-25 17:58 . 2008-04-25 17:58 244 --ah----- C:\sqmnoopt10.sqm
2008-04-23 21:30 . 2008-05-03 16:11 109,734 --a------ C:\WINDOWS\BM936d36da.xml
2008-04-23 20:26 . 2008-04-23 20:26 268 --ah----- C:\sqmdata09.sqm
2008-04-23 20:26 . 2008-04-23 20:26 244 --ah----- C:\sqmnoopt09.sqm
2008-04-23 20:24 . 2008-04-23 21:27 <DIR> d-------- C:\WINDOWS\system32\pnVes18
2008-04-23 20:24 . 2008-04-23 20:24 <DIR> d-------- C:\temp\zvebs14
2008-04-23 07:03 . 2008-04-23 07:03 268 --ah----- C:\sqmdata08.sqm
2008-04-23 07:03 . 2008-04-23 07:03 244 --ah----- C:\sqmnoopt08.sqm
2008-04-22 19:28 . 2008-04-22 19:28 268 --ah----- C:\sqmdata07.sqm
2008-04-22 19:28 . 2008-04-22 19:28 244 --ah----- C:\sqmnoopt07.sqm
2008-04-22 17:56 . 2008-04-22 17:56 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-04-20 20:58 . 2008-04-20 20:58 268 --ah----- C:\sqmdata06.sqm
2008-04-20 20:58 . 2008-04-20 20:58 244 --ah----- C:\sqmnoopt06.sqm
2008-04-19 13:39 . 2008-05-03 21:59 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-19 13:39 . 2008-04-19 13:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-19 13:37 . 2008-04-19 13:37 <DIR> d-------- C:\Program Files\iPod
2008-04-19 13:34 . 2008-04-19 13:35 <DIR> d-------- C:\Program Files\QuickTime
2008-04-19 13:26 . 2008-04-19 13:26 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-16 22:53 . 2008-04-16 22:53 268 --ah----- C:\sqmdata05.sqm
2008-04-16 22:53 . 2008-04-16 22:53 244 --ah----- C:\sqmnoopt05.sqm
2008-04-16 19:27 . 2008-04-16 19:27 <DIR> d-------- C:\Documents and Settings\Christopher\Application Data\Datel
2008-04-15 21:21 . 2008-04-15 21:21 268 --ah----- C:\sqmdata04.sqm
2008-04-15 21:21 . 2008-04-15 21:21 244 --ah----- C:\sqmnoopt04.sqm
2008-04-15 17:28 . 2008-04-15 17:28 <DIR> d-------- C:\games
2008-04-14 20:39 . 2008-04-14 20:39 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-14 20:39 . 2008-04-14 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-14 20:38 . 2008-04-29 22:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 17:48 . 2008-04-11 17:48 <DIR> d-------- C:\Documents and Settings\Anna\Application Data\HP
2008-04-11 17:46 . 2008-04-11 17:46 <DIR> d-------- C:\Documents and Settings\Anna\Application Data\SiteAdvisor
2008-04-11 17:44 . 2005-01-03 01:16 <DIR> d-------- C:\Documents and Settings\Anna\WINDOWS
2008-04-11 17:44 . 2005-01-03 01:31 <DIR> d-------- C:\Documents and Settings\Anna\Application Data\Symantec
2008-04-11 17:44 . 2008-04-24 21:17 <DIR> d-------- C:\Documents and Settings\Anna
2008-04-11 17:44 . 2008-05-03 21:57 1,024 --ah----- C:\Documents and Settings\Anna\ntuser.dat.LOG
2008-04-11 17:21 . 2008-04-11 17:21 268 --ah----- C:\sqmdata03.sqm
2008-04-11 17:21 . 2008-04-11 17:21 244 --ah----- C:\sqmnoopt03.sqm
2008-04-11 16:39 . 2008-04-11 16:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LucasArts
2008-04-11 16:34 . 2008-04-11 16:34 <DIR> d-------- C:\Program Files\LucasArts
2008-04-11 16:31 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-04-11 16:30 . 2008-04-11 16:30 <DIR> d-------- C:\Documents and Settings\Christopher\Application Data\InstallShield
2008-04-09 19:08 . 2008-04-09 19:08 <DIR> d-------- C:\Program Files\Total Video Converter 3.11
2008-04-08 23:11 . 2008-04-08 23:13 0 --a------ C:\tmp.html
2008-04-08 19:57 . 2008-04-08 19:57 <DIR> d-------- C:\Documents and Settings\Ethel\Application Data\Syntrillium
2008-04-08 19:57 . 2001-10-19 14:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-04-08 19:57 . 2001-10-19 14:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-04-08 19:57 . 2001-10-19 14:39 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-04-08 19:57 . 2001-10-19 14:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-04-08 19:57 . 2001-10-19 02:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-04-08 19:57 . 2008-04-08 19:57 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-04-08 19:55 . 2008-04-09 17:14 <DIR> d-------- C:\Program Files\coolpro2
2008-04-08 17:17 . 2008-04-12 08:24 <DIR> d-------- C:\Documents and Settings\Michelle\Application Data\LimeWire
2008-04-06 16:59 . 2008-04-06 17:33 4,534,272 --a------ C:\dump_dvd.vob
2008-04-04 19:48 . 2008-04-04 19:48 <DIR> d-------- C:\Program Files\Common Files\xing shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-03 20:02 --------- d-----w C:\Documents and Settings\Ethel\Application Data\Skype
2008-05-03 20:01 --------- d-----w C:\Program Files\Steam
2008-05-03 19:26 --------- d-----w C:\Documents and Settings\Ethel\Application Data\skypePM
2008-05-03 10:41 --------- d-----w C:\Documents and Settings\Christopher\Application Data\LimeWire
2008-04-29 19:06 --------- d-----w C:\Program Files\XoftSpySE
2008-04-24 19:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-24 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-24 13:36 --------- d-----w C:\Documents and Settings\Ethel\Application Data\LimeWire
2008-04-22 15:57 --------- d-----w C:\Program Files\LimeWire
2008-04-20 12:53 --------- d-----w C:\Documents and Settings\Christopher\Application Data\SiteAdvisor
2008-04-19 20:17 --------- d-----w C:\Program Files\DivX
2008-04-19 11:38 --------- d-----w C:\Program Files\iTunes
2008-04-11 17:48 --------- d-----w C:\Program Files\SkypeMate
2008-04-11 14:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-04 17:48 --------- d-----w C:\Program Files\Common Files\Real
2008-04-02 15:55 --------- d-----w C:\Documents and Settings\Ethel\Application Data\Datel
2008-04-02 15:49 --------- d-----w C:\Program Files\Datel
2008-04-02 13:59 160,200 ----a-w C:\Documents and Settings\Ethel\Application Data\GDIPFONTCACHEV1.DAT
2008-04-01 12:14 --------- d-----w C:\Documents and Settings\Christopher\Application Data\Skype
2008-03-31 18:55 --------- d-----w C:\Documents and Settings\Ethel\Application Data\SiteAdvisor
2008-03-29 17:49 --------- d-----w C:\Program Files\Disney Interactive
