View Full Version : Another virtumonde.dll victim
taekrndo
2008-05-21, 03:31
Hey .have scanned with spybot twice in safe mode then rebooted.spybot then scanned at startup and found nothing.now am sending both logs that were done before i scanned in safe mode.hope this helps...Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:19 AM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytelus.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {10A64A7B-7D3F-4B73-BA13-A3596FE82B57} - (no file)
O2 - BHO: (no name) - {47551F98-CC7F-4701-A650-D7231EEA60BD} - C:\WINDOWS\system32\iiffgExy.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {78D861D3-87B3-40DC-B530-3FA300E7028A} - C:\WINDOWS\system32\xxyWOGVM.dll (file missing)
O2 - BHO: (no name) - {E6F2207C-F4A2-4D45-8C5E-F5C845C3919F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [cc3b8862] rundll32.exe "C:\WINDOWS\system32\ifnlweer.dll",b
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA2782] command /c del "C:\WINDOWS\system32\xxyWOGVM.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9962] cmd /c del "C:\WINDOWS\system32\xxyWOGVM.dll_old"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [CMWallpaperChanger] "C:\WINDOWS\system32\wallchan.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB2284] command /c del "C:\WINDOWS\system32\xxyWOGVM.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4745] cmd /c del "C:\WINDOWS\system32\xxyWOGVM.dll_old"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172947860343
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://otter1.vanaqua.org/activex/AxisCamControl.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - Winlogon Notify: iiffgExy - C:\WINDOWS\SYSTEM32\iiffgExy.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Unknown owner - C:\WINDOWS\system32\IoctlSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 10644 bytes
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 20, 2008 3:45:52 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/05/2008
Kaspersky Anti-Virus database records: 788306
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan Statistics:
Total number of scanned objects: 73322
Number of viruses found: 12
Number of infected objects: 25
Number of suspicious objects: 0
Duration of the scan process: 03:29:16
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Charon\CACHE.NDB Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\epfwlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\virlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\warnlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-05202008-085209.log Object is locked skipped
C:\Documents and Settings\All Users\ntuser.dat Object is locked skipped
C:\Documents and Settings\All Users\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ron & Brunis\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\History\History.IE5\MSHist012008052020080521\index.dat Object is locked skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\rq4gw0nfpv.dat/stream/Script Infected: Trojan.Win32.Vapsup.epc skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\rq4gw0nfpv.dat/stream/data0003 Infected: Trojan.Win32.Vapsup.fjb skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\rq4gw0nfpv.dat/stream/data0004 Infected: Trojan.Win32.Vapsup.fhj skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\rq4gw0nfpv.dat/stream/data0006 Infected: Trojan.Win32.Vapsup.fjc skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\rq4gw0nfpv.dat/stream/data0007 Infected: Trojan.Win32.Vapsup.fjd skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\rq4gw0nfpv.dat/stream/data0008 Infected: Trojan.Win32.Vapsup.fje skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\rq4gw0nfpv.dat/stream/data0009 Infected: Trojan.Win32.Vapsup.fjf skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\rq4gw0nfpv.dat/stream Infected: Trojan.Win32.Vapsup.fjf skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\rq4gw0nfpv.dat NSIS: infected - 8 skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\~DF8211.tmp Object is locked skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\~DF822A.tmp Object is locked skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ron & Brunis\ntuser.dat Object is locked skipped
C:\Documents and Settings\Ron & Brunis\ntuser.dat.LOG Object is locked skipped
C:\hpcmerr.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP569\A0069684.exe/data0000.cab/SEED-I~1.EXE Infected: not-a-virus:AdWare.Win32.BargainBuddy.aq skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP569\A0069684.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.BargainBuddy.aq skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP569\A0069684.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP569\A0069690.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP569\A0069690.exe 7-Zip: infected - 1 skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP570\A0069886.exe/data0000.cab/NERO-8~1.EXE/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP570\A0069886.exe/data0000.cab/NERO-8~1.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP570\A0069886.exe/data0000.cab Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP570\A0069886.exe Rsrc-Package: infected - 3 skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP584\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\iiffgExy.dll Infected: Trojan.Win32.Inject.cdg skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\6a94deaedae2f7e77067f0\%temp%dd_msxml_retMSI.txt Object is locked skipped
Scan was interrupted by user!
taekrndo
2008-05-21, 06:28
rescanned wit-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 20, 2008 8:24:35 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/05/2008
Kaspersky Anti-Virus database records: 788663
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan Statistics:
Total number of scanned objects: 90072
Number of viruses found: 12
Number of infected objects: 23
Number of suspicious objects: 0
Duration of the scan process: 02:04:54
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Charon\CACHE.NDB Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\epfwlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\virlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\warnlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-05202008-085209.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ron & Brunis\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{F394920E-7EC7-44C0-A0BD-A445EC0A2A85} Object is locked skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\History\History.IE5\MSHist012008052020080521\index.dat Object is locked skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\rq4gw0nfpv.dat/stream/Script Infected: Trojan.Win32.Vapsup.epc skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\rq4gw0nfpv.dat/stream/data0003 Infected: Trojan.Win32.Vapsup.fjb skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\rq4gw0nfpv.dat/stream/data0004 Infected: Trojan.Win32.Vapsup.fhj skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\rq4gw0nfpv.dat/stream/data0006 Infected: Trojan.Win32.Vapsup.fjc skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\rq4gw0nfpv.dat/stream/data0007 Infected: Trojan.Win32.Vapsup.fjd skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\rq4gw0nfpv.dat/stream/data0008 Infected: Trojan.Win32.Vapsup.fje skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\rq4gw0nfpv.dat/stream/data0009 Infected: Trojan.Win32.Vapsup.fjf skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\rq4gw0nfpv.dat/stream Infected: Trojan.Win32.Vapsup.fjf skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temp\rq4gw0nfpv.dat NSIS: infected - 8 skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Ron & Brunis\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ron & Brunis\ntuser.dat Object is locked skipped
C:\Documents and Settings\Ron & Brunis\ntuser.dat.LOG Object is locked skipped
C:\hpcmerr.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP569\A0069684.exe/data0000.cab/SEED-I~1.EXE Infected: not-a-virus:AdWare.Win32.BargainBuddy.aq skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP569\A0069684.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.BargainBuddy.aq skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP569\A0069684.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP569\A0069690.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP569\A0069690.exe 7-Zip: infected - 1 skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP570\A0069886.exe/data0000.cab/NERO-8~1.EXE/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP570\A0069886.exe/data0000.cab/NERO-8~1.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP570\A0069886.exe/data0000.cab Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP570\A0069886.exe Rsrc-Package: infected - 3 skipped
C:\System Volume Information\_restore{644BE114-A9B4-4880-BA51-05DAF9D0AA6B}\RP584\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\iiffgExy.dll Infected: Trojan.Win32.Inject.cdg skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\6a94deaedae2f7e77067f0\%temp%dd_msxml_retMSI.txt Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
h kaspersky
Rorschach112
2008-05-21, 14:18
Hello
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
[kill explorer]
C:\WINDOWS\system32\iiffgExy.dll
purity
[start explorer]
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Please visit this web page for instructions for downloading and running ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.
Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
taekrndo
2008-05-21, 19:20
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:49 AM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytelus.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [cc3b8862] rundll32.exe "C:\WINDOWS\system32\udnyexlh.dll",b
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [CMWallpaperChanger] "C:\WINDOWS\system32\wallchan.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172947860343
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://otter1.vanaqua.org/activex/AxisCamControl.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Unknown owner - C:\WINDOWS\system32\IoctlSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 9586 bytes
ComboFix 08-05-20.5 - Ron & Brunis 2008-05-21 8:55:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.614 [GMT -7:00]
Running from: C:\Documents and Settings\Ron & Brunis\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ron & Brunis\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
Error: Cfiles.dat
Error: Cfolders.dat
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\hrtawofs.ini
C:\WINDOWS\system32\iSvDNUvw.ini
C:\WINDOWS\system32\iSvDNUvw.ini2
C:\WINDOWS\system32\MVGOWyxx.ini
C:\WINDOWS\system32\MVGOWyxx.ini2
C:\WINDOWS\system32\reewlnfi.ini
C:\WINDOWS\system32\xoojlqrw.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Service_NPF
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.
2008-05-21 08:13 . 2008-05-21 08:13 <DIR> d-------- C:\_OTMoveIt
2008-05-20 17:56 . 2008-05-20 17:56 0 --a------ C:\LOG180.tmp
2008-05-20 17:36 . 2008-05-20 17:36 91,264 --a------ C:\WINDOWS\system32\wrqljoox.dll
2008-05-20 17:35 . 2008-05-20 17:35 319,360 --a------ C:\WINDOWS\system32\wvUNDvSi.dll
2008-05-20 11:35 . 2008-05-20 11:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-20 11:35 . 2008-05-20 11:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-20 11:08 . 2008-05-20 11:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-20 08:52 . 2008-05-20 08:52 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-19 22:03 . 2008-05-19 22:00 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-19 21:59 . 2008-05-19 23:22 <DIR> d-------- C:\Documents and Settings\Ron & Brunis\.housecall6.6
2008-05-19 21:58 . 2008-05-20 17:58 2,765 --a------ C:\WINDOWS\cookies.ini
2008-05-19 20:59 . 2008-05-20 08:24 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2008-05-19 20:01 . 2008-05-19 20:01 <DIR> d-------- C:\Documents and Settings\Ron & Brunis\Application Data\ESET
2008-05-19 19:55 . 2008-05-19 19:55 <DIR> d-------- C:\Program Files\Marsu-Fix
2008-05-19 19:55 . 2008-05-19 19:55 159,847 --a------ C:\WINDOWS\Marsu-Fix Uninstaller.exe
2008-05-19 19:44 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-05-19 19:44 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-05-19 19:42 . 2008-05-19 19:42 <DIR> d-------- C:\Program Files\ESET
2008-05-19 19:42 . 2008-05-19 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-19 08:54 . 2008-02-28 13:26 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-05-18 13:13 . 2008-05-18 13:13 28,800 --a------ C:\WINDOWS\system32\iiffgExy.dll
2008-05-18 13:13 . 2008-05-18 13:13 51 --a------ C:\smp.bat
2008-05-02 21:26 . 2008-05-08 15:41 <DIR> d-------- C:\Documents and Settings\Ron & Brunis\Application Data\teamspeak2
2008-05-02 21:25 . 2008-05-02 21:26 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2008-05-02 21:25 . 2008-05-02 21:25 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-05-02 10:53 . 2008-05-03 20:04 140 --a------ C:\WINDOWS\winsysloge.cfg
2008-05-02 10:06 . 2008-05-02 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\1.0.0.0
2008-05-02 09:08 . 2008-05-12 22:19 <DIR> d-------- C:\Program Files\dsslegends
2008-05-02 09:08 . 2007-08-02 20:08 132,880 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-02 09:08 . 2007-08-02 20:08 103,744 --a------ C:\WINDOWS\system32\MSCOMM32.OCX
2008-04-29 14:15 . 2008-04-29 14:15 <DIR> d-------- C:\Documents and Settings\Ron & Brunis\Application Data\Intuit Canada
2008-04-29 14:14 . 2008-04-29 15:27 <DIR> d-------- C:\Program Files\QuickTax 2007
2008-04-29 14:14 . 2008-04-29 14:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit Canada
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 00:57 --------- d-----w C:\Documents and Settings\Ron & Brunis\Application Data\U3
2008-05-20 02:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-20 02:38 --------- d-----w C:\Program Files\Panda Software
2008-05-20 02:38 --------- d-----w C:\Program Files\Common Files\Panda Software
2008-05-20 00:59 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-20 00:40 --------- d-----w C:\Documents and Settings\Ron & Brunis\Application Data\uTorrent
2008-05-20 00:27 --------- d-----w C:\Program Files\PeerGuardian2
2008-05-18 02:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy
2008-04-29 21:15 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-16 00:30 --------- d-----w C:\Documents and Settings\Ron & Brunis\Application Data\LimeWire
2008-04-09 16:28 80,512 ----a-w C:\WINDOWS\system32\drivers\NmPar.sys
2008-04-04 14:30 70,016 ----a-w C:\WINDOWS\system32\drivers\NmSerial.sys
2008-04-03 19:37 --------- d-----w C:\Program Files\Java
2008-03-30 16:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-03-30 16:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-30 16:34 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-03-08 16:27 87,608 ----a-w C:\Documents and Settings\Ron & Brunis\Application Data\ezpinst.exe
2008-03-08 16:27 47,360 ----a-w C:\Documents and Settings\Ron & Brunis\Application Data\pcouffin.sys
2008-02-27 18:38 691,545 ----a-w C:\WINDOWS\unins000.exe
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10A64A7B-7D3F-4B73-BA13-A3596FE82B57}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47551F98-CC7F-4701-A650-D7231EEA60BD}]
2008-05-18 13:13 28800 --a------ C:\WINDOWS\system32\iiffgExy.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7010D47A-5320-403E-B71E-A7041FE8899B}]
2008-05-20 17:35 319360 --a------ C:\WINDOWS\system32\wvUNDvSi.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{781EE9D2-C2D9-4C8A-9BB5-335BF6950304}]
2008-05-21 09:08 318848 --a------ C:\WINDOWS\system32\yayyVmnN.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78D861D3-87B3-40DC-B530-3FA300E7028A}]
