Another Virtumonde



domcler
2008-06-18, 21:14
Sorry, seems to be all you guys hear about. SBS&D picks it up but can't seem to get rid of it; any help you can offer would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:33 PM, on 6/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe
C:\WINDOWS\Twain_32\Fjscan32\FTPWREVT\FTPWREVT.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Hot Keyboard Pro\HotKeyb.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\eFileCabinet\eFileCabinet.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Jared\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {1011379C-DBA3-4E83-854C-78385E73A8B3} - C:\WINDOWS\system32\iifcAPjJ.dll (file missing)
O2 - BHO: (no name) - {1e0c570b-1903-43c4-8217-874833eb8290} - (no file)
O2 - BHO: (no name) - {2FDF7B42-DB9F-4F65-9F2E-8053D4D148CA} - C:\WINDOWS\system32\kHaXnkHy.dll (file missing)
O2 - BHO: (no name) - {42F3FB79-C2B4-4B99-9F18-A1E4DAF1A4F7} - C:\WINDOWS\system32\geBSmNHx.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {891E05D6-68AF-41D0-A2F6-74E3A9E47D40} - C:\WINDOWS\system32\tuvUOGyv.dll (file missing)
O2 - BHO: (no name) - {C7B4574D-4482-49AF-9373-3D2EC0CF1656} - C:\WINDOWS\system32\efcBuvWQ.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe /Station
O4 - HKLM\..\Run: [FTPWRENV] C:\WINDOWS\Twain_32\Fjscan32\FTPWREVT\FTPWREVT.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [BM3fb12432] Rundll32.exe "C:\WINDOWS\system32\rtkscnnt.dll",s
O4 - HKLM\..\Run: [3c8217ae] rundll32.exe "C:\WINDOWS\system32\oybhsqtx.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA612] command /c del "C:\WINDOWS\system32\iifcAPjJ.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2495] cmd /c del "C:\WINDOWS\system32\iifcAPjJ.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5567] command /c del "C:\WINDOWS\system32\kHaXnkHy.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9721] cmd /c del "C:\WINDOWS\system32\kHaXnkHy.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Hot Keyboard] C:\Hot Keyboard Pro\HotKeyb.exe -minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: eFileCabinet Server.lnk = D:\eFileCabinet\eFileCabinet.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Assign &hot key - C:\Hot Keyboard Pro\IEScript.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209887910718
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: efcBuvWQ - C:\WINDOWS\SYSTEM32\efcBuvWQ.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FJTWMKSV - PFU LIMITED - C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 8304 bytes

ken545
2008-06-19, 01:19
Hello domcler

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288).
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

You have a few infections going on here. Before we begin, I need you to do a couple of things.

First, go to C:\Program Files and create a new folder named Hijackthis. Then go to where you currently have HijackThis installed, cut it, and paste it into the new folder; it has to be in its own folder for backup purposes.

Second, I need you to disable the TeaTimer in Spybot, or it will interfere with the fix.

Disable the TeaTimer; you can re-enable it when we're done if you wish.

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left-hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer. <-- You need to do this for it to take effect.




Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {1011379C-DBA3-4E83-854C-78385E73A8B3} - C:\WINDOWS\system32\iifcAPjJ.dll (file missing)
O2 - BHO: (no name) - {1e0c570b-1903-43c4-8217-874833eb8290} - (no file)
O2 - BHO: (no name) - {2FDF7B42-DB9F-4F65-9F2E-8053D4D148CA} - C:\WINDOWS\system32\kHaXnkHy.dll (file missing)
O2 - BHO: (no name) - {42F3FB79-C2B4-4B99-9F18-A1E4DAF1A4F7} - C:\WINDOWS\system32\geBSmNHx.dll (file missing)
O2 - BHO: (no name) - {891E05D6-68AF-41D0-A2F6-74E3A9E47D40} - C:\WINDOWS\system32\tuvUOGyv.dll (file missing)
O2 - BHO: (no name) - {C7B4574D-4482-49AF-9373-3D2EC0CF1656} - C:\WINDOWS\system32\efcBuvWQ.dll

O4 - HKLM\..\Run: [BM3fb12432] Rundll32.exe "C:\WINDOWS\system32\rtkscnnt.dll",s
O4 - HKLM\..\Run: [3c8217ae] rundll32.exe "C:\WINDOWS\system32\oybhsqtx.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA612] command /c del "C:\WINDOWS\system32\iifcAPjJ.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2495] cmd /c del "C:\WINDOWS\system32\iifcAPjJ.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5567] command /c del "C:\WINDOWS\system32\kHaXnkHy.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9721] cmd /c del "C:\WINDOWS\system32\kHaXnkHy.dll_old"

O20 - Winlogon Notify: efcBuvWQ - C:\WINDOWS\SYSTEM32\efcBuvWQ.dll




Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a Hijackthis log.



Post the Malwarebytes log and then a New HJT log please
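The entries ken545 picked out above follow a recognisable pattern: unnamed BHOs and a Winlogon Notify package pointing at eight-letter DLLs in system32, Run entries that hand such a DLL to rundll32 with a one-letter export, and BHO registrations whose DLL is already gone. The script below is an added example, not code from this thread or from the HijackThis project, that encodes those rules and runs them over a constructed excerpt of the log. The eight-letter name heuristic and the section regexes are assumptions of this example; a match is a lead to check, not proof of infection.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str   # HijackThis section code: O2, O4, O20
    reason: str    # why the line was flagged
    line: str      # the log line as written


# Eight alphabetic characters: the shape of the randomly generated DLL names in
# this thread (efcBuvWQ, oybhsqtx, rtkscnnt). A heuristic, not proof of infection.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f-]+\}$")
SYSTEM32 = re.compile(r"\\(?:WINDOWS|WINNT)\\SYSTEM32\\", re.IGNORECASE)

BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,(\S+)', re.IGNORECASE)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")

# Constructed sample: lines modelled on the two HijackThis logs in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {1011379C-DBA3-4E83-854C-78385E73A8B3} - C:\WINDOWS\system32\iifcAPjJ.dll (file missing)
O2 - BHO: (no name) - {1e0c570b-1903-43c4-8217-874833eb8290} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C7B4574D-4482-49AF-9373-3D2EC0CF1656} - C:\WINDOWS\system32\efcBuvWQ.dll
O2 - BHO: {4b4c9f89-211c-ffca-7f24-c2dece053e12} - {21e350ec-ed2c-42f7-acff-c11298f9c4b4} - C:\WINDOWS\system32\lkssonmr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM3fb12432] Rundll32.exe "C:\WINDOWS\system32\rtkscnnt.dll",s
O4 - HKLM\..\Run: [3c8217ae] rundll32.exe "C:\WINDOWS\system32\oybhsqtx.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA612] command /c del "C:\WINDOWS\system32\iifcAPjJ.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: efcBuvWQ - C:\WINDOWS\SYSTEM32\efcBuvWQ.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def looks_random_system32_dll(path: str) -> bool:
    """True for paths shaped like C:\\WINDOWS\\system32\\<8 letters>.dll."""
    path = path.replace("(file missing)", "").strip()
    if not SYSTEM32.search(path) or not path.lower().endswith(".dll"):
        return False
    stem = path.rsplit("\\", 1)[-1][:-4]
    return RANDOM_NAME.match(stem) is not None


def triage_hjt(log_text: str) -> List[Finding]:
    """Apply the Vundo-style rules to each line and return the hits in log order."""
    findings: List[Finding] = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = BHO_RE.match(line)
        if m:
            name, _clsid, target = m.groups()
            if target == "(no file)" or target.endswith("(file missing)"):
                findings.append(Finding("O2", "orphaned BHO: CLSID still registered, DLL already gone", line))
            elif (name == "(no name)" or GUID_NAME.match(name)) and looks_random_system32_dll(target):
                findings.append(Finding("O2", "unnamed or GUID-named BHO backed by a random-named system32 DLL", line))
            continue
        m = RUN_RE.match(line)
        if m:
            _hive, key, label, command = m.groups()
            r = RUNDLL_RE.search(command)
            if r and looks_random_system32_dll(r.group(1)) and len(r.group(2)) == 1:
                findings.append(Finding("O4", "rundll32 autostart of a random-named DLL via a one-letter export", line))
            elif key == "RunOnce" and label.startswith("SpybotDeleting"):
                findings.append(Finding("O4", "leftover Spybot RunOnce cleanup entry", line))
            continue
        m = NOTIFY_RE.match(line)
        if m and looks_random_system32_dll(m.group(2)):
            findings.append(Finding("O20", "Winlogon Notify package in a random-named system32 DLL", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

The legitimate NvCpl entry is not flagged: its DLL name is five letters and it calls a named export, whereas the Vundo entries in the log call a single-letter export from an eight-letter DLL. The GUID-as-name rule covers the lkssonmr.dll BHO that shows up in the second log further down the thread.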

domcler
2008-06-19, 02:33
Thank you for the extremely fast reply, it is greatly appreciated. The network in the house has a few computers with shared root system drives; should I be worried that the infections here have spread to the other systems on the network before I isolated them?

The following entries you asked me to fix did not appear in HijackThis after the reboot to disable TeaTimer, so I could not remove them.

O4 - HKLM\..\Run: [BM3fb12432] Rundll32.exe "C:\WINDOWS\system32\rtkscnnt.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingA612] command /c del "C:\WINDOWS\system32\iifcAPjJ.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2495] cmd /c del "C:\WINDOWS\system32\iifcAPjJ.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5567] command /c del "C:\WINDOWS\system32\kHaXnkHy.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9721] cmd /c del "C:\WINDOWS\system32\kHaXnkHy.dll_old"

When loading Windows I get the following error for eFileCabinet:
eFileCabinet
The application or DLL c:\windows\system32\efcBuvWQ.dll is not a valid Windows image

I believe the following entry is related to eFileCabinet; is this an infected file? I can probably reinstall eFileCabinet later if this is the case.
O2 - BHO: (no name) - {C7B4574D-4482-49AF-9373-3D2EC0CF1656} - C:\WINDOWS\system32\efcBuvWQ.dll

Here are the new log reports




Malwarebytes' Anti-Malware 1.17
Database version: 869

5:51:44 PM 6/18/2008
mbam-log-6-18-2008 (17-51-44).txt

Scan type: Quick Scan
Objects scanned: 45657
Time elapsed: 2 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\cbXNDTmJ.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\efcBuvWQ.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{304048b9-ef6f-4593-8072-b1f0faf6a8d2} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{304048b9-ef6f-4593-8072-b1f0faf6a8d2} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c7b4574d-4482-49af-9373-3d2ec0cf1656} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c7b4574d-4482-49af-9373-3d2ec0cf1656} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcbuvwq (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM3fb12432 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c7b4574d-4482-49af-9373-3d2ec0cf1656} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxndtmj -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxndtmj -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cbXNDTmJ.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\JmTDNXbc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\JmTDNXbc.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\edlmkhsh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hshkmlde.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hsghphqc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cqhphgsh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oybhsqtx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xtqshbyo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqnlybxy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yxbylnqr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Local Settings\Temporary Internet Files\Content.IE5\GUDU59PM\css4[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Local Settings\Temporary Internet Files\Content.IE5\GUDU59PM\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Local Settings\Temporary Internet Files\Content.IE5\M9R3D2QL\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Local Settings\Temporary Internet Files\Content.IE5\QWIH5F5M\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dndrkdsu.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\nnnkHwTn.dll (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcBqoPG.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcBuvWQ.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:41 PM, on 6/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe
C:\WINDOWS\Twain_32\Fjscan32\FTPWREVT\FTPWREVT.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: {4b4c9f89-211c-ffca-7f24-c2dece053e12} - {21e350ec-ed2c-42f7-acff-c11298f9c4b4} - C:\WINDOWS\system32\lkssonmr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BD121C26-B9AE-48AC-BEF2-3CE1E1583257} - C:\WINDOWS\system32\bievyeju.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe /Station
O4 - HKLM\..\Run: [FTPWRENV] C:\WINDOWS\Twain_32\Fjscan32\FTPWREVT\FTPWREVT.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Hot Keyboard] C:\Hot Keyboard Pro\HotKeyb.exe -minimized
O4 - Global Startup: eFileCabinet Server.lnk = D:\eFileCabinet\eFileCabinet.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Assign &hot key - C:\Hot Keyboard Pro\IEScript.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209887910718
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FJTWMKSV - PFU LIMITED - C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 6685 bytes
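The Malwarebytes log above is where the persistence picture becomes clear: the same DLL is registered as a BHO, a ShellExecuteHook and a Winlogon Notify package, another is wired in as an LSA authentication package, and several removals are still marked "Delete on reboot" because the DLLs are loaded in winlogon.exe and lsass.exe. The parser below is an added example, not code from this thread or from Malwarebytes, that reads a constructed excerpt of that log, lists what is still pending a reboot, and groups the registry hits by the load point they abuse. The section and line formats it expects, and the table of load points, are assumptions of this example drawn from the log as posted.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class Detection(NamedTuple):
    section: str          # e.g. "Files", "Registry Keys", "Memory Modules"
    item: str             # file path, registry key/value, or module path
    family: str           # MBAM detection name, e.g. "Trojan.Vundo"
    data: Optional[str]   # registry data for "Registry Data Items" entries
    action: str           # what MBAM did, e.g. "Delete on reboot"


SECTION_RE = re.compile(r"^(?P<section>.+?) Infected:$")
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$"
)

# Registry load points seen in this thread's log and the process that loads a DLL
# registered there. First substring match wins, so the more specific paths come first.
MECHANISMS = [
    ("Browser Helper Objects", "BHO, loaded by Internet Explorer"),
    ("Winlogon\\Notify", "Winlogon notification package, loaded by winlogon.exe"),
    ("ShellExecuteHooks", "ShellExecute hook, loaded by explorer.exe"),
    ("Authentication Packages", "LSA authentication package, loaded by lsass.exe"),
    ("CurrentVersion\\Run", "Run-key autostart"),
]

# Constructed sample: an excerpt of the MBAM log posted in this thread.
SAMPLE_MBAM_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\cbXNDTmJ.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c7b4574d-4482-49af-9373-3d2ec0cf1656} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcbuvwq (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM3fb12432 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c7b4574d-4482-49af-9373-3d2ec0cf1656} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxndtmj -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cbXNDTmJ.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\efcBuvWQ.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\oybhsqtx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""


def parse_mbam(text: str) -> List[Detection]:
    """Walk the log section by section and return one Detection per item line."""
    out: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        s = SECTION_RE.match(line)
        if s:
            section = s.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            out.append(Detection(section, m["item"], m["family"], m["data"], m["action"]))
    return out


def pending_reboot(detections: List[Detection]) -> List[str]:
    """Items MBAM could not remove live; they stay until the machine restarts."""
    return [d.item for d in detections if d.action == "Delete on reboot"]


def persistence_summary(detections: List[Detection]) -> Dict[str, List[str]]:
    """Group registry detections by the load point (and loading process) they use."""
    summary: Dict[str, List[str]] = defaultdict(list)
    for d in detections:
        if not d.section.startswith("Registry"):
            continue
        for needle, label in MECHANISMS:
            if needle.lower() in d.item.lower():
                summary[label].append(d.item)
                break
    return dict(summary)


if __name__ == "__main__":
    dets = parse_mbam(SAMPLE_MBAM_LOG)
    print("Pending reboot:", *pending_reboot(dets), sep="\n  ")
    for label, items in persistence_summary(dets).items():
        print(f"{label}: {len(items)} item(s)")
```

The pending list is the reason a fresh HijackThis log only means something after the restart: until then the Winlogon and LSA packages are still mapped and the files cannot be deleted. The Authentication Packages entry is worth a second look on any machine, since a DLL registered there runs inside lsass.exe and sees every logon.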

ken545
2008-06-19, 03:50
Hello,

I doubt the type of infection this system has will spread, but you never know; it may be a good idea to disconnect it from your network when you're not posting here, until it's all clean.

This is part of the Vundo Trojan.

I believe the following entry is related to efile cabinet, is this an infected file? i can probably reinstall efile cabinet later if this is the case.
O2 - BHO: (no name) - {C7B4574D-4482-49AF-9373-3D2EC0CF1656} - C:\WINDOWS\system32\efcBuvWQ.dll

Remove these with HJT:
O2 - BHO: {4b4c9f89-211c-ffca-7f24-c2dece053e12} - {21e350ec-ed2c-42f7-acff-c11298f9c4b4} - C:\WINDOWS\system32\lkssonmr.dll
O2 - BHO: (no name) - {BD121C26-B9AE-48AC-BEF2-3CE1E1583257} - C:\WINDOWS\system32\bievyeju.dll




Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



C:\WINDOWS\system32\lkssonmr.dll
C:\WINDOWS\system32\bievyeju.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


I need to see the OTMoveIt log, the Combofix log and a New HJT log please

domcler
2008-06-19, 04:36
DllUnregisterServer procedure not found in C:\WINDOWS\system32\lkssonmr.dll
C:\WINDOWS\system32\lkssonmr.dll NOT unregistered.
C:\WINDOWS\system32\lkssonmr.dll moved successfully.
C:\WINDOWS\system32\bievyeju.dll unregistered successfully.
C:\WINDOWS\system32\bievyeju.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06182008_201213



ComboFix 08-06-16.5 - Jared 2008-06-18 20:25:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1636 [GMT -6:00]
Running from: C:\Documents and Settings\Jared\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM3fb12432.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bthxeikd.dll
C:\WINDOWS\system32\cbXNDTmJ.dll
C:\WINDOWS\system32\cenryukl.dll
C:\WINDOWS\system32\dndrkdsu.dll
C:\WINDOWS\system32\efcBuvWQ.dll
C:\WINDOWS\system32\JjPAcfii.ini
C:\WINDOWS\system32\JjPAcfii.ini2
C:\WINDOWS\system32\JmTDNXbc.ini
C:\WINDOWS\system32\jvuoobbc.dll
C:\WINDOWS\system32\lbcxtkos.dll
C:\WINDOWS\system32\nikmfbet.dll
C:\WINDOWS\system32\nrfmcseg.dll
C:\WINDOWS\system32\puhbvgec.dll
C:\WINDOWS\system32\qpgxdowv.ini
C:\WINDOWS\system32\rtkscnnt.dll
C:\WINDOWS\system32\vyGOUvut.ini
C:\WINDOWS\system32\vyGOUvut.ini2
C:\WINDOWS\system32\xHNmSBeg.ini
C:\WINDOWS\system32\xHNmSBeg.ini2
C:\WINDOWS\system32\yHknXaHk.ini
C:\WINDOWS\system32\yHknXaHk.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 )))))))))))))))))))))))))))))))
.

2008-06-18 20:12 . 2008-06-18 20:12 <DIR> d-------- C:\_OTMoveIt
2008-06-18 17:47 . 2008-06-18 17:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-18 17:47 . 2008-06-18 17:47 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\Malwarebytes
2008-06-18 17:47 . 2008-06-18 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-18 17:47 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-18 17:47 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-17 12:28 . 2008-04-13 12:45 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-17 12:28 . 2008-04-13 12:45 32,128 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-06-17 12:28 . 2008-04-13 12:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-06-17 12:28 . 2008-04-13 12:47 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-06-17 11:11 . 2008-06-18 15:09 731 --a------ C:\WINDOWS\wininit.ini
2008-06-17 10:29 . 2008-06-17 10:29 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-17 10:29 . 2008-06-17 10:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-16 16:15 . 2008-06-16 16:15 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-13 15:56 . 2008-06-16 15:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-13 15:51 . 2008-06-16 16:11 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-13 15:28 . 2008-06-16 15:34 <DIR> d-------- C:\Temp\DOWNLOAD
2008-06-13 15:24 . 2008-06-13 15:24 12,499 --a------ C:\WINDOWS\system32\Seagate.bin
2008-06-13 15:22 . 2008-06-16 14:17 <DIR> d-------- C:\Program Files\nbpro
2008-06-13 15:20 . 2008-06-13 15:24 <DIR> d-------- C:\Temp\nbpro
2008-06-13 14:49 . 2008-06-13 14:49 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-13 13:55 . 2008-06-13 13:55 25,418,114 --a------ C:\eFileCabinet.zip
2008-06-13 13:18 . 2008-06-13 13:18 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\Fujitsu
2008-06-13 13:10 . 2008-06-13 13:10 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-06-13 13:09 . 2008-06-13 13:28 <DIR> d-------- C:\Program Files\eFileCabinet
2008-06-13 13:09 . 2007-10-02 10:26 1,929,216 --a------ C:\WINDOWS\system32\cdintf250.dll
2008-06-13 13:03 . 2008-04-13 12:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-06-13 13:03 . 2008-04-13 12:45 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-06-13 13:02 . 2008-06-13 14:16 <DIR> d-------- C:\Program Files\fjtwain
2008-06-13 13:01 . 2008-06-13 13:01 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\InstallShield
2008-06-13 13:01 . 2005-09-27 07:07 40,960 --------- C:\WINDOWS\UninstOP.exe
2008-06-13 12:34 . 2008-06-13 17:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eFileCabinet
2008-06-13 12:32 . 2008-06-13 12:32 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
2008-06-13 12:32 . 2008-06-18 17:58 13,030 --a------ C:\PDOXUSRS.NET
2008-06-12 17:26 . 2008-06-12 17:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pdf995
2008-06-12 17:26 . 2008-06-12 17:26 118,784 --a------ C:\WINDOWS\system32\pdfmona.dll
2008-06-12 17:26 . 2008-06-12 17:26 51,716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-06-12 17:26 . 2008-06-12 17:26 115 --a------ C:\WINDOWS\wpd99.drv
2008-06-12 17:25 . 2008-06-12 17:26 <DIR> d-------- C:\pdf995
2008-06-12 16:18 . 2008-06-12 16:18 <DIR> d-------- C:\DRAKEDDM
2008-06-12 16:18 . 2008-06-12 16:18 <DIR> d-------- C:\DRAKE07
2008-06-12 13:50 . 2008-06-12 13:50 <DIR> d-------- C:\Program Files\Intuit
2008-06-12 13:50 . 2008-06-12 13:50 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-06-12 13:50 . 2008-06-12 13:50 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\Intuit
2008-06-12 13:47 . 2008-06-12 13:47 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17
2008-06-12 13:47 . 2006-04-12 10:11 1,933,312 --a------ C:\WINDOWS\system32\cdintf251.dll
2008-06-12 13:44 . 2008-06-18 20:03 <DIR> d-------- C:\QuickBooks 2007
2008-06-12 13:44 . 2008-06-12 13:45 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-06-12 13:44 . 2008-06-12 13:44 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-06-12 13:44 . 2008-06-12 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2008-06-12 13:04 . 2008-06-12 13:04 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-06-11 03:06 . 2008-06-11 03:06 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-06-10 21:15 . 2008-05-08 08:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-10 21:11 . 2008-04-14 06:30 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 00:09 . 2008-06-10 00:09 <DIR> d-------- C:\Documents and Settings\spencertax\Application Data\Logitech
2008-06-10 00:09 . 2008-06-10 00:09 <DIR> d-------- C:\Documents and Settings\spencertax
2008-06-10 00:03 . 2008-04-13 18:12 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2008-06-10 00:03 . 2008-04-13 18:12 295,424 --a--c--- C:\WINDOWS\system32\dllcache\termsrv.dll
2008-06-09 22:05 . 2005-09-01 12:03 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2008-06-09 22:05 . 2005-09-01 12:03 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2008-06-09 22:04 . 2004-07-26 17:16 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
2008-06-09 22:04 . 2004-07-26 17:16 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
2008-06-09 22:04 . 2004-07-26 17:16 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
2008-06-09 22:04 . 2004-07-09 09:43 364,544 --a------ C:\WINDOWS\system32\TwnLib4.dll
2008-06-09 22:04 . 2004-07-26 17:16 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
2008-06-09 22:04 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-06-09 21:46 . 2008-06-09 21:46 <DIR> d-------- C:\FileZilla FTP Client
2008-06-09 21:43 . 2008-06-09 23:26 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\FileZilla
2008-06-09 21:25 . 2008-06-09 21:44 <DIR> d-------- C:\temp2
2008-06-09 21:07 . 2008-06-09 21:26 <DIR> d-------- C:\Temp\windows sp3
2008-06-09 21:01 . 2008-06-09 21:01 <DIR> d-------- C:\Program Files\DVDFab 5
2008-06-09 21:01 . 2008-06-10 00:49 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\Vso
2008-06-09 21:01 . 2008-06-09 21:01 87,608 --a------ C:\Documents and Settings\Jared\Application Data\inst.exe
2008-06-09 21:01 . 2008-06-09 21:01 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-09 21:01 . 2008-06-09 21:01 47,360 --a------ C:\Documents and Settings\Jared\Application Data\pcouffin.sys
2008-06-09 19:38 . 2008-06-09 19:38 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-09 19:38 . 2008-06-09 19:38 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-09 19:38 . 2008-06-09 19:38 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-09 19:38 . 2008-06-09 19:38 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-09 19:37 . 2008-06-09 19:38 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-09 18:23 . 2008-06-09 18:48 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\HLSW
2008-06-09 17:30 . 2008-06-09 17:25 7,156,336 --a------ C:\Temp\DVDFab5030.exe
2008-06-09 17:04 . 2008-06-09 17:05 <DIR> d-------- C:\Program Files\Winamp
2008-06-09 17:04 . 2008-06-09 17:05 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\Winamp
2008-06-09 16:48 . 2008-04-24 01:08 2,464,595 --a------ C:\Temp\FileZilla_Server-0_9_25.exe
2008-06-09 16:29 . 2008-04-23 23:34 2,337,592 --a------ C:\Temp\WindowsXP-KB896256-v4-x86-ENU.exe
2008-06-09 16:28 . 2008-05-09 22:52 331,805,736 --a------ C:\Temp\WindowsXP-KB936929-SP3-x86-ENU.exe
2008-06-09 16:28 . 2008-04-19 23:08 8,990,072 --a------ C:\Temp\winamp5531_full_emusic-7plus_en-us.exe
2008-06-09 16:26 . 2008-05-06 23:44 4,293,724 --a------ C:\Temp\hlsw_1_2_1_2_setup.exe
2008-06-09 01:43 . 2008-06-12 11:02 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-09 01:43 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-06-08 23:38 . 2008-06-08 23:38 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-08 23:26 . 2007-01-01 20:03 40,960 -ra------ C:\WINDOWS\system32\psfind.dll
2008-06-08 01:45 . 2008-06-08 01:58 2,337 --a------ C:\WINDOWS\TGshell.MIF
2008-06-08 00:53 . 1996-09-11 08:33 48,640 --a------ C:\WINDOWS\system32\INETWH32.dll
2008-06-08 00:53 . 1997-07-06 09:14 28,160 --a------ C:\WINDOWS\SFMAN32.DLL
2008-06-08 00:53 . 1996-08-28 00:48 9,136 --a------ C:\WINDOWS\system32\INETWH16.DLL
2008-06-08 00:53 . 1996-08-28 00:48 4,528 --a------ C:\WINDOWS\system32\SETBROWS.EXE
2008-06-08 00:51 . 2008-06-09 23:26 <DIR> d-------- C:\Games
2008-06-08 00:51 . 2008-06-08 00:51 <DIR> d-------- C:\Documents and Settings\Jared\WINDOWS
2008-06-08 00:51 . 1996-11-06 06:56 300,032 --a------ C:\WINDOWS\unin0411.exe
2008-06-08 00:51 . 1996-11-05 16:13 299,008 --a------ C:\WINDOWS\uninst.exe
2008-06-06 21:45 . 2008-06-06 22:42 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-06 21:37 . 2005-01-11 17:32 68,608 -ra------ C:\WINDOWS\system32\drivers\nvraid.sys
2008-06-06 21:37 . 2005-01-11 17:32 17,408 --a------ C:\WINDOWS\system32\nvraiins.dll
2008-06-06 21:37 . 2005-01-11 17:32 17,408 -ra------ C:\WINDOWS\system32\nvraidco.dll
2008-06-06 17:24 . 2008-06-06 17:24 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\Zeon
2008-06-06 17:24 . 2008-06-18 18:17 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\ScanSoft
2008-06-06 11:48 . 2008-06-06 11:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Zeon
2008-06-06 11:48 . 2008-06-06 11:48 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-06-06 11:48 . 2008-06-06 11:48 <DIR> d-------- C:\PDF Create 4
2008-06-06 11:48 . 2008-06-06 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zeon
2008-06-06 11:47 . 2008-06-06 11:47 <DIR> d-------- C:\Program Files\ScanSoft
2008-06-06 11:47 . 2008-06-06 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-06-06 11:47 . 2008-06-06 11:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-06 11:47 . 2008-06-06 11:47 349 --a------ C:\WINDOWS\MAXLINK.INI
2008-06-06 11:46 . 2008-06-06 11:47 <DIR> d-------- C:\OmniPage16
2008-06-05 17:27 . 2008-06-13 18:28 58 --a------ C:\WINDOWS\sview.ini
2008-06-05 17:24 . 2008-06-05 17:24 <DIR> d-------- C:\Temp\Signature Custom Mill, Inc
2008-06-05 17:24 . 2008-06-05 17:25 <DIR> d-------- C:\Temp\Signature Concrete
2008-06-05 13:33 . 2008-06-05 13:33 <DIR> d-------- C:\Remote Access Viewer
2008-06-05 13:31 . 2008-06-03 15:02 1,165,296 --a------ C:\Temp\RemoteAccessViewer4.3.7.exe
2008-06-05 12:48 . 2001-07-06 06:41 569,344 -ra------ C:\WINDOWS\system32\imagr5.dll
2008-06-05 12:48 . 2001-07-06 04:44 544,768 -ra------ C:\WINDOWS\system32\imagx5.dll
2008-06-05 12:48 . 2001-07-06 10:24 283,920 -ra------ C:\WINDOWS\system32\ImagXpr5.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 20:12 --------- d-----w C:\Program Files\SpeedFan
2008-06-13 19:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-07 03:34 8 ----a-w C:\DFIMB.DAT
2008-06-06 17:47 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-04 09:47 --------- d-----w C:\Documents and Settings\Jared\Application Data\Logitech
2008-05-04 09:31 --------- d-----w C:\Program Files\Logitech
2008-05-04 09:31 --------- d-----w C:\Program Files\Common Files\Logitech
2008-05-04 09:24 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-04 09:24 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-04 08:27 --------- d-----w C:\Program Files\Lavalys
2008-05-04 06:22 --------- d-----w C:\Program Files\Marvell
2008-05-04 06:19 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-05-04 06:19 --------- d-----w C:\Program Files\AvRack
2008-05-04 06:15 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-05-04 06:15 --------- d-----w C:\Program Files\Common Files\NVIDIA Shared
2008-05-04 06:02 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-03 04:46 6,554,496 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ------w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
.

------- Sigcheck -------

2008-05-04 02:33 506880 bbb128d4d36d82a3588de37966acdab0 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-06-09 20:40 507904 679a7259741f6a09994f02ce261b5f2e C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1676E20E-6E1A-47D7-B3B9-677C78EFD3FB}]
C:\Documents and Settings\Jared\Local Settings\Temporary Internet Files\Content.IE5\M9R3D2QL\3077ahntdksr[1].dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD121C26-B9AE-48AC-BEF2-3CE1E1583257}]
C:\WINDOWS\system32\bievyeju.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 18:12 15360]
"Hot Keyboard"="C:\Hot Keyboard Pro\HotKeyb.exe" [2007-04-05 23:56 992176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"FtLnSOP_setup"="C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe" [2007-03-07 18:24 212992]
"FJTWAIN Setup"="C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe" [2007-03-08 16:25 131072]
"FTPWRENV"="C:\WINDOWS\Twain_32\Fjscan32\FTPWREVT\FTPWREVT.exe" [2007-10-16 19:58 45056]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eFileCabinet Server.lnk - D:\eFileCabinet\eFileCabinet.exe [2008-06-13 14:01:11 2788352]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-05-04 03:31:50 434176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= IR41_32.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Database Server Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Database Server Manager.lnk
backup=C:\WINDOWS\pss\QuickBooks Database Server Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3c8217ae]
C:\WINDOWS\system32\vwodxgpq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM3fb12432]
C:\WINDOWS\system32\bthxeikd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-16 16:15 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 16:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-02 22:46 13529088 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-02 22:46 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
--a------ 2004-10-07 17:53 131072 C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpAgent]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanSoft OmniPage 16-reminder]
--a------ 2007-07-20 09:50 328992 C:\OmniPage16\Ereg\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-01-11 17:31 73728 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-10-25 09:03 210472 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Games\\HLSW\\hlsw.exe"=
"C:\\QuickBooks 2007\\QBDBMgrN.exe"=
"D:\\eFileCabinet\\eFileCabinet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 17:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 17:16]
R2 FJTWMKSV;FJTWMKSV;C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe [2007-03-08 16:23]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;C:\WINDOWS\system32\Drivers\ousbehci.sys [2004-08-01 08:09]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2004-08-01 08:09]
S4 QuickBooksDB17;QuickBooksDB17;C:\QUICKB~1\QBDBMgrN.exe [2006-09-13 10:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f3d6fcf-18a1-11dd-b0b4-806d6172696f}]
\Shell\AutoRun\command - D:\SETUP.EXE /UPDATE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f3d6fd0-18a1-11dd-b0b4-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 20:29:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-06-18 20:32:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-19 02:32:57

Pre-Run: 115,088,642,048 bytes free
Post-Run: 115,198,881,792 bytes free

306 --- E O F --- 2008-06-13 09:00:43





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:02 PM, on 6/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe
C:\WINDOWS\Twain_32\Fjscan32\FTPWREVT\FTPWREVT.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
D:\eFileCabinet\eFileCabinet.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {1676E20E-6E1A-47D7-B3B9-677C78EFD3FB} - C:\Documents and Settings\Jared\Local Settings\Temporary Internet Files\Content.IE5\M9R3D2QL\3077ahntdksr[1].dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BD121C26-B9AE-48AC-BEF2-3CE1E1583257} - C:\WINDOWS\system32\bievyeju.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe /Station
O4 - HKLM\..\Run: [FTPWRENV] C:\WINDOWS\Twain_32\Fjscan32\FTPWREVT\FTPWREVT.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Hot Keyboard] C:\Hot Keyboard Pro\HotKeyb.exe -minimized
O4 - Global Startup: eFileCabinet Server.lnk = D:\eFileCabinet\eFileCabinet.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Assign &hot key - C:\Hot Keyboard Pro\IEScript.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209887910718
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FJTWMKSV - PFU LIMITED - C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 6830 bytes

ken545
2008-06-19, 10:46
Good Morning,

Almost home :bigthumb:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::



File::
C:\Documents and Settings\Jared\Local Settings\Temporary Internet Files\Content.IE5\M9R3D2QL\3077ahntdksr[1].dll
C:\WINDOWS\system32\vwodxgpq.dll
C:\WINDOWS\system32\bthxeikd.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1676E20E-6E1A-47D7-B3B9-677C78EFD3FB}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD121C26-B9AE-48AC-BEF2-3CE1E1583257}]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3c8217ae]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM3fb12432]


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.




Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.

Need to see the new Combofix log and a new HJT log please
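Added example (not part of ken545's reply, and not code from ComboFix or HijackThis): a small Python triage script that does by hand what the CFScript above encodes. It reads the O2 (BHO) lines from a HijackThis log and the msconfig\startupreg entries from a ComboFix log, flags entries showing the traits visible in this thread, and prints a CFScript in the same File:: / Registry:: layout. The sample input is constructed from the log lines posted earlier in this thread, with SDHelper.dll and NvCpl.dll kept in as legitimate entries for contrast. The flagging heuristics are my assumptions drawn from those entries, not rules from either tool: a DLL loading from Temporary Internet Files, a nameless BHO whose file is missing, an eight-lowercase-letter DLL name in system32, and a startupreg key whose name is just hex digits (with or without the BM prefix). It lists every flagged path under File::, where ken545's script listed only some, and it prints the reasons beside each finding so the person writing the reply can read them against the log.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the O2 lines from the HijackThis log and the
# startupreg entries from the ComboFix log posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {1676E20E-6E1A-47D7-B3B9-677C78EFD3FB} - C:\Documents and Settings\Jared\Local Settings\Temporary Internet Files\Content.IE5\M9R3D2QL\3077ahntdksr[1].dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BD121C26-B9AE-48AC-BEF2-3CE1E1583257} - C:\WINDOWS\system32\bievyeju.dll (file missing)
"""
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3c8217ae]
C:\WINDOWS\system32\vwodxgpq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM3fb12432]
C:\WINDOWS\system32\bthxeikd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-02 22:46 13529088 C:\WINDOWS\system32\NvCpl.dll
"""

HJT_BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
                        r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
STARTUPREG_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools"
                           r"\\msconfig\\startupreg\\(?P<key>[^\]]+)\]$")
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\.*$")
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")     # assumption: eight random lowercase letters
RANDOM_KEY_RE = re.compile(r"^(BM)?[0-9a-f]{8}$")  # assumption: bare hex key name, optional BM prefix

@dataclass
class Finding:
    source: str    # "bho" or "startupreg"
    ident: str     # BHO CLSID or startupreg key name
    path: str
    reasons: list

def suspicious_reasons(path, key=None, name=None, missing=False):
    """Heuristic checks (assumptions, not tool rules); an empty list means leave it alone."""
    reasons, lower = [], path.lower()
    base = path.rsplit("\\", 1)[-1]
    if "temporary internet files" in lower:
        reasons.append("loads from the browser cache")
    if RANDOM_DLL_RE.match(base) and "\\system32\\" in lower:
        reasons.append("random eight-letter DLL name in system32")
    if missing and name == "(no name)":
        reasons.append("orphaned nameless BHO (file missing)")
    if key and RANDOM_KEY_RE.match(key):
        reasons.append("random hex startupreg key name")
    return reasons

def parse_hjt_bhos(text):
    # Flagged O2 (BHO) entries from a HijackThis log.
    findings = []
    for line in text.splitlines():
        m = HJT_BHO_RE.match(line.strip())
        if not m:
            continue
        reasons = suspicious_reasons(m["path"], name=m["name"], missing=bool(m["missing"]))
        if reasons:
            findings.append(Finding("bho", m["clsid"], m["path"], reasons))
    return findings

def parse_combofix_startupreg(text):
    # Flagged msconfig\startupreg entries from a ComboFix log.
    findings, lines = [], [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = STARTUPREG_RE.match(line)
        if not m:
            continue
        # The value is the next non-empty line; ComboFix prefixes files it could
        # stat with attributes, date and size, so pull out only the drive path.
        value = next((ln for ln in lines[i + 1:] if ln), "")
        pm = DRIVE_PATH_RE.search(value)
        path = pm.group(0) if pm else ""
        reasons = suspicious_reasons(path, key=m["key"])
        if reasons:
            findings.append(Finding("startupreg", m["key"], path, reasons))
    return findings

def build_cfscript(findings):
    """Emit a CFScript in the File:: / Registry:: layout used in the reply above."""
    paths = list(dict.fromkeys(f.path for f in findings if f.path))
    out = ["File::", *paths, "", "Registry::"]
    for f in findings:
        if f.source == "bho":
            out.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{f.ident}]")
        else:
            out.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools"
                       f"\\msconfig\\startupreg\\{f.ident}]")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    found = parse_hjt_bhos(SAMPLE_HJT) + parse_combofix_startupreg(SAMPLE_COMBOFIX)
    for f in found:
        print(f"{f.source:<10} {f.ident:<40} {f.path}\n{'':<10} {'; '.join(f.reasons)}")
    print()
    print(build_cfscript(found), end="")
```

Run it as-is to see the four flagged entries from this thread and the generated script; to use it on another log, paste the O2 lines and the startupreg section into the two sample strings. The two legitimate entries produce no reasons and so never reach the CFScript, which is the check that matters most for a removal script that deletes files and registry keys.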

domcler
2008-06-19, 18:35
ComboFix 08-06-16.5 - Jared 2008-06-19 10:24:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1627 [GMT -6:00]
Running from: C:\Documents and Settings\Jared\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jared\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Jared\Local Settings\Temporary Internet Files\Content.IE5\M9R3D2QL\3077ahntdksr[1].dll
C:\WINDOWS\system32\bthxeikd.dll
C:\WINDOWS\system32\vwodxgpq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jared\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 )))))))))))))))))))))))))))))))
.

2008-06-18 20:12 . 2008-06-18 20:12 <DIR> d-------- C:\_OTMoveIt
2008-06-18 17:47 . 2008-06-18 17:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-18 17:47 . 2008-06-18 17:47 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\Malwarebytes
2008-06-18 17:47 . 2008-06-18 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-18 17:47 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-18 17:47 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-17 12:28 . 2008-04-13 12:45 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-17 12:28 . 2008-04-13 12:45 32,128 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-06-17 12:28 . 2008-04-13 12:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-06-17 12:28 . 2008-04-13 12:47 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-06-17 11:11 . 2008-06-18 15:09 731 --a------ C:\WINDOWS\wininit.ini
2008-06-17 10:29 . 2008-06-17 10:29 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-17 10:29 . 2008-06-17 10:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-16 16:15 . 2008-06-16 16:15 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-13 15:56 . 2008-06-16 15:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-13 15:51 . 2008-06-16 16:11 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-13 15:28 . 2008-06-16 15:34 <DIR> d-------- C:\Temp\DOWNLOAD
2008-06-13 15:24 . 2008-06-13 15:24 12,499 --a------ C:\WINDOWS\system32\Seagate.bin
2008-06-13 15:22 . 2008-06-16 14:17 <DIR> d-------- C:\Program Files\nbpro
2008-06-13 15:20 . 2008-06-13 15:24 <DIR> d-------- C:\Temp\nbpro
2008-06-13 14:49 . 2008-06-13 14:49 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-13 13:55 . 2008-06-13 13:55 25,418,114 --a------ C:\eFileCabinet.zip
2008-06-13 13:18 . 2008-06-13 13:18 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\Fujitsu
2008-06-13 13:10 . 2008-06-13 13:10 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-06-13 13:09 . 2008-06-13 13:28 <DIR> d-------- C:\Program Files\eFileCabinet
2008-06-13 13:09 . 2007-10-02 10:26 1,929,216 --a------ C:\WINDOWS\system32\cdintf250.dll
2008-06-13 13:03 . 2008-04-13 12:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-06-13 13:03 . 2008-04-13 12:45 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-06-13 13:02 . 2008-06-13 14:16 <DIR> d-------- C:\Program Files\fjtwain
2008-06-13 13:01 . 2008-06-13 13:01 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\InstallShield
2008-06-13 13:01 . 2005-09-27 07:07 40,960 --------- C:\WINDOWS\UninstOP.exe
2008-06-13 12:34 . 2008-06-13 17:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eFileCabinet
2008-06-13 12:32 . 2008-06-13 12:32 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
2008-06-13 12:32 . 2008-06-18 21:17 13,030 --a------ C:\PDOXUSRS.NET
2008-06-12 17:26 . 2008-06-12 17:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pdf995
2008-06-12 17:26 . 2008-06-12 17:26 118,784 --a------ C:\WINDOWS\system32\pdfmona.dll
2008-06-12 17:26 . 2008-06-12 17:26 51,716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-06-12 17:26 . 2008-06-12 17:26 115 --a------ C:\WINDOWS\wpd99.drv
2008-06-12 17:25 . 2008-06-12 17:26 <DIR> d-------- C:\pdf995
2008-06-12 16:18 . 2008-06-12 16:18 <DIR> d-------- C:\DRAKEDDM
2008-06-12 16:18 . 2008-06-12 16:18 <DIR> d-------- C:\DRAKE07
2008-06-12 13:50 . 2008-06-12 13:50 <DIR> d-------- C:\Program Files\Intuit
2008-06-12 13:50 . 2008-06-12 13:50 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-06-12 13:50 . 2008-06-12 13:50 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\Intuit
2008-06-12 13:47 . 2008-06-12 13:47 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17
2008-06-12 13:47 . 2006-04-12 10:11 1,933,312 --a------ C:\WINDOWS\system32\cdintf251.dll
2008-06-12 13:44 . 2008-06-18 20:03 <DIR> d-------- C:\QuickBooks 2007
2008-06-12 13:44 . 2008-06-12 13:45 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-06-12 13:44 . 2008-06-12 13:44 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-06-12 13:44 . 2008-06-12 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2008-06-12 13:04 . 2008-06-12 13:04 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-06-11 03:06 . 2008-06-11 03:06 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-06-10 21:15 . 2008-05-08 08:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-10 21:11 . 2008-04-14 06:30 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 00:09 . 2008-06-10 00:09 <DIR> d-------- C:\Documents and Settings\spencertax\Application Data\Logitech
2008-06-10 00:09 . 2008-06-10 00:09 <DIR> d-------- C:\Documents and Settings\spencertax
2008-06-10 00:03 . 2008-04-13 18:12 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2008-06-10 00:03 . 2008-04-13 18:12 295,424 --a--c--- C:\WINDOWS\system32\dllcache\termsrv.dll
2008-06-09 22:05 . 2005-09-01 12:03 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2008-06-09 22:05 . 2005-09-01 12:03 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2008-06-09 22:04 . 2004-07-26 17:16 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
2008-06-09 22:04 . 2004-07-26 17:16 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
2008-06-09 22:04 . 2004-07-26 17:16 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
2008-06-09 22:04 . 2004-07-09 09:43 364,544 --a------ C:\WINDOWS\system32\TwnLib4.dll
2008-06-09 22:04 . 2004-07-26 17:16 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
2008-06-09 22:04 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-06-09 21:46 . 2008-06-09 21:46 <DIR> d-------- C:\FileZilla FTP Client
2008-06-09 21:43 . 2008-06-09 23:26 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\FileZilla
2008-06-09 21:25 . 2008-06-09 21:44 <DIR> d-------- C:\temp2
2008-06-09 21:07 . 2008-06-09 21:26 <DIR> d-------- C:\Temp\windows sp3
2008-06-09 21:01 . 2008-06-09 21:01 <DIR> d-------- C:\Program Files\DVDFab 5
2008-06-09 21:01 . 2008-06-10 00:49 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\Vso
2008-06-09 21:01 . 2008-06-09 21:01 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-09 21:01 . 2008-06-09 21:01 47,360 --a------ C:\Documents and Settings\Jared\Application Data\pcouffin.sys
2008-06-09 19:38 . 2008-06-09 19:38 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-09 19:38 . 2008-06-09 19:38 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-09 19:38 . 2008-06-09 19:38 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-09 19:38 . 2008-06-09 19:38 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-09 19:37 . 2008-06-09 19:38 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-09 18:23 . 2008-06-09 18:48 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\HLSW
2008-06-09 17:30 . 2008-06-09 17:25 7,156,336 --a------ C:\Temp\DVDFab5030.exe
2008-06-09 17:04 . 2008-06-09 17:05 <DIR> d-------- C:\Program Files\Winamp
2008-06-09 17:04 . 2008-06-09 17:05 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\Winamp
2008-06-09 16:48 . 2008-04-24 01:08 2,464,595 --a------ C:\Temp\FileZilla_Server-0_9_25.exe
2008-06-09 16:29 . 2008-04-23 23:34 2,337,592 --a------ C:\Temp\WindowsXP-KB896256-v4-x86-ENU.exe
2008-06-09 16:28 . 2008-05-09 22:52 331,805,736 --a------ C:\Temp\WindowsXP-KB936929-SP3-x86-ENU.exe
2008-06-09 16:28 . 2008-04-19 23:08 8,990,072 --a------ C:\Temp\winamp5531_full_emusic-7plus_en-us.exe
2008-06-09 16:26 . 2008-05-06 23:44 4,293,724 --a------ C:\Temp\hlsw_1_2_1_2_setup.exe
2008-06-09 01:43 . 2008-06-12 11:02 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-09 01:43 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-06-08 23:38 . 2008-06-08 23:38 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-08 23:26 . 2007-01-01 20:03 40,960 -ra------ C:\WINDOWS\system32\psfind.dll
2008-06-08 01:45 . 2008-06-08 01:58 2,337 --a------ C:\WINDOWS\TGshell.MIF
2008-06-08 00:53 . 1996-09-11 08:33 48,640 --a------ C:\WINDOWS\system32\INETWH32.dll
2008-06-08 00:53 . 1997-07-06 09:14 28,160 --a------ C:\WINDOWS\SFMAN32.DLL
2008-06-08 00:53 . 1996-08-28 00:48 9,136 --a------ C:\WINDOWS\system32\INETWH16.DLL
2008-06-08 00:53 . 1996-08-28 00:48 4,528 --a------ C:\WINDOWS\system32\SETBROWS.EXE
2008-06-08 00:51 . 2008-06-09 23:26 <DIR> d-------- C:\Games
2008-06-08 00:51 . 2008-06-08 00:51 <DIR> d-------- C:\Documents and Settings\Jared\WINDOWS
2008-06-08 00:51 . 1996-11-06 06:56 300,032 --a------ C:\WINDOWS\unin0411.exe
2008-06-08 00:51 . 1996-11-05 16:13 299,008 --a------ C:\WINDOWS\uninst.exe
2008-06-06 21:45 . 2008-06-06 22:42 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-06 21:37 . 2005-01-11 17:32 68,608 -ra------ C:\WINDOWS\system32\drivers\nvraid.sys
2008-06-06 21:37 . 2005-01-11 17:32 17,408 --a------ C:\WINDOWS\system32\nvraiins.dll
2008-06-06 21:37 . 2005-01-11 17:32 17,408 -ra------ C:\WINDOWS\system32\nvraidco.dll
2008-06-06 17:24 . 2008-06-06 17:24 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\Zeon
2008-06-06 17:24 . 2008-06-18 18:17 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\ScanSoft
2008-06-06 11:48 . 2008-06-06 11:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Zeon
2008-06-06 11:48 . 2008-06-06 11:48 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-06-06 11:48 . 2008-06-06 11:48 <DIR> d-------- C:\PDF Create 4
2008-06-06 11:48 . 2008-06-06 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zeon
2008-06-06 11:47 . 2008-06-06 11:47 <DIR> d-------- C:\Program Files\ScanSoft
2008-06-06 11:47 . 2008-06-06 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-06-06 11:47 . 2008-06-06 11:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-06 11:47 . 2008-06-06 11:47 349 --a------ C:\WINDOWS\MAXLINK.INI
2008-06-06 11:46 . 2008-06-06 11:47 <DIR> d-------- C:\OmniPage16
2008-06-05 17:27 . 2008-06-13 18:28 58 --a------ C:\WINDOWS\sview.ini
2008-06-05 17:24 . 2008-06-05 17:24 <DIR> d-------- C:\Temp\Signature Custom Mill, Inc
2008-06-05 17:24 . 2008-06-05 17:25 <DIR> d-------- C:\Temp\Signature Concrete
2008-06-05 13:33 . 2008-06-05 13:33 <DIR> d-------- C:\Remote Access Viewer
2008-06-05 13:31 . 2008-06-03 15:02 1,165,296 --a------ C:\Temp\RemoteAccessViewer4.3.7.exe
2008-06-05 12:48 . 2001-07-06 06:41 569,344 -ra------ C:\WINDOWS\system32\imagr5.dll
2008-06-05 12:48 . 2001-07-06 04:44 544,768 -ra------ C:\WINDOWS\system32\imagx5.dll
2008-06-05 12:48 . 2001-07-06 10:24 283,920 -ra------ C:\WINDOWS\system32\ImagXpr5.dll
2008-06-05 12:48 . 2001-06-26 00:15 38,912 -ra------ C:\WINDOWS\system32\picn20.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 20:12 --------- d-----w C:\Program Files\SpeedFan
2008-06-13 19:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-10 02:40 507,904 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-06-07 03:34 8 ----a-w C:\DFIMB.DAT
2008-06-06 17:47 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-04 09:47 --------- d-----w C:\Documents and Settings\Jared\Application Data\Logitech
2008-05-04 09:31 --------- d-----w C:\Program Files\Logitech
2008-05-04 09:31 --------- d-----w C:\Program Files\Common Files\Logitech
2008-05-04 09:24 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-04 09:24 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-04 08:27 --------- d-----w C:\Program Files\Lavalys
2008-05-04 06:22 --------- d-----w C:\Program Files\Marvell
2008-05-04 06:19 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-05-04 06:19 --------- d-----w C:\Program Files\AvRack
2008-05-04 06:15 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-05-04 06:15 --------- d-----w C:\Program Files\Common Files\NVIDIA Shared
2008-05-04 06:02 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-30 23:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 11:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 11:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 11:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:43 9,728 ----a-w C:\WINDOWS\system32\comsdupd.exe
2008-04-13 18:43 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:28 2,940,928 ----a-w C:\WINDOWS\system32\wmploc.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:23 8,192 ----a-w C:\WINDOWS\system32\asferror.dll
2008-04-13 17:23 168,448 ----a-w C:\WINDOWS\system32\wmerror.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

------- Sigcheck -------

2008-05-04 02:33 506880 bbb128d4d36d82a3588de37966acdab0 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-06-09 20:40 507904 679a7259741f6a09994f02ce261b5f2e C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-18_20.32.49.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-19 02:28:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-19 16:20:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-19 16:20:48 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 18:12 15360]
"Hot Keyboard"="C:\Hot Keyboard Pro\HotKeyb.exe" [2007-04-05 23:56 992176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"FtLnSOP_setup"="C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe" [2007-03-07 18:24 212992]
"FJTWAIN Setup"="C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe" [2007-03-08 16:25 131072]
"FTPWRENV"="C:\WINDOWS\Twain_32\Fjscan32\FTPWREVT\FTPWREVT.exe" [2007-10-16 19:58 45056]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eFileCabinet Server.lnk - D:\eFileCabinet\eFileCabinet.exe [2008-06-13 14:01:11 2788352]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-05-04 03:31:50 434176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= IR41_32.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Database Server Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Database Server Manager.lnk
backup=C:\WINDOWS\pss\QuickBooks Database Server Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-16 16:15 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 16:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-02 22:46 13529088 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-02 22:46 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
--a------ 2004-10-07 17:53 131072 C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpAgent]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanSoft OmniPage 16-reminder]
--a------ 2007-07-20 09:50 328992 C:\OmniPage16\Ereg\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-01-11 17:31 73728 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-10-25 09:03 210472 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Games\\HLSW\\hlsw.exe"=
"C:\\QuickBooks 2007\\QBDBMgrN.exe"=
"D:\\eFileCabinet\\eFileCabinet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 17:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 17:16]
R2 FJTWMKSV;FJTWMKSV;C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe [2007-03-08 16:23]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;C:\WINDOWS\system32\Drivers\ousbehci.sys [2004-08-01 08:09]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2004-08-01 08:09]
S4 QuickBooksDB17;QuickBooksDB17;C:\QUICKB~1\QBDBMgrN.exe [2006-09-13 10:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f3d6fcf-18a1-11dd-b0b4-806d6172696f}]
\Shell\AutoRun\command - D:\SETUP.EXE /UPDATE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f3d6fd0-18a1-11dd-b0b4-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-19 10:25:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-19 10:27:42
ComboFix-quarantined-files.txt 2008-06-19 16:27:10
ComboFix2.txt 2008-06-19 02:33:00

Pre-Run: 115,222,298,624 bytes free
Post-Run: 115,207,618,560 bytes free

309 --- E O F --- 2008-06-13 09:00:43




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:28 AM, on 6/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe
C:\WINDOWS\Twain_32\Fjscan32\FTPWREVT\FTPWREVT.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
D:\eFileCabinet\eFileCabinet.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe /Station
O4 - HKLM\..\Run: [FTPWRENV] C:\WINDOWS\Twain_32\Fjscan32\FTPWREVT\FTPWREVT.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Hot Keyboard] C:\Hot Keyboard Pro\HotKeyb.exe -minimized
O4 - Global Startup: eFileCabinet Server.lnk = D:\eFileCabinet\eFileCabinet.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Assign &hot key - C:\Hot Keyboard Pro\IEScript.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209887910718
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FJTWMKSV - PFU LIMITED - C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 6494 bytes

ken545
2008-06-19, 18:52
Looking Good :bigthumb:

How are things running now?

domcler
2008-06-19, 19:30
Everything seems to be running normally now. Thank you so much for the help getting things cleaned up; I was not too thrilled with the idea of having to reformat this machine. Apparently I need to tighten up my system security a lot and use some better common sense online. :oops:

Now to find that donate button; a local computer repair shop would have charged a lot of money and handed me back a wiped computer.

ken545
2008-06-19, 19:37
That's great, glad things are running better for you. :bigthumb: If you look at the very top right of this thread you will see a DONATE link. Thanks for your offer; it goes to help keep us online.


Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard-earned dollars to buy a computer only to have some Miscreants, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Keep in mind, if you install some of these programs, that only ONE Anti Virus and only ONE Firewall are recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy, but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, and it will in no way interfere with IE; you can use them both.




I know this sounds corny, but keep in mind that after installing all these free programs the weakest link in the chain is the person sitting behind the monitor, so practice safe surfing: don't open attachments from emails or people you don't know. Stay out of porn sites; they're a hotbed of nasty infections. Don't download any cracked or illegal software; they all come with malware attached. Don't use any file sharing programs like Limewire and the like; you never know what's going to be attached to the music or video file you download. Don't download any registry cleaners or any programs that pop up offering you a free scan because they say you're infected; you're not, but you will be when you accept the scan. Be wary of a site asking you to download a codec to view the site properly; some are legit but some are not, so google the program first before you download it.



Safe Surfn
Ken

domcler
2008-06-19, 19:56
Is there anything I should do to "clean up" the programs used (ComboFix, OTMoveIt and such) or do I just delete the exe files? I assume I should also clear all the Windows restore points? Is there anything else I'm missing that could get me reinfected?

ken545
2008-06-19, 20:10
Yep, let's do this.

Malwarebytes is the free version and yours to keep, check for updates and run a scan once a week or so.

ATF Cleaner is also yours to keep; run it a few times a month to keep your system free of all the unneeded temp files and such.



Time for some housekeeping

Click START then RUN
Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, select "2".

The above procedure will:

Delete the following:
ComboFix and its associated files and folders
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

Take care,
Ken:)