2008-03-29 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Disney Interactive
2008-03-24 15:12 --------- d-----w C:\Documents and Settings\Christopher\Application Data\iLike
2008-03-21 23:11 --------- d-----w C:\Program Files\Nature 3D Screensaver
2008-03-21 23:11 --------- d-----w C:\Program Files\3Planesoft Screensaver Manager
2008-03-21 20:15 --------- d-----w C:\Program Files\Tropical Fish 3D Screensaver
2008-03-21 15:12 --------- d-----w C:\Program Files\Fireplace 3D Screensaver
2008-03-21 15:04 --------- d-----w C:\Program Files\AutoEye
2008-03-21 14:57 --------- d-----w C:\Program Files\Adobe Premiere Elements 2.0
2008-03-21 14:54 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 19:30 --------- d-----w C:\Program Files\Windows Live
2008-03-20 19:29 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-20 19:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-20 19:14 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-20 19:13 --------- d-----w C:\Program Files\Common Files\Skype
2008-03-17 22:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-15 07:38 --------- d-----w C:\Program Files\Google
2008-03-15 05:58 --------- d-----w C:\Program Files\Java
2008-02-19 15:04 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-02-19 15:04 126,976 ----a-w C:\WINDOWS\War3Unin.exe
2008-02-07 17:49 15,613 ----a-w C:\Program Files\Furnish Lite uninstal.log
2002-09-04 07:14 1,206,784 ----a-w C:\Program Files\AutoEye_PlugIn.8bf
2007-06-15 04:22 0 --sha-r C:\WINDOWS\SMINST\npc.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6d50b707-2699-4a08-a1b8-3694ad072a8a}]
C:\WINDOWS\system32\vovtitfa.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 10:17 68856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 01:24 1694208]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53 73840]
"iLike"="C:\Program Files\iLike\1.1.27\ilikesidebar.exe" [2007-09-13 12:34 63024]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-03-28 23:14 1271032]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 06:56 64512]
"ftutil2"="ftutil2.dll" [2004-06-08 07:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 09:19 77312 C:\WINDOWS\arpwrmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-05 04:03 7307264]
"nwiz"="nwiz.exe" []
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 22:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 08:35 49152]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Xerox WorkCentre 480cx Monitor"="C:\WINDOWS\system32\X480SHLL.DLL" [2001-10-30 10:21 90112]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-04 19:47 185896]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53 73840]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-01-17 21:24 36904]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"BM936d36da"="C:\WINDOWS\system32\ulgkgkdk.dll" [ ]
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-01-03 10:30:42 27136]
C:\Documents and Settings\Christopher\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-03-26 19:19:43 147456]
C:\Documents and Settings\Ethel\Start Menu\Programs\Startup\
SkypeMate.lnk - C:\Program Files\SkypeMate\SkypeMate.exe [2005-11-21 09:37:06 225280]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Steam\\steamapps\\criscross404\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 dontgo;Promise Removable Disk Control Driver;C:\WINDOWS\system32\DRIVERS\DontGo.sys [2004-06-30 06:25]
R2 EcpFax;Team MFP Com Redirector;C:\WINDOWS\system32\Drivers\EcpFax.Sys [1999-01-27 07:29]
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-10-03 22:57]
R3 Bonifay;Bonifay;C:\WINDOWS\system32\DRIVERS\Bonifay.sys [2005-11-28 21:55]
R3 V0080Dev;Creative Camera VF0080 Driver;C:\WINDOWS\system32\DRIVERS\V0080Dev.sys [2005-05-06 09:11]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys [2005-10-05 19:44]
S3 Gonzales;Gonzales;C:\WINDOWS\system32\DRIVERS\Gonzales.sys [2005-12-13 15:10]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 14:56:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-06 20:18:01 C:\WINDOWS\Tasks\Internet Services.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exeb/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Internet Services\StartIS.aml
"2008-04-15 01:37:44 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-01 00:00:12 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-01 05:25:25 C:\WINDOWS\Tasks\WebReg Photosmart C5100 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
"2008-05-03 19:59:10 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-15 03:50:34 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 21:58:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Messenger\ethel_roper@hotmail.com\SharingMetadata\Working\database_A690_5E2F_905E_5E9\fsr00B8F.log 131072 bytes
scan completed successfully
hidden files: 113
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-03 22:08:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-03 20:08:14
Pre-Run: 127,568,371,712 bytes free
Post-Run: 128,998,293,504 bytes free
319 --- E O F --- 2008-04-09 20:16:20
Here is the log from ComboFix.
ComboFix 08-05-01.3 - Ethel 2008-05-03 21:47:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.589 [GMT 2:00]
Running from: C:\Documents and Settings\Ethel\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\'
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\atbnipxj.ini
C:\WINDOWS\system32\beuqyohl.ini
C:\WINDOWS\system32\bnkpaoui.ini
C:\WINDOWS\system32\fyqydmub.ini
C:\WINDOWS\system32\GhQqqtwa.ini
C:\WINDOWS\system32\GhQqqtwa.ini2
C:\WINDOWS\system32\mrkuetpl.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ppfonmlt.ini
C:\WINDOWS\system32\wvcdivpa.ini
C:\WINDOWS\system32\xyadd.bak2
C:\WINDOWS\system32\xyadd.ini2
C:\WINDOWS\system32\xyadd.tmp
----- BITS: Possible infected sites -----
hxxp://gateway.digitalmusicnotebook.com
.