C:\WINDOWS\system32\xxyWOGVM.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A54BA1FD-99D8-400B-97A7-2229BE3BB5CF}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6F2207C-F4A2-4D45-8C5E-F5C845C3919F}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-01-23 09:06 204843]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 03:48 157592]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"CMWallpaperChanger"="C:\WINDOWS\system32\wallchan.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 07:14 188416]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 14:23 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 15:57 221184]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 12:24 49152]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-20 14:15 483328]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 12:10 221184]
"DMXLauncher"="C:\Program Files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 01:07 102400]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"cc3b8862"="C:\WINDOWS\system32\udnyexlh.dll" [2008-05-21 09:12 89088]
"@"="" []
C:\Documents and Settings\Ron & Brunis\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2007-12-10 17:22:13 581632]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{47551F98-CC7F-4701-A650-D7231EEA60BD}"= C:\WINDOWS\system32\iiffgExy.dll [2008-05-18 13:13 28800]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffgExy]
iiffgExy.dll 2008-05-18 13:13 28800 C:\WINDOWS\system32\iiffgExy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 16:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msacm.l3acm"= l3codecp.acm
"vidc.yv12"= yv12vfw.dll
"VIDC.JDCT"= jl_jdct.drv
"msacm.l3codec"= l3codecp.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\yayyVmnN
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"%SystemDir%\\winsecurityxp\\mswinup.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"C:\\Program Files\\Roxio\\Creator Classic 9\\Creator9.exe"=
"C:\\Program Files\\Common Files\\Sonic Shared\\RoxioUPnPRenderer9.exe"=
R3 NmPar;Unusable Parallel Port;C:\WINDOWS\system32\DRIVERS\NmPar.sys [2008-04-09 09:28]
R3 nmserial;PCI Serial Port;C:\WINDOWS\system32\DRIVERS\nmserial.sys [2008-04-04 07:30]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-08-23 05:00]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 01:06]
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\system32\Drivers\jl2005c.sys [2007-01-26 21:09]
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\System32\PavSRK.sys []
S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 16:58:10 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7200#CN35S1B11ME0.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
"2008-05-21 00:58:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
"2008-05-21 16:02:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 09:03:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\yayyVmnN.dll 318848 bytes executable
C:\WINDOWS\system32\NnmVyyay.ini 441 bytes
C:\WINDOWS\system32\NnmVyyay.ini2 344 bytes
scan completed successfully
hidden files: 3
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\iiffgExy.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowProducer\scsiaccess.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-21 9:12:50 - machine was rebooted [Ron & Brunis]
ComboFix-quarantined-files.txt 2008-05-21 16:12:45
Pre-Run: 44,497,076,224 bytes free
Post-Run: 56,430,112,768 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
225 --- E O F --- 2008-05-17 02:20:43
taekrndo
2008-05-21, 19:26
forgot this report::::
Explorer killed successfully
DllUnregisterServer procedure not found in C:\WINDOWS\system32\iiffgExy.dll
C:\WINDOWS\system32\iiffgExy.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\iiffgExy.dll scheduled to be moved on reboot.
< purity >
Explorer started successfully
OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05212008_081345
Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\system32\iiffgExy.dll
C:\WINDOWS\system32\iiffgExy.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\iiffgExy.dll scheduled to be moved on reboot.
Rorschach112
2008-05-21, 19:38
Hello
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\wrqljoox.dll
C:\WINDOWS\system32\wvUNDvSi.dll
C:\WINDOWS\system32\iiffgExy.dll
C:\smp.bat
C:\WINDOWS\winsysloge.cfg
Folder::
Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{47551F98-CC7F-4701-A650-D7231EEA60BD}"=-
Rootkit::
C:\WINDOWS\system32\yayyVmnN.dll
C:\WINDOWS\system32\NnmVyyay.ini
C:\WINDOWS\system32\NnmVyyay.ini2
Save this as CFScript.txt, in the same location as ComboFix.exe
http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Also post a new HijackThis log
taekrndo
2008-05-21, 20:05
combo fix reboots my pc and then my av and spybot resident fires up..should i let them run or close them upon startup? new logs here....Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:13 AM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytelus.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {78D861D3-87B3-40DC-B530-3FA300E7028A} - C:\WINDOWS\system32\xxyWOGVM.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [cc3b8862] rundll32.exe "C:\WINDOWS\system32\udnyexlh.dll",b
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [CMWallpaperChanger] "C:\WINDOWS\system32\wallchan.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172947860343
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://otter1.vanaqua.org/activex/AxisCamControl.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - Winlogon Notify: iiffgExy - iiffgExy.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Unknown owner - C:\WINDOWS\system32\IoctlSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 10074 bytes
ComboFix 08-05-20.5 - Ron & Brunis 2008-05-21 9:47:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.573 [GMT -7:00]
Running from: C:\Documents and Settings\Ron & Brunis\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ron & Brunis\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\smp.bat
C:\WINDOWS\system32\iiffgExy.dll
C:\WINDOWS\system32\wrqljoox.dll
C:\WINDOWS\system32\wvUNDvSi.dll
C:\WINDOWS\winsysloge.cfg
.
Error: Cfiles.dat
Error: Cfolders.dat
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\smp.bat
C:\WINDOWS\system32\hlxeyndu.ini
C:\WINDOWS\system32\iiffgExy.dll
C:\WINDOWS\system32\NnmVyyay.ini
C:\WINDOWS\system32\NnmVyyay.ini2
C:\WINDOWS\system32\wrqljoox.dll
C:\WINDOWS\system32\wvUNDvSi.dll
C:\WINDOWS\system32\yayyVmnN.dll
C:\WINDOWS\winsysloge.cfg
.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.
