virtumonde removal help...



nunyabizniz2399
2008-05-18, 02:48
My CPU is going crazy. I can't access certain internet browsers, I'm getting all kinds of error codes. I ran a scan with Spybot and it listed Virtumonde as a problem. I continued to try and remove the malware but I have not been successful. I tried to run the online scan with Kaspersky but it wouldn't work. Here is the log that is requested with the post from Trend Micro HijackThis.

Please help me fix this problem... thanks....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:16 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Documents and Settings\Charya\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {27B0A233-0BF4-4F93-BD26-814F0CC8EA97} - C:\WINDOWS\system32\wvUNhExX.dll (file missing)
O2 - BHO: (no name) - {2BA2F71C-408D-4C3B-8A92-1768F5ABFAB0} - C:\WINDOWS\system32\cbXNDUMf.dll (file missing)
O2 - BHO: (no name) - {46982F2D-4A15-4125-AD2F-FC9A7BD4FF10} - C:\WINDOWS\system32\vtUkJcda.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5409E1DD-EF95-4B88-92E5-ACA0B4AE1B0F} - C:\WINDOWS\system32\ssqRJATL.dll (file missing)
O2 - BHO: {40d85aef-fa05-3a1a-2cb4-f6bfbcb12a47} - {74a21bcb-fb6f-4bc2-a1a3-50affea58d04} - C:\WINDOWS\system32\chwvsjeg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {780031BB-149E-46C4-B76D-B1721E29EFD1} - (no file)
O2 - BHO: (no name) - {94D81741-0C95-41BD-9005-594AEE4FDADD} - (no file)
O2 - BHO: (no name) - {AE1A49AA-53ED-435C-992F-FC077D2AF061} - (no file)
O2 - BHO: (no name) - {E243A8E7-6244-49E0-A361-22DBF30FD46C} - C:\WINDOWS\system32\geBRjhIx.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [WorkFlow] D:\Install\WorkFlow.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\Charya\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [f88ea82e] rundll32.exe "C:\WINDOWS\system32\muvgjcti.dll",b
O4 - HKLM\..\Run: [BMfbbd9bb2] Rundll32.exe "C:\WINDOWS\system32\nubqvcqs.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.22/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://photoservices.van.fedex.com/software/ImageUploader4.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: geBRjhIx - C:\WINDOWS\SYSTEM32\geBRjhIx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 13530 bytes
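A triage script for HijackThis log lines like the ones above, written for this thread as an added example (it is not part of the post, of HijackThis, or of any removal tool). It parses the O2/O4/O20 entries and flags the Virtumonde-style indicators visible in the log: unnamed or GUID-named BHOs loading from system32, Run values with hex-blob names that load a system32 DLL through rundll32 by a one-letter export, and one DLL registered both as a BHO and as a Winlogon Notify package. The heuristics and the sample lines (copied from the log above) are this example's own assumptions.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example for this thread; not HijackThis code and not a complete
Virtumonde detector. The rules below encode only the indicators that are
visible in the posted log.
"""
import re
from dataclasses import dataclass

# Generic HJT entry shape: "<code> - <rest>", e.g. "O2 - BHO: ... - C:\...\x.dll"
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<rest>.*)$")
# A DLL living directly under %windir%\system32 (case-insensitive path)
SYSTEM32_DLL_RE = re.compile(r"[A-Za-z]:\\WINDOWS\\system32\\([A-Za-z0-9_]+\.dll)", re.I)
# rundll32 loading a system32 DLL by a single-letter export (",b" / ",s" in the log)
RUNDLL_ONE_LETTER_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?[A-Za-z]:\\WINDOWS\\system32\\(\w+\.dll)"?,[A-Za-z]$', re.I)
# Run value names that are hex blobs, e.g. [f88ea82e] and [BMfbbd9bb2] in the log
HEX_NAME_RE = re.compile(r"^(?:BM)?[0-9a-f]{8,}$")
O4_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    code: str      # HJT section code, or "O2+O20" for the correlation rule
    artifact: str  # DLL file name or Run value name
    reason: str


def triage(lines):
    """Return a list of Findings for the suspicious entries in an HJT log."""
    findings = []
    bho_dlls = {}     # lower-case dll name -> name as written, from O2 entries
    notify_dlls = set()
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, rest = m.group("code"), m.group("rest")
        if code == "O2":
            dll = SYSTEM32_DLL_RE.search(rest)
            if dll and rest.startswith("BHO: (no name)"):
                bho_dlls[dll.group(1).lower()] = dll.group(1)
                state = "orphaned registration" if "(file missing)" in rest else "present"
                findings.append(Finding(code, dll.group(1),
                                        f"unnamed BHO loading from system32 ({state})"))
            elif dll and rest.startswith("BHO: {"):
                # The BHO's display "name" is itself a GUID: no product name at all
                bho_dlls[dll.group(1).lower()] = dll.group(1)
                findings.append(Finding(code, dll.group(1),
                                        "BHO whose display name is a bare GUID, DLL in system32"))
        elif code == "O4":
            m4 = O4_NAME_RE.search(rest)
            if not m4:
                continue  # Startup-folder entries have no [name] part
            name, cmd = m4.group("name"), m4.group("cmd")
            if HEX_NAME_RE.match(name):
                findings.append(Finding(code, name, "Run value name is a hex-like blob"))
            r = RUNDLL_ONE_LETTER_RE.search(cmd)
            if r:
                findings.append(Finding(code, r.group(1),
                                        "rundll32 loads a system32 DLL by a one-letter export"))
        elif code == "O20":
            dll = SYSTEM32_DLL_RE.search(rest)
            if dll:
                notify_dlls.add(dll.group(1).lower())
    # Correlation: one DLL registered as a BHO *and* as a Winlogon Notify package,
    # which is how the same module ends up inside both the browser and winlogon.exe.
    for key in sorted(bho_dlls.keys() & notify_dlls):
        findings.append(Finding("O2+O20", bho_dlls[key],
                                "same DLL registered as BHO and Winlogon Notify"))
    return findings


# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {27B0A233-0BF4-4F93-BD26-814F0CC8EA97} - C:\WINDOWS\system32\wvUNhExX.dll (file missing)",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: {40d85aef-fa05-3a1a-2cb4-f6bfbcb12a47} - {74a21bcb-fb6f-4bc2-a1a3-50affea58d04} - C:\WINDOWS\system32\chwvsjeg.dll",
    r"O2 - BHO: (no name) - {E243A8E7-6244-49E0-A361-22DBF30FD46C} - C:\WINDOWS\system32\geBRjhIx.dll",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [f88ea82e] rundll32.exe "C:\WINDOWS\system32\muvgjcti.dll",b',
    r'O4 - HKLM\..\Run: [BMfbbd9bb2] Rundll32.exe "C:\WINDOWS\system32\nubqvcqs.dll",s',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O20 - Winlogon Notify: geBRjhIx - C:\WINDOWS\SYSTEM32\geBRjhIx.dll",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:6} {f.artifact:16} {f.reason}")
```

The legitimate NVIDIA, Spybot and ctfmon entries in the sample pass through untouched; the script is a reading aid for a log, not a replacement for the removal steps the helper gives below.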

Blade81
2008-05-19, 10:40
Hi

Please uninstall Spybot for now to make sure TeaTimer won't interfere with the fix. You may reinstall it after the cleaning process is completed.

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh HJT log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

nunyabizniz2399
2008-05-20, 02:14
COMBOFIX LOG

ComboFix 08-05-19.4 - Charya 2008-05-19 18:30:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.470 [GMT -5:00]
Running from: C:\Documents and Settings\Charya\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Charya\Application Data\.#
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\adcJkUtv.ini
C:\WINDOWS\system32\adcJkUtv.ini2
C:\WINDOWS\system32\Cbdfffhk.ini
C:\WINDOWS\system32\Cbdfffhk.ini2
C:\WINDOWS\system32\degpajpe.ini
C:\WINDOWS\system32\fMUDNXbc.ini
C:\WINDOWS\system32\fMUDNXbc.ini2
C:\WINDOWS\system32\ijvqkdyl.ini
C:\WINDOWS\system32\itcjgvum.ini
C:\WINDOWS\system32\itwkhxyh.ini
C:\WINDOWS\system32\ivphsnfr.ini
C:\WINDOWS\system32\jhphywge.ini
C:\WINDOWS\system32\KjTBKUvw.ini
C:\WINDOWS\system32\KjTBKUvw.ini2
C:\WINDOWS\system32\LTAJRqss.ini
C:\WINDOWS\system32\LTAJRqss.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\trugpkuu.ini
C:\WINDOWS\system32\WGgOpXyb.ini
C:\WINDOWS\system32\WGgOpXyb.ini2
C:\WINDOWS\system32\wxtyfqrq.ini
C:\WINDOWS\system32\XxEhNUvw.ini
C:\WINDOWS\system32\XxEhNUvw.ini2
C:\WINDOWS\system32\yjkmvyox.ini
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.

2008-05-19 18:40 . 2008-05-19 18:40 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-19 18:25 . 2008-05-19 18:25 114,688 --a------ C:\WINDOWS\system32\uukpgurt.dll
2008-05-19 18:23 . 2008-05-19 18:23 134,656 --a------ C:\WINDOWS\system32\wsvduykq.dll
2008-05-19 18:19 . 2008-05-19 18:19 2,560 --a------ C:\WINDOWS\system32\yxfcsvip.exe
2008-05-19 18:17 . 2008-05-19 18:17 124,928 --a------ C:\WINDOWS\system32\xwlebbwl.dll
2008-05-19 18:16 . 2008-05-19 18:16 371,712 --a------ C:\WINDOWS\system32\wvUKBTjK.dll
2008-05-18 19:51 . 2008-05-18 19:52 133,120 --a------ C:\WINDOWS\system32\lwyhxrou.dll
2008-05-18 19:42 . 2008-05-18 19:42 117,248 --a------ C:\WINDOWS\system32\egwyhphj.dll
2008-05-18 19:39 . 2008-05-18 19:39 124,928 --a------ C:\WINDOWS\system32\xgwhetwo.dll
2008-05-17 19:45 . 2008-05-17 19:45 134,144 --a------ C:\WINDOWS\system32\dkykiatm.dll
2008-05-17 19:37 . 2008-05-17 19:37 125,952 --a------ C:\WINDOWS\system32\ymcudoxq.dll
2008-05-17 19:35 . 2008-05-17 19:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 12:29 . 2007-11-26 12:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-05-17 12:29 . 2008-05-17 12:29 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-17 12:29 . 2008-05-19 18:29 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-17 11:04 . 2008-05-17 11:04 116,224 --a------ C:\WINDOWS\system32\rfnshpvi.dll
2008-05-17 11:00 . 2008-05-17 11:00 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-17 10:58 . 2008-05-17 10:58 134,144 --a------ C:\WINDOWS\system32\chwvsjeg.dll
2008-05-17 10:53 . 2008-05-17 10:53 125,952 --a------ C:\WINDOWS\system32\nubqvcqs.dll
2008-05-17 10:52 . 2008-05-17 10:52 371,712 --a------ C:\WINDOWS\system32\r
2008-05-16 17:27 . 2008-05-16 17:27 116,736 --a------ C:\WINDOWS\system32\hyxhkwti.dll
2008-05-16 17:18 . 2008-05-16 17:18 135,680 --a------ C:\WINDOWS\system32\lbdflgwb.dll
2008-05-16 17:15 . 2008-05-16 17:15 125,952 --a------ C:\WINDOWS\system32\ilqcsefu.dll
2008-05-16 00:38 . 2008-05-16 00:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-16 00:38 . 2008-05-16 00:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-15 23:52 . 2008-05-19 18:19 <DIR> d-------- C:\Documents and Settings\Charya\Application Data\MSN6
2008-05-15 23:52 . 2008-05-15 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-05-15 23:45 . 2008-05-15 23:46 <DIR> d-------- C:\Program Files\Microsoft Picture It! 9
2008-05-15 23:44 . 2008-05-15 23:44 <DIR> d-------- C:\Program Files\Design Science
2008-05-15 23:43 . 2008-05-15 23:43 <DIR> d-------- C:\Program Files\MSN Messenger
2008-05-15 23:43 . 2008-05-15 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN Messenger 6.1.0207
2008-05-15 23:40 . 2008-05-15 23:40 116,736 --a------ C:\WINDOWS\system32\xoyvmkjy.dll
2008-05-15 23:34 . 2008-05-15 23:34 133,120 --a------ C:\WINDOWS\system32\xmehagnp.dll
2008-05-15 23:32 . 2008-05-15 23:32 125,952 --a------ C:\WINDOWS\system32\tohwwkkx.dll
2008-05-15 21:27 . 2008-05-18 18:03 958 --a------ C:\WINDOWS\wininit.ini
2008-05-15 20:40 . 2008-05-19 18:21 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-15 20:40 . 2008-05-19 18:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-15 19:40 . 2008-05-15 19:40 133,120 --a------ C:\WINDOWS\system32\lnrjlsve.dll
2008-05-15 19:40 . 2008-05-15 19:40 125,952 --a------ C:\WINDOWS\system32\yyqyqmoa.dll
2008-05-15 19:28 . 2008-05-15 19:28 133,120 --a------ C:\WINDOWS\system32\yvfveums.dll
2008-05-15 19:23 . 2008-05-15 19:23 125,952 --a------ C:\WINDOWS\system32\mtxpvugh.dll
2008-05-13 21:50 . 2008-05-19 18:57 109,807 --a------ C:\WINDOWS\BMfbbd9bb2.xml
2008-05-13 10:14 . 2008-05-13 11:55 <DIR> d-------- C:\Program Files\DVDFab 5
2008-05-13 09:49 . 2008-05-13 09:49 57,856 --a------ C:\WINDOWS\system32\ljJCvUKE.dll
2008-05-13 09:48 . 2008-05-13 09:48 57,856 --a------ C:\WINDOWS\system32\hgGaBurO.dll
2008-05-13 09:41 . 2008-05-13 09:41 57,856 --a------ C:\WINDOWS\system32\geBRjhIx.dll
2008-05-12 21:04 . 2008-05-12 21:04 <DIR> d-------- C:\Program Files\iPod
2008-05-12 15:36 . 2008-05-12 15:36 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-28 22:46 . 2008-04-28 22:47 <DIR> d-------- C:\Program Files\Diner Dash Flo on the Go
2008-04-28 22:46 . 2008-05-15 10:10 <DIR> d-------- C:\Program Files\BFG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\RetroExp
2008-05-19 23:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-18 15:42 --------- d-----w C:\Documents and Settings\Charya\Application Data\Vso
2008-05-17 16:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-13 15:34 87,608 ----a-w C:\Documents and Settings\Charya\Application Data\inst.exe
2008-05-13 15:34 47,360 ----a-w C:\Documents and Settings\Charya\Application Data\pcouffin.sys
2008-05-13 14:05 --------- d-----w C:\Documents and Settings\Charya\Application Data\FUJIFILM
2008-05-13 13:56 --------- d-----w C:\Program Files\Apple Software Update
2008-05-13 02:04 --------- d-----w C:\Program Files\iTunes
2008-05-13 02:02 --------- d-----w C:\Program Files\QuickTime
2008-05-12 23:16 --------- d-----w C:\Documents and Settings\Charya\Application Data\LimeWire
2008-05-12 20:32 --------- d-----w C:\Program Files\Norton 360
2008-04-29 03:48 --------- d-----w C:\Documents and Settings\Charya\Application Data\PlayFirst
2008-04-29 03:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-04-12 22:11 --------- d-----w C:\Program Files\Sally's Salon
2008-04-10 14:36 --------- d-----w C:\Program Files\Go-Go Gourmet
2008-04-10 08:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-10 04:10 --------- d-----w C:\Documents and Settings\Charya\Application Data\Jane s Hotel Family Hero
2008-04-09 22:20 --------- d-----w C:\Program Files\Fashion Boutique-a section8 release
2008-04-09 22:16 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-09 22:15 --------- d-----w C:\Program Files\The Sims Carnival - BumperBlast
2008-04-09 22:14 --------- d-----w C:\Program Files\Ice Cream Craze
2008-04-09 22:06 --------- d-----w C:\Documents and Settings\Charya\Application Data\SprillBermudeEng
2008-04-09 22:05 --------- d-----w C:\Program Files\Hometown Hero
2008-04-09 22:01 --------- d-----w C:\Program Files\Youdagames
2008-04-09 22:01 --------- d-----w C:\Program Files\Jane's Hotel. Family Hero
2008-04-09 22:01 --------- d-----w C:\Documents and Settings\Charya\Application Data\Youdagames
2008-04-07 15:11 --------- d-----w C:\Program Files\WinAVI MP4 Converter
2008-04-07 15:09 --------- d-----w C:\Program Files\Xilisoft
2008-04-02 23:06 2,560 ----a-w C:\WINDOWS\system32\bitcometres.dll
2008-04-02 23:06 --------- d-----w C:\Program Files\BitComet
2008-03-31 22:39 --------- d-----w C:\Program Files\Java
2008-03-30 00:47 --------- d-----w C:\Documents and Settings\Charya\Application Data\ZoomBrowser EX
2008-03-30 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-03-30 00:25 --------- d-----w C:\Program Files\Canon
2008-03-30 00:22 --------- d-----w C:\Program Files\Common Files\Canon
2008-03-23 21:20 --------- d-----w C:\Program Files\American Airlines DealFinder
2008-03-23 21:19 --------- d-----w C:\Program Files\Star Defender 4
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 22:24 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00CD30B3-8E65-43A3-BC86-C71F162342E0}]
2008-05-19 18:16 371712 --a------ C:\WINDOWS\system32\wvUKBTjK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27B0A233-0BF4-4F93-BD26-814F0CC8EA97}]
C:\WINDOWS\system32\wvUNhExX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BA2F71C-408D-4C3B-8A92-1768F5ABFAB0}]
C:\WINDOWS\system32\cbXNDUMf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33312ed7-dfc5-4119-93e1-c314250937a5}]
2008-05-19 18:23 134656 --a------ C:\WINDOWS\system32\wsvduykq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46982F2D-4A15-4125-AD2F-FC9A7BD4FF10}]
C:\WINDOWS\system32\vtUkJcda.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5409E1DD-EF95-4B88-92E5-ACA0B4AE1B0F}]
C:\WINDOWS\system32\ssqRJATL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{780031BB-149E-46C4-B76D-B1721E29EFD1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EA457F4-6C7B-4AA1-B27B-286D256EAE7B}]
C:\WINDOWS\system32\khfffdbC.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94D81741-0C95-41BD-9005-594AEE4FDADD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE1A49AA-53ED-435C-992F-FC077D2AF061}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E243A8E7-6244-49E0-A361-22DBF30FD46C}]
2008-05-13 09:41 57856 --a------ C:\WINDOWS\system32\geBRjhIx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 15:39 1289000]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48 157592]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27 153136]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2003-12-18 00:02 4677632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorkFlow"="D:\Install\WorkFlow.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 02:43 8466432]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 16:42 1404928]
"nwiz"="nwiz.exe" [2007-06-29 02:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 02:43 81920]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 10:21 823296]
"MXOBG"="C:\Documents and Settings\Charya\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE" [ ]
"RetroExpress"="C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe" [2004-07-30 17:47 6946816]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 19:28 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 10:38 241664]
"DXDllRegExe"="dxdllreg.exe" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 02:47 31016]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 13:09 63712]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 16:59 115816]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-08 21:13 1695744]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"f88ea82e"="C:\WINDOWS\system32\uukpgurt.dll" [2008-05-19 18:25 114688]
"BMfbbd9bb2"="C:\WINDOWS\system32\xwlebbwl.dll" [2008-05-19 18:17 124928]

C:\Documents and Settings\Charya\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-09-02 16:06:54 557568]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 07:19:24 237568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E243A8E7-6244-49E0-A361-22DBF30FD46C}"= C:\WINDOWS\system32\geBRjhIx.dll [2008-05-13 09:41 57856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBRjhIx]
geBRjhIx.dll 2008-05-13 09:41 57856 C:\WINDOWS\system32\geBRjhIx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"23294:TCP"= 23294:TCP:BitComet 23294 TCP
"23294:UDP"= 23294:UDP:BitComet 23294 UDP

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5bb5add-87ef-11dc-be6c-0013205313ed}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 01:25:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 18:55:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\trugpkuu.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\geBRjhIx.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\uukpgurt.dll
-> C:\WINDOWS\system32\xwlebbwl.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\Retrospect.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
.
**************************************************************************
.
Completion time: 2008-05-19 19:04:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-20 00:04:32

Pre-Run: 33,460,695,040 bytes free
Post-Run: 33,467,334,656 bytes free

274 --- E O F --- 2008-04-13 05:30:31

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:10:05 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\MSN\MSNCoreFiles\MSN.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {00CD30B3-8E65-43A3-BC86-C71F162342E0} - C:\WINDOWS\system32\wvUKBTjK.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {27B0A233-0BF4-4F93-BD26-814F0CC8EA97} - C:\WINDOWS\system32\wvUNhExX.dll (file missing)
O2 - BHO: (no name) - {2BA2F71C-408D-4C3B-8A92-1768F5ABFAB0} - C:\WINDOWS\system32\cbXNDUMf.dll (file missing)
O2 - BHO: {5a739052-413c-1e39-9114-5cfd7de21333} - {33312ed7-dfc5-4119-93e1-c314250937a5} - C:\WINDOWS\system32\wsvduykq.dll
O2 - BHO: (no name) - {46982F2D-4A15-4125-AD2F-FC9A7BD4FF10} - C:\WINDOWS\system32\vtUkJcda.dll (file missing)
O2 - BHO: (no name) - {5409E1DD-EF95-4B88-92E5-ACA0B4AE1B0F} - C:\WINDOWS\system32\ssqRJATL.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {780031BB-149E-46C4-B76D-B1721E29EFD1} - (no file)
O2 - BHO: (no name) - {8EA457F4-6C7B-4AA1-B27B-286D256EAE7B} - C:\WINDOWS\system32\khfffdbC.dll (file missing)
O2 - BHO: (no name) - {94D81741-0C95-41BD-9005-594AEE4FDADD} - (no file)
O2 - BHO: (no name) - {AE1A49AA-53ED-435C-992F-FC077D2AF061} - (no file)
O2 - BHO: (no name) - {E243A8E7-6244-49E0-A361-22DBF30FD46C} - C:\WINDOWS\system32\geBRjhIx.dll
O4 - HKLM\..\Run: [WorkFlow] D:\Install\WorkFlow.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\Charya\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [f88ea82e] rundll32.exe "C:\WINDOWS\system32\uukpgurt.dll",b
O4 - HKLM\..\Run: [BMfbbd9bb2] Rundll32.exe "C:\WINDOWS\system32\xwlebbwl.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.22/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://photoservices.van.fedex.com/software/ImageUploader4.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: geBRjhIx - C:\WINDOWS\SYSTEM32\geBRjhIx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12824 bytes

Blade81
2008-05-20, 07:01
Hi


Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\uukpgurt.dll
C:\WINDOWS\system32\wsvduykq.dll
C:\WINDOWS\system32\yxfcsvip.exe
C:\WINDOWS\system32\xwlebbwl.dll
C:\WINDOWS\system32\wvUKBTjK.dll
C:\WINDOWS\system32\lwyhxrou.dll
C:\WINDOWS\system32\egwyhphj.dll
C:\WINDOWS\system32\xgwhetwo.dll
C:\WINDOWS\system32\dkykiatm.dll
C:\WINDOWS\system32\ymcudoxq.dll
C:\WINDOWS\system32\rfnshpvi.dll
C:\WINDOWS\system32\chwvsjeg.dll
C:\WINDOWS\system32\nubqvcqs.dll
C:\WINDOWS\system32\r
C:\WINDOWS\system32\hyxhkwti.dll
C:\WINDOWS\system32\lbdflgwb.dll
C:\WINDOWS\system32\ilqcsefu.dll
C:\WINDOWS\system32\xoyvmkjy.dll
C:\WINDOWS\system32\xmehagnp.dll
C:\WINDOWS\system32\tohwwkkx.dll
C:\WINDOWS\system32\lnrjlsve.dll
C:\WINDOWS\system32\yyqyqmoa.dll
C:\WINDOWS\system32\yvfveums.dll
C:\WINDOWS\system32\mtxpvugh.dll
C:\WINDOWS\BMfbbd9bb2.xml
C:\WINDOWS\system32\ljJCvUKE.dll
C:\WINDOWS\system32\hgGaBurO.dll
C:\WINDOWS\system32\geBRjhIx.dll
C:\WINDOWS\system32\trugpkuu.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00CD30B3-8E65-43A3-BC86-C71F162342E0}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27B0A233-0BF4-4F93-BD26-814F0CC8EA97}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BA2F71C-408D-4C3B-8A92-1768F5ABFAB0}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33312ed7-dfc5-4119-93e1-c314250937a5}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46982F2D-4A15-4125-AD2F-FC9A7BD4FF10}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5409E1DD-EF95-4B88-92E5-ACA0B4AE1B0F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{780031BB-149E-46C4-B76D-B1721E29EFD1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EA457F4-6C7B-4AA1-B27B-286D256EAE7B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94D81741-0C95-41BD-9005-594AEE4FDADD}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE1A49AA-53ED-435C-992F-FC077D2AF061}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E243A8E7-6244-49E0-A361-22DBF30FD46C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f88ea82e"=-
"BMfbbd9bb2"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E243A8E7-6244-49E0-A361-22DBF30FD46C}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBRjhIx]



Save this as CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happened, we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Run Kaspersky online scanner (full scan) and post back its report & a fresh hjt log (without forgetting the above-mentioned ComboFix resultant log).
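The reply above works the log by eye: O2 BHO entries and O4 Run entries pointing at 8-letter pseudo-random DLLs in system32, rundll32 loaders with a one-letter export, hex-looking Run value names, and an O20 Winlogon Notify DLL, then turns them into a CFScript File:: and Registry:: list. The script below is an added example (my code, not HijackThis, ComboFix or the helper's) that encodes those same heuristics and drafts the CFScript sections from them. The sample lines are copied from the HijackThis log posted in this thread; the "exactly 8 letters" rule, the Finding class and the function names are my assumptions, and every hit is a candidate for a human to check, not a verdict.

```python
"""Triage HijackThis 2.x log lines for Vundo/Virtumonde-style indicators and
draft the matching ComboFix CFScript sections. Added example for this thread,
not the tools' or the helper's own code; the regexes are assumptions about
what looks suspicious, not signatures."""
import re
from dataclasses import dataclass

# Assumption: the dropped DLLs have exactly 8 pseudo-random letters and live
# in system32 (geBRjhIx.dll, uukpgurt.dll in the log above).
RANDOM_DLL = re.compile(r"\\system32\\[A-Za-z]{8}\.dll", re.IGNORECASE)
DLL_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+\.dll', re.IGNORECASE)
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
O20_LINE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
# rundll32 "<dll>",<one letter> is the loader shape seen in the O4 lines above.
RUNDLL_ONE_LETTER = re.compile(r'rundll32\.exe\s+"(?P<dll>[^"]+)",(?P<export>[A-Za-z])\s*$', re.IGNORECASE)
HEXISH_VALUE = re.compile(r"^(?:BM)?[0-9A-Fa-f]{8}$")  # f88ea82e, BMfbbd9bb2
HIVE = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


@dataclass
class Finding:
    kind: str        # bho | orphan | run | winlogon
    line: str
    reason: str
    clsid: str = ""  # set for O2 hits, drives the [-...Browser Helper Objects\{clsid}] removal
    hive: str = ""   # set for O4 hits
    value: str = ""  # Run value name to delete with "name"=-
    key: str = ""    # Winlogon Notify subkey name


def triage(log_text: str) -> "list[Finding]":
    """One Finding per suspicious O2 / O4 / O20 line, in log order."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_LINE.match(line):
            if "(no file)" in m["path"] or "(file missing)" in m["path"]:
                out.append(Finding("orphan", line, "BHO CLSID registered but DLL gone", clsid=m["clsid"]))
            elif RANDOM_DLL.search(m["path"]):
                out.append(Finding("bho", line, "BHO loading 8-letter system32 DLL", clsid=m["clsid"]))
        elif m := O4_LINE.match(line):
            r = RUNDLL_ONE_LETTER.search(m["cmd"])
            if r and RANDOM_DLL.search(r["dll"]):
                out.append(Finding("run", line, f"rundll32 loads 8-letter DLL via export '{r['export']}'",
                                   hive=m["hive"], value=m["value"]))
            elif HEXISH_VALUE.match(m["value"]):
                out.append(Finding("run", line, "hex-looking Run value name", hive=m["hive"], value=m["value"]))
        elif m := O20_LINE.match(line):
            if RANDOM_DLL.search(m["path"]):
                out.append(Finding("winlogon", line, "random-named Notify DLL loads into winlogon.exe", key=m["key"]))
    return out


def cfscript_files(findings) -> "list[str]":
    """On-disk DLLs from non-orphan findings, deduplicated case-insensitively."""
    seen, paths = set(), []
    for f in findings:
        if f.kind == "orphan":
            continue
        for p in DLL_PATH.findall(f.line):
            if p.lower() not in seen:
                seen.add(p.lower())
                paths.append(p)
    return paths


def render_cfscript(findings) -> str:
    """Draft File:: and Registry:: sections in the shorthand used in the thread
    ('~' abbreviates the Browser Helper Objects key; [-key] deletes a key)."""
    lines = ["File::", *cfscript_files(findings), "", "Registry::"]
    lines += [f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{f.clsid}]" for f in findings if f.clsid]
    run_values = {}
    for f in findings:
        if f.kind == "run":
            run_values.setdefault(f.hive, []).append(f.value)
    for hive, values in run_values.items():
        lines.append(f"[{HIVE[hive]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
        lines += [f'"{v}"=-' for v in values]
    lines += [f"[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\{f.key}]"
              for f in findings if f.kind == "winlogon"]
    return "\n".join(lines)


# Lines copied from the HijackThis log posted in this thread (two clean entries
# included on purpose: the Java BHO and the NVIDIA rundll32 loader).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00CD30B3-8E65-43A3-BC86-C71F162342E0} - C:\WINDOWS\system32\wvUKBTjK.dll
O2 - BHO: (no name) - {27B0A233-0BF4-4F93-BD26-814F0CC8EA97} - C:\WINDOWS\system32\wvUNhExX.dll (file missing)
O2 - BHO: {5a739052-413c-1e39-9114-5cfd7de21333} - {33312ed7-dfc5-4119-93e1-c314250937a5} - C:\WINDOWS\system32\wsvduykq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {E243A8E7-6244-49E0-A361-22DBF30FD46C} - C:\WINDOWS\system32\geBRjhIx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [f88ea82e] rundll32.exe "C:\WINDOWS\system32\uukpgurt.dll",b
O4 - HKLM\..\Run: [BMfbbd9bb2] Rundll32.exe "C:\WINDOWS\system32\xwlebbwl.dll",s
O20 - Winlogon Notify: geBRjhIx - C:\WINDOWS\SYSTEM32\geBRjhIx.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.reason}: {f.line}")
    print()
    print(render_cfscript(triage(SAMPLE_LOG)))
```

Run it against a saved HijackThis log by replacing SAMPLE_LOG with the file's contents; the draft still needs the same review Blade81 gives above, since a legitimate 8-letter DLL name or a benign hex-named Run value would be flagged too, and orphaned BHO CLSIDs are listed for registry removal only, because there is no file left to delete.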

nunyabizniz2399
2008-05-20, 08:46
I'm still having a few problems..... I tried to run kaspersky online scanner but it's still not working. Also my windows security automatic updates will not stay on. I still can't visit certain websites that I could visit before. My internet either freezes, crashes, or the page doesn't load or work properly when I go to those sites, i.e. yahoo mail, facebook, etc...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:46 AM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: {94b186aa-5a0e-a0aa-ab74-5ca97466ee45} - {54ee6647-9ac5-47ba-aa0a-e0a5aa681b49} - C:\WINDOWS\system32\urxqmujn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A0A048F6-96CA-4EA3-8334-872A2F685851} - C:\WINDOWS\system32\tuvSmlJb.dll
O4 - HKLM\..\Run: [WorkFlow] D:\Install\WorkFlow.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\Charya\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.22/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://photoservices.van.fedex.com/software/ImageUploader4.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11647 bytes


ComboFix 08-05-19.4 - Charya 2008-05-20 0:26:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.377 [GMT -5:00]
Running from: C:\Documents and Settings\Charya\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Charya\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BMfbbd9bb2.xml
C:\WINDOWS\system32\chwvsjeg.dll
C:\WINDOWS\system32\dkykiatm.dll
C:\WINDOWS\system32\egwyhphj.dll
C:\WINDOWS\system32\geBRjhIx.dll
C:\WINDOWS\system32\hgGaBurO.dll
C:\WINDOWS\system32\hyxhkwti.dll
C:\WINDOWS\system32\ilqcsefu.dll
C:\WINDOWS\system32\lbdflgwb.dll
C:\WINDOWS\system32\ljJCvUKE.dll
C:\WINDOWS\system32\lnrjlsve.dll
C:\WINDOWS\system32\lwyhxrou.dll
C:\WINDOWS\system32\mtxpvugh.dll
C:\WINDOWS\system32\nubqvcqs.dll
C:\WINDOWS\system32\r
C:\WINDOWS\system32\rfnshpvi.dll
C:\WINDOWS\system32\tohwwkkx.dll
C:\WINDOWS\system32\trugpkuu.ini
C:\WINDOWS\system32\uukpgurt.dll
C:\WINDOWS\system32\wsvduykq.dll
C:\WINDOWS\system32\wvUKBTjK.dll
C:\WINDOWS\system32\xgwhetwo.dll
C:\WINDOWS\system32\xmehagnp.dll
C:\WINDOWS\system32\xoyvmkjy.dll
C:\WINDOWS\system32\xwlebbwl.dll
C:\WINDOWS\system32\ymcudoxq.dll
C:\WINDOWS\system32\yvfveums.dll
C:\WINDOWS\system32\yxfcsvip.exe
C:\WINDOWS\system32\yyqyqmoa.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Charya\Application Data\inst.exe
C:\WINDOWS\BMfbbd9bb2.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bJlmSvut.ini
C:\WINDOWS\system32\bJlmSvut.ini2
C:\WINDOWS\system32\chwvsjeg.dll
C:\WINDOWS\system32\dkykiatm.dll
C:\WINDOWS\system32\egwyhphj.dll
C:\WINDOWS\system32\geBRjhIx.dll
C:\WINDOWS\system32\hgGaBurO.dll
C:\WINDOWS\system32\hyxhkwti.dll
C:\WINDOWS\system32\ilqcsefu.dll
C:\WINDOWS\system32\jnctnocw.ini
C:\WINDOWS\system32\lbdflgwb.dll
C:\WINDOWS\system32\ljJCvUKE.dll
C:\WINDOWS\system32\lnrjlsve.dll
C:\WINDOWS\system32\lwyhxrou.dll
C:\WINDOWS\system32\mtxpvugh.dll
C:\WINDOWS\system32\nubqvcqs.dll
C:\WINDOWS\system32\r
C:\WINDOWS\system32\rfnshpvi.dll
C:\WINDOWS\system32\tohwwkkx.dll
C:\WINDOWS\system32\trugpkuu.ini
C:\WINDOWS\system32\uukpgurt.dll
C:\WINDOWS\system32\wsvduykq.dll
C:\WINDOWS\system32\wvUKBTjK.dll
C:\WINDOWS\system32\xgwhetwo.dll
C:\WINDOWS\system32\xmehagnp.dll
C:\WINDOWS\system32\xoyvmkjy.dll
C:\WINDOWS\system32\xwlebbwl.dll
C:\WINDOWS\system32\ymcudoxq.dll
C:\WINDOWS\system32\yvfveums.dll
C:\WINDOWS\system32\yxfcsvip.exe
C:\WINDOWS\system32\yyqyqmoa.dll
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-20 00:16 . 2008-05-20 00:17 <DIR> d-------- C:\Documents and Settings\Charya\Application Data\MSNInstaller
2008-05-19 20:19 . 2008-05-19 20:19 134,656 --a------ C:\WINDOWS\system32\urxqmujn.dll
2008-05-19 20:16 . 2008-05-19 20:16 114,688 --a------ C:\WINDOWS\system32\wcontcnj.dll
2008-05-19 20:13 . 2008-05-19 20:13 2,560 --a------ C:\WINDOWS\system32\fmkgneno.exe
2008-05-19 20:11 . 2008-05-19 20:11 124,928 --a------ C:\WINDOWS\system32\ficgipur.dll
2008-05-19 20:10 . 2008-05-19 20:10 371,712 --a------ C:\WINDOWS\system32\tuvSmlJb.dll
2008-05-17 19:35 . 2008-05-17 19:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 12:29 . 2007-11-26 12:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-05-17 12:29 . 2008-05-17 12:29 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-17 12:29 . 2008-05-19 23:53 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-17 11:00 . 2008-05-17 11:00 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-16 00:38 . 2008-05-16 00:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-16 00:38 . 2008-05-16 00:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-15 23:52 . 2008-05-19 18:19 <DIR> d-------- C:\Documents and Settings\Charya\Application Data\MSN6
2008-05-15 23:52 . 2008-05-15 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-05-15 23:45 . 2008-05-15 23:46 <DIR> d-------- C:\Program Files\Microsoft Picture It! 9
2008-05-15 23:44 . 2008-05-15 23:44 <DIR> d-------- C:\Program Files\Design Science
2008-05-15 23:43 . 2008-05-15 23:43 <DIR> d-------- C:\Program Files\MSN Messenger
2008-05-15 23:43 . 2008-05-15 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN Messenger 6.1.0207
2008-05-15 21:27 . 2008-05-18 18:03 958 --a------ C:\WINDOWS\wininit.ini
2008-05-15 20:40 . 2008-05-19 18:21 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-15 20:40 . 2008-05-19 18:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 10:14 . 2008-05-13 11:55 <DIR> d-------- C:\Program Files\DVDFab 5
2008-05-12 21:04 . 2008-05-12 21:04 <DIR> d-------- C:\Program Files\iPod
2008-05-12 15:36 . 2008-05-12 15:36 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-28 22:46 . 2008-04-28 22:47 <DIR> d-------- C:\Program Files\Diner Dash Flo on the Go
2008-04-28 22:46 . 2008-05-15 10:10 <DIR> d-------- C:\Program Files\BFG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 05:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-20 01:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-20 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\RetroExp
2008-05-18 15:42 --------- d-----w C:\Documents and Settings\Charya\Application Data\Vso
2008-05-13 15:34 47,360 ----a-w C:\Documents and Settings\Charya\Application Data\pcouffin.sys
2008-05-13 14:05 --------- d-----w C:\Documents and Settings\Charya\Application Data\FUJIFILM
2008-05-13 13:56 --------- d-----w C:\Program Files\Apple Software Update
2008-05-13 02:04 --------- d-----w C:\Program Files\iTunes
2008-05-13 02:02 --------- d-----w C:\Program Files\QuickTime
2008-05-12 23:16 --------- d-----w C:\Documents and Settings\Charya\Application Data\LimeWire
2008-05-12 20:32 --------- d-----w C:\Program Files\Norton 360
2008-04-29 03:48 --------- d-----w C:\Documents and Settings\Charya\Application Data\PlayFirst
2008-04-29 03:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-04-12 22:11 --------- d-----w C:\Program Files\Sally's Salon
2008-04-10 14:36 --------- d-----w C:\Program Files\Go-Go Gourmet
2008-04-10 08:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-10 04:10 --------- d-----w C:\Documents and Settings\Charya\Application Data\Jane s Hotel Family Hero
2008-04-09 22:20 --------- d-----w C:\Program Files\Fashion Boutique-a section8 release
2008-04-09 22:16 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-09 22:15 --------- d-----w C:\Program Files\The Sims Carnival - BumperBlast
2008-04-09 22:14 --------- d-----w C:\Program Files\Ice Cream Craze
2008-04-09 22:06 --------- d-----w C:\Documents and Settings\Charya\Application Data\SprillBermudeEng
2008-04-09 22:05 --------- d-----w C:\Program Files\Hometown Hero
2008-04-09 22:01 --------- d-----w C:\Program Files\Youdagames
2008-04-09 22:01 --------- d-----w C:\Program Files\Jane's Hotel. Family Hero
2008-04-09 22:01 --------- d-----w C:\Documents and Settings\Charya\Application Data\Youdagames
2008-04-07 15:11 --------- d-----w C:\Program Files\WinAVI MP4 Converter
2008-04-07 15:09 --------- d-----w C:\Program Files\Xilisoft
2008-04-02 23:06 --------- d-----w C:\Program Files\BitComet
2008-03-31 22:39 --------- d-----w C:\Program Files\Java
2008-03-30 00:47 --------- d-----w C:\Documents and Settings\Charya\Application Data\ZoomBrowser EX
2008-03-30 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-03-30 00:25 --------- d-----w C:\Program Files\Canon
2008-03-30 00:22 --------- d-----w C:\Program Files\Common Files\Canon
2008-03-23 21:20 --------- d-----w C:\Program Files\American Airlines DealFinder
2008-03-23 21:19 --------- d-----w C:\Program Files\Star Defender 4
.

((((((((((((((((((((((((((((( snapshot@2008-05-19_19.04.12.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-19 23:37:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 05:32:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54ee6647-9ac5-47ba-aa0a-e0a5aa681b49}]
2008-05-19 20:19 134656 --a------ C:\WINDOWS\system32\urxqmujn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0A048F6-96CA-4EA3-8334-872A2F685851}]
2008-05-19 20:10 371712 --a------ C:\WINDOWS\system32\tuvSmlJb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 15:39 1289000]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48 157592]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27 153136]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2003-12-18 00:02 4677632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorkFlow"="D:\Install\WorkFlow.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 02:43 8466432]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 16:42 1404928]
"nwiz"="nwiz.exe" [2007-06-29 02:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 02:43 81920]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 10:21 823296]
"MXOBG"="C:\Documents and Settings\Charya\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE" [ ]
"RetroExpress"="C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe" [2004-07-30 17:47 6946816]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 19:28 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 10:38 241664]
"DXDllRegExe"="dxdllreg.exe" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 02:47 31016]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 13:09 63712]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 16:59 115816]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-08 21:13 1695744]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\Charya\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-09-02 16:06:54 557568]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 07:19:24 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"23294:TCP"= 23294:TCP:BitComet 23294 TCP
"23294:UDP"= 23294:UDP:BitComet 23294 UDP

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5bb5add-87ef-11dc-be6c-0013205313ed}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 01:25:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 00:54:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\Retrospect.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
.
**************************************************************************
.
Completion time: 2008-05-20 1:03:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-20 06:02:58
ComboFix2.txt 2008-05-20 00:04:42

Pre-Run: 33,528,287,232 bytes free
Post-Run: 33,482,067,968 bytes free

257 --- E O F --- 2008-04-13 05:30:31

Blade81
2008-05-20, 09:03
Hi


Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\urxqmujn.dll
C:\WINDOWS\system32\wcontcnj.dll
C:\WINDOWS\system32\fmkgneno.exe
C:\WINDOWS\system32\ficgipur.dll
C:\WINDOWS\system32\tuvSmlJb.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54ee6647-9ac5-47ba-aa0a-e0a5aa681b49}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0A048F6-96CA-4EA3-8334-872A2F685851}]



Save this as
CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


What error do you get with Kaspersky scanner? Let's try Malwarebytes' Anti-malware scanner.

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file & a fresh hjt log in your next reply.
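
The triage behind the CFScript above is done by eye: pick the freshly dropped system32 DLL/EXE files with pseudo-random names out of the ComboFix "Files Created" section, then find the Browser Helper Object keys in "Reg Loading Points" that load them, and write both into File:: / Registry:: blocks. The script below is an added example of that workflow and is not part of the original thread, of ComboFix, or of any tool named here. It runs over a constructed excerpt whose lines are copied from the log earlier in this thread; the heuristic (eight alphabetic characters, .dll or .exe, under C:\WINDOWS\system32, created within three days of the scan) and the function names are my own assumptions, and the result is a starting point for a human to review, not a verdict. The `~` in the key path is reproduced exactly as ComboFix prints it, matching the post above.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt (assumption: layout copied from the ComboFix log in this thread;
# only the lines needed for the demonstration are kept).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-19 20:19 . 2008-05-19 20:19 134,656 --a------ C:\WINDOWS\system32\urxqmujn.dll
2008-05-19 20:16 . 2008-05-19 20:16 114,688 --a------ C:\WINDOWS\system32\wcontcnj.dll
2008-05-19 20:13 . 2008-05-19 20:13 2,560 --a------ C:\WINDOWS\system32\fmkgneno.exe
2008-05-19 20:11 . 2008-05-19 20:11 124,928 --a------ C:\WINDOWS\system32\ficgipur.dll
2008-05-19 20:10 . 2008-05-19 20:10 371,712 --a------ C:\WINDOWS\system32\tuvSmlJb.dll
2008-05-17 19:35 . 2008-05-17 19:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 11:00 . 2008-05-17 11:00 0 --a------ C:\WINDOWS\nsreg.dat

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54ee6647-9ac5-47ba-aa0a-e0a5aa681b49}]
2008-05-19 20:19 134656 --a------ C:\WINDOWS\system32\urxqmujn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0A048F6-96CA-4EA3-8334-872A2F685851}]
2008-05-19 20:10 371712 --a------ C:\WINDOWS\system32\tuvSmlJb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"""

# Time of the scan the log came from (the catchme line in the thread reads 2008-05-20 00:54).
SCAN_DATE = datetime(2008, 5, 20, 0, 54)

# "created . modified size attrs path" as ComboFix prints it in the Files Created section.
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"([\d,]+|<DIR>) (\S+) (.+)$"
)
# Eight letters, no digits, then .dll/.exe: the naming pattern of every Vundo drop in this thread.
RANDOM_PE_NAME = re.compile(r"^[A-Za-z]{8}\.(?:dll|exe)$")
# BHO key header and the "date time size attrs path" line ComboFix prints beneath it.
BHO_KEY = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\\{[0-9A-Fa-f-]+\})\]$")
BHO_TARGET = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (.+)$")


def parse_created(log):
    """Yield (created, size_bytes, path) for each file in the 'Files Created' section."""
    in_section = False
    for line in log.splitlines():
        if "Files Created from" in line:
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break  # reached the next section header
        m = FILE_LINE.match(line) if in_section else None
        if not m:
            continue
        created, size, _attrs, path = m.groups()
        if size == "<DIR>":
            continue
        yield datetime.strptime(created, "%Y-%m-%d %H:%M"), int(size.replace(",", "")), path


def suspicious_files(log, scan_date, window_days=3):
    """system32 PE files dropped within window_days of the scan whose names fit the
    pseudo-random pattern. Triage output for a human to check: a legitimate
    eight-letter name created inside the window would land here too."""
    cutoff = scan_date - timedelta(days=window_days)
    hits = []
    for created, _size, path in parse_created(log):
        folder, _, name = path.rpartition("\\")
        if (folder.lower() == r"c:\windows\system32"
                and created >= cutoff and RANDOM_PE_NAME.match(name)):
            hits.append(path)
    return hits


def bho_keys_loading(log, paths):
    """BHO keys in 'Reg Loading Points' whose target DLL is one of paths."""
    wanted = {p.lower() for p in paths}
    lines = log.splitlines()
    keys = []
    for i, line in enumerate(lines[:-1]):
        key = BHO_KEY.match(line)
        target = BHO_TARGET.match(lines[i + 1])
        if key and target and target.group(1).lower() in wanted:
            keys.append(key.group(1))
    return keys


def build_cfscript(log, scan_date, window_days=3):
    """Render the File:: / Registry:: script in the form posted above."""
    files = suspicious_files(log, scan_date, window_days)
    out = ["File::", *files]
    keys = bho_keys_loading(log, files)
    if keys:
        out += ["", "Registry::"]
        for key in keys:
            out += [f"[-{key}]", ""]  # leading '-' asks ComboFix to delete the key
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG, SCAN_DATE), end="")
```

Run against the excerpt it reproduces the five File:: paths and the two `[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{...}]` lines of the script above. The later logs in this thread show why it has to be re-run on every fresh log instead of reusing a script: after the first pass a new set of names (bbptyuhu, nchrxakk, aygvnrah, lndvrhcm) appears with the same pattern and a new BHO GUID.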

nunyabizniz2399
2008-05-21, 00:31
Kaspersky errors:
ActiveX does not pop up.
It tells me that I am not using an account with administrator privileges when the account does.

Just in case the log doesn't mention it......When Malwarebytes finished, it stated that there were two .dll files it could not delete and needed to reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:30 PM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: {7a4473be-f4a0-cbdb-7f24-a0a6758825b1} - {1b528857-6a0a-42f7-bdbc-0a4feb3744a7} - C:\WINDOWS\system32\nchrxakk.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [WorkFlow] D:\Install\WorkFlow.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\Charya\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.22/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://photoservices.van.fedex.com/software/ImageUploader4.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11532 bytes



Malwarebytes' Anti-Malware 1.12
Database version: 770

Scan type: Full Scan (C:\|H:\|)
Objects scanned: 176115
Time elapsed: 1 hour(s), 30 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\bbptyuhu.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f88ea82e (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMfbbd9bb2 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\bbptyuhu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\uhuytpbb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvSmlJb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\uukpgurt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wcontcnj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wvUKBTjK.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32888CC8-0C17-42B7-BCDC-096CA6B0221A}\RP224\A0023331.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32888CC8-0C17-42B7-BCDC-096CA6B0221A}\RP276\A0031587.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32888CC8-0C17-42B7-BCDC-096CA6B0221A}\RP276\A0031589.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32888CC8-0C17-42B7-BCDC-096CA6B0221A}\RP278\A0031747.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32888CC8-0C17-42B7-BCDC-096CA6B0221A}\RP278\A0031755.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\System Volume Information\_restore{32888CC8-0C17-42B7-BCDC-096CA6B0221A}\RP266\A0028886.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
H:\System Volume Information\_restore{32888CC8-0C17-42B7-BCDC-096CA6B0221A}\RP266\A0028911.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
H:\System Volume Information\_restore{32888CC8-0C17-42B7-BCDC-096CA6B0221A}\RP266\A0028914.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
H:\System Volume Information\_restore{32888CC8-0C17-42B7-BCDC-096CA6B0221A}\RP266\A0028936.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
H:\System Volume Information\_restore{32888CC8-0C17-42B7-BCDC-096CA6B0221A}\RP266\A0028950.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aygvnrah.dll (Trojan.Agent) -> Delete on reboot.

Blade81
2008-05-21, 07:09
Ok. I assume these were the two files:

C:\WINDOWS\system32\bbptyuhu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\aygvnrah.dll (Trojan.Agent) -> Delete on reboot.

Could you post ComboFix log (contents of c:\ComboFix.txt file) too, please? :)

nunyabizniz2399
2008-05-21, 23:26
Those files you listed look right. I didn't write them down...

I have also noticed that Mozilla Firefox internet browser/page works perfectly but internet explorer and MSN continues to crash and stall.

:oops:Sorry about not posting the combofix log....


ComboFix 08-05-19.4 - Charya 2008-05-20 10:36:42.3 - NTFSx86
Running from: C:\Documents and Settings\Charya\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Charya\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ficgipur.dll
C:\WINDOWS\system32\fmkgneno.exe
C:\WINDOWS\system32\tuvSmlJb.dll
C:\WINDOWS\system32\urxqmujn.dll
C:\WINDOWS\system32\wcontcnj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bJlmSvut.ini
C:\WINDOWS\system32\bJlmSvut.ini2
C:\WINDOWS\system32\ficgipur.dll
C:\WINDOWS\system32\fmkgneno.exe
C:\WINDOWS\system32\tuvSmlJb.dll
C:\WINDOWS\system32\urxqmujn.dll
C:\WINDOWS\system32\wcontcnj.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-20 10:46 . 2008-05-20 10:46 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-20 01:31 . 2008-05-20 01:31 114,688 --a------ C:\WINDOWS\system32\bbptyuhu.dll
2008-05-20 01:31 . 2008-05-20 01:35 354 ---hs---- C:\WINDOWS\system32\uhuytpbb.ini
2008-05-20 01:26 . 2008-05-20 01:26 134,656 --a------ C:\WINDOWS\system32\nchrxakk.dll
2008-05-20 01:26 . 2008-05-20 01:26 124,928 --a------ C:\WINDOWS\system32\aygvnrah.dll
2008-05-20 01:26 . 2008-05-20 01:26 2,560 --a------ C:\WINDOWS\system32\lndvrhcm.exe
2008-05-20 01:26 . 2008-05-20 01:26 0 --a------ C:\WINDOWS\BMfbbd9bb2.xml
2008-05-20 00:16 . 2008-05-20 00:17 <DIR> d-------- C:\Documents and Settings\Charya\Application Data\MSNInstaller
2008-05-17 19:35 . 2008-05-17 19:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 12:29 . 2007-11-26 12:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-05-17 12:29 . 2008-05-17 12:29 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-17 12:29 . 2008-05-20 10:46 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-17 11:00 . 2008-05-17 11:00 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-16 00:38 . 2008-05-16 00:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-16 00:38 . 2008-05-16 00:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-15 23:52 . 2008-05-20 10:40 <DIR> d-------- C:\Documents and Settings\Charya\Application Data\MSN6
2008-05-15 23:52 . 2008-05-15 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-05-15 23:45 . 2008-05-15 23:46 <DIR> d-------- C:\Program Files\Microsoft Picture It! 9
2008-05-15 23:44 . 2008-05-15 23:44 <DIR> d-------- C:\Program Files\Design Science
2008-05-15 23:43 . 2008-05-15 23:43 <DIR> d-------- C:\Program Files\MSN Messenger
2008-05-15 23:43 . 2008-05-15 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN Messenger 6.1.0207
2008-05-15 21:27 . 2008-05-18 18:03 958 --a------ C:\WINDOWS\wininit.ini
2008-05-15 20:40 . 2008-05-19 18:21 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-15 20:40 . 2008-05-19 18:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 10:14 . 2008-05-13 11:55 <DIR> d-------- C:\Program Files\DVDFab 5
2008-05-12 21:04 . 2008-05-12 21:04 <DIR> d-------- C:\Program Files\iPod
2008-05-12 15:36 . 2008-05-12 15:36 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-28 22:46 . 2008-04-28 22:47 <DIR> d-------- C:\Program Files\Diner Dash Flo on the Go
2008-04-28 22:46 . 2008-05-15 10:10 <DIR> d-------- C:\Program Files\BFG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 15:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-20 15:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\RetroExp
2008-05-20 06:49 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-20 06:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-18 15:42 --------- d-----w C:\Documents and Settings\Charya\Application Data\Vso
2008-05-13 15:34 47,360 ----a-w C:\Documents and Settings\Charya\Application Data\pcouffin.sys
2008-05-13 14:05 --------- d-----w C:\Documents and Settings\Charya\Application Data\FUJIFILM
2008-05-13 13:56 --------- d-----w C:\Program Files\Apple Software Update
2008-05-13 02:04 --------- d-----w C:\Program Files\iTunes
2008-05-13 02:02 --------- d-----w C:\Program Files\QuickTime
2008-05-12 23:16 --------- d-----w C:\Documents and Settings\Charya\Application Data\LimeWire
2008-05-12 20:32 --------- d-----w C:\Program Files\Norton 360
2008-04-29 03:48 --------- d-----w C:\Documents and Settings\Charya\Application Data\PlayFirst
2008-04-29 03:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-04-12 22:11 --------- d-----w C:\Program Files\Sally's Salon
2008-04-10 14:36 --------- d-----w C:\Program Files\Go-Go Gourmet
2008-04-10 04:10 --------- d-----w C:\Documents and Settings\Charya\Application Data\Jane s Hotel Family Hero
2008-04-09 22:20 --------- d-----w C:\Program Files\Fashion Boutique-a section8 release
2008-04-09 22:16 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-09 22:15 --------- d-----w C:\Program Files\The Sims Carnival - BumperBlast
2008-04-09 22:14 --------- d-----w C:\Program Files\Ice Cream Craze
2008-04-09 22:06 --------- d-----w C:\Documents and Settings\Charya\Application Data\SprillBermudeEng
2008-04-09 22:05 --------- d-----w C:\Program Files\Hometown Hero
2008-04-09 22:01 --------- d-----w C:\Program Files\Youdagames
2008-04-09 22:01 --------- d-----w C:\Program Files\Jane's Hotel. Family Hero
2008-04-09 22:01 --------- d-----w C:\Documents and Settings\Charya\Application Data\Youdagames
2008-04-07 15:11 --------- d-----w C:\Program Files\WinAVI MP4 Converter
2008-04-07 15:09 --------- d-----w C:\Program Files\Xilisoft
2008-04-02 23:06 --------- d-----w C:\Program Files\BitComet
2008-03-31 22:39 --------- d-----w C:\Program Files\Java
2008-03-30 00:47 --------- d-----w C:\Documents and Settings\Charya\Application Data\ZoomBrowser EX
2008-03-30 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-03-30 00:25 --------- d-----w C:\Program Files\Canon
2008-03-30 00:22 --------- d-----w C:\Program Files\Common Files\Canon
2008-03-23 21:20 --------- d-----w C:\Program Files\American Airlines DealFinder
2008-03-23 21:19 --------- d-----w C:\Program Files\Star Defender 4
.

((((((((((((((((((((((((((((( snapshot@2008-05-19_19.04.12.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-23 04:56:21 554,008 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\dao360.dll
+ 2007-12-10 12:41:11 518,944 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexch40.dll
+ 2007-12-10 12:41:11 326,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexcl40.dll
+ 2007-12-10 12:41:11 1,516,568 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjet40.dll
+ 2007-12-10 12:41:11 355,112 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjetol1.dll
+ 2008-03-27 07:39:13 151,583 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjint40.dll
+ 2007-12-10 12:41:12 60,192 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll
+ 2007-12-10 12:41:12 248,608 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjtes40.dll
+ 2007-12-10 12:41:12 219,936 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msltus40.dll
+ 2007-12-10 12:41:12 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mspbde40.dll
+ 2007-12-10 12:41:13 432,928 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd2x40.dll
+ 2007-12-10 12:41:13 322,336 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd3x40.dll
+ 2007-12-10 12:41:13 559,904 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrepl40.dll
+ 2007-12-10 12:41:13 264,992 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mstext40.dll
+ 2007-12-10 12:41:13 838,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswdat10.dll
+ 2007-12-10 12:41:14 621,344 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswstr10.dll
+ 2007-12-10 12:41:14 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msxbde40.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\updspapi.dll
- 2008-05-19 23:37:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 15:42:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2006-10-27 22:04:08 497,504 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MORPH9.DLL
+ 2006-10-27 03:09:36 136,008 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PRTF9.DLL
+ 2006-10-27 22:04:06 624,456 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PTXT9.DLL
+ 2006-10-27 22:23:04 347,432 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\WINWORD.EXE
- 2008-04-10 08:05:17 1,165,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-05-20 15:47:38 1,165,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-04-10 08:05:17 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-05-20 15:47:39 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-04-10 08:05:17 159,504 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-05-20 15:47:39 159,504 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-04-10 08:05:17 184,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-05-20 15:47:39 184,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-04-10 08:05:17 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-05-20 15:47:39 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-04-10 08:05:17 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-05-20 15:47:39 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-04-10 08:05:17 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-05-20 15:47:39 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-04-10 08:05:17 845,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-05-20 15:47:39 845,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-04-10 08:05:17 922,384 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-05-20 15:47:39 922,384 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-04-10 08:05:17 272,648 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-05-20 15:47:39 272,648 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-04-10 08:05:17 888,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-05-20 15:47:39 888,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-04-10 08:05:17 1,172,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-05-20 15:47:39 1,172,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2004-08-04 10:00:00 561,179 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll
+ 2008-03-25 04:50:25 554,008 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll
- 2004-08-04 10:00:00 512,029 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll
+ 2008-03-25 04:50:28 518,944 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll
- 2004-08-04 10:00:00 319,517 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
- 2004-08-04 10:00:00 1,507,356 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll
- 2004-08-04 10:00:00 358,976 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
+ 2008-03-25 04:50:40 355,112 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
- 2004-08-04 10:00:00 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll
+ 2008-03-27 08:12:54 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll
- 2004-08-04 10:00:00 53,279 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll
+ 2008-03-25 04:50:42 60,192 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll
- 2004-08-04 10:00:00 241,693 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
- 2004-08-04 10:00:00 213,023 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll
+ 2008-03-25 04:50:44 219,936 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll
- 2004-08-04 10:00:00 348,189 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
- 2004-08-04 10:00:00 421,919 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
- 2004-08-04 10:00:00 315,423 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
- 2004-08-04 10:00:00 552,989 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
- 2004-08-04 10:00:00 258,077 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll
+ 2008-03-25 04:50:55 264,992 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll
- 2004-08-04 10:00:00 831,519 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
- 2004-08-04 10:00:00 614,429 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
- 2004-08-04 10:00:00 348,189 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
- 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
- 2004-08-04 10:00:00 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll
+ 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll
- 2004-08-04 10:00:00 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll
- 2004-08-04 10:00:00 1,507,356 ----a-w C:\WINDOWS\system32\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\msjet40.dll
- 2004-08-04 10:00:00 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
+ 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
- 2004-08-04 10:00:00 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
+ 2008-03-27 08:12:54 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
- 2004-08-04 10:00:00 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll
+ 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll
- 2004-08-04 10:00:00 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll
- 2004-08-04 10:00:00 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll
+ 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
- 2004-08-04 10:00:00 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll
- 2004-08-04 10:00:00 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll
- 2004-08-04 10:00:00 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll
- 2004-08-04 10:00:00 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll
- 2004-08-04 10:00:00 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll
+ 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll
- 2004-08-04 10:00:00 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll
- 2004-08-04 10:00:00 614,429 ----a-w C:\WINDOWS\system32\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
- 2004-08-04 10:00:00 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1b528857-6a0a-42f7-bdbc-0a4feb3744a7}]
2008-05-20 01:26 134656 --a------ C:\WINDOWS\system32\nchrxakk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 15:39 1289000]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48 157592]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27 153136]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2003-12-18 00:02 4677632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorkFlow"="D:\Install\WorkFlow.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 02:43 8466432]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 16:42 1404928]
"nwiz"="nwiz.exe" [2007-06-29 02:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 02:43 81920]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 10:21 823296]
"MXOBG"="C:\Documents and Settings\Charya\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE" [ ]
"RetroExpress"="C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe" [2004-07-30 17:47 6946816]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 19:28 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 10:38 241664]
"DXDllRegExe"="dxdllreg.exe" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 02:47 31016]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 13:09 63712]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 16:59 115816]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-08 21:13 1695744]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"f88ea82e"="C:\WINDOWS\system32\bbptyuhu.dll" [2008-05-20 01:31 114688]
"BMfbbd9bb2"="C:\WINDOWS\system32\aygvnrah.dll" [2008-05-20 01:26 124928]

C:\Documents and Settings\Charya\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-09-02 16:06:54 557568]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 07:19:24 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"23294:TCP"= 23294:TCP:BitComet 23294 TCP
"23294:UDP"= 23294:UDP:BitComet 23294 UDP

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5bb5add-87ef-11dc-be6c-0013205313ed}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 01:25:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 10:48:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\pskt.ini 22 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\bbptyuhu.dll
-> C:\WINDOWS\system32\aygvnrah.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\Retrospect.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
.
**************************************************************************
.
Completion time: 2008-05-20 10:57:23 - machine was rebooted [Charya]
ComboFix-quarantined-files.txt 2008-05-20 15:57:14
ComboFix2.txt 2008-05-20 06:03:06
ComboFix3.txt 2008-05-20 00:04:42

Pre-Run: 33,520,545,792 bytes free
Post-Run: 33,340,239,872 bytes free

336 --- E O F --- 2008-05-20 15:47:41

Blade81
2008-05-22, 06:22
Hi


Open Notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\bbptyuhu.dll
C:\WINDOWS\system32\uhuytpbb.ini
C:\WINDOWS\system32\nchrxakk.dll
C:\WINDOWS\system32\aygvnrah.dll
C:\WINDOWS\system32\lndvrhcm.exe
C:\WINDOWS\BMfbbd9bb2.xml

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1b528857-6a0a-42f7-bdbc-0a4feb3744a7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f88ea82e"=-
"BMfbbd9bb2"=-



Save this as CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log and a fresh HJT log. How's the system running after all this?


ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened, we want to know, and also what process you had to end.
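The step from the ComboFix log above to the CFScript in this post is the part a helper does by eye; the following is an added example (not Blade81's script and not part of ComboFix) that parses the log's load-point and loaded-DLL sections from a constructed sample built from this thread's entries, scores each entry, and emits a CFScript in the same File::/Registry:: form. The random-name, hex-value-name and "dated within 7 days of the scan" heuristics are assumptions chosen to match the Vundo files seen in this thread, not ComboFix rules.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample in the shape of ComboFix's "Reg Loading Points" and
# "DLLs Loaded Under Running Processes" sections, built from this thread's entries.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1b528857-6a0a-42f7-bdbc-0a4feb3744a7}]
2008-05-20 01:26 134656 --a------ C:\WINDOWS\system32\nchrxakk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 02:43 8466432]
"f88ea82e"="C:\WINDOWS\system32\bbptyuhu.dll" [2008-05-20 01:31 114688]
"BMfbbd9bb2"="C:\WINDOWS\system32\aygvnrah.dll" [2008-05-20 01:26 124928]

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\bbptyuhu.dll
-> C:\WINDOWS\system32\aygvnrah.dll
"""
SAMPLE_SCAN_DATE = date(2008, 5, 20)   # date the sample log was taken

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[(\d{4}-\d{2}-\d{2}) [^\]]*\]$')  # "name"="path" [date time size]
BHO_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) \S+ \d+ \S+ (\S.*)$')                  # date time size attrs path
PROC_RE = re.compile(r'^PROCESS: (\S.*)$')
LOADED_RE = re.compile(r'^-> (\S.*)$')
# Heuristics (assumptions for this example, not ComboFix rules): the Vundo files in
# the thread are 8 random lowercase letters in system32, and their Run value names
# are hex tokens (optionally prefixed "BM") rather than product names.
RANDOM_NAME_RE = re.compile(r'^[a-z]{8}\.(?:dll|exe)$')
HEX_VALUE_NAME_RE = re.compile(r'^(?:BM)?[0-9a-f]{8}$')
SYSTEM32 = 'c:\\windows\\system32\\'


@dataclass
class LoadPoint:
    key: str        # registry key the entry lives under
    name: str       # Run value name, or the BHO CLSID
    path: str       # file the entry loads
    stamp: date     # file date as reported by ComboFix
    reasons: list[str] = field(default_factory=list)


def parse_load_points(log: str) -> tuple[list[LoadPoint], dict[str, str]]:
    """Return the load-point entries and a map of loaded DLL path -> host process."""
    entries: list[LoadPoint] = []
    loaded: dict[str, str] = {}
    key = proc = None
    for raw in log.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := RUN_RE.match(line)) and key:
            entries.append(LoadPoint(key, m.group(1), m.group(2), date.fromisoformat(m.group(3))))
        elif (m := BHO_RE.match(line)) and key and 'Browser Helper Objects' in key:
            clsid = key.rsplit('\\', 1)[-1]
            entries.append(LoadPoint(key, clsid, m.group(2), date.fromisoformat(m.group(1))))
        elif m := PROC_RE.match(line):
            proc = m.group(1)
        elif (m := LOADED_RE.match(line)) and proc:
            loaded[m.group(1).lower()] = proc
    return entries, loaded


def assess(entries: list[LoadPoint], loaded: dict[str, str], scan_date: date,
           recent_days: int = 7) -> list[LoadPoint]:
    """Attach the reasons each entry looks suspicious; two or more reasons flag it."""
    flagged = []
    for e in entries:
        e.reasons = []
        fname = e.path.rsplit('\\', 1)[-1]
        if e.path.lower().startswith(SYSTEM32) and RANDOM_NAME_RE.match(fname):
            e.reasons.append('8-letter random-looking name in system32')
        if abs(scan_date - e.stamp) <= timedelta(days=recent_days):
            e.reasons.append(f'file dated within {recent_days} days of the scan')
        if HEX_VALUE_NAME_RE.match(e.name):
            e.reasons.append('Run value name is a hex token, not a product name')
        if e.path.lower() in loaded:
            e.reasons.append(f'loaded into {loaded[e.path.lower()]}')
        if len(e.reasons) >= 2:
            flagged.append(e)
    return flagged


def build_cfscript(flagged: list[LoadPoint]) -> str:
    """Render the flagged entries in the File::/Registry:: form ComboFix accepts."""
    lines = ['File::', *sorted({e.path for e in flagged}), '', 'Registry::']
    run_values: dict[str, list[str]] = {}
    for e in flagged:
        if 'Browser Helper Objects' in e.key:
            lines.append(f'[-{e.key}]')            # leading '-' deletes the whole BHO key
        else:
            run_values.setdefault(e.key, []).append(e.name)
    for key, names in run_values.items():
        lines += ['', f'[{key}]', *(f'"{n}"=-' for n in names)]   # "name"=- removes one value
    return '\n'.join(lines) + '\n'


def triage(log: str, scan_date: date) -> tuple[list[LoadPoint], str]:
    entries, loaded = parse_load_points(log)
    flagged = assess(entries, loaded, scan_date)
    return flagged, build_cfscript(flagged)


if __name__ == '__main__':
    flagged, script = triage(SAMPLE_LOG, SAMPLE_SCAN_DATE)
    for e in flagged:
        print(e.path, '->', '; '.join(e.reasons))
    print(script)
```

The two legitimate Run entries (ctfmon.exe, NvCpl.dll) collect no reasons and stay out of the script, while the BHO DLL is flagged on name and date alone, which is why a helper still reads the whole log rather than trusting one signal.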

nunyabizniz2399
2008-05-22, 07:34
With the exception of what I mentioned previously about IE and MSN, it's working fine. Do you think I should delete IE and MSN and re-install them after this problem is resolved?



ComboFix 08-05-19.4 - Charya 2008-05-22 0:20:27.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.399 [GMT -5:00]
Running from: C:\Documents and Settings\Charya\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Charya\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BMfbbd9bb2.xml
C:\WINDOWS\system32\aygvnrah.dll
C:\WINDOWS\system32\bbptyuhu.dll
C:\WINDOWS\system32\lndvrhcm.exe
C:\WINDOWS\system32\nchrxakk.dll
C:\WINDOWS\system32\uhuytpbb.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMfbbd9bb2.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\lndvrhcm.exe
C:\WINDOWS\system32\nchrxakk.dll
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-21 18:23 . 2008-05-21 18:23 1,160 --a------ C:\WINDOWS\mozver.dat
2008-05-20 21:16 . 2008-05-20 21:23 <DIR> d-------- C:\Documents and Settings\Charya\Application Data\MSNInstaller
2008-05-20 11:00 . 2008-05-20 11:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-20 11:00 . 2008-05-20 11:00 <DIR> d-------- C:\Documents and Settings\Charya\Application Data\Malwarebytes
2008-05-20 11:00 . 2008-05-20 11:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-20 11:00 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-20 11:00 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-17 19:35 . 2008-05-17 19:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 12:29 . 2007-11-26 12:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-05-17 12:29 . 2008-05-17 12:29 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-17 12:29 . 2008-05-21 14:34 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-17 11:00 . 2008-05-17 11:00 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-16 00:38 . 2008-05-16 00:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-16 00:38 . 2008-05-16 00:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-15 23:52 . 2008-05-21 18:51 <DIR> d-------- C:\Documents and Settings\Charya\Application Data\MSN6
2008-05-15 23:52 . 2008-05-15 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-05-15 23:45 . 2008-05-15 23:46 <DIR> d-------- C:\Program Files\Microsoft Picture It! 9
2008-05-15 23:44 . 2008-05-15 23:44 <DIR> d-------- C:\Program Files\Design Science
2008-05-15 23:43 . 2008-05-20 21:21 <DIR> d-------- C:\Program Files\MSN Messenger
2008-05-15 21:27 . 2008-05-18 18:03 958 --a------ C:\WINDOWS\wininit.ini
2008-05-15 20:40 . 2008-05-19 18:21 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-15 20:40 . 2008-05-19 18:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 10:14 . 2008-05-13 11:55 <DIR> d-------- C:\Program Files\DVDFab 5
2008-05-12 21:04 . 2008-05-12 21:04 <DIR> d-------- C:\Program Files\iPod
2008-05-12 15:36 . 2008-05-12 15:36 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-28 22:46 . 2008-04-28 22:47 <DIR> d-------- C:\Program Files\Diner Dash Flo on the Go
2008-04-28 22:46 . 2008-05-15 10:10 <DIR> d-------- C:\Program Files\BFG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 01:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-22 01:47 --------- d-----w C:\Documents and Settings\Charya\Application Data\Vso
2008-05-21 02:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\RetroExp
2008-05-20 15:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-20 06:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-13 15:34 47,360 ----a-w C:\Documents and Settings\Charya\Application Data\pcouffin.sys
2008-05-13 14:05 --------- d-----w C:\Documents and Settings\Charya\Application Data\FUJIFILM
2008-05-13 13:56 --------- d-----w C:\Program Files\Apple Software Update
2008-05-13 02:04 --------- d-----w C:\Program Files\iTunes
2008-05-13 02:02 --------- d-----w C:\Program Files\QuickTime
2008-05-12 23:16 --------- d-----w C:\Documents and Settings\Charya\Application Data\LimeWire
2008-05-12 20:32 --------- d-----w C:\Program Files\Norton 360
2008-04-29 03:48 --------- d-----w C:\Documents and Settings\Charya\Application Data\PlayFirst
2008-04-29 03:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-04-12 22:11 --------- d-----w C:\Program Files\Sally's Salon
2008-04-10 14:36 --------- d-----w C:\Program Files\Go-Go Gourmet
2008-04-10 04:10 --------- d-----w C:\Documents and Settings\Charya\Application Data\Jane s Hotel Family Hero
2008-04-09 22:20 --------- d-----w C:\Program Files\Fashion Boutique-a section8 release
2008-04-09 22:16 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-09 22:15 --------- d-----w C:\Program Files\The Sims Carnival - BumperBlast
2008-04-09 22:14 --------- d-----w C:\Program Files\Ice Cream Craze
2008-04-09 22:06 --------- d-----w C:\Documents and Settings\Charya\Application Data\SprillBermudeEng
2008-04-09 22:05 --------- d-----w C:\Program Files\Hometown Hero
2008-04-09 22:01 --------- d-----w C:\Program Files\Youdagames
2008-04-09 22:01 --------- d-----w C:\Program Files\Jane's Hotel. Family Hero
2008-04-09 22:01 --------- d-----w C:\Documents and Settings\Charya\Application Data\Youdagames
2008-04-07 15:11 --------- d-----w C:\Program Files\WinAVI MP4 Converter
2008-04-07 15:09 --------- d-----w C:\Program Files\Xilisoft
2008-04-02 23:06 2,560 ----a-w C:\WINDOWS\system32\bitcometres.dll
2008-04-02 23:06 --------- d-----w C:\Program Files\BitComet
2008-03-31 22:39 --------- d-----w C:\Program Files\Java
2008-03-30 00:47 --------- d-----w C:\Documents and Settings\Charya\Application Data\ZoomBrowser EX
2008-03-30 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-03-30 00:25 --------- d-----w C:\Program Files\Canon
2008-03-30 00:22 --------- d-----w C:\Program Files\Common Files\Canon
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-23 21:20 --------- d-----w C:\Program Files\American Airlines DealFinder
2008-03-23 21:19 --------- d-----w C:\Program Files\Star Defender 4
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 22:24 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot_2008-05-20_10.56.51.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-20 15:42:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 02:25:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 02:21:25 22,798 ----a-r C:\WINDOWS\Installer\{ABEB838C-A1A7-4C5D-B7E1-8B4314600820}\MsblIco.Exe
+ 2008-03-25 01:21:00 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2008-03-25 01:21:00 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2003-12-12 01:56:18 94,720 ----a-w C:\WINDOWS\system32\msnphoto.scr
+ 2007-02-17 04:21:02 110,080 ----a-w C:\WINDOWS\system32\msnphoto.scr
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 15:39 1289000]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48 157592]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27 153136]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-09-04 16:40 6856704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorkFlow"="D:\Install\WorkFlow.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 02:43 8466432]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 16:42 1404928]
"nwiz"="nwiz.exe" [2007-06-29 02:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 02:43 81920]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 10:21 823296]
"MXOBG"="C:\Documents and Settings\Charya\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE" [ ]
"RetroExpress"="C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe" [2004-07-30 17:47 6946816]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 19:28 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 10:38 241664]
"DXDllRegExe"="dxdllreg.exe" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 02:47 31016]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 13:09 63712]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 16:59 115816]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-08 21:13 1695744]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 21:36 50688]

C:\Documents and Settings\Charya\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-09-02 16:06:54 557568]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 07:19:24 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"23294:TCP"= 23294:TCP:BitComet 23294 TCP
"23294:UDP"= 23294:UDP:BitComet 23294 UDP

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5bb5add-87ef-11dc-be6c-0013205313ed}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-21 01:25:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 00:23:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-22 0:25:02
ComboFix-quarantined-files.txt 2008-05-22 05:24:50
ComboFix2.txt 2008-05-20 15:57:24
ComboFix3.txt 2008-05-20 06:03:06
ComboFix4.txt 2008-05-20 00:04:42

Pre-Run: 33,167,060,992 bytes free
Post-Run: 33,166,163,968 bytes free

196 --- E O F --- 2008-05-20 15:47:41



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:08 AM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqdirec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [WorkFlow] D:\Install\WorkFlow.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\Charya\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.22/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://photoservices.van.fedex.com/software/ImageUploader4.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11565 bytes

Blade81
2008-05-22, 08:41
With the exception of what I mentioned previously about IE and MSN, it's working fine. Do you think I should delete IE and MSN and re-install them after this problem is resolved?
Hi

You could try reinstalling those at this point :)

nunyabizniz2399
2008-05-23, 05:28
I contacted Microsoft about my Internet Explorer problem and I had no luck with them. They basically gave me the runaround. I reinstalled Internet Explorer and so far Yahoo Mail still does not load properly. I'm all out of options. Any suggestions?

Blade81
2008-05-23, 08:32
Hi

One thing that comes into my mind is to uninstall IE 7 and then install IE 8 beta (http://www.microsoft.com/windows/products/winfamily/ie/ie8/getitnow.mspx) to see if it works.

Blade81
2008-05-29, 19:59
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.