((((((((((((((((((((((((( Files Created from 2008-04-03 to 2008-05-03 )))))))))))))))))))))))))))))))
.
2008-05-03 19:07 . 2008-05-03 19:07 <DIR> d-------- C:\_OTMoveIt
2008-05-03 14:03 . 2008-05-03 14:03 172 --ah----- C:\sqmnoopt15.sqm
2008-05-03 14:03 . 2008-05-03 14:03 172 --ah----- C:\sqmdata15.sqm
2008-05-03 12:18 . 2008-05-03 12:18 268 --ah----- C:\sqmdata14.sqm
2008-05-03 12:18 . 2008-05-03 12:18 244 --ah----- C:\sqmnoopt14.sqm
2008-05-02 16:13 . 2008-05-02 16:13 268 --ah----- C:\sqmdata13.sqm
2008-05-02 16:13 . 2008-05-02 16:13 244 --ah----- C:\sqmnoopt13.sqm
2008-04-30 14:33 . 2008-04-30 14:33 268 --ah----- C:\sqmdata12.sqm
2008-04-30 14:33 . 2008-04-30 14:33 244 --ah----- C:\sqmnoopt12.sqm
2008-04-29 22:53 . 2008-04-29 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-29 22:52 . 2008-04-30 06:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-29 22:52 . 2008-04-29 22:52 <DIR> d-------- C:\Documents and Settings\Ethel\Application Data\SUPERAntiSpyware.com
2008-04-29 20:25 . 2008-04-29 20:25 <DIR> d-------- C:\Documents and Settings\Holger\Contacts
2008-04-29 18:57 . 2008-04-29 18:57 <DIR> d-------- C:\Documents and Settings\Holger\Application Data\Skype
2008-04-28 16:13 . 2008-04-28 16:13 268 --ah----- C:\sqmdata11.sqm
2008-04-28 16:13 . 2008-04-28 16:13 244 --ah----- C:\sqmnoopt11.sqm
2008-04-25 17:58 . 2008-04-25 17:58 268 --ah----- C:\sqmdata10.sqm
2008-04-25 17:58 . 2008-04-25 17:58 244 --ah----- C:\sqmnoopt10.sqm
2008-04-23 21:30 . 2008-05-03 16:11 109,734 --a------ C:\WINDOWS\BM936d36da.xml
2008-04-23 20:26 . 2008-04-23 20:26 268 --ah----- C:\sqmdata09.sqm
2008-04-23 20:26 . 2008-04-23 20:26 244 --ah----- C:\sqmnoopt09.sqm
2008-04-23 20:24 . 2008-04-23 21:27 <DIR> d-------- C:\WINDOWS\system32\pnVes18
2008-04-23 20:24 . 2008-04-23 20:24 <DIR> d-------- C:\temp\zvebs14
2008-04-23 07:03 . 2008-04-23 07:03 268 --ah----- C:\sqmdata08.sqm
2008-04-23 07:03 . 2008-04-23 07:03 244 --ah----- C:\sqmnoopt08.sqm
2008-04-22 19:28 . 2008-04-22 19:28 268 --ah----- C:\sqmdata07.sqm
2008-04-22 19:28 . 2008-04-22 19:28 244 --ah----- C:\sqmnoopt07.sqm
2008-04-22 17:56 . 2008-04-22 17:56 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-04-20 20:58 . 2008-04-20 20:58 268 --ah----- C:\sqmdata06.sqm
2008-04-20 20:58 . 2008-04-20 20:58 244 --ah----- C:\sqmnoopt06.sqm
2008-04-19 13:39 . 2008-05-03 21:59 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-19 13:39 . 2008-04-19 13:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-19 13:37 . 2008-04-19 13:37 <DIR> d-------- C:\Program Files\iPod
2008-04-19 13:34 . 2008-04-19 13:35 <DIR> d-------- C:\Program Files\QuickTime
2008-04-19 13:26 . 2008-04-19 13:26 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-16 22:53 . 2008-04-16 22:53 268 --ah----- C:\sqmdata05.sqm
2008-04-16 22:53 . 2008-04-16 22:53 244 --ah----- C:\sqmnoopt05.sqm
2008-04-16 19:27 . 2008-04-16 19:27 <DIR> d-------- C:\Documents and Settings\Christopher\Application Data\Datel
2008-04-15 21:21 . 2008-04-15 21:21 268 --ah----- C:\sqmdata04.sqm
2008-04-15 21:21 . 2008-04-15 21:21 244 --ah----- C:\sqmnoopt04.sqm
2008-04-15 17:28 . 2008-04-15 17:28 <DIR> d-------- C:\games
2008-04-14 20:39 . 2008-04-14 20:39 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-14 20:39 . 2008-04-14 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-14 20:38 . 2008-04-29 22:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 17:48 . 2008-04-11 17:48 <DIR> d-------- C:\Documents and Settings\Anna\Application Data\HP
2008-04-11 17:46 . 2008-04-11 17:46 <DIR> d-------- C:\Documents and Settings\Anna\Application Data\SiteAdvisor
2008-04-11 17:44 . 2005-01-03 01:16 <DIR> d-------- C:\Documents and Settings\Anna\WINDOWS
2008-04-11 17:44 . 2005-01-03 01:31 <DIR> d-------- C:\Documents and Settings\Anna\Application Data\Symantec
2008-04-11 17:44 . 2008-04-24 21:17 <DIR> d-------- C:\Documents and Settings\Anna
2008-04-11 17:44 . 2008-05-03 21:57 1,024 --ah----- C:\Documents and Settings\Anna\ntuser.dat.LOG
2008-04-11 17:21 . 2008-04-11 17:21 268 --ah----- C:\sqmdata03.sqm
2008-04-11 17:21 . 2008-04-11 17:21 244 --ah----- C:\sqmnoopt03.sqm
2008-04-11 16:39 . 2008-04-11 16:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LucasArts
2008-04-11 16:34 . 2008-04-11 16:34 <DIR> d-------- C:\Program Files\LucasArts
2008-04-11 16:31 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-04-11 16:30 . 2008-04-11 16:30 <DIR> d-------- C:\Documents and Settings\Christopher\Application Data\InstallShield
2008-04-09 19:08 . 2008-04-09 19:08 <DIR> d-------- C:\Program Files\Total Video Converter 3.11
2008-04-08 23:11 . 2008-04-08 23:13 0 --a------ C:\tmp.html
2008-04-08 19:57 . 2008-04-08 19:57 <DIR> d-------- C:\Documents and Settings\Ethel\Application Data\Syntrillium
2008-04-08 19:57 . 2001-10-19 14:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-04-08 19:57 . 2001-10-19 14:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-04-08 19:57 . 2001-10-19 14:39 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-04-08 19:57 . 2001-10-19 14:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-04-08 19:57 . 2001-10-19 02:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-04-08 19:57 . 2008-04-08 19:57 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-04-08 19:55 . 2008-04-09 17:14 <DIR> d-------- C:\Program Files\coolpro2
2008-04-08 17:17 . 2008-04-12 08:24 <DIR> d-------- C:\Documents and Settings\Michelle\Application Data\LimeWire
2008-04-06 16:59 . 2008-04-06 17:33 4,534,272 --a------ C:\dump_dvd.vob
2008-04-04 19:48 . 2008-04-04 19:48 <DIR> d-------- C:\Program Files\Common Files\xing shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-03 20:02 --------- d-----w C:\Documents and Settings\Ethel\Application Data\Skype
2008-05-03 20:01 --------- d-----w C:\Program Files\Steam
2008-05-03 19:26 --------- d-----w C:\Documents and Settings\Ethel\Application Data\skypePM
2008-05-03 10:41 --------- d-----w C:\Documents and Settings\Christopher\Application Data\LimeWire
2008-04-29 19:06 --------- d-----w C:\Program Files\XoftSpySE
2008-04-24 19:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-24 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-24 13:36 --------- d-----w C:\Documents and Settings\Ethel\Application Data\LimeWire