2008-05-21 09:12 . 2008-05-21 09:12 89,088 --a------ C:\WINDOWS\system32\udnyexlh.dll
2008-05-21 08:13 . 2008-05-21 08:13 <DIR> d-------- C:\_OTMoveIt
2008-05-20 17:56 . 2008-05-20 17:56 0 --a------ C:\LOG180.tmp
2008-05-20 11:35 . 2008-05-20 11:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-20 11:35 . 2008-05-20 11:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-20 11:08 . 2008-05-20 11:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-20 08:52 . 2008-05-20 08:52 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-19 22:03 . 2008-05-19 22:00 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-19 21:59 . 2008-05-19 23:22 <DIR> d-------- C:\Documents and Settings\Ron & Brunis\.housecall6.6
2008-05-19 21:58 . 2008-05-20 17:58 2,765 --a------ C:\WINDOWS\cookies.ini
2008-05-19 20:59 . 2008-05-20 08:24 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2008-05-19 20:01 . 2008-05-19 20:01 <DIR> d-------- C:\Documents and Settings\Ron & Brunis\Application Data\ESET
2008-05-19 19:55 . 2008-05-19 19:55 <DIR> d-------- C:\Program Files\Marsu-Fix
2008-05-19 19:55 . 2008-05-19 19:55 159,847 --a------ C:\WINDOWS\Marsu-Fix Uninstaller.exe
2008-05-19 19:44 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-05-19 19:44 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-05-19 19:42 . 2008-05-19 19:42 <DIR> d-------- C:\Program Files\ESET
2008-05-19 19:42 . 2008-05-19 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-19 08:54 . 2008-02-28 13:26 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-05-02 21:26 . 2008-05-08 15:41 <DIR> d-------- C:\Documents and Settings\Ron & Brunis\Application Data\teamspeak2
2008-05-02 21:25 . 2008-05-02 21:26 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2008-05-02 21:25 . 2008-05-02 21:25 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-05-02 10:06 . 2008-05-02 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\1.0.0.0
2008-05-02 09:08 . 2008-05-12 22:19 <DIR> d-------- C:\Program Files\dsslegends
2008-05-02 09:08 . 2007-08-02 20:08 132,880 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-02 09:08 . 2007-08-02 20:08 103,744 --a------ C:\WINDOWS\system32\MSCOMM32.OCX
2008-04-29 14:15 . 2008-04-29 14:15 <DIR> d-------- C:\Documents and Settings\Ron & Brunis\Application Data\Intuit Canada
2008-04-29 14:14 . 2008-04-29 15:27 <DIR> d-------- C:\Program Files\QuickTax 2007
2008-04-29 14:14 . 2008-04-29 14:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit Canada
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 00:57 --------- d-----w C:\Documents and Settings\Ron & Brunis\Application Data\U3
2008-05-20 02:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-20 02:38 --------- d-----w C:\Program Files\Panda Software
2008-05-20 02:38 --------- d-----w C:\Program Files\Common Files\Panda Software
2008-05-20 00:59 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-20 00:40 --------- d-----w C:\Documents and Settings\Ron & Brunis\Application Data\uTorrent
2008-05-20 00:27 --------- d-----w C:\Program Files\PeerGuardian2
2008-05-18 02:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy
2008-04-29 21:15 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-16 00:30 --------- d-----w C:\Documents and Settings\Ron & Brunis\Application Data\LimeWire
2008-04-09 16:28 80,512 ----a-w C:\WINDOWS\system32\drivers\NmPar.sys
2008-04-04 14:32 39,936 ----a-w C:\WINDOWS\system32\pnpports.dll
2008-04-04 14:30 70,016 ----a-w C:\WINDOWS\system32\drivers\NmSerial.sys
2008-04-03 19:37 --------- d-----w C:\Program Files\Java
2008-03-30 16:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-03-30 16:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-30 16:34 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-08 16:27 87,608 ----a-w C:\Documents and Settings\Ron & Brunis\Application Data\ezpinst.exe
2008-03-08 16:27 47,360 ----a-w C:\Documents and Settings\Ron & Brunis\Application Data\pcouffin.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-27 18:38 691,545 ----a-w C:\WINDOWS\unins000.exe
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.
((((((((((((((((((((((((((((( snapshot@2008-05-21_ 9.12.15.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 15:59:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 16:50:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 16:51:22 16,384 --sha-w C:\WINDOWS\TEMP\Cookies\index.dat
+ 2008-05-21 16:51:22 16,384 --sha-w C:\WINDOWS\TEMP\History\History.IE5\index.dat
+ 2008-05-21 16:51:22 32,768 --sha-w C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10A64A7B-7D3F-4B73-BA13-A3596FE82B57}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47551F98-CC7F-4701-A650-D7231EEA60BD}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7010D47A-5320-403E-B71E-A7041FE8899B}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78D861D3-87B3-40DC-B530-3FA300E7028A}]
C:\WINDOWS\system32\xxyWOGVM.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A54BA1FD-99D8-400B-97A7-2229BE3BB5CF}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6F2207C-F4A2-4D45-8C5E-F5C845C3919F}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-01-23 09:06 204843]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 03:48 157592]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"CMWallpaperChanger"="C:\WINDOWS\system32\wallchan.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 07:14 188416]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 14:23 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 15:57 221184]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 12:24 49152]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-20 14:15 483328]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 12:10 221184]
"DMXLauncher"="C:\Program Files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 01:07 102400]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"cc3b8862"="C:\WINDOWS\system32\sfowatrh.dll" [ ]
"@"="" []
C:\Documents and Settings\Ron & Brunis\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2007-12-10 17:22:13 581632]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffgExy]
iiffgExy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 16:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msacm.l3acm"= l3codecp.acm
"vidc.yv12"= yv12vfw.dll
"VIDC.JDCT"= jl_jdct.drv
"msacm.l3codec"= l3codecp.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"%SystemDir%\\winsecurityxp\\mswinup.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"C:\\Program Files\\Roxio\\Creator Classic 9\\Creator9.exe"=
"C:\\Program Files\\Common Files\\Sonic Shared\\RoxioUPnPRenderer9.exe"=
R3 NmPar;Unusable Parallel Port;C:\WINDOWS\system32\DRIVERS\NmPar.sys [2008-04-09 09:28]
R3 nmserial;PCI Serial Port;C:\WINDOWS\system32\DRIVERS\nmserial.sys [2008-04-04 07:30]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-08-23 05:00]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 01:06]
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\system32\Drivers\jl2005c.sys [2007-01-26 21:09]
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\System32\PavSRK.sys []
S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 16:58:10 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7200#CN35S1B11ME0.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
"2008-05-21 16:58:02 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
"2008-05-21 16:53:43 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 09:51:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowProducer\scsiaccess.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-21 10:00:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-21 17:00:06
ComboFix2.txt 2008-05-21 16:12:51
Pre-Run: 56,417,640,448 bytes free
Post-Run: 56,384,970,752 bytes free
216 --- E O F --- 2008-05-17 02:20:43
Rorschach112
2008-05-21, 22:43
Hello
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):
O2 - BHO: (no name) - {78D861D3-87B3-40DC-B530-3FA300E7028A} - C:\WINDOWS\system32\xxyWOGVM.dll (file missing)
O4 - HKLM\..\Run: [cc3b8862] rundll32.exe "C:\WINDOWS\system32\udnyexlh.dll",b
O20 - Winlogon Notify: iiffgExy - iiffgExy.dll (file missing)
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\udnyexlh.dll
C:\WINDOWS\cookies.ini
Folder::
Registry::
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
Also post a new HijackThis log
taekrndo
2008-05-21, 23:18
ComboFix 08-05-20.5 - Ron & Brunis 2008-05-21 13:00:15.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.592 [GMT -7:00]
Running from: C:\Documents and Settings\Ron & Brunis\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ron & Brunis\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\udnyexlh.dll
.
