Help removing Command Service
TaffyLewis
2008-05-12, 06:15
I'm trying to remove the command service virus. Spybot is telling me that it is there but it can't remove it. I've been reading around here, so this is what I did. I ran Look2Me-Destroyer.exe the way I read it was supposed to be run in another thread. I downloaded and ran HJT after I ran Look2Me. I've attached both files to this message. I hope you can help me!
Taffy
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:23 PM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MAILLOOP6\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\?ssembly\t?skmgr.exe
C:\DOCUME~1\GUYHEA~1\APPLIC~1\RACLE~1\userinit.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0993fed2-64ef-4bf9-9bac-9079b8bf93b5} - C:\WINDOWS\system32\uxdnwxs.dll
O2 - BHO: (no name) - {20F36989-0319-4A25-B0B0-E6576F3A54A1} - C:\WINDOWS\system32\awtqo.dll (file missing)
O2 - BHO: (no name) - {3444C4B2-0206-2CA4-001B-5E00BEC7DABD} - C:\WINDOWS\system32\exbs.dll
O2 - BHO: (no name) - {3544C4B5-0206-52A0-0066-2E00BAC5DACB} - C:\WINDOWS\system32\exbs.dll
O2 - BHO: (no name) - {39AB7289-97BB-439A-AC41-F85B0CBDFAFE} - C:\WINDOWS\system32\pmnnm.dll (file missing)
O2 - BHO: (no name) - {4539AD1B-6FF1-1002-FCB4-64A394F8AAE9} - C:\WINDOWS\system32\dhmz.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5AAF23D8-4489-43D8-A064-319D1254ABCA} - C:\WINDOWS\system32\tuvurqr.dll (file missing)
O2 - BHO: {744621b3-d6fb-6b0b-3054-264371e44b5b} - {b5b44e17-3462-4503-b0b6-bf6d3b126447} - C:\WINDOWS\system32\mvadvcpc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [WinFlyer32.dll] "rundll32.exe" C:\WINDOWS\system32\WinFlyer32.dll,Run
O4 - HKLM\..\Run: [f8a1c5be] rundll32.exe "C:\WINDOWS\system32\wkhauwwk.dll",b
O4 - HKLM\..\Run: [BMfb92f622] Rundll32.exe "C:\WINDOWS\system32\fjaklhvr.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingA4786] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1714] cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.6\webbuying.exe
O4 - HKCU\..\Run: [Csqsk] C:\WINDOWS\?ssembly\t?skmgr.exe
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\GUYHEA~1\APPLIC~1\RACLE~1\userinit.exe" -vt ndrv
O4 - Global Startup: dllhost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2007\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2007\spy.htm
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142978619921
O20 - Winlogon Notify: iednet - iednet.dll (file missing)
O20 - Winlogon Notify: tuvurqr - tuvurqr.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\profsyvynak.html
--
End of file - 7380 bytes
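A log-triage helper, added here as an example and not code from the thread or from HijackThis: it parses HijackThis-style lines like the ones in the log above and flags the patterns a helper looks at first (a '?' standing in for a non-ASCII look-alike character in a system path, a system-binary name such as userinit.exe or dllhost.exe running from a user or Startup folder, a space before the extension as in 'qttask .exe', and registered BHOs or Winlogon Notify DLLs whose file is missing). The sample lines and the all-users Startup folder path are taken from the log above; the set of system binary names and the reason strings are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log above, including two
# legitimate entries (Adobe BHO, ctfmon.exe in system32) that must not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20F36989-0319-4A25-B0B0-E6576F3A54A1} - C:\WINDOWS\system32\awtqo.dll (file missing)
O4 - HKLM\..\RunOnce: [SpybotDeletingA4786] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Csqsk] C:\WINDOWS\?ssembly\t?skmgr.exe
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\GUYHEA~1\APPLIC~1\RACLE~1\userinit.exe" -vt ndrv
O4 - Global Startup: dllhost.exe
O20 - Winlogon Notify: tuvurqr - tuvurqr.dll (file missing)
"""

# Assumption of this example: Windows binaries that malware in this thread
# impersonates. Genuine copies live under C:\WINDOWS or C:\WINDOWS\system32.
SYSTEM_BINARIES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "userinit.exe", "dllhost.exe", "taskmgr.exe", "ctfmon.exe", "explorer.exe",
}
SYSTEM_DIRS = (r"c:\windows", r"c:\windows\system32")
# All-users Startup folder as it appears in the running-process list of the log.
STARTUP_DIR = r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"

# A Windows path ending in a module/driver extension, optionally quoted.
_PATH_RE = re.compile(r'"?([a-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|dsk))"?', re.I)
# 'qttask .exe' beside 'qttask.exe': the space hides the copy from a casual look.
_SPACE_BEFORE_EXT_RE = re.compile(r"\S \.(exe|dll|sys)$", re.I)


@dataclass
class Finding:
    section: str
    path: str
    reasons: list = field(default_factory=list)


def split_path(path):
    directory, _, basename = path.rpartition("\\")
    return directory.lower(), basename.lower()


def path_reasons(path):
    """Heuristics on one file path; returns a list of human-readable reasons."""
    reasons = []
    directory, basename = split_path(path)
    # HijackThis prints '?' for characters it cannot render, so a '?' inside a
    # directory or file name is a look-alike character, not a wildcard.
    if "?" in path:
        reasons.append("non-ASCII look-alike characters rendered as '?'")
    if "?" in basename:
        # Treat each '?' as a single unknown character and see which real
        # system binary the name is imitating (t?skmgr.exe -> taskmgr.exe).
        pattern = re.escape(basename).replace(r"\?", ".")
        for real in sorted(SYSTEM_BINARIES):
            if re.fullmatch(pattern, real):
                reasons.append(f"look-alike of system binary '{real}'")
    if _SPACE_BEFORE_EXT_RE.search(path):
        reasons.append("space before the extension")
    if basename in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
        reasons.append(f"system binary name '{basename}' outside the Windows directory")
    return reasons


def triage_line(line):
    """Return a Finding for a suspicious HijackThis line, or None if nothing stands out."""
    m = re.match(r"(O\d+|R\d)\s+-\s+(.*)", line.strip())
    if not m:
        return None
    section, body = m.groups()
    reasons = []
    path = ""
    pm = _PATH_RE.search(body)
    if pm:
        path = pm.group(1)
    elif section == "O4" and body.startswith("Global Startup:"):
        # A bare executable in the all-users Startup folder has no drive path
        # in the log; reconstruct it so the location check applies.
        path = STARTUP_DIR + "\\" + body.split(":", 1)[1].strip()
    if path:
        reasons += path_reasons(path)
    # Registered component whose file no longer exists: an orphan left by a
    # partial cleanup, or a DLL whose name changes at every boot.
    if "(file missing)" in body:
        reasons.append("registry entry points at a file that is missing")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("Browser Helper Object with no name")
    if section == "O4" and "RunOnce" in body and re.search(r"\bdel\b", body):
        reasons.append("RunOnce deleting a file: a cleaner is still fighting it")
    if not reasons:
        return None
    return Finding(section, path or body, reasons)


def triage(log_text):
    """Triage every line of a HijackThis log and return the Findings in order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}  {f.path}")
        for r in f.reasons:
            print(f"      - {r}")
```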
Hi TaffyLewis
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Post:
- a fresh HijackThis log
- combofix report
TaffyLewis
2008-05-13, 02:36
I really appreciate your help. I downloaded ComboFix as mentioned in the reply. I've uploaded its text file and a new file from HJT.
Thanks again!
Taffy
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:45 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MAILLOOP6\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0993fed2-64ef-4bf9-9bac-9079b8bf93b5} - C:\WINDOWS\system32\uxdnwxs.dll
O2 - BHO: (no name) - {20F36989-0319-4A25-B0B0-E6576F3A54A1} - C:\WINDOWS\system32\awtqo.dll (file missing)
O2 - BHO: (no name) - {3444C4B2-0206-2CA4-001B-5E00BEC7DABD} - C:\WINDOWS\system32\exbs.dll
O2 - BHO: (no name) - {3544C4B5-0206-52A0-0066-2E00BAC5DACB} - C:\WINDOWS\system32\exbs.dll
O2 - BHO: (no name) - {39AB7289-97BB-439A-AC41-F85B0CBDFAFE} - C:\WINDOWS\system32\pmnnm.dll (file missing)
O2 - BHO: (no name) - {4539AD1B-6FF1-1002-FCB4-64A394F8AAE9} - C:\WINDOWS\system32\dhmz.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Csqsk] C:\WINDOWS\?ssembly\t?skmgr.exe
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\GUYHEA~1\APPLIC~1\RACLE~1\userinit.exe" -vt ndrv
O4 - Global Startup: dllhost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2007\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2007\spy.htm
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142978619921
O20 - Winlogon Notify: iednet - iednet.dll (file missing)
O20 - Winlogon Notify: tuvurqr - tuvurqr.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
--
End of file - 5909 bytes
ComboFix 08-05-11.1 - Guy Heath 2008-05-12 18:51:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.625 [GMT -4:00]
Running from: C:\Documents and Settings\Guy Heath\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Guy Heath\Application Data\macromedia\Flash Player\#SharedObjects\UYW9FRKB\www.broadcaster.com
C:\Documents and Settings\Guy Heath\Application Data\macromedia\Flash Player\#SharedObjects\UYW9FRKB\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Guy Heath\Application Data\macromedia\Flash Player\#SharedObjects\UYW9FRKB\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Guy Heath\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Guy Heath\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Guy Heath\Application Data\RACLE~1
C:\Documents and Settings\Guy Heath\Application Data\RACLE~1\?racle\
C:\Documents and Settings\Guy Heath\Application Data\RACLE~1\userinit .exe
C:\Documents and Settings\Guy Heath\Application Data\RACLE~1\userinit.exe
C:\Documents and Settings\Maire and Nisha\Application Data\macromedia\Flash Player\#SharedObjects\JMHHVQDY\www.broadcaster.com
C:\Documents and Settings\Maire and Nisha\Application Data\macromedia\Flash Player\#SharedObjects\JMHHVQDY\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Maire and Nisha\Application Data\macromedia\Flash Player\#SharedObjects\JMHHVQDY\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Maire and Nisha\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Maire and Nisha\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Online Services\profsyvynak.html
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BMfb92f622.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\crosof~1
C:\WINDOWS\Fonts\-
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\ssembl~1
C:\WINDOWS\ssembl~1\t?skmgr.exe
C:\WINDOWS\system32\app.exe
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\eofqkofb.ini
C:\WINDOWS\system32\fjaklhvr.dll
C:\WINDOWS\system32\hgggecb.dll
C:\WINDOWS\system32\hgrtxjah.dll
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\jrfnthow.dll
C:\WINDOWS\system32\kwwuahkw.ini
C:\WINDOWS\system32\ljjjjhi.dll
C:\WINDOWS\system32\lnvldlqo.dll
C:\WINDOWS\system32\mhlpoljv.dll
C:\WINDOWS\SYSTEM32\mnnmp.ini
C:\WINDOWS\SYSTEM32\mnnmp.ini2
C:\WINDOWS\system32\muxvvnbb.ini
C:\WINDOWS\system32\mvadvcpc.dll
C:\WINDOWS\system32\nGpxx05
C:\WINDOWS\system32\nGpxx05\nGpxx051080.exe
C:\WINDOWS\system32\nGpxx18
C:\WINDOWS\system32\nGpxx18\nGpxx182328.exe
C:\WINDOWS\SYSTEM32\oqtwa.ini
C:\WINDOWS\SYSTEM32\oqtwa.ini2
C:\WINDOWS\system32\ovkbevlo.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pjfqqias.dll
C:\WINDOWS\system32\rjmhikxu.dll
C:\WINDOWS\system32\supctoaq.dll
C:\WINDOWS\system32\ugabocwq.ini
C:\WINDOWS\system32\winflyer32.dll
C:\WINDOWS\system32\winlogo.exe
C:\WINDOWS\system32\wkhauwwk.dll
C:\WINDOWS\system32\wlrtpjyf.dll
C:\WINDOWS\system32\wmwdsyii.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.
2008-05-12 18:58 . 2008-05-12 18:58 <DIR> d-------- C:\Temp\tn3
2008-05-09 18:44 . 2008-05-09 18:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-09 18:35 . 2008-05-09 18:35 932 --------- C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-04-13 10:10 . 2008-04-13 10:10 <DIR> d-------- C:\!KillBox
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 22:59 417,792 ----a-w C:\Program Files\Video.exe
2008-05-12 22:59 417,792 ----a-w C:\Program Files\Track_03.exe
2008-05-12 22:59 25,214 ----a-w C:\Program Files\B.ico
2008-05-12 22:59 25,214 ----a-w C:\Program Files\A.ico
2008-05-12 22:59 218,606 ----a-w C:\Program Files\c.zip
2008-05-12 22:59 217,706 ----a-w C:\Program Files\b.zip
2008-05-12 22:59 217,706 ----a-w C:\Program Files\a.zip
2008-05-11 15:25 --------- d-----w C:\Documents and Settings\Guy Heath\Application Data\U3
2008-03-17 10:35 --------- d-----w C:\Program Files\QuickTime
2008-03-17 10:35 --------- d-----w C:\Program Files\DAEMON Tools
2008-03-17 10:33 --------- d-----w C:\Program Files\Dot1XCfg
2008-03-16 18:35 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-24 23:25 24,576 ----a-w C:\Documents and Settings\Guy Heath\winlogo.exe
2008-01-23 09:40 253 ----a-w C:\Documents and Settings\Guy Heath\4991.bat
2008-01-23 07:15 57,344 ----a-w C:\Documents and Settings\Guy Heath\min.exe
2008-01-23 05:04 9,302 ----a-w C:\Documents and Settings\Guy Heath\winl.exe
2008-01-23 04:28 57,344 ----a-w C:\Documents and Settings\Guy Heath\install.exe
2008-01-23 02:18 55,808 ----a-w C:\Documents and Settings\Guy Heath\app.exe
2008-01-22 11:23 77 ----a-w C:\Documents and Settings\Guy Heath\5088.bat
2008-01-22 11:22 253 ----a-w C:\Documents and Settings\Guy Heath\1192.bat
2008-01-22 03:36 78,360 ----a-w C:\Program Files\uy.exe
2008-01-12 15:09 27,288 ----a-w C:\Documents and Settings\Maire and Nisha\Application Data\GDIPFONTCACHEV1.DAT
2007-11-29 16:13 417,792 ----a-w C:\Program Files\Setup.exe
2007-11-09 21:43 10,382,133 ----a-w C:\Documents and Settings\Maire and Nisha\HC41SInstaller.exe
2004-10-19 20:38 11,052,037 ----a-w C:\Documents and Settings\Guy Heath\Application Data\HCSetup2.0_IW.5.1.exe
2005-07-29 21:24 472 --sha-r C:\WINDOWS\R3V5IEhlYXRo\lapcKH15srlC.vbs
2007-06-13 10:23 78,360 --sha-r C:\WINDOWS\SYSTEM32\p2pnetworking.exe
.
<pre>
----a-w 339,968 2008-03-16 21:06:34 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w 368,706 2008-03-16 21:06:36 C:\Program Files\BroadJump\Client Foundation\CFD .exe
----a-w 171,464 2008-03-16 21:06:57 C:\Program Files\DAEMON Tools\daemon .exe
----a-w 61,440 2008-03-16 21:07:06 C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w 286,720 2008-03-16 21:06:40 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-03-16 18:35:22 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-03-15 19:58:12 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-03-13 23:29:36 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-02-13 19:03:55 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-02-13 12:27:12 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-02-12 12:39:56 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-02-11 18:02:26 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-02-11 17:10:43 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-02-11 14:39:37 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-02-11 12:26:02 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-31 16:52:24 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-31 14:18:02 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-31 12:30:40 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-31 03:14:31 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-30 23:52:23 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-28 01:44:02 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-27 23:41:43 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-27 18:09:47 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-27 12:11:55 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-27 02:02:36 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-26 22:05:03 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-26 18:16:20 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-26 13:33:06 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-25 03:11:10 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-25 02:00:19 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-25 01:37:06 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-24 10:38:38 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-22 11:22:01 C:\Program Files\QuickTime\qttask .exe
----a-w 2,097,488 2008-03-16 21:07:12 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 224,248 2008-03-16 21:06:39 C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
----a-w 290,821 2008-01-24 23:24:34 C:\WINDOWS\Fonts\svchost .exe
----a-w 15,360 2008-01-26 23:37:13 C:\WINDOWS\SYSTEM32\ctfmon .exe
</pre>
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0993fed2-64ef-4bf9-9bac-9079b8bf93b5}]
2008-01-21 23:37 171520 --a------ C:\WINDOWS\system32\uxdnwxs.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20F36989-0319-4A25-B0B0-E6576F3A54A1}]
C:\WINDOWS\system32\awtqo.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3444C4B2-0206-2CA4-001B-5E00BEC7DABD}]
2008-01-28 12:29 60928 --a------ C:\WINDOWS\system32\exbs.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3544C4B5-0206-52A0-0066-2E00BAC5DACB}]
2008-01-28 12:29 60928 --a------ C:\WINDOWS\system32\exbs.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39AB7289-97BB-439A-AC41-F85B0CBDFAFE}]
C:\WINDOWS\system32\pmnnm.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4539AD1B-6FF1-1002-FCB4-64A394F8AAE9}]
C:\WINDOWS\system32\dhmz.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Csqsk"="C:\WINDOWS\?ssembly\t?skmgr.exe" [ ]
"Tair"="C:\DOCUME~1\GUYHEA~1\APPLIC~1\RACLE~1\userinit.exe" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
dllhost.exe [2007-11-29 12:13:02 417792]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iednet]
iednet.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvurqr]
tuvurqr.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-26 09:04 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-02 19:36 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2004-07-25 15:45 1277952 C:\Program Files\Support.com\BellSouth\hcenter.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Macromedia\\Dreamweaver UltraDev 4\\UltraDev.exe"=
"C:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2005-12-14 20:06]
R1 DISKDUMPP;DISKDUMPP;C:\WINDOWS\system32\drivers\DISKDUMPP.sys [2008-01-21 23:37]
R2 MSSQL$MAILLOOP6;MSSQL$MAILLOOP6;C:\Program Files\Microsoft SQL Server\MSSQL$MAILLOOP6\Binn\sqlservr.exe [2002-12-17 16:26]
S3 NTPASp50;NTPASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\NTPASp50.sys [2004-08-10 10:57]
S3 Rio8Drv;Rio800 driver;C:\WINDOWS\system32\Drivers\Rio8Drv.sys [2004-08-04 06:00]
S3 SWLD23U;Netopia 802.11b WLAN USB Adapter;C:\WINDOWS\system32\DRIVERS\SWLD23U.sys [2003-12-17 16:58]
S3 swlubtl;WLAN USB Boot Device;C:\WINDOWS\system32\Drivers\swlubtl.sys [2003-05-02 17:26]
S3 TPP200;USB Storage Adapter V2 (TPP);C:\WINDOWS\system32\DRIVERS\TPP200.SYS [2005-08-17 19:14]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 06:00]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 15:55:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-11 06:00:00 C:\WINDOWS\Tasks\wrSpySweeper20050803170831.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe*/ScheduleSweep=wrSpySweeper20050803170831
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 18:59:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\INETSRV\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-05-12 19:18:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-12 23:17:56
Pre-Run: 41,620,467,712 bytes free
Post-Run: 48,165,720,064 bytes free
262 --- E O F --- 2008-03-18 07:01:31
Hi
In the future please don't attach any logs but copy/paste them to your reply.
You have/had a keylogger there so it's highly recommended to change all online passwords immediately from a known clean computer and contact your online bank/credit card company etc. if you have used their services via this computer.
Open notepad and copy/paste the text in the codebox below into it:
RenV::
----a-w 339,968 2008-03-16 21:06:34 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w 368,706 2008-03-16 21:06:36 C:\Program Files\BroadJump\Client Foundation\CFD .exe
----a-w 171,464 2008-03-16 21:06:57 C:\Program Files\DAEMON Tools\daemon .exe
----a-w 286,720 2008-03-16 21:06:40 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-03-16 18:35:22 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-03-15 19:58:12 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-03-13 23:29:36 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-02-13 19:03:55 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-02-13 12:27:12 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-02-12 12:39:56 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-02-11 18:02:26 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-02-11 17:10:43 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-02-11 14:39:37 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-02-11 12:26:02 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-31 16:52:24 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-31 14:18:02 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-31 12:30:40 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-31 03:14:31 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-30 23:52:23 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-28 01:44:02 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-27 23:41:43 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-27 18:09:47 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-27 12:11:55 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-27 02:02:36 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-26 22:05:03 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-26 18:16:20 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-26 13:33:06 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-25 03:11:10 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-25 02:00:19 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-25 01:37:06 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-24 10:38:38 C:\Program Files\QuickTime\qttask .exe
----a-w 652,288 2008-01-22 11:22:01 C:\Program Files\QuickTime\qttask .exe
----a-w 2,097,488 2008-03-16 21:07:12 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 224,248 2008-03-16 21:06:39 C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
----a-w 15,360 2008-01-26 23:37:13 C:\WINDOWS\SYSTEM32\ctfmon .exe
File::
C:\WINDOWS\Fonts\svchost .exe
C:\Program Files\Dot1XCfg\Dot1XCfg .exe
C:\WINDOWS\system32\uxdnwxs.dll
C:\WINDOWS\system32\exbs.dll
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
C:\Program Files\Video.exe
C:\Program Files\Track_03.exe
C:\Program Files\B.ico
C:\Program Files\A.ico
C:\Program Files\c.zip
C:\Program Files\b.zip
C:\Program Files\a.zip
C:\Documents and Settings\Guy Heath\winlogo.exe
C:\Documents and Settings\Guy Heath\4991.bat
C:\Documents and Settings\Guy Heath\min.exe
C:\Documents and Settings\Guy Heath\winl.exe
C:\Documents and Settings\Guy Heath\install.exe
C:\Documents and Settings\Guy Heath\app.exe
C:\Documents and Settings\Guy Heath\5088.bat
C:\Documents and Settings\Guy Heath\1192.bat
C:\Program Files\uy.exe
C:\WINDOWS\SYSTEM32\p2pnetworking.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe
C:\WINDOWS\system32\drivers\DISKDUMPP.sys
Driver::
DISKDUMPP
Folder::
C:\WINDOWS\R3V5IEhlYXRo
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0993fed2-64ef-4bf9-9bac-9079b8bf93b5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20F36989-0319-4A25-B0B0-E6576F3A54A1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3444C4B2-0206-2CA4-001B-5E00BEC7DABD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3544C4B5-0206-52A0-0066-2E00BAC5DACB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39AB7289-97BB-439A-AC41-F85B0CBDFAFE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4539AD1B-6FF1-1002-FCB4-64A394F8AAE9}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Csqsk"=-
"Tair"=-
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes named findstr, find, sed or swreg; then ComboFix should continue.
If that happened, we want to know, and also which process you had to end.
TaffyLewis
2008-05-14, 02:33
Sorry about not inserting the logs in the post (which is what I was supposed to do from the get-go, my bad). Here is my insert of the two files:
ComboFix 08-05-11.1 - Guy Heath 2008-05-13 19:12:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.686 [GMT -4:00]
Running from: C:\Documents and Settings\Guy Heath\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Guy Heath\Desktop\CFScript
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe
C:\Documents and Settings\Guy Heath\1192.bat
C:\Documents and Settings\Guy Heath\4991.bat
C:\Documents and Settings\Guy Heath\5088.bat
C:\Documents and Settings\Guy Heath\app.exe
C:\Documents and Settings\Guy Heath\install.exe
C:\Documents and Settings\Guy Heath\min.exe
C:\Documents and Settings\Guy Heath\winl.exe
C:\Documents and Settings\Guy Heath\winlogo.exe
C:\Program Files\A.ico
C:\Program Files\a.zip
C:\Program Files\B.ico
C:\Program Files\b.zip
C:\Program Files\c.zip
C:\Program Files\Dot1XCfg\Dot1XCfg .exe
C:\Program Files\Track_03.exe
C:\Program Files\uy.exe
C:\Program Files\Video.exe
C:\WINDOWS\Fonts\svchost .exe
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
C:\WINDOWS\system32\drivers\DISKDUMPP.sys
C:\WINDOWS\system32\exbs.dll
C:\WINDOWS\SYSTEM32\p2pnetworking.exe
C:\WINDOWS\system32\uxdnwxs.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe
C:\Documents and Settings\Guy Heath\1192.bat
C:\Documents and Settings\Guy Heath\4991.bat
C:\Documents and Settings\Guy Heath\5088.bat
C:\Documents and Settings\Guy Heath\app.exe
C:\Documents and Settings\Guy Heath\install.exe
C:\Documents and Settings\Guy Heath\min.exe
C:\Documents and Settings\Guy Heath\winl.exe
C:\Documents and Settings\Guy Heath\winlogo.exe
C:\Program Files\A.ico
C:\Program Files\a.zip
C:\Program Files\B.ico
C:\Program Files\b.zip
C:\Program Files\c.zip
C:\Program Files\Dot1XCfg\Dot1XCfg .exe
C:\Program Files\Track_03.exe
C:\Program Files\uy.exe
C:\Program Files\Video.exe
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\Fonts\svchost .exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu1000140.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\R3V5IEhlYXRo
C:\WINDOWS\R3V5IEhlYXRo\lapcKH15srlC.vbs
C:\WINDOWS\system32\clcwseva.dllbox
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\DISKDUMPP.sys
C:\WINDOWS\system32\exbs.dll
C:\WINDOWS\SYSTEM32\p2pnetworking.exe
C:\WINDOWS\system32\RCX1B.tmp
C:\WINDOWS\system32\RCX1F.tmp
C:\WINDOWS\system32\RCX24.tmp
C:\WINDOWS\system32\RCX25.tmp
C:\WINDOWS\system32\RCX2B.tmp
C:\WINDOWS\system32\uxdnwxs.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DISKDUMPP
-------\Service_DISKDUMPP
((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.
2008-05-09 18:44 . 2008-05-09 18:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-13 10:10 . 2008-04-13 10:10 <DIR> d-------- C:\!KillBox
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 23:13 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-13 23:13 --------- d-----w C:\Program Files\QuickTime
2008-05-13 23:12 --------- d-----w C:\Program Files\Dot1XCfg
2008-05-13 23:12 --------- d-----w C:\Program Files\DAEMON Tools
2008-05-11 15:25 --------- d-----w C:\Documents and Settings\Guy Heath\Application Data\U3
2008-01-12 15:09 27,288 ----a-w C:\Documents and Settings\Maire and Nisha\Application Data\GDIPFONTCACHEV1.DAT
2007-11-29 16:13 417,792 ----a-w C:\Program Files\Setup.exe
2007-11-09 21:43 10,382,133 ----a-w C:\Documents and Settings\Maire and Nisha\HC41SInstaller.exe
2004-10-19 20:38 11,052,037 ----a-w C:\Documents and Settings\Guy Heath\Application Data\HCSetup2.0_IW.5.1.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-26 19:37 15360]
"Tair"="C:\DOCUME~1\GUYHEA~1\APPLIC~1\RACLE~1\userinit.exe" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iednet]
iednet.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvurqr]
tuvurqr.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-26 09:04 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-02 19:36 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-22 07:22 652288 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2004-07-25 15:45 1277952 C:\Program Files\Support.com\BellSouth\hcenter.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Macromedia\\Dreamweaver UltraDev 4\\UltraDev.exe"=
"C:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2005-12-14 20:06]
R2 MSSQL$MAILLOOP6;MSSQL$MAILLOOP6;C:\Program Files\Microsoft SQL Server\MSSQL$MAILLOOP6\Binn\sqlservr.exe [2002-12-17 16:26]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
S3 NTPASp50;NTPASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\NTPASp50.sys [2004-08-10 10:57]
S3 Rio8Drv;Rio800 driver;C:\WINDOWS\system32\Drivers\Rio8Drv.sys [2004-08-04 06:00]
S3 SQLAgent$MAILLOOP6;SQLAgent$MAILLOOP6;C:\Program Files\Microsoft SQL Server\MSSQL$MAILLOOP6\Binn\sqlagent.EXE [2002-12-17 16:23]
S3 SWLD23U;Netopia 802.11b WLAN USB Adapter;C:\WINDOWS\system32\DRIVERS\SWLD23U.sys [2003-12-17 16:58]
S3 swlubtl;WLAN USB Boot Device;C:\WINDOWS\system32\Drivers\swlubtl.sys [2003-05-02 17:26]
S3 TPP200;USB Storage Adapter V2 (TPP);C:\WINDOWS\system32\DRIVERS\TPP200.SYS [2005-08-17 19:14]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 06:00]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 15:55:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-11 06:00:00 C:\WINDOWS\Tasks\wrSpySweeper20050803170831.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe*/ScheduleSweep=wrSpySweeper20050803170831
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 19:19:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\INETSRV\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2008-05-13 19:22:06 - machine was rebooted [Guy Heath]
ComboFix-quarantined-files.txt 2008-05-13 23:22:03
ComboFix2.txt 2008-05-12 23:18:41
Pre-Run: 48,139,104,256 bytes free
Post-Run: 48,132,288,512 bytes free
186 --- E O F --- 2008-03-18 07:01:31
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:26:21 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MAILLOOP6\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\GUYHEA~1\APPLIC~1\RACLE~1\userinit.exe" -vt ndrv
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2007\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2007\spy.htm
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142978619921
O20 - Winlogon Notify: iednet - iednet.dll (file missing)
O20 - Winlogon Notify: tuvurqr - tuvurqr.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
--
End of file - 5131 bytes
Hi
Open HijackThis, click do a system scan only and checkmark these:
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\GUYHEA~1\APPLIC~1\RACLE~1\userinit.exe" -vt ndrv
O20 - Winlogon Notify: iednet - iednet.dll (file missing)
O20 - Winlogon Notify: tuvurqr - tuvurqr.dll (file missing)
Close all windows including browser and press fix checked.
Looking over your log, it seems there is no evidence of any anti-virus software.
Anti-virus software consists of programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:
1) Antivir PersonalEdition Classic (http://www.free-av.com/) - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/doc/1) - Free edition of the AVG anti-virus program for Windows.
It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
Post back a fresh HijackThis log.
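The entries the helper picks out of the HijackThis log above follow a few recognisable patterns: a Run entry that launches a file named userinit.exe from a user's Application Data folder rather than system32, Winlogon Notify DLLs that are reported as "(file missing)", and, in the earlier process lists, lookalikes such as svchost .exe under \Fonts, dllhost.exe in the Startup folder and t?skmgr.exe under \?ssembly. The script below is an added example, not code from this thread, from HijackThis or from ComboFix: it runs those triage heuristics over log lines constructed from the logs posted here. The SYSTEM_BINARIES and SYSTEM_DIRS sets, the reason strings and the function names are my own assumptions, and the path regex only looks for the extensions that occur in these logs.

```python
import ntpath
import re

# Assumed list: Windows binaries whose legitimate home is %SystemRoot%\system32
# (or SysWOW64). The same names running from anywhere else are the lookalikes
# seen in this thread (userinit.exe under Application Data, svchost .exe under
# \Fonts, dllhost.exe in the Startup folder, t?skmgr.exe under \?ssembly).
SYSTEM_BINARIES = {
    "userinit.exe", "svchost.exe", "dllhost.exe", "ctfmon.exe",
    "taskmgr.exe", "winlogon.exe", "lsass.exe", "services.exe", "smss.exe",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# First Windows path with an executable-style extension anywhere in a log line.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|sys|bat|vbs)", re.IGNORECASE)


def looks_like(basename, known):
    """True if basename equals known once two disguises seen in the logs are
    undone: a space before the extension ('svchost .exe') and a non-ASCII
    character that HijackThis prints as '?' ('t?skmgr.exe')."""
    pattern = re.escape(basename.replace(" ", "")).replace(r"\?", ".")
    return re.fullmatch(pattern, known) is not None


def path_findings(path):
    """Reasons a single file path deserves a closer look (empty if none)."""
    reasons = []
    low = path.lower()
    directory, base = ntpath.split(low)
    if " ." in base:
        reasons.append("space before the file extension")
    if "?" in low:
        reasons.append("non-printable character in the path")
    lookalikes = [name for name in sorted(SYSTEM_BINARIES) if looks_like(base, name)]
    if lookalikes and directory not in SYSTEM_DIRS:
        reasons.append(f"{lookalikes[0]} lookalike outside system32 ({directory})")
    return reasons


def triage_hjt(lines):
    """Run the heuristics over HijackThis / ComboFix style lines.

    Returns a list of (line, reasons) pairs for the lines that tripped one."""
    findings = []
    for raw in lines:
        line = raw.strip()
        reasons = []
        # Winlogon Notify packages are loaded at logon; a registered DLL that
        # is no longer on disk is a leftover of something that was removed.
        if line.startswith("O20") and "(file missing)" in line:
            reasons.append("Winlogon Notify DLL missing from disk")
        match = PATH_RE.search(line)
        if match:
            reasons.extend(path_findings(match.group(0)))
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample: lines copied from the logs posted in this thread plus a
# few clean ones to show that normal entries are left alone.
SAMPLE_LOG = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\?ssembly\t?skmgr.exe",
    r"C:\WINDOWS\Fonts\svchost .exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\GUYHEA~1\APPLIC~1\RACLE~1\userinit.exe" -vt ndrv',
    r"O20 - Winlogon Notify: iednet - iednet.dll (file missing)",
    r"O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe",
]

if __name__ == "__main__":
    for line, reasons in triage_hjt(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run it as-is to see which of the sample lines are flagged and why; the clean smss.exe, ctfmon.exe and Spy Sweeper entries produce nothing. A hit from this script is a prompt to look closer (check the file's publisher, location and creation time), not proof of infection by itself, which is why the helper asks for a fresh log after each fix rather than acting on a single line.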
TaffyLewis
2008-05-16, 04:24
Ok, I had been running Spybot and Ad-Aware Personal SE. I'll take a look at the ones you're suggesting and use one. Thanks again. I did what you asked and here is the file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:41 PM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MAILLOOP6\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2007\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2007\spy.htm
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142978619921
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
--
End of file - 5701 bytes
Hi
Unfortunately, those are not antiviruses but antispyware programs.
You should install an antivirus, too.
After that, please post back a fresh HijackThis log :)
Due to the lack of feedback this Topic is closed.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.