2008-04-22 15:57 --------- d-----w C:\Program Files\LimeWire
2008-04-20 12:53 --------- d-----w C:\Documents and Settings\Christopher\Application Data\SiteAdvisor
2008-04-19 20:17 --------- d-----w C:\Program Files\DivX
2008-04-19 11:38 --------- d-----w C:\Program Files\iTunes
2008-04-11 17:48 --------- d-----w C:\Program Files\SkypeMate
2008-04-11 14:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-04 17:48 --------- d-----w C:\Program Files\Common Files\Real
2008-04-02 15:55 --------- d-----w C:\Documents and Settings\Ethel\Application Data\Datel
2008-04-02 15:49 --------- d-----w C:\Program Files\Datel
2008-04-02 13:59 160,200 ----a-w C:\Documents and Settings\Ethel\Application Data\GDIPFONTCACHEV1.DAT
2008-04-01 12:14 --------- d-----w C:\Documents and Settings\Christopher\Application Data\Skype
2008-03-31 18:55 --------- d-----w C:\Documents and Settings\Ethel\Application Data\SiteAdvisor
2008-03-29 17:49 --------- d-----w C:\Program Files\Disney Interactive
2008-03-29 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Disney Interactive
2008-03-24 15:12 --------- d-----w C:\Documents and Settings\Christopher\Application Data\iLike
2008-03-21 23:11 --------- d-----w C:\Program Files\Nature 3D Screensaver
2008-03-21 23:11 --------- d-----w C:\Program Files\3Planesoft Screensaver Manager
2008-03-21 20:15 --------- d-----w C:\Program Files\Tropical Fish 3D Screensaver
2008-03-21 15:12 --------- d-----w C:\Program Files\Fireplace 3D Screensaver
2008-03-21 15:04 --------- d-----w C:\Program Files\AutoEye
2008-03-21 14:57 --------- d-----w C:\Program Files\Adobe Premiere Elements 2.0
2008-03-21 14:54 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 19:30 --------- d-----w C:\Program Files\Windows Live
2008-03-20 19:29 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-20 19:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-20 19:14 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-20 19:13 --------- d-----w C:\Program Files\Common Files\Skype
2008-03-17 22:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-15 07:38 --------- d-----w C:\Program Files\Google
2008-03-15 05:58 --------- d-----w C:\Program Files\Java
2008-02-19 15:04 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-02-19 15:04 126,976 ----a-w C:\WINDOWS\War3Unin.exe
2008-02-07 17:49 15,613 ----a-w C:\Program Files\Furnish Lite uninstal.log
2002-09-04 07:14 1,206,784 ----a-w C:\Program Files\AutoEye_PlugIn.8bf
2007-06-15 04:22 0 --sha-r C:\WINDOWS\SMINST\npc.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6d50b707-2699-4a08-a1b8-3694ad072a8a}]
C:\WINDOWS\system32\vovtitfa.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 10:17 68856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 01:24 1694208]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53 73840]
"iLike"="C:\Program Files\iLike\1.1.27\ilikesidebar.exe" [2007-09-13 12:34 63024]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-03-28 23:14 1271032]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 06:56 64512]
"ftutil2"="ftutil2.dll" [2004-06-08 07:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 09:19 77312 C:\WINDOWS\arpwrmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-05 04:03 7307264]
"nwiz"="nwiz.exe" []
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 22:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 08:35 49152]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Xerox WorkCentre 480cx Monitor"="C:\WINDOWS\system32\X480SHLL.DLL" [2001-10-30 10:21 90112]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-04 19:47 185896]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53 73840]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-01-17 21:24 36904]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"BM936d36da"="C:\WINDOWS\system32\ulgkgkdk.dll" [ ]
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-01-03 10:30:42 27136]
C:\Documents and Settings\Christopher\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-03-26 19:19:43 147456]
C:\Documents and Settings\Ethel\Start Menu\Programs\Startup\
SkypeMate.lnk - C:\Program Files\SkypeMate\SkypeMate.exe [2005-11-21 09:37:06 225280]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Steam\\steamapps\\criscross404\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 dontgo;Promise Removable Disk Control Driver;C:\WINDOWS\system32\DRIVERS\DontGo.sys [2004-06-30 06:25]
R2 EcpFax;Team MFP Com Redirector;C:\WINDOWS\system32\Drivers\EcpFax.Sys [1999-01-27 07:29]
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-10-03 22:57]
R3 Bonifay;Bonifay;C:\WINDOWS\system32\DRIVERS\Bonifay.sys [2005-11-28 21:55]
R3 V0080Dev;Creative Camera VF0080 Driver;C:\WINDOWS\system32\DRIVERS\V0080Dev.sys [2005-05-06 09:11]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys [2005-10-05 19:44]
S3 Gonzales;Gonzales;C:\WINDOWS\system32\DRIVERS\Gonzales.sys [2005-12-13 15:10]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 14:56:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-06 20:18:01 C:\WINDOWS\Tasks\Internet Services.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exeb/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Internet Services\StartIS.aml
"2008-04-15 01:37:44 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-01 00:00:12 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-01 05:25:25 C:\WINDOWS\Tasks\WebReg Photosmart C5100 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
"2008-05-03 19:59:10 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-15 03:50:34 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 21:58:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Messenger\ethel_roper@hotmail.com\SharingMetadata\Working\database_A690_5E2F_905E_5E9\fsr00B8F.log 131072 bytes
scan completed successfully
hidden files: 113
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-03 22:08:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-03 20:08:14
Pre-Run: 127,568,371,712 bytes free
Post-Run: 128,998,293,504 bytes free
319 --- E O F --- 2008-04-09 20:16:20
Rorschach112
2008-05-04, 15:53
Hello
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\BM936d36da.xml
Folder::
C:\WINDOWS\system32\pnVes18
C:\temp\zvebs14
Registry::
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Reboot and post a new HijackThis log
Thanks.