Error: Cfiles.dat
Error: Cfolders.dat
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\udnyexlh.dll
.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.
2008-05-21 10:00 . 2008-05-21 11:39 706 ---hs---- C:\WINDOWS\system32\hlxeyndu.ini
2008-05-21 08:13 . 2008-05-21 08:13 <DIR> d-------- C:\_OTMoveIt
2008-05-20 17:56 . 2008-05-20 17:56 0 --a------ C:\LOG180.tmp
2008-05-20 11:35 . 2008-05-20 11:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-20 11:35 . 2008-05-20 11:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-20 11:08 . 2008-05-20 11:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-20 08:52 . 2008-05-20 08:52 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-19 22:03 . 2008-05-19 22:00 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-19 21:59 . 2008-05-19 23:22 <DIR> d-------- C:\Documents and Settings\Ron & Brunis\.housecall6.6
2008-05-19 20:59 . 2008-05-20 08:24 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2008-05-19 20:01 . 2008-05-19 20:01 <DIR> d-------- C:\Documents and Settings\Ron & Brunis\Application Data\ESET
2008-05-19 19:55 . 2008-05-19 19:55 <DIR> d-------- C:\Program Files\Marsu-Fix
2008-05-19 19:55 . 2008-05-19 19:55 159,847 --a------ C:\WINDOWS\Marsu-Fix Uninstaller.exe
2008-05-19 19:44 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-05-19 19:44 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-05-19 19:42 . 2008-05-19 19:42 <DIR> d-------- C:\Program Files\ESET
2008-05-19 19:42 . 2008-05-19 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-19 08:54 . 2008-02-28 13:26 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-05-02 21:26 . 2008-05-08 15:41 <DIR> d-------- C:\Documents and Settings\Ron & Brunis\Application Data\teamspeak2
2008-05-02 21:25 . 2008-05-02 21:26 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2008-05-02 21:25 . 2008-05-02 21:25 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-05-02 10:06 . 2008-05-02 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\1.0.0.0
2008-05-02 09:08 . 2008-05-12 22:19 <DIR> d-------- C:\Program Files\dsslegends
2008-05-02 09:08 . 2007-08-02 20:08 132,880 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-02 09:08 . 2007-08-02 20:08 103,744 --a------ C:\WINDOWS\system32\MSCOMM32.OCX
2008-04-29 14:15 . 2008-04-29 14:15 <DIR> d-------- C:\Documents and Settings\Ron & Brunis\Application Data\Intuit Canada
2008-04-29 14:14 . 2008-04-29 15:27 <DIR> d-------- C:\Program Files\QuickTax 2007
2008-04-29 14:14 . 2008-04-29 14:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit Canada
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 00:57 --------- d-----w C:\Documents and Settings\Ron & Brunis\Application Data\U3
2008-05-20 02:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-20 02:38 --------- d-----w C:\Program Files\Panda Software
2008-05-20 02:38 --------- d-----w C:\Program Files\Common Files\Panda Software
2008-05-20 00:59 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-20 00:40 --------- d-----w C:\Documents and Settings\Ron & Brunis\Application Data\uTorrent
2008-05-20 00:27 --------- d-----w C:\Program Files\PeerGuardian2
2008-05-18 02:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy
2008-04-29 21:15 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-16 00:30 --------- d-----w C:\Documents and Settings\Ron & Brunis\Application Data\LimeWire
2008-04-09 16:28 80,512 ----a-w C:\WINDOWS\system32\drivers\NmPar.sys
2008-04-04 14:32 39,936 ----a-w C:\WINDOWS\system32\pnpports.dll
2008-04-04 14:30 70,016 ----a-w C:\WINDOWS\system32\drivers\NmSerial.sys
2008-04-03 19:37 --------- d-----w C:\Program Files\Java
2008-03-30 16:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-03-30 16:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-30 16:34 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-08 16:27 87,608 ----a-w C:\Documents and Settings\Ron & Brunis\Application Data\ezpinst.exe
2008-03-08 16:27 47,360 ----a-w C:\Documents and Settings\Ron & Brunis\Application Data\pcouffin.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-27 18:38 691,545 ----a-w C:\WINDOWS\unins000.exe
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.
