Another Virtumonde Problem


K_nan
2008-05-23, 01:18
Hi

Another poor computer user with this horrible virus. Help would be much appreciated.

Here is the Hijack This log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:37 AM, on 23/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/md5auth.srf?lc=1033
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BigPond] "F:\5100.exe" -r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [BM4fdea442] Rundll32.exe "C:\WINDOWS\system32\bfkekfva.dll",s
O4 - HKLM\..\Run: [4ced97de] rundll32.exe "C:\WINDOWS\system32\dlymvbvh.dll",b
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA4797] command /c del "C:\WINDOWS\system32\opnnlKax.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3153] cmd /c del "C:\WINDOWS\system32\opnnlKax.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4138] command /c del "C:\WINDOWS\system32\yayvUMCr.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2736] cmd /c del "C:\WINDOWS\system32\yayvUMCr.dll_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] "d:\valve\steam\steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\PartyPoker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\PartyPoker\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D76A45F6-AD06-4338-B839-75779A2489AB}: NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 8901 bytes


The Kaspersky scan is bigger than a post so if you need the log please ask.

Thanks in advance for the help.

Blade81
2008-05-23, 09:04
Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log (taken in normal mode) in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

K_nan
2008-05-23, 10:35
I cannot seem to run combofix; an error box pops up saying "rundll32.exe - Application error"

The application failed to initialize properly (0xc0000005).

It also cannot run CMD.exe with the same error code.

Blade81
2008-05-23, 10:49
Please try downloading it again since the download may have gotten corrupted. If it still gives the same error then try this:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

K_nan
2008-05-23, 11:06
Tried re-downloading and re-downloading/re-naming and both still give the same error message.

K_nan
2008-05-23, 11:45
Note: This error occurs in safe mode and with a regular boot.

Blade81
2008-05-23, 18:38
Hi

Sounds like rundll32.exe and maybe some other files have gotten corrupted. Let's try this:

Click Start --> Run --> write sfc /scannow, click ok and follow the instructions. Then try running ComboFix again.

K_nan
2008-05-24, 02:58
The command box opens once I run that command, but immediately closes again. Nothing seems to be happening. Tried it many times.

K_nan
2008-05-24, 03:13
Should I be in safe mode with networking disabled and checking the forums from another machine? Or does that not matter?

Blade81
2008-05-24, 13:52
Hi

Definitely use safe mode without networking only and do forum checking through another machine. Safe mode with networking makes the system most vulnerable since protection is not on and you're still connected to the network.

I'll do some research on your case and try to reply back ASAP.

Blade81
2008-05-24, 14:20
Hi

Let's try following:

1. Uninstall Spybot for now.

2. Download ComboFix again, naming it MoveBadItems.exe and saving it to the root of the C: drive (C:\). That way we can access it from every account.

3. Try running ComboFix in safe mode with command prompt. Here are the steps to follow (print/save these since you won't be able to access them while in safe mode):
Press F8 before Windows' loading screen and select safe mode with command prompt -option.
Then write following commands (I assume you have MoveBadItems.exe in C: root):
cd\
MoveBadItems.exe


When ComboFix reboots select safe mode with command prompt again so that ComboFix will finish there.

K_nan
2008-05-24, 17:53
Even with the command prompt option, it still boots to the Windows desktop, although I have to manually start explorer.exe through Task Manager.

Blade81
2008-05-24, 22:13
Hi

While I think up something else could you post that Kaspersky log? You may post it as an attachment or upload to http://rapidshare.com for example.

K_nan
2008-05-25, 03:50
Here it is...

http://rapidshare.com/files/117401637/kaspersky.txt.html

K_nan
2008-05-25, 04:08
Would using the XP CD to boot into recovery mode give me access to the command prompt?

Blade81
2008-05-25, 12:00
Hi

I renamed Deckard's System Scanner's DSS.exe to systemChecker.exe and uploaded it here (http://www.sendspace.com/file/ochsur). Please download the file to your desktop and run it. Post back the contents of main.txt and the extra.txt.

K_nan
2008-05-25, 12:17
MAIN:

Deckard's System Scanner v20071014.68
Run by Tim on 2008-05-25 20:12:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
34: 2008-05-25 10:12:09 UTC - RP942 - Deckard's System Scanner Restore Point
33: 2008-05-22 00:38:43 UTC - RP941 - Last known good configuration
32: 2008-05-22 00:38:34 UTC - RP940 - Restore Operation
31: 2008-05-22 00:38:33 UTC - RP939 - Last known good configuration
30: 2008-05-22 00:38:33 UTC - RP938 - System Checkpoint


-- First Restore Point --
1: 2008-05-22 00:38:31 UTC - RP909 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Tim.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:32 PM, on 25/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\USER\Desktop\systemChecker.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Tim.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CA9840B8-7CF8-4761-BA31-B636059D7EDA} - C:\WINDOWS\system32\rqRKDWMc.dll (file missing)
O2 - BHO: (no name) - {D760BB28-F11D-44D9-AC34-E74BCE8B1C71} - C:\WINDOWS\system32\yayvUMCr.dll (file missing)
O4 - HKLM\..\Run: "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BigPond] "F:\5100.exe" -r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [BM4fdea442] Rundll32.exe "C:\WINDOWS\system32\bfkekfva.dll",s
O4 - HKLM\..\Run: [4ced97de] rundll32.exe "C:\WINDOWS\system32\dlymvbvh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download with GetRight - G:\Other Crap\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - G:\Other Crap\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\PartyPoker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\PartyPoker\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D76A45F6-AD06-4338-B839-75779A2489AB}: NameServer = 192.168.0.1
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00AB364.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 9802 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 oreans32 - c:\windows\system32\drivers\oreans32.sys
R2 BT848 (MuchTV Fusion WDM Video Capture) - c:\windows\system32\drivers\bt848.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 BTTUNER (MuchTV Fusion WDM Tuner) - c:\windows\system32\drivers\bttuner.sys <Not Verified; TelSignal Co., Ltd.; BTTUNER.SYS>
R2 BTXBAR (MuchTV Fusion WDM Crossbar) - c:\windows\system32\drivers\btxbar.sys <Not Verified; TelSignal Co., Ltd.; BTXBAR.SYS>
R2 SVKP - c:\windows\system32\svkp.sys <Not Verified; AntiCracking; SVKP driver for NT>

S3 dtscsi - c:\windows\system32\drivers\dtscsi.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 LHidUsbK (Logitech SetPoint USB Receiver Device Driver) - c:\windows\system32\drivers\lhidusbk.sys <Not Verified; Logitech, Inc.; Logitech SetPoint(TM)>
S3 LMouKE (Logitech SetPoint Mouse Filter Driver) - c:\windows\system32\drivers\lmouke.sys (file missing)
S3 LUsbKbd (Logitech SetPoint USB Keyboard Filter) - c:\windows\system32\drivers\lusbkbd.sys <Not Verified; Logitech, Inc.; Logitech SetPoint(TM)>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 UserAccess7 (SecuROM User Access Service (V7)) - c:\windows\system32\uaservice7.exe

S3 bpcService (BigPond Broadband Cable Login) - "c:\program files\telstra\cable login\bpcservice.exe"


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\C5FFEAE01800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\C5FFEAE01800
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\5113C4EA23C01
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\5113C4EA23C01
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2008-05-16 20:00:49 526 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Tim.job


-- Files created between 2008-04-25 and 2008-05-25 -----------------------------

2008-05-25 17:11:24 0 d-------- C:\WINDOWS\setup.pss
2008-05-25 17:10:56 0 d-------- C:\WINDOWS\setupupd
2008-05-25 17:08:46 0 d-------- C:\WINDOWS\LastGood
2008-05-23 19:04:48 1974863 --a------ C:\ComboFix.exe
2008-05-23 09:14:23 51200 --a------ C:\WINDOWS\system32\__c00AB364.dat
2008-05-23 09:14:22 51200 --a------ C:\WINDOWS\system32\ovrefnyj.dll
2008-05-23 09:14:04 51200 --a------ C:\WINDOWS\system32\juxsmxpk.dll
2008-05-23 09:07:53 51200 --a------ C:\WINDOWS\system32\__c0094D98.dat
2008-05-23 09:07:51 51200 --a------ C:\WINDOWS\system32\fcsalldk.dll
2008-05-23 06:37:30 51200 --a------ C:\WINDOWS\system32\ilyjspyj.dll
2008-05-23 06:34:23 51200 --a------ C:\WINDOWS\system32\tcehuloa.dll
2008-05-23 06:34:21 51200 --a------ C:\WINDOWS\system32\hcjuybnl.dll
2008-05-23 06:31:23 51200 --a------ C:\WINDOWS\system32\wcsfhqtx.dll
2008-05-23 06:31:21 51200 --a------ C:\WINDOWS\system32\cmmijjxs.dll
2008-05-23 06:28:23 51200 --a------ C:\WINDOWS\system32\bfggnubw.dll
2008-05-23 06:28:21 0 --a------ C:\WINDOWS\system32\ecpmqeej.exe
2008-05-23 06:22:22 51200 --a------ C:\WINDOWS\system32\wtucejye.dll
2008-05-23 06:20:06 115200 --a------ C:\WINDOWS\system32\dlymvbvh.dll
2008-05-23 06:19:55 126464 --a------ C:\WINDOWS\system32\bfkekfva.dll
2008-05-22 19:41:09 592960 --ahs---- C:\WINDOWS\system32\cMWDKRqr.ini2
2008-05-22 11:47:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-22 11:47:49 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-22 11:44:10 0 d-------- C:\Program Files\Trend Micro
2008-05-22 11:03:19 0 d-------- C:\VundoFix Backups
2008-05-22 10:53:50 59392 --a------ C:\WINDOWS\system32\awtsPFVo.dll
2008-05-22 10:47:22 51200 --a------ C:\WINDOWS\system32\__c00CAE93.dat
2008-05-22 10:47:21 51200 --a------ C:\WINDOWS\system32\wfpoeuwk.dll
2008-05-22 10:31:46 0 d-------- C:\327882R2FWJFW
2008-05-21 11:29:44 51200 --a------ C:\WINDOWS\system32\__c0027EB.dat
2008-05-21 11:23:40 696938 --ahs---- C:\WINDOWS\system32\xaKlnnpo.ini2
2008-05-20 19:27:07 10485760 --a------ C:\Documents and Settings\USER\ntuser.dat
2008-05-20 19:26:53 620267 --ahs---- C:\WINDOWS\system32\rCMUvyay.ini2
2008-05-20 19:22:16 58880 --a------ C:\WINDOWS\system32\fccbBQIX.dll
2008-05-20 19:21:40 58880 --a------ C:\WINDOWS\system32\yayvUOgF.dll


-- Find3M Report ---------------------------------------------------------------

2008-05-25 16:56:34 384 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000D-00001102-00000004-20021102}.dat
2008-05-25 16:56:34 384 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000D-00001102-00000004-20021102}.dat
2008-05-25 01:08:55 0 d-------- C:\Documents and Settings\USER\Application Data\Lavasoft
2008-05-22 10:53:36 0 d-------- C:\Documents and Settings\USER\Application Data\Azureus
2008-05-22 09:18:44 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-24 00:25:22 0 d-------- C:\Documents and Settings\USER\Application Data\Skype
2008-04-07 13:47:26 0 d-------- C:\Documents and Settings\USER\Application Data\Adobe
2008-04-05 08:44:21 0 d-------- C:\Program Files\Common Files\Teleca Shared
2008-04-05 08:44:20 0 d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2008-04-05 08:43:45 0 d-------- C:\Program Files\Common Files
2008-04-05 08:43:38 0 d-------- C:\Program Files\Sony Ericsson
2008-04-03 16:48:33 0 d-------- C:\Program Files\Common Files\Real
2008-04-03 16:48:12 0 d-------- C:\Program Files\Real
2008-03-29 16:11:30 0 d-------- C:\Program Files\MSN Messenger
2008-03-29 16:11:28 0 d-------- C:\Program Files\Messenger Plus! Live
2008-03-17 13:16:42 530 --a------ C:\WINDOWS\eReg.dat


-- Registry Dump ---------------------------------------------------------------



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8544 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-25 20:15:04 ------------

EXTRA:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) 64 Processor 3500+
Percentage of Memory in Use: 50%
Physical Memory (total/avail): 1023.23 MiB / 509.68 MiB
Pagefile Memory (total/avail): 2459.86 MiB / 1937.4 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.33 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 19.53 GiB total, 5.43 GiB free.
D: is Fixed (NTFS) - 129.51 GiB total, 43.49 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Fixed (NTFS) - 232.88 GiB total, 114.74 GiB free.
H: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1600JB-00GVA0 - 149.05 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 19.53 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 129.51 GiB - D:

\\.\PHYSICALDRIVE1 - WDC WD25 00JS-00NCB1 SCSI Disk Device - 232.88 GiB - 1 partition
\PARTITION0 - Installable File System - 232.88 GiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Norton AntiVirus v2007 (Symantec Corporation)
AV: Norton AntiVirus v2007 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Lexmark 3500-4500 Series\\app4r.exe"="C:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe:*:Enabled:Lexmark Imaging Studio"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Telstra\\Cable Login\\bpcable.exe"="C:\\Program Files\\Telstra\\Cable Login\\bpcable.exe:*:Enabled:BigPond Cable Client"
"C:\\Program Files\\Telstra\\Cable Login\\bpcService.exe"="C:\\Program Files\\Telstra\\Cable Login\\bpcService.exe:*:Enabled:BigPond Cable Client (running as a service)"
"D:\\Valve\\Steam\\Steam.exe"="D:\\Valve\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"D:\\Microsoft Games\\Age Of Empires II\\age2_x1.exe"="D:\\Microsoft Games\\Age Of Empires II\\age2_x1.exe:*:Enabled:Age of Empires II Expansion"
"G:\\Other Crap\\The All-Seeing Eye\\eye.exe"="G:\\Other Crap\\The All-Seeing Eye\\eye.exe:*:Enabled:Yahoo! All-Seeing Eye"
"D:\\Valve\\Steam\\SteamApps\\ripper1984\\counter-strike source\\hl2.exe"="D:\\Valve\\Steam\\SteamApps\\ripper1984\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"D:\\Medievia\\Mud Master\\MudMast.exe"="D:\\Medievia\\Mud Master\\MudMast.exe:*:Enabled:MudMast"
"D:\\Microsoft Games\\Age.of.Empires.II.The.Conquerors.(Myth-RiP-Standalone).-={BluX}=-\\age2_x1.exe"="D:\\Microsoft Games\\Age.of.Empires.II.The.Conquerors.(Myth-RiP-Standalone).-={BluX}=-\\age2_x1.exe:*:Enabled:Age of Empires II Expansion"
"D:\\Microsoft Games\\Age.of.Empires.II.The.Conquerors.(Myth-RiP-Standalone).-={BluX}=-\\aoe20a_crk.exe"="D:\\Microsoft Games\\Age.of.Empires.II.The.Conquerors.(Myth-RiP-Standalone).-={BluX}=-\\aoe20a_crk.exe:*:Enabled:Age of Empires II"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"G:\\StubInstaller.exe"="G:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"G:\\MP3z Stuff\\LimeWire\\LimeWire.exe"="G:\\MP3z Stuff\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"D:\\Valve\\Steam\\SteamApps\\ripper1984\\lostcoast\\hl2.exe"="D:\\Valve\\Steam\\SteamApps\\ripper1984\\lostcoast\\hl2.exe:*:Enabled:hl2"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"G:\\Other Crap\\GetRight\\getright.exe"="G:\\Other Crap\\GetRight\\getright.exe:*:Enabled:GetRight® Download Manager. www.GetRight.com"
"G:\\MP3z Stuff\\LimeWire\\Limewire Pro\\LimeWire.exe"="G:\\MP3z Stuff\\LimeWire\\Limewire Pro\\LimeWire.exe:*:Enabled:LimeWire"
"D:\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="D:\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"D:\\Valve\\Steam\\SteamApps\\ripper1984\\half-life 2\\hl2.exe"="D:\\Valve\\Steam\\SteamApps\\ripper1984\\half-life 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"G:\\Other Crap\\BitComet\\BitComet.exe"="G:\\Other Crap\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"D:\\Blizzard\\Warcraft III\\Warcraft III.exe"="D:\\Blizzard\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
"G:\\Other Crap\\Azureus\\Azureus.exe"="G:\\Other Crap\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Documents and Settings\\USER\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\USER\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"G:\\utorrent.exe"="G:\\utorrent.exe:*:Enabled:µTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"D:\\Spring\\spring.exe"="D:\\Spring\\spring.exe:*:Enabled:spring"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Documents and Settings\\USER\\My Documents\\mIRC\\mirc.exe"="C:\\Documents and Settings\\USER\\My Documents\\mIRC\\mirc.exe:*:Enabled:mIRC"
"G:\\Other Crap\\Real Media Player\\realplay.exe"="G:\\Other Crap\\Real Media Player\\realplay.exe:*:Enabled:RealPlayer"
"G:\\Azureus\\Azureus.exe"="G:\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"D:\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="D:\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"D:\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"="D:\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords"
"D:\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"="D:\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"="C:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe:*:Enabled:Device Monitor"
"C:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"="C:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe:*:Enabled:Device Monitor Application"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"="C:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe:*:Enabled:Printing Application"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe:*:Enabled:Printer Status Window Interface"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe:*:Enabled:Job Status Window Interface"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe:*:Enabled:Lexmark Connect Time Executable"


-- Environment Variables -------------------------------------------------------



-- User Profiles ---------------------------------------------------------------

USER (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type42380 / Success
Event Submitted/Written: 05/23/2008 07:40:20 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type42352 / Success
Event Submitted/Written: 05/22/2008 07:19:45 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type42328 / Error
Event Submitted/Written: 05/22/2008 01:04:50 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application msnmsgr.exe, version 8.5.1302.1018, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type42312 / Success
Event Submitted/Written: 05/22/2008 10:40:26 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type42187 / Error
Event Submitted/Written: 05/21/2008 11:16:18 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type85253 / Error
Event Submitted/Written: 05/25/2008 04:58:53 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Application Layer Gateway Service service failed to start due to the following error:
%%1053

Event Record #/Type85252 / Error
Event Submitted/Written: 05/25/2008 04:58:53 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

Event Record #/Type85248 / Error
Event Submitted/Written: 05/25/2008 04:58:53 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The lxdiCATSCustConnectService service failed to start due to the following error:
%%1053

Event Record #/Type85247 / Error
Event Submitted/Written: 05/25/2008 04:58:53 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the lxdiCATSCustConnectService service to connect.

Event Record #/Type85243 / Error
Event Submitted/Written: 05/25/2008 04:58:01 PM / 05/25/2008 04:58:30 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type



-- End of Deckard's System Scanner: finished at 2008-05-25 20:15:04 ------------

Blade81
2008-05-25, 13:35
Hi

This doesn't look like renamed ComboFix.exe to me:

2008-05-23 19:04:48 1974863 --a------ C:\ComboFix.exe

I instructed in post #11 (http://forums.spybot.info/showpost.php?p=194814&postcount=11) to name it as MoveBadItems.exe.

We'll try with ComboFix once more. This time please download this (http://www.sendspace.com/file/76yr66) renamed copy to root of your C: drive (C:\). Run it and post back the log in case it works.

K_nan
2008-05-25, 13:50
It wasn't booted in safe mode; my fault.

K_nan
2008-05-25, 14:02
I cannot get into command prompt in order to execute those commands or run it via clicking.

Blade81
2008-05-25, 14:36
Well, did you download the file I uploaded (removeBadItems.exe) and try to run it in the normal way?

K_nan
2008-05-26, 01:58
Yes, command prompt won't work in either safe mode or normal boot.

Blade81
2008-05-26, 06:53
Hi

I see you've run VundoFix earlier. Let's check what it has removed. I've seen some cases where VundoFix accidentally removed a bunch of legal files, making the system ready for a reformat.


Creating & executing batch file
-------------------------------

Open Notepad and then copy and paste the lines below into it. Go to File > Save As, name the file findFiles.bat, change the "Save as type" to All Files and save it to your desktop. (If you are still unsure how to do this, there is a little tutorial with pictures here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Bat_File))
@echo off
c:
cd\VundoFix backups
dir *.* /s >findFiles.txt
notepad findFiles.txt

Double-click on findFiles.bat file to execute it.



Navigate into C:\Program Files\Trend Micro\HijackThis folder and rename HijackThis.exe -> something.exe


Start hjt (by clicking something.exe file), do a system scan, check (if found):
O2 - BHO: (no name) - {CA9840B8-7CF8-4761-BA31-B636059D7EDA} - C:\WINDOWS\system32\rqRKDWMc.dll (file missing)
O2 - BHO: (no name) - {D760BB28-F11D-44D9-AC34-E74BCE8B1C71} - C:\WINDOWS\system32\yayvUMCr.dll (file missing)
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\bfkekfva.dll",s
O4 - HKLM\..\Run: [4ced97de] rundll32.exe "C:\WINDOWS\system32\dlymvbvh.dll",b
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00AB364.dat

Close browsers and fix checked.


Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



C:\WINDOWS\system32\__c00AB364.dat
C:\WINDOWS\system32\ovrefnyj.dll
C:\WINDOWS\system32\juxsmxpk.dll
C:\WINDOWS\system32\__c0094D98.dat
C:\WINDOWS\system32\fcsalldk.dll
C:\WINDOWS\system32\ilyjspyj.dll
C:\WINDOWS\system32\tcehuloa.dll
C:\WINDOWS\system32\hcjuybnl.dll
C:\WINDOWS\system32\wcsfhqtx.dll
C:\WINDOWS\system32\cmmijjxs.dll
C:\WINDOWS\system32\bfggnubw.dll
C:\WINDOWS\system32\ecpmqeej.exe
C:\WINDOWS\system32\wtucejye.dll
C:\WINDOWS\system32\dlymvbvh.dll
C:\WINDOWS\system32\bfkekfva.dll
C:\WINDOWS\system32\cMWDKRqr.ini2
C:\WINDOWS\system32\awtsPFVo.dll
C:\WINDOWS\system32\__c00CAE93.dat
C:\WINDOWS\system32\wfpoeuwk.dll
C:\327882R2FWJFW
C:\WINDOWS\system32\__c0027EB.dat
C:\WINDOWS\system32\xaKlnnpo.ini2
C:\WINDOWS\system32\rCMUvyay.ini2
C:\WINDOWS\system32\fccbBQIX.dll
C:\WINDOWS\system32\yayvUOgF.dll


Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post. Post also contents of findFiles.txt and a fresh hjt log.
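
As an added example (not part of this thread or of any tool mentioned in it), here is a small Python triage helper that parses HijackThis-style O2/O4/O20 lines like the five Blade81 lists above and flags the traits those entries share: a registered component marked (file missing), a DLL launched through rundll32 with a single-letter export, AppInit_DLLs pointing at a .dat file, and eight-letter pseudo-random names in system32. The sample input is the five lines from the post plus one constructed benign entry; the name-length check is only a triage heuristic (it can also match legitimate eight-letter system DLLs), so every finding still needs a human look.

```python
import re
from dataclasses import dataclass

# Constructed sample: the five entries Blade81 asked the user to fix, plus one
# made-up benign O4 line (ExampleUpdater) so the parser has a clean entry to pass.
SAMPLE_HJT_LINES = r"""
O2 - BHO: (no name) - {CA9840B8-7CF8-4761-BA31-B636059D7EDA} - C:\WINDOWS\system32\rqRKDWMc.dll (file missing)
O2 - BHO: (no name) - {D760BB28-F11D-44D9-AC34-E74BCE8B1C71} - C:\WINDOWS\system32\yayvUMCr.dll (file missing)
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\bfkekfva.dll",s
O4 - HKLM\..\Run: [4ced97de] rundll32.exe "C:\WINDOWS\system32\dlymvbvh.dll",b
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00AB364.dat
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe"
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in an extension we care about.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:dll|exe|dat|ini2?)', re.IGNORECASE)
# rundll32 <dll>,<export> launch, as in the two O4 lines above.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([A-Za-z]:\\[^"]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"[A-Za-z]{8}\.(?:dll|ini2?)")   # heuristic only
HIDDEN_DAT_RE = re.compile(r"__c[0-9A-Fa-f]{5,8}\.dat")


@dataclass
class Finding:
    section: str
    path: str
    reasons: list


def triage_line(line):
    """Return a Finding for one HJT entry, or None if nothing looks off."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    reasons = []
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else ""
    if "(file missing)" in body:
        reasons.append("registered component no longer on disk")
    rm = RUNDLL_RE.search(body)
    if rm:
        path = rm.group(1)
        if len(rm.group(2)) == 1:
            reasons.append("rundll32 loads a DLL through a single-letter export")
    if section == "O20" and path.lower().endswith(".dat"):
        reasons.append("AppInit_DLLs points at a .dat file")
    name = path.rsplit("\\", 1)[-1]
    if "system32" in path.lower() and RANDOM_NAME_RE.fullmatch(name):
        reasons.append("eight-letter pseudo-random name in system32 (heuristic)")
    if HIDDEN_DAT_RE.fullmatch(name):
        reasons.append("__c<hex>.dat naming")
    return Finding(section, path, reasons) if reasons else None


def triage_log(text):
    """Run triage_line over every line of an HJT log and collect the findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT_LINES):
        print(f.section, f.path, "->", "; ".join(f.reasons))
```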

Blade81
2008-06-03, 19:01
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.