Here is the log:
ComboFix 08-05-01.3 - Ethel 2008-05-04 16:53:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.520 [GMT 2:00]
Running from: C:\Documents and Settings\Ethel\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ethel\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
FILE ::
C:\WINDOWS\BM936d36da.xml
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\temp\zvebs14
C:\WINDOWS\BM936d36da.xml
C:\WINDOWS\system32\pnVes18
.
((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.
2008-05-04 12:56 . 2008-05-04 12:56 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-03 19:07 . 2008-05-03 19:07 <DIR> d-------- C:\_OTMoveIt
2008-05-03 14:03 . 2008-05-03 14:03 172 --ah----- C:\sqmnoopt15.sqm
2008-05-03 14:03 . 2008-05-03 14:03 172 --ah----- C:\sqmdata15.sqm
2008-05-03 12:18 . 2008-05-03 12:18 268 --ah----- C:\sqmdata14.sqm
2008-05-03 12:18 . 2008-05-03 12:18 244 --ah----- C:\sqmnoopt14.sqm
2008-05-02 16:13 . 2008-05-02 16:13 268 --ah----- C:\sqmdata13.sqm
2008-05-02 16:13 . 2008-05-02 16:13 244 --ah----- C:\sqmnoopt13.sqm
2008-04-30 14:33 . 2008-04-30 14:33 268 --ah----- C:\sqmdata12.sqm
2008-04-30 14:33 . 2008-04-30 14:33 244 --ah----- C:\sqmnoopt12.sqm
2008-04-29 22:53 . 2008-04-29 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-29 22:52 . 2008-04-30 06:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-29 22:52 . 2008-04-29 22:52 <DIR> d-------- C:\Documents and Settings\Ethel\Application Data\SUPERAntiSpyware.com
2008-04-29 20:25 . 2008-04-29 20:25 <DIR> d-------- C:\Documents and Settings\Holger\Contacts
2008-04-29 18:57 . 2008-04-29 18:57 <DIR> d-------- C:\Documents and Settings\Holger\Application Data\Skype
2008-04-28 16:13 . 2008-04-28 16:13 268 --ah----- C:\sqmdata11.sqm
2008-04-28 16:13 . 2008-04-28 16:13 244 --ah----- C:\sqmnoopt11.sqm
2008-04-25 17:58 . 2008-04-25 17:58 268 --ah----- C:\sqmdata10.sqm
2008-04-25 17:58 . 2008-04-25 17:58 244 --ah----- C:\sqmnoopt10.sqm
2008-04-23 20:26 . 2008-04-23 20:26 268 --ah----- C:\sqmdata09.sqm
2008-04-23 20:26 . 2008-04-23 20:26 244 --ah----- C:\sqmnoopt09.sqm
2008-04-23 07:03 . 2008-04-23 07:03 268 --ah----- C:\sqmdata08.sqm
2008-04-23 07:03 . 2008-04-23 07:03 244 --ah----- C:\sqmnoopt08.sqm
2008-04-22 19:28 . 2008-04-22 19:28 268 --ah----- C:\sqmdata07.sqm
2008-04-22 19:28 . 2008-04-22 19:28 244 --ah----- C:\sqmnoopt07.sqm
2008-04-22 17:56 . 2008-04-22 17:56 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-04-20 20:58 . 2008-04-20 20:58 268 --ah----- C:\sqmdata06.sqm
2008-04-20 20:58 . 2008-04-20 20:58 244 --ah----- C:\sqmnoopt06.sqm
2008-04-19 13:39 . 2008-05-04 09:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-19 13:39 . 2008-04-19 13:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-19 13:37 . 2008-04-19 13:37 <DIR> d-------- C:\Program Files\iPod
2008-04-19 13:34 . 2008-04-19 13:35 <DIR> d-------- C:\Program Files\QuickTime
2008-04-19 13:26 . 2008-04-19 13:26 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-16 22:53 . 2008-04-16 22:53 268 --ah----- C:\sqmdata05.sqm
2008-04-16 22:53 . 2008-04-16 22:53 244 --ah----- C:\sqmnoopt05.sqm
2008-04-16 19:27 . 2008-04-16 19:27 <DIR> d-------- C:\Documents and Settings\Christopher\Application Data\Datel
2008-04-15 21:21 . 2008-04-15 21:21 268 --ah----- C:\sqmdata04.sqm
2008-04-15 21:21 . 2008-04-15 21:21 244 --ah----- C:\sqmnoopt04.sqm
2008-04-15 17:28 . 2008-04-15 17:28 <DIR> d-------- C:\games
2008-04-14 20:39 . 2008-04-14 20:39 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-14 20:39 . 2008-04-14 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-14 20:38 . 2008-04-29 22:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 17:48 . 2008-04-11 17:48 <DIR> d-------- C:\Documents and Settings\Anna\Application Data\HP
2008-04-11 17:46 . 2008-04-11 17:46 <DIR> d-------- C:\Documents and Settings\Anna\Application Data\SiteAdvisor
2008-04-11 17:44 . 2005-01-03 01:16 <DIR> d-------- C:\Documents and Settings\Anna\WINDOWS
2008-04-11 17:44 . 2005-01-03 01:31 <DIR> d-------- C:\Documents and Settings\Anna\Application Data\Symantec
2008-04-11 17:44 . 2008-04-24 21:17 <DIR> d-------- C:\Documents and Settings\Anna
2008-04-11 17:44 . 2008-05-04 09:33 1,024 --ah----- C:\Documents and Settings\Anna\ntuser.dat.LOG
2008-04-11 17:21 . 2008-04-11 17:21 268 --ah----- C:\sqmdata03.sqm
2008-04-11 17:21 . 2008-04-11 17:21 244 --ah----- C:\sqmnoopt03.sqm
2008-04-11 16:39 . 2008-04-11 16:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LucasArts
2008-04-11 16:34 . 2008-04-11 16:34 <DIR> d-------- C:\Program Files\LucasArts
2008-04-11 16:31 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-04-11 16:30 . 2008-04-11 16:30 <DIR> d-------- C:\Documents and Settings\Christopher\Application Data\InstallShield