((((((((((((((((((((((((((((( snapshot@2008-05-21_ 9.12.15.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 15:59:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 18:39:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-01-23 09:06 204843]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 03:48 157592]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"CMWallpaperChanger"="C:\WINDOWS\system32\wallchan.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 07:14 188416]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 14:23 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 15:57 221184]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 12:24 49152]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-20 14:15 483328]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 12:10 221184]
"DMXLauncher"="C:\Program Files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 01:07 102400]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"cc3b8862"="C:\WINDOWS\system32\udnyexlh.dll" [ ]
C:\Documents and Settings\Ron & Brunis\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2007-12-10 17:22:13 581632]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 16:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msacm.l3acm"= l3codecp.acm
"vidc.yv12"= yv12vfw.dll
"VIDC.JDCT"= jl_jdct.drv
"msacm.l3codec"= l3codecp.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"%SystemDir%\\winsecurityxp\\mswinup.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"C:\\Program Files\\Roxio\\Creator Classic 9\\Creator9.exe"=
"C:\\Program Files\\Common Files\\Sonic Shared\\RoxioUPnPRenderer9.exe"=
R3 NmPar;Unusable Parallel Port;C:\WINDOWS\system32\DRIVERS\NmPar.sys [2008-04-09 09:28]
R3 nmserial;PCI Serial Port;C:\WINDOWS\system32\DRIVERS\nmserial.sys [2008-04-04 07:30]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-08-23 05:00]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 01:06]
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\system32\Drivers\jl2005c.sys [2007-01-26 21:09]
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\System32\PavSRK.sys []
S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 16:58:10 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7200#CN35S1B11ME0.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe$/#Hewlett-Packard#7200#CN35S1B11ME0
"2008-05-21 16:58:02 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
"2008-05-21 18:42:37 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 13:01:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-05-21 13:04:47
ComboFix-quarantined-files.txt 2008-05-21 20:03:44
ComboFix2.txt 2008-05-21 17:00:11
ComboFix3.txt 2008-05-21 16:12:51
Pre-Run: 56,312,774,656 bytes free
Post-Run: 56,303,722,496 bytes free
170 --- E O F --- 2008-05-17 02:20:43
Malwarebytes' Anti-Malware 1.12
Database version: 775
Scan type: Quick Scan
Objects scanned: 36080
Time elapsed: 5 minute(s), 42 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cc3b8862 (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:13 PM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytelus.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {10A64A7B-7D3F-4B73-BA13-A3596FE82B57} - (no file)
O2 - BHO: (no name) - {47551F98-CC7F-4701-A650-D7231EEA60BD} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7010D47A-5320-403E-B71E-A7041FE8899B} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A54BA1FD-99D8-400B-97A7-2229BE3BB5CF} - (no file)
O2 - BHO: (no name) - {E6F2207C-F4A2-4D45-8C5E-F5C845C3919F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [cc3b8862] rundll32.exe "C:\WINDOWS\system32\udnyexlh.dll",b
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [CMWallpaperChanger] "C:\WINDOWS\system32\wallchan.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172947860343
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://otter1.vanaqua.org/activex/AxisCamControl.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Unknown owner - C:\WINDOWS\system32\IoctlSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 10234 bytes
Rorschach112
2008-05-22, 00:00
Hello
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):
O2 - BHO: (no name) - {10A64A7B-7D3F-4B73-BA13-A3596FE82B57} - (no file)
O2 - BHO: (no name) - {47551F98-CC7F-4701-A650-D7231EEA60BD} - (no file)
O2 - BHO: (no name) - {7010D47A-5320-403E-B71E-A7041FE8899B} - (no file)
O2 - BHO: (no name) - {A54BA1FD-99D8-400B-97A7-2229BE3BB5CF} - (no file)
O2 - BHO: (no name) - {E6F2207C-F4A2-4D45-8C5E-F5C845C3919F} - (no file)
O4 - HKLM\..\Run: [cc3b8862] rundll32.exe "C:\WINDOWS\system32\udnyexlh.dll",b
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
[kill explorer]
C:\WINDOWS\system32\hlxeyndu.ini
purity
[start explorer]
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Reboot and do this
Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
taekrndo
2008-05-22, 02:04
Explorer killed successfully
C:\WINDOWS\system32\hlxeyndu.ini moved successfully.
< purity >
Explorer started successfully
OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05212008_155238
Deckard's System Scanner v20071014.68
Run by Ron & Brunis on 2008-05-21 15:58:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
111: 2008-05-21 22:58:09 UTC - RP593 - Deckard's System Scanner Restore Point
110: 2008-05-21 20:00:08 UTC - RP592 - ComboFix created restore point
109: 2008-05-21 19:07:29 UTC - RP591 - Spybot-S&D Spyware removal
108: 2008-05-21 18:37:57 UTC - RP590 - ComboFix created restore point
107: 2008-05-21 18:08:21 UTC - RP589 - ComboFix created restore point
-- First Restore Point --
1: 2008-05-21 16:13:01 UTC - RP483 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Ron & Brunis.exe) ----------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:07 PM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ron & Brunis\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ron & Brunis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytelus.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [CMWallpaperChanger] "C:\WINDOWS\system32\wallchan.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172947860343
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://otter1.vanaqua.org/activex/AxisCamControl.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Unknown owner - C:\WINDOWS\system32\IoctlSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 9321 bytes
-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------
backup-20080521-125322-603 O20 - Winlogon Notify: iiffgExy - iiffgExy.dll (file missing)
backup-20080521-125322-823 O4 - HKLM\..\Run: [cc3b8862] rundll32.exe "C:\WINDOWS\system32\udnyexlh.dll",b
backup-20080521-125322-906 O2 - BHO: (no name) - {78D861D3-87B3-40DC-B530-3FA300E7028A} - C:\WINDOWS\system32\xxyWOGVM.dll (file missing)
backup-20080521-155039-132 O2 - BHO: (no name) - {10A64A7B-7D3F-4B73-BA13-A3596FE82B57} - (no file)
backup-20080521-155039-224 O2 - BHO: (no name) - {7010D47A-5320-403E-B71E-A7041FE8899B} - (no file)
backup-20080521-155039-264 O4 - HKLM\..\Run: [cc3b8862] rundll32.exe "C:\WINDOWS\system32\udnyexlh.dll",b