2008-04-09 19:08 . 2008-04-09 19:08 <DIR> d-------- C:\Program Files\Total Video Converter 3.11
2008-04-08 23:11 . 2008-04-08 23:13 0 --a------ C:\tmp.html
2008-04-08 19:57 . 2008-04-08 19:57 <DIR> d-------- C:\Documents and Settings\Ethel\Application Data\Syntrillium
2008-04-08 19:57 . 2001-10-19 14:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-04-08 19:57 . 2001-10-19 14:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-04-08 19:57 . 2001-10-19 14:39 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-04-08 19:57 . 2001-10-19 14:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-04-08 19:57 . 2001-10-19 02:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-04-08 19:57 . 2008-04-08 19:57 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-04-08 19:55 . 2008-04-09 17:14 <DIR> d-------- C:\Program Files\coolpro2
2008-04-08 17:17 . 2008-04-12 08:24 <DIR> d-------- C:\Documents and Settings\Michelle\Application Data\LimeWire
2008-04-06 16:59 . 2008-04-06 17:33 4,534,272 --a------ C:\dump_dvd.vob
2008-04-04 19:48 . 2008-04-04 19:48 <DIR> d-------- C:\Program Files\Common Files\xing shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 14:58 --------- d-----w C:\Documents and Settings\Ethel\Application Data\Skype
2008-05-04 14:07 --------- d-----w C:\Documents and Settings\Ethel\Application Data\skypePM
2008-05-04 07:36 --------- d-----w C:\Program Files\Steam
2008-05-03 10:41 --------- d-----w C:\Documents and Settings\Christopher\Application Data\LimeWire
2008-04-29 19:06 --------- d-----w C:\Program Files\XoftSpySE
2008-04-24 19:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-24 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-24 13:36 --------- d-----w C:\Documents and Settings\Ethel\Application Data\LimeWire
2008-04-22 15:57 --------- d-----w C:\Program Files\LimeWire
2008-04-20 12:53 --------- d-----w C:\Documents and Settings\Christopher\Application Data\SiteAdvisor
2008-04-19 20:17 --------- d-----w C:\Program Files\DivX
2008-04-19 11:38 --------- d-----w C:\Program Files\iTunes
2008-04-11 17:48 --------- d-----w C:\Program Files\SkypeMate
2008-04-11 14:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-04 17:48 --------- d-----w C:\Program Files\Common Files\Real
2008-04-02 15:55 --------- d-----w C:\Documents and Settings\Ethel\Application Data\Datel
2008-04-02 15:49 --------- d-----w C:\Program Files\Datel
2008-04-02 13:59 160,200 ----a-w C:\Documents and Settings\Ethel\Application Data\GDIPFONTCACHEV1.DAT
2008-04-01 12:14 --------- d-----w C:\Documents and Settings\Christopher\Application Data\Skype
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-31 18:55 --------- d-----w C:\Documents and Settings\Ethel\Application Data\SiteAdvisor
2008-03-29 17:49 --------- d-----w C:\Program Files\Disney Interactive
2008-03-29 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Disney Interactive
2008-03-24 15:12 --------- d-----w C:\Documents and Settings\Christopher\Application Data\iLike
2008-03-21 23:11 --------- d-----w C:\Program Files\Nature 3D Screensaver
2008-03-21 23:11 --------- d-----w C:\Program Files\3Planesoft Screensaver Manager
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-21 20:15 --------- d-----w C:\Program Files\Tropical Fish 3D Screensaver
2008-03-21 15:12 --------- d-----w C:\Program Files\Fireplace 3D Screensaver
2008-03-21 15:04 --------- d-----w C:\Program Files\AutoEye
2008-03-21 14:57 --------- d-----w C:\Program Files\Adobe Premiere Elements 2.0
2008-03-21 14:54 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 19:30 --------- d-----w C:\Program Files\Windows Live
2008-03-20 19:29 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-20 19:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-20 19:14 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-20 19:13 --------- d-----w C:\Program Files\Common Files\Skype
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-17 22:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-15 07:38 --------- d-----w C:\Program Files\Google
2008-03-15 05:58 --------- d-----w C:\Program Files\Java
2008-03-01 16:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-19 15:04 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-02-19 15:04 126,976 ----a-w C:\WINDOWS\War3Unin.exe
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-14 19:07 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-02-07 17:49 15,613 ----a-w C:\Program Files\Furnish Lite uninstal.log
2002-09-04 07:14 1,206,784 ----a-w C:\Program Files\AutoEye_PlugIn.8bf
2007-06-15 04:22 0 --sha-r C:\WINDOWS\SMINST\npc.sys
.