backup-20080521-155039-799 O2 - BHO: (no name) - {E6F2207C-F4A2-4D45-8C5E-F5C845C3919F} - (no file)
backup-20080521-155039-829 O2 - BHO: (no name) - {47551F98-CC7F-4701-A650-D7231EEA60BD} - (no file)
backup-20080521-155039-976 O2 - BHO: (no name) - {A54BA1FD-99D8-400B-97A7-2229BE3BB5CF} - (no file)
-- File Associations -----------------------------------------------------------
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 Pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R4 catchme - c:\combofix\catchme.sys (file missing)
S3 APLMp50 (APLMp50 NDIS Protocol Driver) - c:\windows\system32\drivers\aplmp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 JL2005C (Dual Mode Camera) - c:\windows\system32\drivers\jl2005c.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
S3 PavSRK.sys - c:\windows\system32\pavsrk.sys (file missing)
S3 PavTPK.sys - c:\windows\system32\pavtpk.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 ScsiAccess - c:\program files\photodex\proshowproducer\scsiaccess.exe
S2 PLFlash DeviceIoControl Service - c:\windows\system32\ioctlsvc.exe (file missing)
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>
S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Scheduled Tasks -------------------------------------------------------------
2008-05-21 13:58:00 356 --a------ C:\WINDOWS\Tasks\HP Usg Daily.job
2008-05-21 11:42:37 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-05-03 09:58:10 334 --a------ C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7200#CN35S1B11ME0.job
-- Files created between 2008-04-21 and 2008-05-21 -----------------------------
2008-05-21 13:07:32 0 d-------- C:\Documents and Settings\Ron & Brunis\Application Data\Malwarebytes
2008-05-21 13:07:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-21 13:07:25 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-21 08:55:26 0 d-------- C:\cmdcons
2008-05-21 08:54:17 68096 --a------ C:\WINDOWS\zip.exe
2008-05-21 08:54:17 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-21 08:54:17 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-21 08:54:17 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-21 08:54:17 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-21 08:54:17 98816 --a------ C:\WINDOWS\sed.exe
2008-05-21 08:54:17 80412 --a------ C:\WINDOWS\grep.exe
2008-05-21 08:54:17 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-20 11:35:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-20 11:35:43 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-20 11:08:42 0 d-------- C:\Program Files\Trend Micro
2008-05-20 08:52:00 0 d-------- C:\Program Files\Windows Defender
2008-05-19 21:59:51 0 d-------- C:\Documents and Settings\Ron & Brunis\.housecall6.6
2008-05-19 20:01:25 0 d-------- C:\Documents and Settings\Ron & Brunis\Application Data\ESET
2008-05-19 19:55:28 159847 --a------ C:\WINDOWS\Marsu-Fix Uninstaller.exe
2008-05-19 19:55:28 0 d-------- C:\Program Files\Marsu-Fix
2008-05-19 19:44:36 5702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-05-19 19:44:36 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-05-19 19:42:23 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-02 21:26:29 0 d-------- C:\Documents and Settings\Ron & Brunis\Application Data\teamspeak2
2008-05-02 21:25:42 0 d-------- C:\Program Files\Teamspeak2_RC2
2008-05-02 10:06:11 0 d-------- C:\Documents and Settings\All Users\Application Data\1.0.0.0
2008-05-02 09:08:30 0 d-------- C:\Program Files\dsslegends
2008-04-29 14:15:18 0 d-------- C:\Documents and Settings\Ron & Brunis\Application Data\Intuit Canada
2008-04-29 14:14:56 0 d-------- C:\Program Files\QuickTax 2007
2008-04-29 14:14:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Intuit Canada
-- Find3M Report ---------------------------------------------------------------
2008-05-20 17:57:17 0 d-------- C:\Documents and Settings\Ron & Brunis\Application Data\U3
2008-05-19 21:54:36 0 d-------- C:\Program Files\Common Files
2008-05-19 19:38:42 0 d-------- C:\Program Files\Panda Software
2008-05-19 19:38:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-19 19:38:41 0 d-------- C:\Program Files\Common Files\Panda Software
2008-05-19 17:59:57 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-19 17:40:16 0 d-------- C:\Documents and Settings\Ron & Brunis\Application Data\uTorrent
2008-05-19 17:27:46 0 d-------- C:\Program Files\PeerGuardian2
2008-04-29 14:15:04 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-15 17:30:35 0 d-------- C:\Documents and Settings\Ron & Brunis\Application Data\LimeWire
2008-04-03 12:37:53 0 d-------- C:\Program Files\Java
2008-03-30 09:34:42 0 d-------- C:\Program Files\SystemRequirementsLab
2008-03-28 08:24:59 288 --a------ C:\WINDOWS\packegtag.reg
2008-03-08 09:28:03 34 --a------ C:\Documents and Settings\Ron & Brunis\Application Data\pcouffin.log
2008-03-08 09:27:45 47360 --a------ C:\Documents and Settings\Ron & Brunis\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-03-08 09:27:45 1144 --a------ C:\Documents and Settings\Ron & Brunis\Application Data\pcouffin.inf
2008-03-08 09:27:45 7824 --a------ C:\Documents and Settings\Ron & Brunis\Application Data\pcouffin.cat
2008-02-27 11:39:32 2557 --a------ C:\WINDOWS\unins000.dat
2008-02-27 11:38:03 691545 --a------ C:\WINDOWS\unins000.exe
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 12:22 PM]
"nwiz"="nwiz.exe" [10/22/2006 12:22 PM C:\WINDOWS\system32\nwiz.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [07/25/2003 07:14 AM]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [08/20/2003 02:23 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [08/20/2003 03:57 PM]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [06/25/2003 12:24 PM]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [08/20/2003 02:15 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [08/10/2006 12:10 PM]
"DMXLauncher"="C:\Program Files\Roxio\Media Experience\DMXLauncher.exe" [08/14/2006 01:07 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 04:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 04:50 PM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [03/13/2008 04:48 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [01/23/2007 09:06 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [11/12/2006 03:48 AM]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [12/02/2004 06:23 PM]
"CMWallpaperChanger"="C:\WINDOWS\system32\wallchan.exe" []
C:\Documents and Settings\Ron & Brunis\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [12/10/2007 5:22:13 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 01/31/2005 04:13 PM 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
-- End of Deckard's System Scanner: finished at 2008-05-21 16:00:53 ------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: AMD Athlon(tm) XP 2200+
Percentage of Memory in Use: 44%
Physical Memory (total/avail): 1023.48 MiB / 571.2 MiB
Pagefile Memory (total/avail): 2463.84 MiB / 2146.8 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.54 MiB
A: is Removable (No Media)
C: is Fixed (NTFS) - 74.55 GiB total, 52.38 GiB free.
D: is Fixed (NTFS) - 186.31 GiB total, 104.35 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (No Media)
H: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - SAMSUNG SP0802N SCSI Disk Device - 74.56 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.55 GiB - C:
\\.\PHYSICALDRIVE1 - ST320082 2A SCSI Disk Device - 186.31 GiB - 1 partition
\PARTITION0 - Installable File System - 186.31 GiB - D:
\\.\PHYSICALDRIVE2 - HP photosmart 7200 USB Device
-- Security Center -------------------------------------------------------------
AUOptions is set to notify before install.
Windows Internal Firewall is disabled.
FW: ESET Personal firewall v3.0.650.0 (ESET, spol. s r. o.)
AV: ESET Smart Security 3.0 v3.0 (ESET, spol. s r. o.)
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\Sonic Shared\\RoxioUPnPRenderer9.exe"="C:\\Program Files\\Common Files\\Sonic Shared\\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"="C:\\Program Files\\IncrediMail\\bin\\IMApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"%SystemDir%\\winsecurityxp\\mswinup.exe"="%SystemDir%\\winsecurityxp\\mswinup.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\SightSpeed\\SightSpeed.exe"="C:\\Program Files\\SightSpeed\\SightSpeed.exe:*:Enabled:SightSpeed"
"C:\\Program Files\\Roxio\\Creator Classic 9\\Creator9.exe"="C:\\Program Files\\Roxio\\Creator Classic 9\\Creator9.exe:*:Enabled:Creator9"
"C:\\Program Files\\Common Files\\Sonic Shared\\RoxioUPnPRenderer9.exe"="C:\\Program Files\\Common Files\\Sonic Shared\\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ron & Brunis\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RON-U5HTDLBYZYQ
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ron & Brunis
LOGONSERVER=\\RON-U5HTDLBYZYQ
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\PROGRAM FILES\COMMON FILES\ROXIO SHARED\DLLSHARED;C:\PROGRAM FILES\COMMON FILES\ROXIO SHARED\9.0\DLLSHARED;C:\PROGRAM FILES\COMMON FILES\ADOBE\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\RON&BR~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\RON&BR~1\LOCALS~1\Temp
USERDOMAIN=RON-U5HTDLBYZYQ
USERNAME=Ron & Brunis
USERPROFILE=C:\Documents and Settings\Ron & Brunis
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
Ron & Brunis [I](admin)
-- Add/Remove Programs ---------------------------------------------------------
-- Application Event Log -------------------------------------------------------
Event Record #/Type6677 / Error
Event Submitted/Written: 05/21/2008 11:39:44 AM
Event ID/Source: 3003 / WinDefendRtp
Event Description:
%RON-U5HTDLBYZYQ27 Real-Time Protection checkpoint has encountered an error and failed to start.
User: RON-U5HTDLBYZYQ\Ron & Brunis
Checkpoint ID: 1
Error Code: 0x8000ffff
Error description: Catastrophic failure
Event Record #/Type6674 / Error
Event Submitted/Written: 05/21/2008 11:39:44 AM
Event ID/Source: 3003 / WinDefendRtp
Event Description:
%RON-U5HTDLBYZYQ27 Real-Time Protection checkpoint has encountered an error and failed to start.
User: RON-U5HTDLBYZYQ\Ron & Brunis
Checkpoint ID: 1
Error Code: 0x80070005
Error description: Access is denied.
Event Record #/Type6668 / Error
Event Submitted/Written: 05/21/2008 11:24:45 AM
Event ID/Source: 3003 / WinDefendRtp
Event Description:
%RON-U5HTDLBYZYQ27 Real-Time Protection checkpoint has encountered an error and failed to start.
User: RON-U5HTDLBYZYQ\Ron & Brunis
Checkpoint ID: 1
Error Code: 0x8000ffff
Error description: Catastrophic failure
Event Record #/Type6667 / Error
Event Submitted/Written: 05/21/2008 11:24:45 AM
Event ID/Source: 3003 / WinDefendRtp
Event Description:
%RON-U5HTDLBYZYQ27 Real-Time Protection checkpoint has encountered an error and failed to start.
User: RON-U5HTDLBYZYQ\Ron & Brunis
Checkpoint ID: 1
Error Code: 0x80070005
Error description: Access is denied.
Event Record #/Type6660 / Error
Event Submitted/Written: 05/21/2008 11:12:51 AM
Event ID/Source: 3003 / WinDefendRtp
Event Description:
%RON-U5HTDLBYZYQ27 Real-Time Protection checkpoint has encountered an error and failed to start.
User: RON-U5HTDLBYZYQ\Ron & Brunis
Checkpoint ID: 1
Error Code: 0x8000ffff
Error description: Catastrophic failure
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type29651 / Warning
Event Submitted/Written: 05/21/2008 11:11:53 AM / 05/21/2008 11:12:24 AM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk0\D during a paging operation.
Event Record #/Type29650 / Warning
Event Submitted/Written: 05/21/2008 11:11:53 AM / 05/21/2008 11:12:24 AM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk0\D during a paging operation.
Event Record #/Type29649 / Warning
Event Submitted/Written: 05/21/2008 11:11:53 AM / 05/21/2008 11:12:24 AM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk0\D during a paging operation.
Event Record #/Type29648 / Warning
Event Submitted/Written: 05/21/2008 11:11:53 AM / 05/21/2008 11:12:24 AM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk0\D during a paging operation.
Event Record #/Type29647 / Warning
Event Submitted/Written: 05/21/2008 11:11:53 AM / 05/21/2008 11:12:24 AM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk0\D during a paging operation.
-- End of Deckard's System Scanner: finished at 2008-05-21 16:00:53 ------------
Rorschach112
2008-05-22, 16:10
Your logs are clean
Follow these steps to uninstall Combofix and tools used in the removal of malware
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
You now need to update your Java and remove your older versions.
Please follow these steps to remove older version Java components.
* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.
Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here (http://java.sun.com/javase/downloads/index.jsp)
Below I have included a number of recommendations for how to protect your computer against malware infections.
* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.
* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here (http://www.mozilla.org/products/firefox/)
* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)
Thank you for your patience, and performing all of the procedures requested.
taekrndo
2008-05-22, 17:45
Thank you for all the help!!!! Great step by step instructions for a new or old user...Thank you again..
Peace
Rorschach112
2008-05-22, 17:53
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.