((((((((((((((((((((((((((((( snapshot@2008-05-03_22.07.55.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-03 19:57:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-04 07:33:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-03-12 14:42:30 1,123,696 ----a-w C:\WINDOWS\LastGood\system32\D3DCompiler_33.dll
+ 2007-05-16 14:45:16 1,124,720 ----a-w C:\WINDOWS\LastGood\system32\D3DCompiler_34.dll
+ 2007-03-15 14:57:58 443,752 ----a-w C:\WINDOWS\LastGood\system32\d3dx10_33.dll
+ 2007-05-16 14:45:16 443,752 ----a-w C:\WINDOWS\LastGood\system32\d3dx10_34.dll
+ 2007-03-12 14:42:30 3,495,784 ----a-w C:\WINDOWS\LastGood\system32\d3dx9_33.dll
+ 2007-05-16 14:45:16 3,497,832 ----a-w C:\WINDOWS\LastGood\system32\d3dx9_34.dll
+ 2007-03-05 10:42:18 15,128 ----a-w C:\WINDOWS\LastGood\system32\x3daudio1_1.dll
+ 2007-06-20 18:45:20 18,280 ----a-w C:\WINDOWS\LastGood\system32\x3daudio1_2.dll
+ 2007-01-24 13:27:30 255,848 ----a-w C:\WINDOWS\LastGood\system32\xactengine2_6.dll
+ 2007-04-04 16:55:00 261,480 ----a-w C:\WINDOWS\LastGood\system32\xactengine2_7.dll
+ 2007-06-20 18:46:04 266,088 ----a-w C:\WINDOWS\LastGood\system32\xactengine2_8.dll
+ 2007-04-04 16:53:42 81,768 ----a-w C:\WINDOWS\LastGood\system32\xinput1_3.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6d50b707-2699-4a08-a1b8-3694ad072a8a}]
C:\WINDOWS\system32\vovtitfa.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 10:17 68856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 01:24 1694208]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53 73840]
"iLike"="C:\Program Files\iLike\1.1.27\ilikesidebar.exe" [2007-09-13 12:34 63024]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-03-28 23:14 1271032]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 06:56 64512]
"ftutil2"="ftutil2.dll" [2004-06-08 07:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 09:19 77312 C:\WINDOWS\arpwrmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-05 04:03 7307264]
"nwiz"="nwiz.exe" []
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 22:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 08:35 49152]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Xerox WorkCentre 480cx Monitor"="C:\WINDOWS\system32\X480SHLL.DLL" [2001-10-30 10:21 90112]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-04 19:47 185896]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53 73840]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-01-17 21:24 36904]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"BM936d36da"="C:\WINDOWS\system32\ulgkgkdk.dll" [ ]
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-01-03 10:30:42 27136]
C:\Documents and Settings\Christopher\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-03-26 19:19:43 147456]
C:\Documents and Settings\Ethel\Start Menu\Programs\Startup\
SkypeMate.lnk - C:\Program Files\SkypeMate\SkypeMate.exe [2005-11-21 09:37:06 225280]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Steam\\steamapps\\criscross404\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 dontgo;Promise Removable Disk Control Driver;C:\WINDOWS\system32\DRIVERS\DontGo.sys [2004-06-30 06:25]
R2 EcpFax;Team MFP Com Redirector;C:\WINDOWS\system32\Drivers\EcpFax.Sys [1999-01-27 07:29]
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-10-03 22:57]
R3 Bonifay;Bonifay;C:\WINDOWS\system32\DRIVERS\Bonifay.sys [2005-11-28 21:55]
R3 V0080Dev;Creative Camera VF0080 Driver;C:\WINDOWS\system32\DRIVERS\V0080Dev.sys [2005-05-06 09:11]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys [2005-10-05 19:44]
S3 Gonzales;Gonzales;C:\WINDOWS\system32\DRIVERS\Gonzales.sys [2005-12-13 15:10]
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 14:56:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-06 20:18:01 C:\WINDOWS\Tasks\Internet Services.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exeb/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Internet Services\StartIS.aml
"2008-04-15 01:37:44 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-01 00:00:12 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-01 05:25:25 C:\WINDOWS\Tasks\WebReg Photosmart C5100 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
"2008-05-04 15:00:04 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-15 03:50:34 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 16:57:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
? [42576]
? [43852]
? [43224]
? [43204]
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-04 17:00:29
ComboFix-quarantined-files.txt 2008-05-04 15:00:11
ComboFix2.txt 2008-05-03 20:08:45
Pre-Run: 133,111,926,784 bytes free
Post-Run: 133,185,093,632 bytes free
319 --- E O F --- 2008-04-09 20:16:20
Rorschach112
2008-05-04, 19:12
Post a new HijackThis log and do this
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
Here is the hijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:14:13, on 04/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\SkypeMate\SkypeMate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {a8a270da-4963-8b1a-80a4-9962707b05d6} - {6d50b707-2699-4a08-a1b8-3694ad072a8a} - C:\WINDOWS\system32\vovtitfa.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Xerox WorkCentre 480cx Monitor] RUNDLL32.EXE C:\WINDOWS\system32\X480SHLL.DLL,AutoUpdatePnPValue
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM936d36da] Rundll32.exe "C:\WINDOWS\system32\ulgkgkdk.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [iLike] C:\Program Files\iLike\1.1.27\ilikesidebar.exe /checkforupdate
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: SkypeMate.lnk = C:\Program Files\SkypeMate\SkypeMate.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Tilslutningshjælp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Tilslutningshjælp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {07D09E9E-C667-45DD-B035-217BC2A61A3B} (ActiveX sikkerhedssoftware Control) - https://www.portalbank.dk/package/sdc/external/activex/ActiveXSikkerhedssoftware-prod-1.20.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182320155843
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
--
End of file - 14660 bytes
Here is the log from the Malwarebytes' Anti-Malware:
Malwarebytes' Anti-Malware 1.11
Database version: 715
Scan type: Full Scan (C:\|D:\|E:\|G:\|H:\|I:\|K:\|)
Objects scanned: 214486
Time elapsed: 1 hour(s), 57 minute(s), 10 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 10
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM936d36da (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\Ethel\Application Data\WinSecureAv (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ethel\Application Data\WinSecureAv\Logs (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
Files Infected:
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP129\A0029893.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP134\A0031207.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP134\A0031208.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP134\A0037216.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP134\A0037217.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ethel\Application Data\WinSecureAv\avtasks.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ethel\Application Data\WinSecureAv\Logs\av.log (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ethel\Application Data\WinSecureAv\Logs\ga6Support.log (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ethel\Application Data\WinSecureAv\Logs\update.log (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ethel\Desktop\Antivirus Programs Links.htm (Rogue.AntivirusPro) -> Quarantined and deleted successfully.
Kind regards.
Rorschach112
2008-05-04, 22:06
Hello
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):
O2 - BHO: {a8a270da-4963-8b1a-80a4-9962707b05d6} - {6d50b707-2699-4a08-a1b8-3694ad072a8a} - C:\WINDOWS\system32\vovtitfa.dll (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [BM936d36da] Rundll32.exe "C:\WINDOWS\system32\ulgkgkdk.dll",s
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Reboot and post a new HijackThis log
Thanks for your mail.
I can not find the below entry on my hijackThis log...
O4 - HKLM\..\Run: [BM936d36da] Rundll32.exe "C:\WINDOWS\system32\ulgkgkdk.dll",s
Kind regards.
Rorschach112
2008-05-05, 17:16
Post a new HijackThis log there
Here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:51:42, on 05/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SkypeMate\SkypeMate.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {a8a270da-4963-8b1a-80a4-9962707b05d6} - {6d50b707-2699-4a08-a1b8-3694ad072a8a} - C:\WINDOWS\system32\vovtitfa.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Xerox WorkCentre 480cx Monitor] RUNDLL32.EXE C:\WINDOWS\system32\X480SHLL.DLL,AutoUpdatePnPValue
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [iLike] C:\Program Files\iLike\1.1.27\ilikesidebar.exe /checkforupdate
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: SkypeMate.lnk = C:\Program Files\SkypeMate\SkypeMate.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Tilslutningshjælp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Tilslutningshjælp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {07D09E9E-C667-45DD-B035-217BC2A61A3B} (ActiveX sikkerhedssoftware Control) - https://www.portalbank.dk/package/sdc/external/activex/ActiveXSikkerhedssoftware-prod-1.20.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182320155843
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
--
End of file - 14627 bytes
Rorschach112
2008-05-05, 22:59
Hello
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):
O2 - BHO: {a8a270da-4963-8b1a-80a4-9962707b05d6} - {6d50b707-2699-4a08-a1b8-3694ad072a8a} - C:\WINDOWS\system32\vovtitfa.dll (file missing)
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Reboot and post a new HijackThis log
I have now removed the entry as requested below - that is:
O2 - BHO: {a8a270da-4963-8b1a-80a4-9962707b05d6} - {6d50b707-2699-4a08-a1b8-3694ad072a8a} - C:\WINDOWS\system32\vovtitfa.dll (file missing)
I have not removed the other entry that you mentioned in your last post (please advise if I should):
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:28:09, on 06/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\SkypeMate\SkypeMate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Xerox WorkCentre 480cx Monitor] RUNDLL32.EXE C:\WINDOWS\system32\X480SHLL.DLL,AutoUpdatePnPValue
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [iLike] C:\Program Files\iLike\1.1.27\ilikesidebar.exe /checkforupdate
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: SkypeMate.lnk = C:\Program Files\SkypeMate\SkypeMate.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Tilslutningshjælp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Tilslutningshjælp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {07D09E9E-C667-45DD-B035-217BC2A61A3B} (ActiveX sikkerhedssoftware Control) - https://www.portalbank.dk/package/sdc/external/activex/ActiveXSikkerhedssoftware-prod-1.20.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182320155843
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
--
End of file - 14486 bytes
Rorschach112
2008-05-06, 20:46
Yes fix that entry as well
Few things to do
Follow these steps to uninstall Combofix and tools used in the removal of malware
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
You now need to update your Java and remove your older versions.
Please follow these steps to remove older version Java components.
* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.
Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here (http://java.sun.com/javase/downloads/index.jsp)
Below I have included a number of recommendations for how to protect your computer against malware infections.
* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.
* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here (http://www.mozilla.org/products/firefox/)
* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)
Thank you for your patience, and performing all of the procedures requested.
Thank you for your time and patience.
I have uninstalled ComboFix as requested.
I have removed the old Java Runtime Evironment and updated with new version (I hope)
Internet security levels are as you have written. And will read the reading material you have suggested.
I still have:
OTMoveIt2
Malwarebytes' Anti-Malware
Super AntiSypware Free edition
Spybot Search and Destroy (that does not scan after receiving the updates)
Ad-Aware
(And of course MacAfee)
Should I remove any of the above.
I have problems with Microsoft update as I get an error when trying to update and I have sent a mail to their support requesting assistance.
I have also download Mozilla Firefox and will learn to use this instead!
Should I also make a new System Restore if all virusses are gone or do I have a few more things I need to do?
I appreciate all your help.
Kind regards.
Rorschach112
2008-05-07, 20:25
Do this with OTMoveIt2
Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
You can remove these
Super AntiSypware Free edition
Spybot Search and Destroy (that does not scan after receiving the updates)
Ad-Aware
MalwareBytes is good enough to just use by itself
No need to make a new System Restore point, ComboFix did that automatically
Any other questions ?
Sorry with all the questions.:oops:
I can't uninstall Spybot Search and Destroy - it comes up with this error:
Message file "C:Program Files\Spybot - Search & Destroy/unins000.msg" is missing. Please correct the problem or obtain a new copy of the program.
Rorschach112
2008-05-07, 23:00
Try download Spybot again and install it
Then uninstall it
Let me know how that goes
Rorschach112
2008-05-12, 01:39
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
Rorschach112
2008-05-13, 16:46
Whats wrong ?
Sorry for bothering. I wanted to inform you that I was able to remove spybot search and Destroy by installing again and then removing.
My pc has become extremely slow and I don't know if it something that the virus/malware has done to it.
Also as mentioned unable to do the windows update.
Aparently after contacting windows support they informed me that my harddisk might be defect (from the error code that it produced 0x80070017) now the error code has changed to 0x8007041D and I was wondering if something had been corrupted...
Is this something that you have seen before?
Rorschach112
2008-05-13, 18:16
I wouldn't say it is related to your malware problem, just the hard drive getting old
Not much advice I can give you really, hard drive would be easily replaced
Yes the computer is getting older... Would be hard keeping up with the latest all the time.
Will see what the HP customer service desk says about the error codes.
Thanks again for your assistance.
Best regards.
Rorschach112
2008-05-13, 20:30
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.