Virtumonde Virus



SAN-y-T
2008-06-21, 02:02
My computer has been infected with the Virtumonde virus & possibly other nasties. Firefox is extremely slow in loading pages & I get adverts popping up including porn slides on web pages I know don't subscribe to that sort of thing!

I have run spybot many times & several others but ZoneAlarm still identifies this virus - just can't seem to get rid of it.

Any assistance is greatly appreciated.

Here is my hijackthis file for your review:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:43 AM, on 21/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mail Enable\Bin\MELSC.EXE
C:\Program Files\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\Mail Enable\Bin\MEPOC.EXE
C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Silicon Integrated Systems\RaidApplication\SRaid.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\1stClock\1stClock.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C39230B-0FBF-4F63-A584-DA2CA1E419D3} - C:\WINDOWS\system32\mlJDvTKe.dll (file missing)
O2 - BHO: (no name) - {1C4B6EDC-D71F-DBCB-4964-8A8DBA558FCD} - (no file)
O2 - BHO: (no name) - {2C333030-7271-488F-B5DF-16291CBD4698} - C:\WINDOWS\system32\fccaBTMg.dll (file missing)
O2 - BHO: (no name) - {48CE99E9-7275-79A5-7712-7DB2691C8599} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {681D2656-A00B-4BB4-89B1-0D1995BCD3E6} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7EC80294-4604-4E78-89AE-1B436BB94BDE} - C:\WINDOWS\system32\rqRkkLfe.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9C5D07BB-BE0B-C9FF-2890-B39EF83355BB} - (no file)
O2 - BHO: (no name) - {9E56571C-EDD8-B75C-81AD-E6ABA80253C0} - (no file)
O2 - BHO: (no name) - {9F4D5E69-BEFF-B626-A0AA-B6DEBFC20AC6} - (no file)
O2 - BHO: (no name) - {AAFDB894-B8E6-4AE2-A9A8-07B0EFD564AA} - C:\WINDOWS\system32\iiffCSkl.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B0293C4B-86DD-DB5E-8C78-8BADD89024C5} - (no file)
O2 - BHO: (no name) - {CDB1D92C-62E8-3E38-EE2B-3E7615185497} - (no file)
O2 - BHO: (no name) - {D648F87A-C344-4385-A03D-6A5C113273AF} - C:\WINDOWS\system32\tuvUOgee.dll (file missing)
O2 - BHO: (no name) - {E0786A4B-878D-DF52-DB78-8BADD8C87291} - (no file)
O2 - BHO: (no name) - {FA5373B3-2B1B-4318-A63D-86A796477B1F} - C:\WINDOWS\system32\ddcBQiih.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\RaidApplication\SRaid.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BM4f9dd23a] Rundll32.exe "C:\WINDOWS\system32\pnfmfopl.dll",s
O4 - HKCU\..\Run: [MRC] "C:\Program Files\PC Tune-Up\PCTuneUp.exe" /MBRSTART
O4 - HKCU\..\Policies\Explorer\Run: [{4CAEE109-0BB8-3081-0315-05071604003d}] "C:\Program Files\Common Files\{4CAEE109-0BB8-3081-0315-05071604003d}\Update.exe" mc-110-12-0001411
O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1stClock.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WPT Casino - {AEA41B74-B7C9-42B7-A684-4CE687B6BA76} - http://online.worldpokertour.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WPT Casino - {AEA41B74-B7C9-42B7-A684-4CE687B6BA76} - http://online.worldpokertour.com (file missing) (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119fd.bay119.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164707470031
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: hyperproduction - {9d19a1a9-3cdf-4f15-a5ca-ea3905febded} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - Unknown owner - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Documents and Settings\acacia\Desktop\Nick\Alcohol 52\StarWind\StarWindService.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11547 bytes

pskelley
2008-06-21, 21:00
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, so I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

You are still infected with Vundo and you are right, there may be more. My question is, I do not see an antivirus program running on the computer? It is cyber-suicide to go online without antivirus protection. If you need me to provide free programs, please make me aware. Once we take care of that issue we can go after the malware.

Thanks
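The way pskelley reads Vundo out of the log above (nameless BHOs, registered DLLs that have already been deleted, and a Run entry where rundll32 loads an eight-letter random DLL from system32) can be turned into a small triage script. This is an added example, not part of the thread or of HijackThis; the scoring thresholds and the looks_random heuristic are my own assumptions, and the sample lines are copied from the HijackThis log posted earlier in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines copied from the HijackThis log in this thread, with a
# few benign entries (Adobe, SoundMan, SiSPower) kept so the triage has
# something it should NOT flag.
SAMPLE_HJT_LINES = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C39230B-0FBF-4F63-A584-DA2CA1E419D3} - C:\WINDOWS\system32\mlJDvTKe.dll (file missing)
O2 - BHO: (no name) - {1C4B6EDC-D71F-DBCB-4964-8A8DBA558FCD} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [BM4f9dd23a] Rundll32.exe "C:\WINDOWS\system32\pnfmfopl.dll",s
O22 - SharedTaskScheduler: hyperproduction - {9d19a1a9-3cdf-4f15-a5ca-ea3905febded} - (no file)
""".strip().splitlines()

ORPHAN_MARKERS = ("(file missing)", "(no file)")
# An 8-character DLL living directly in system32, e.g. \system32\mlJDvTKe.dll
SYS32_DLL_RE = re.compile(r"[\\/]system32[\\/]([A-Za-z0-9]{8})\.dll", re.IGNORECASE)
SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Heuristic (assumption) for the pseudo-random 8-letter names Vundo uses.

    Flags a long run of consonants (pnfmfopl) or repeated lower->UPPER flips
    inside the name (mlJDvTKe); a vendor name like SiSPower passes.
    """
    run = longest = 0
    for ch in stem.lower():
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    case_flips = sum(1 for a, b in zip(stem, stem[1:]) if a.islower() and b.isupper())
    return longest >= 4 or case_flips >= 2


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        # Threshold is an assumption: two independent signals = likely malicious.
        return "likely malicious" if self.score >= 2 else "review"


def triage_line(line: str) -> Optional[Finding]:
    """Score one HijackThis line; return None when nothing is suspicious."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    f = Finding(line.strip())

    if any(marker in body for marker in ORPHAN_MARKERS):
        f.score += 1
        f.reasons.append("orphaned entry: registry still points at a file that is gone")
    if section == "O2" and body.startswith("BHO: (no name)"):
        f.score += 1
        f.reasons.append("browser helper object registered without a friendly name")

    dll = SYS32_DLL_RE.search(body)
    if dll and looks_random(dll.group(1)):
        f.score += 1
        f.reasons.append(f"pseudo-random 8-letter DLL in system32: {dll.group(1)}.dll")
    if section == "O4" and dll and re.search(r"rundll32", body, re.IGNORECASE):
        f.score += 1
        f.reasons.append("autorun uses rundll32 to load a DLL straight from system32")

    return f if f.score else None


def triage(lines) -> List[Finding]:
    """Run triage over a whole log and return findings, worst first."""
    findings = [f for f in map(triage_line, lines) if f is not None]
    return sorted(findings, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f"[{f.verdict()}] (score {f.score}) {f.line}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Feed it a whole saved HijackThis log with `triage(open(path).read().splitlines())`; anything in the "likely malicious" tier is what a helper would ask to be fixed first.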

SAN-y-T
2008-06-22, 03:41
Hi pskelley & thanks for your help.

I have ZoneAlarm by Checkpoint (legally purchased) so am confused as to why it doesn't show up?

If this is not a suitable anti-virus, please advise of one that is, I do not wish to be vulnerable!

Thanks again for your help :)

pskelley
2008-06-22, 10:27
Thanks for the feedback, you are telling me that this is your antivirus program as well as your firewall, correct:
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe

I apologize if this is the case, I have run ZA firewall for many years but I am not familiar with their antivirus protection. I suggest, as soon as possible, that you make sure the ZA antivirus protection is up to date and running correctly. We will proceed with the malware removal.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

SAN-y-T
2008-06-22, 11:08
Oh dear!!!

I waited till Notepad opened with the log so I can post it here but it still froze on me!

Now working off lappy because not sure what to do with computer in the state that it is in.

What should I do....I am so confused & concerned. Should I reboot? Please advise.....

pskelley
2008-06-22, 12:16
You can try that, once the computer is restarted, try running combofix in safe mode to see if that works.
http://spyware-free.us/tutorials/safemode/

Before you do that, look on the C:\ drive for the log from combofix, it might have been produced?

This is a nasty infection that really messes up your computer and it is not going to work right until we get the junk off of it.

If you want to see what the log will look like, there is a good example here in post #3: http://forums.spybot.info/showthread.php?t=29787

Thanks

SAN-y-T
2008-06-22, 13:06
Hey pskelley, I was lucky & as you suggested I did find a copy of the combofix log :)

I also encountered a pop-up stating a rundll error, I have saved a screen dump & have tried to attach it. Not sure if it has worked.


Here are my combofix & hjt logs:

ComboFix 08-06-20.4 - acacia 2008-06-22 18:34:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.378 [GMT 10:00]
Running from: C:\Documents and Settings\acacia\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\acacia\Application Data\CURITY~1
C:\Documents and Settings\acacia\Application Data\macromedia\Flash Player\#SharedObjects\L7LWGH9E\www.broadcaster.com
C:\Documents and Settings\acacia\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\acacia\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\acacia\Application Data\SCURIT~1
C:\Documents and Settings\acacia\Application Data\SEMBLY~1
C:\Documents and Settings\acacia\Application Data\YMANTE~1
C:\Documents and Settings\acacia\My Documents\CURITY~1
C:\Documents and Settings\acacia\My Documents\RACLE~1
C:\Documents and Settings\acacia\My Documents\STEM~1
C:\Documents and Settings\acacia\My Documents\WNSXS~1
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\scurit~1
C:\Program Files\Common Files\sstem~1
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\crosof~1
C:\Program Files\fnts~1
C:\Program Files\pppatc~1
C:\Program Files\ymbols~1
C:\WINDOWS\BM4f9dd23a.xml
C:\WINDOWS\crosof~1.net
C:\WINDOWS\ppatch~1
C:\WINDOWS\pskt.ini
C:\WINDOWS\sstem3~1
C:\WINDOWS\system32\archiitb.ini
C:\WINDOWS\system32\axpbylgl.ini
C:\WINDOWS\system32\cmbgeljj.ini
C:\WINDOWS\system32\eegOUvut.ini
C:\WINDOWS\system32\eegOUvut.ini2
C:\WINDOWS\system32\efLkkRqr.ini
C:\WINDOWS\system32\efLkkRqr.ini2
C:\WINDOWS\system32\eKTvDJlm.ini
C:\WINDOWS\system32\eKTvDJlm.ini2
C:\WINDOWS\system32\gMTBaccf.ini
C:\WINDOWS\system32\gMTBaccf.ini2
C:\WINDOWS\system32\hiiQBcdd.ini
C:\WINDOWS\system32\hiiQBcdd.ini2
C:\WINDOWS\system32\itdcxlxc.ini
C:\WINDOWS\system32\lkSCffii.ini
C:\WINDOWS\system32\lkSCffii.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\odarudti.ini
C:\WINDOWS\system32\upnmjkeu.ini
C:\WINDOWS\system32\vfiwompo.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
.

2010-07-24 23:19 . 2006-11-25 09:04 <DIR> d-------- C:\Program Files\Eset
2008-06-20 23:35 . 2008-06-20 23:35 <DIR> d-------- C:\VundoFix Backups
2008-06-19 18:30 . 2008-06-19 18:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-18 14:08 . 2008-06-20 17:04 847 --a------ C:\WINDOWS\wininit.ini
2008-06-18 13:13 . 2008-06-18 13:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-18 13:13 . 2008-06-18 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-14 23:28 . 2008-06-14 23:28 24,576 --a------ C:\WINDOWS\system32\geBtTMCu.dll.vir
2008-06-14 18:15 . 2008-06-20 18:34 <DIR> d-------- C:\Program Files\Advanced Diary
2008-06-14 18:15 . 2002-02-01 19:00 293,888 --a------ C:\WINDOWS\system32\midas.dll
2008-06-13 22:30 . 2007-09-04 18:53 <DIR> d-------- C:\Program Files\Premiership
2008-06-12 16:11 . 2008-06-20 22:48 <DIR> d-------- C:\Documents and Settings\acacia\Application Data\Sports Interactive
2008-06-11 10:42 . 2008-05-09 00:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-11 10:41 . 2008-06-13 21:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 11:48 . 2008-06-11 10:34 <DIR> d-------- C:\Program Files\1stClock
2008-06-06 18:01 . 2008-06-06 18:02 <DIR> d-------- C:\Program Files\iTunes
2008-06-06 18:01 . 2008-06-06 18:01 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-06 18:00 . 2008-06-06 18:00 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-06 18:00 . 2007-09-04 19:04 30,336 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-06-06 10:02 . 2008-06-06 10:02 <DIR> d-------- C:\Documents and Settings\acacia\Application Data\.thinkingrock
2008-06-06 10:01 . 2008-06-06 10:01 <DIR> d-------- C:\Program Files\TR-2.0.1
2008-06-05 23:56 . 2008-06-05 23:57 <DIR> d-------- C:\Program Files\SiS VGA Utilities V3.70
2008-06-05 23:56 . 2008-06-05 23:57 73,973 --a------ C:\WINDOWS\system32\VGAunistlog.ini
2008-06-05 23:45 . 2008-06-05 23:57 1 --a------ C:\WINDOWS\~sisRslt
2008-06-05 23:36 . 2008-06-05 23:36 <DIR> d-------- C:\temp\uni_vga
2008-06-05 23:36 . 2005-10-04 23:56 1,735,168 --a------ C:\WINDOWS\system32\sisgrv.dll
2008-06-05 23:36 . 2005-10-04 23:56 1,735,168 --a--c--- C:\WINDOWS\system32\dllcache\sisgrv.dll
2008-06-05 23:36 . 2005-10-04 12:01 1,570,489 --a------ C:\WINDOWS\system32\sisgl.dll
2008-06-05 23:36 . 2003-11-26 00:10 65,536 --a------ C:\WINDOWS\system32\sis760.bin
2008-06-05 23:36 . 2003-11-26 00:10 65,536 --a------ C:\WINDOWS\system32\sis741.bin
2008-06-05 23:36 . 2005-10-04 11:06 49,152 --a------ C:\WINDOWS\system32\sis660.bin
2008-06-05 23:36 . 2005-10-04 10:56 28,672 --a------ C:\WINDOWS\system32\SiSPInst.dll
2008-06-05 23:36 . 2005-10-04 18:32 12,032 --a------ C:\WINDOWS\system32\drivers\srvkp.sys
2008-06-05 22:54 . 2008-06-05 22:54 <DIR> d-------- C:\temp\sis180
2008-06-05 22:54 . 2008-06-05 23:57 <DIR> d-------- C:\Program Files\sisagp
2008-06-05 22:54 . 2001-03-30 22:58 135,168 --a------ C:\WINDOWS\system32\property.dll
2008-06-05 22:53 . 2008-06-05 22:53 <DIR> d-------- C:\temp\agp121
2008-06-05 22:53 . 2008-06-17 11:54 <DIR> d-------- C:\temp
2008-06-05 22:21 . 2008-06-05 22:21 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-05 22:12 . 2008-06-05 22:12 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-06-05 22:09 . 2008-06-05 22:11 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-05 22:07 . 2008-06-05 22:07 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-06-05 22:07 . 2008-06-05 22:07 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-06-05 22:05 . 2003-08-19 21:36 65,536 --a------ C:\WINDOWS\system32\Audio3D.dll
2008-06-05 22:05 . 2008-04-14 10:11 21,504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll
2008-06-05 21:31 . 2008-06-05 21:31 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-05 21:31 . 2008-06-05 21:31 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-05 21:31 . 2008-06-05 21:31 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-05 21:31 . 2008-06-05 21:31 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-05 21:27 . 2008-06-05 21:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-05 21:07 . 2008-04-14 10:12 69,120 --a------ C:\WINDOWS\system32\wlanapi.dll
2008-06-05 21:05 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-06-05 21:04 . 2008-04-14 10:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-06-05 20:28 . 2008-04-14 10:11 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-06-04 17:54 . 2008-06-04 17:55 <DIR> d-------- C:\WINDOWS\system32\Euro Football Pools Greece dir
2008-06-04 17:54 . 2008-06-04 17:54 201,728 --a------ C:\WINDOWS\system32\Euro Football Pools Greece.scr
2008-06-03 10:18 . 2008-06-03 10:18 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-06-03 10:17 . 2008-06-03 10:17 <DIR> d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-06-03 10:17 . 2008-06-03 10:17 <DIR> d--h----- C:\Program Files\CanonBJ
2008-06-03 10:17 . 2007-03-23 17:30 1,400,832 --a------ C:\WINDOWS\system32\CNC310C.DLL
2008-06-03 10:17 . 2007-03-19 11:39 200,704 --a------ C:\WINDOWS\system32\CNC310L.DLL
2008-06-03 10:17 . 2007-03-15 15:12 188,416 --a------ C:\WINDOWS\system32\CNC310O.DLL
2008-06-03 10:17 . 2007-03-23 17:29 98,304 --a------ C:\WINDOWS\system32\CNC310I.DLL
2008-06-02 21:33 . 2008-06-02 21:36 <DIR> d-------- C:\usb
2008-05-29 17:07 . 2008-06-18 22:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-29 17:07 . 2008-06-06 18:02 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-26 21:04 . 2008-05-26 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-05-26 19:41 . 2008-05-26 19:41 <DIR> d-------- C:\Program Files\VSO
2008-05-26 19:41 . 2004-05-04 12:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-05-26 19:41 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-05-26 19:41 . 2006-09-29 13:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-05-26 19:41 . 2006-09-29 13:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-05-26 19:41 . 2006-09-29 13:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-05-26 19:41 . 2007-03-18 21:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-05-26 19:03 . 2008-05-26 19:04 <DIR> d-------- C:\Documents and Settings\acacia\Application Data\ICAClient
2008-05-25 10:58 . 2008-05-25 10:58 <DIR> d-------- C:\Documents and Settings\acacia\Application Data\Thinstall
2008-05-24 13:37 . 2008-05-24 13:37 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\MailFrontier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 08:48 17,923,616 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-22 08:45 245,252 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-21 14:31 --------- d-----w C:\Program Files\LogMeIn
2008-06-21 14:24 --------- d-----w C:\Program Files\Full Tilt Poker
2008-06-20 11:57 --------- d-----w C:\Program Files\Java
2008-06-16 06:36 --------- d-----w C:\Documents and Settings\acacia\Application Data\uTorrent
2008-06-16 00:44 --------- d-----w C:\Program Files\PC Tune-Up
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 01:52 --------- d-----w C:\Documents and Settings\acacia\Application Data\Green Parrots Software
2008-06-09 09:08 --------- d-----w C:\Program Files\SpywareBlaster
2008-06-09 04:22 --------- d-----w C:\Documents and Settings\acacia\Application Data\Canon
2008-06-06 10:52 --------- d-----w C:\Documents and Settings\acacia\Application Data\Vso
2008-06-06 08:01 --------- d-----w C:\Program Files\iPod
2008-06-05 13:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-05 12:48 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-03 00:32 --------- d-----w C:\Program Files\Canon
2008-06-03 00:10 --------- d-----w C:\Program Files\NCH Swift Sound
2008-05-30 04:00 --------- d-----w C:\Program Files\Nokia
2008-05-30 04:00 --------- d-----w C:\Program Files\Google
2008-05-26 09:41 87,608 -c--a-w C:\Documents and Settings\acacia\Application Data\inst.exe
2008-05-26 09:41 47,360 -c--a-w C:\Documents and Settings\acacia\Application Data\pcouffin.sys
2008-05-26 09:41 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-21 23:15 --------- d-----w C:\Program Files\Windows Desktop Search
2008-05-21 13:05 --------- d-----w C:\Documents and Settings\acacia\Application Data\FusionDesk
2008-05-21 13:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-21 00:10 --------- d-----w C:\Program Files\WinAVI MP4 Converter
2008-05-19 06:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-05-16 16:30 --------- d-----w C:\Documents and Settings\acacia\Application Data\Nokia
2008-05-14 00:32 --------- d-----w C:\Documents and Settings\acacia\Application Data\AdobeUM
2008-05-12 13:51 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-10 05:47 --------- d-----w C:\Documents and Settings\acacia\Application Data\Media Player Classic
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-24 14:01 --------- d-----w C:\Program Files\ActionOutline
2008-04-22 14:14 --------- d-----w C:\Program Files\MSECache
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ------w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C39230B-0FBF-4F63-A584-DA2CA1E419D3}]
C:\WINDOWS\system32\mlJDvTKe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C4B6EDC-D71F-DBCB-4964-8A8DBA558FCD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C333030-7271-488F-B5DF-16291CBD4698}]
C:\WINDOWS\system32\fccaBTMg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48CE99E9-7275-79A5-7712-7DB2691C8599}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{681D2656-A00B-4BB4-89B1-0D1995BCD3E6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7EC80294-4604-4E78-89AE-1B436BB94BDE}]
C:\WINDOWS\system32\rqRkkLfe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C5D07BB-BE0B-C9FF-2890-B39EF83355BB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E56571C-EDD8-B75C-81AD-E6ABA80253C0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F4D5E69-BEFF-B626-A0AA-B6DEBFC20AC6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AAFDB894-B8E6-4AE2-A9A8-07B0EFD564AA}]
C:\WINDOWS\system32\iiffCSkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B0293C4B-86DD-DB5E-8C78-8BADD89024C5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CDB1D92C-62E8-3E38-EE2B-3E7615185497}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D648F87A-C344-4385-A03D-6A5C113273AF}]
C:\WINDOWS\system32\tuvUOgee.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0786A4B-878D-DF52-DB78-8BADD8C87291}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA5373B3-2B1B-4318-A63D-86A796477B1F}]
C:\WINDOWS\system32\ddcBQiih.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MRC"="C:\Program Files\PC Tune-Up\PCTuneUp.exe" [2007-10-12 17:57 2435072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 08:03 210472]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 11:02 79400]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 07:35 20480]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 22:11 919016]
"Cmaudio"="cmicnfg.cpl,CMICtrlWnd" []
"SiSRaid"="C:\Program Files\Silicon Integrated Systems\RaidApplication\SRaid.exe" [2005-05-18 14:44 905216]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 19:01 68096 C:\WINDOWS\SOUNDMAN.EXE]
"SiSPower"="SiSPower.dll" [2005-10-04 10:56 49152 C:\WINDOWS\system32\SiSPower.dll]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-01-28 11:43 5146448]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"BM4f9dd23a"="C:\WINDOWS\system32\pnfmfopl.dll" [ ]

C:\Documents and Settings\acacia\Start Menu\Programs\Startup\
1st Clock.lnk - C:\Program Files\1stClock\1stClock.exe [4/17/2000 11:25:50 PM 829440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [6/5/2008 11:57:06 PM 262144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{4CAEE109-0BB8-3081-0315-05071604003d}"= "C:\Program Files\Common Files\{4CAEE109-0BB8-3081-0315-05071604003d}\Update.exe" mc-110-12-0001411

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2008-04-30 18:08 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.fraunhoferacm"= l3codecp.acm
"MSACM.CEGSM"= mobilev.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
"CanonSolutionMenu"=C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
"BM4f9dd23a"=Rundll32.exe "C:\WINDOWS\system32\pnfmfopl.dll",s
"4caee1a6"=rundll32.exe "C:\WINDOWS\system32\uekjmnpu.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12053:TCP"= 12053:TCP:UTorrent - port
"12053:UDP"= 12053:UDP:UTorrent

R0 ppa;Iomega Parallel Port Filter Driver;C:\WINDOWS\system32\DRIVERS\ppa.sys [2001-08-17 13:53]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 15:31]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 13:39]
R2 MELCS;MailEnable List Connector;C:\Program Files\Mail Enable\Bin\MELSC.EXE [2005-07-08 12:19]
R2 MEMTAS;MailEnable Mail Transfer Agent;C:\Program Files\Mail Enable\Bin\MEMTA.EXE [2005-07-08 12:19]
R2 MEPOCS;MailEnable Postoffice Connector;C:\Program Files\Mail Enable\Bin\MEPOC.EXE [2005-07-08 12:19]
R2 MEPOPS;MailEnable POP Service;C:\Program Files\Mail Enable\Bin\MEPOPS.EXE [2005-10-24 10:46]
R2 MESMTPCS;MailEnable SMTP Connector;C:\Program Files\Mail Enable\Bin\MESMTPC.EXE [2005-07-14 09:34]
S3 DFE528TX;D-Link DFE-528TX PCI Adapter;C:\WINDOWS\system32\DRIVERS\DLKRTL.SYS [2002-06-24 14:30]
S3 USB_RNDIS;NetComm NB5 USB;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-14 04:56]
S3 W35UND;IS89C35 802.11bg WLAN USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\W35UND.SYS [2006-09-12 16:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d10e5de-1069-11da-8935-000fead611c1}]
\Shell\AutoRun\command - F:\setupSNK.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CF27C812-0CA0-11d4-A672-00605205B0B3}]
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\1stcllt.inf,ACL.Install.PerUser.NT
.
Contents of the 'Scheduled Tasks' folder
"2008-06-16 07:54:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 18:48:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
.
**************************************************************************
.
Completion time: 2008-06-22 18:52:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-22 08:52:24

Pre-Run: 10,612,695,040 bytes free
Post-Run: 10,694,918,144 bytes free

306 --- E O F --- 2008-06-21 04:18:48




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:44 PM, on 22/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mail Enable\Bin\MELSC.EXE
C:\Program Files\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Mail Enable\Bin\MEPOC.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
C:\Program Files\Silicon Integrated Systems\RaidApplication\SRaid.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\1stClock\1stClock.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C39230B-0FBF-4F63-A584-DA2CA1E419D3} - C:\WINDOWS\system32\mlJDvTKe.dll (file missing)
O2 - BHO: (no name) - {1C4B6EDC-D71F-DBCB-4964-8A8DBA558FCD} - (no file)
O2 - BHO: (no name) - {2C333030-7271-488F-B5DF-16291CBD4698} - C:\WINDOWS\system32\fccaBTMg.dll (file missing)
O2 - BHO: (no name) - {48CE99E9-7275-79A5-7712-7DB2691C8599} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {681D2656-A00B-4BB4-89B1-0D1995BCD3E6} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7EC80294-4604-4E78-89AE-1B436BB94BDE} - C:\WINDOWS\system32\rqRkkLfe.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9C5D07BB-BE0B-C9FF-2890-B39EF83355BB} - (no file)
O2 - BHO: (no name) - {9E56571C-EDD8-B75C-81AD-E6ABA80253C0} - (no file)
O2 - BHO: (no name) - {9F4D5E69-BEFF-B626-A0AA-B6DEBFC20AC6} - (no file)
O2 - BHO: (no name) - {AAFDB894-B8E6-4AE2-A9A8-07B0EFD564AA} - C:\WINDOWS\system32\iiffCSkl.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B0293C4B-86DD-DB5E-8C78-8BADD89024C5} - (no file)
O2 - BHO: (no name) - {CDB1D92C-62E8-3E38-EE2B-3E7615185497} - (no file)
O2 - BHO: (no name) - {D648F87A-C344-4385-A03D-6A5C113273AF} - C:\WINDOWS\system32\tuvUOgee.dll (file missing)
O2 - BHO: (no name) - {E0786A4B-878D-DF52-DB78-8BADD8C87291} - (no file)
O2 - BHO: (no name) - {FA5373B3-2B1B-4318-A63D-86A796477B1F} - C:\WINDOWS\system32\ddcBQiih.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\RaidApplication\SRaid.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BM4f9dd23a] Rundll32.exe "C:\WINDOWS\system32\pnfmfopl.dll",s
O4 - HKCU\..\Run: [MRC] "C:\Program Files\PC Tune-Up\PCTuneUp.exe" /MBRSTART
O4 - HKCU\..\Policies\Explorer\Run: [{4CAEE109-0BB8-3081-0315-05071604003d}] "C:\Program Files\Common Files\{4CAEE109-0BB8-3081-0315-05071604003d}\Update.exe" mc-110-12-0001411
O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1stClock.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WPT Casino - {AEA41B74-B7C9-42B7-A684-4CE687B6BA76} - http://online.worldpokertour.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WPT Casino - {AEA41B74-B7C9-42B7-A684-4CE687B6BA76} - http://online.worldpokertour.com (file missing) (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119fd.bay119.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164707470031
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: hyperproduction - {9d19a1a9-3cdf-4f15-a5ca-ea3905febded} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - Unknown owner - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Documents and Settings\acacia\Desktop\Nick\Alcohol 52\StarWind\StarWindService.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11493 bytes

pskelley
2008-06-22, 13:48
Thanks for returning the information I requested. Please read and follow the directions carefully and in the numbered order.

I also encountered a pop-up stating a rundll error, I have saved a screen dump & have tried to attach it. Not sure if it has worked.
Post only what I ask for...

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

(follow the CFScript directions very carefully)

3) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\pnfmfopl.dll
C:\WINDOWS\system32\geBtTMCu.dll.vir

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C39230B-0FBF-4F63-A584-DA2CA1E419D3}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C4B6EDC-D71F-DBCB-4964-8A8DBA558FCD}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C333030-7271-488F-B5DF-16291CBD4698}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48CE99E9-7275-79A5-7712-7DB2691C8599}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{681D2656-A00B-4BB4-89B1-0D1995BCD3E6}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7EC80294-4604-4E78-89AE-1B436BB94BDE}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C5D07BB-BE0B-C9FF-2890-B39EF83355BB}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E56571C-EDD8-B75C-81AD-E6ABA80253C0}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F4D5E69-BEFF-B626-A0AA-B6DEBFC20AC6}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AAFDB894-B8E6-4AE2-A9A8-07B0EFD564AA}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B0293C4B-86DD-DB5E-8C78-8BADD89024C5}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CDB1D92C-62E8-3E38-EE2B-3E7615185497}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D648F87A-C344-4385-A03D-6A5C113273AF}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0786A4B-878D-DF52-DB78-8BADD8C87291}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA5373B3-2B1B-4318-A63D-86A796477B1F}]

Folder::
C:\VundoFix Backups

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(some items may be gone, removed by CFScript)

O2 - BHO: (no name) - {0C39230B-0FBF-4F63-A584-DA2CA1E419D3} - C:\WINDOWS\system32\mlJDvTKe.dll (file missing)
O2 - BHO: (no name) - {1C4B6EDC-D71F-DBCB-4964-8A8DBA558FCD} - (no file)
O2 - BHO: (no name) - {2C333030-7271-488F-B5DF-16291CBD4698} - C:\WINDOWS\system32\fccaBTMg.dll (file missing)
O2 - BHO: (no name) - {48CE99E9-7275-79A5-7712-7DB2691C8599} - (no file)
O2 - BHO: (no name) - {681D2656-A00B-4BB4-89B1-0D1995BCD3E6} - (no file)
O2 - BHO: (no name) - {7EC80294-4604-4E78-89AE-1B436BB94BDE} - C:\WINDOWS\system32\rqRkkLfe.dll (file missing)
O2 - BHO: (no name) - {9C5D07BB-BE0B-C9FF-2890-B39EF83355BB} - (no file)
O2 - BHO: (no name) - {9E56571C-EDD8-B75C-81AD-E6ABA80253C0} - (no file)
O2 - BHO: (no name) - {9F4D5E69-BEFF-B626-A0AA-B6DEBFC20AC6} - (no file)
O2 - BHO: (no name) - {AAFDB894-B8E6-4AE2-A9A8-07B0EFD564AA} - C:\WINDOWS\system32\iiffCSkl.dll (file missing)
O2 - BHO: (no name) - {B0293C4B-86DD-DB5E-8C78-8BADD89024C5} - (no file)
O2 - BHO: (no name) - {CDB1D92C-62E8-3E38-EE2B-3E7615185497} - (no file)
O2 - BHO: (no name) - {D648F87A-C344-4385-A03D-6A5C113273AF} - C:\WINDOWS\system32\tuvUOgee.dll (file missing)
O2 - BHO: (no name) - {E0786A4B-878D-DF52-DB78-8BADD8C87291} - (no file)
O2 - BHO: (no name) - {FA5373B3-2B1B-4318-A63D-86A796477B1F} - C:\WINDOWS\system32\ddcBQiih.dll (file missing)
O4 - HKLM\..\Run: [BM4f9dd23a] Rundll32.exe "C:\WINDOWS\system32\pnfmfopl.dll",s
O4 - HKCU\..\Policies\Explorer\Run: [{4CAEE109-0BB8-3081-0315-05071604003d}] "C:\Program Files\Common Files\{4CAEE109-0BB8-3081-0315-05071604003d}\Update.exe" mc-110-12-0001411
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: WPT Casino - {AEA41B74-B7C9-42B7-A684-4CE687B6BA76} - http://online.worldpokertour.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WPT Casino - {AEA41B74-B7C9-42B7-A684-4CE687B6BA76} - http://online.worldpokertour.com (file missing) (HKCU)
O22 - SharedTaskScheduler: hyperproduction - {9d19a1a9-3cdf-4f15-a5ca-ea3905febded} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the combofix log from CFScript, a new HJT log and some feedback from you. How is the computer running now?

Thanks
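
Steps 3 and 4 above amount to a manual triage of the HijackThis log: every O2 BHO with no name and no file on disk, the O4 Run entry that loads a random-name DLL through Rundll32, and the orphaned O22 entry were picked out by hand, and the BHO CLSIDs were then turned into the Registry:: list of the CFScript. The script below is an added example for this thread, not a tool from the thread or from the HijackThis or ComboFix authors. It applies those same checks to log lines copied from the log posted above and emits a CFScript-shaped listing in the File::/Registry:: form the post uses. The regular expressions and the "eight lowercase letters plus a one-letter export" rule for the Rundll32 entry are my assumptions about the log format, not anything HijackThis or ComboFix define.

```python
"""Triage helper for HijackThis log lines (added example for this thread).

Flags the entry shapes the helper singled out above: orphaned O2 BHOs,
O4 Run entries where Rundll32 loads a random-name DLL, and O22 entries
with no file. The naming heuristic is an assumption, not a HijackThis rule.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: these lines are copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C39230B-0FBF-4F63-A584-DA2CA1E419D3} - C:\WINDOWS\system32\mlJDvTKe.dll (file missing)
O2 - BHO: (no name) - {1C4B6EDC-D71F-DBCB-4964-8A8DBA558FCD} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [BM4f9dd23a] Rundll32.exe "C:\WINDOWS\system32\pnfmfopl.dll",s
O22 - SharedTaskScheduler: hyperproduction - {9d19a1a9-3cdf-4f15-a5ca-ea3905febded} - (no file)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

# Line shapes as they appear in a HijackThis v2 log (assumed from the log above).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<entry>[^\]]+)\] (?P<cmd>.*)$")
O22_RE = re.compile(r"^O22 - SharedTaskScheduler: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
# Rundll32 <dll>,<export>, with or without quotes and the .exe suffix.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)$', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str
    clsid: Optional[str] = None   # set for O2 / O22 entries
    file: Optional[str] = None    # set for O4 entries that name a DLL on disk


def _random_stem(path: str) -> bool:
    """Heuristic (assumption): eight lowercase letters, like pnfmfopl.dll in the log."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return len(stem) == 8 and stem.isalpha() and stem.islower()


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that match the shapes the helper removed by hand."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            orphan = m["path"] == "(no file)" or m["path"].endswith("(file missing)")
            if m["name"] == "(no name)" and orphan:
                findings.append(Finding(line, "orphaned BHO: no name and no file on disk", clsid=m["clsid"]))
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m["cmd"])
            if r and _random_stem(r["dll"]) and len(r["export"]) == 1:
                findings.append(Finding(line, "Rundll32 loads a random-name DLL with a one-letter export", file=r["dll"]))
            continue
        m = O22_RE.match(line)
        if m and m["path"] == "(no file)":
            findings.append(Finding(line, "SharedTaskScheduler entry with no file on disk", clsid=m["clsid"]))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Emit a File::/Registry:: listing in the layout the post's CFScript uses.

    Only O2 BHO CLSIDs go under Registry::, mirroring the script above; the
    O22 entry is left for the HijackThis 'Fix Checked' step, as in the post.
    """
    files = sorted({f.file for f in findings if f.file})
    keys = sorted({f.clsid for f in findings if f.clsid and f.line.startswith("O2 ")})
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if keys:
        parts.append("Registry::\n" + "\n\n".join(
            "[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{%s}]" % k for k in keys))
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.reason}: {f.line}")
    print()
    print(build_cfscript(results))
```

Running the file prints the four flagged lines from the sample (two orphaned BHOs, the BM4f9dd23a Rundll32 entry and the hyperproduction O22 entry) and a CFScript fragment with one File:: path and two Registry:: keys; the Adobe, Java, SoundMan and SiSPower lines pass untouched. On a real log the output is a starting point for review, not something to run blind: a legitimate product with a missing file looks the same to the regex as leftover adware.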

SAN-y-T
2008-06-22, 16:01
Computer & internet running better already...:)

:oops: I can't seem to locate the saved cfscript log...where do I look for it because I know I saved it???

Sorry for my inadequacies...just a little comp illiterate :red:

Here is a fresh log of hjt for your review:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:25 PM, on 22/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mail Enable\Bin\MELSC.EXE
C:\Program Files\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\Mail Enable\Bin\MEPOC.EXE
C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Silicon Integrated Systems\RaidApplication\SRaid.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\sistray.exe
C:\Program Files\1stClock\1stClock.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\RaidApplication\SRaid.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BM4f9dd23a] Rundll32.exe "C:\WINDOWS\system32\pnfmfopl.dll",s
O4 - HKCU\..\Run: [MRC] "C:\Program Files\PC Tune-Up\PCTuneUp.exe" /MBRSTART
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1stClock.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119fd.bay119.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164707470031
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - Unknown owner - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Documents and Settings\acacia\Desktop\Nick\Alcohol 52\StarWind\StarWindService.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9451 bytes

pskelley
2008-06-22, 16:54
Should be in the same place on the C:\
post it as soon as you find it.
Thanks

SAN-y-T
2008-06-22, 17:22
Hope this is it:red:

ComboFix 08-06-20.4 - acacia 2008-06-22 23:12:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.358 [GMT 10:00]
Running from: C:\Documents and Settings\acacia\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\acacia\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\geBtTMCu.dll.vir
C:\WINDOWS\system32\pnfmfopl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\acacia\Application Data\inst.exe
C:\VundoFix Backups
C:\WINDOWS\system32\geBtTMCu.dll.vir

.
((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
.

2010-07-24 23:19 . 2006-11-25 09:04 <DIR> d-------- C:\Program Files\Eset
2008-06-19 18:30 . 2008-06-19 18:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-18 14:08 . 2008-06-20 17:04 847 --a------ C:\WINDOWS\wininit.ini
2008-06-18 13:13 . 2008-06-18 13:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-18 13:13 . 2008-06-18 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-14 18:15 . 2008-06-20 18:34 <DIR> d-------- C:\Program Files\Advanced Diary
2008-06-14 18:15 . 2002-02-01 19:00 293,888 --a------ C:\WINDOWS\system32\midas.dll
2008-06-13 22:30 . 2007-09-04 18:53 <DIR> d-------- C:\Program Files\Premiership
2008-06-12 16:11 . 2008-06-20 22:48 <DIR> d-------- C:\Documents and Settings\acacia\Application Data\Sports Interactive
2008-06-11 10:42 . 2008-05-09 00:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-11 10:41 . 2008-06-13 21:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 11:48 . 2008-06-11 10:34 <DIR> d-------- C:\Program Files\1stClock
2008-06-06 18:01 . 2008-06-06 18:02 <DIR> d-------- C:\Program Files\iTunes
2008-06-06 18:01 . 2008-06-06 18:01 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-06 18:00 . 2008-06-06 18:00 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-06 18:00 . 2007-09-04 19:04 30,336 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-06-06 10:02 . 2008-06-06 10:02 <DIR> d-------- C:\Documents and Settings\acacia\Application Data\.thinkingrock
2008-06-06 10:01 . 2008-06-06 10:01 <DIR> d-------- C:\Program Files\TR-2.0.1
2008-06-05 23:56 . 2008-06-05 23:57 <DIR> d-------- C:\Program Files\SiS VGA Utilities V3.70
2008-06-05 23:56 . 2008-06-05 23:57 73,973 --a------ C:\WINDOWS\system32\VGAunistlog.ini
2008-06-05 23:45 . 2008-06-05 23:57 1 --a------ C:\WINDOWS\~sisRslt
2008-06-05 23:36 . 2008-06-05 23:36 <DIR> d-------- C:\temp\uni_vga
2008-06-05 23:36 . 2005-10-04 23:56 1,735,168 --a------ C:\WINDOWS\system32\sisgrv.dll
2008-06-05 23:36 . 2005-10-04 23:56 1,735,168 --a--c--- C:\WINDOWS\system32\dllcache\sisgrv.dll
2008-06-05 23:36 . 2005-10-04 12:01 1,570,489 --a------ C:\WINDOWS\system32\sisgl.dll
2008-06-05 23:36 . 2003-11-26 00:10 65,536 --a------ C:\WINDOWS\system32\sis760.bin
2008-06-05 23:36 . 2003-11-26 00:10 65,536 --a------ C:\WINDOWS\system32\sis741.bin
2008-06-05 23:36 . 2005-10-04 11:06 49,152 --a------ C:\WINDOWS\system32\sis660.bin
2008-06-05 23:36 . 2005-10-04 10:56 28,672 --a------ C:\WINDOWS\system32\SiSPInst.dll
2008-06-05 23:36 . 2005-10-04 18:32 12,032 --a------ C:\WINDOWS\system32\drivers\srvkp.sys
2008-06-05 22:54 . 2008-06-05 22:54 <DIR> d-------- C:\temp\sis180
2008-06-05 22:54 . 2008-06-05 23:57 <DIR> d-------- C:\Program Files\sisagp
2008-06-05 22:54 . 2001-03-30 22:58 135,168 --a------ C:\WINDOWS\system32\property.dll
2008-06-05 22:53 . 2008-06-05 22:53 <DIR> d-------- C:\temp\agp121
2008-06-05 22:53 . 2008-06-17 11:54 <DIR> d-------- C:\temp
2008-06-05 22:21 . 2008-06-05 22:21 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-05 22:12 . 2008-06-05 22:12 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-06-05 22:09 . 2008-06-05 22:11 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-05 22:07 . 2008-06-05 22:07 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-06-05 22:07 . 2008-06-05 22:07 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-06-05 22:05 . 2003-08-19 21:36 65,536 --a------ C:\WINDOWS\system32\Audio3D.dll
2008-06-05 22:05 . 2008-04-14 10:11 21,504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll
2008-06-05 21:31 . 2008-06-05 21:31 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-05 21:31 . 2008-06-05 21:31 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-05 21:31 . 2008-06-05 21:31 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-05 21:31 . 2008-06-05 21:31 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-05 21:27 . 2008-06-05 21:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-05 21:07 . 2008-04-14 10:12 69,120 --a------ C:\WINDOWS\system32\wlanapi.dll
2008-06-05 21:05 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-06-05 21:04 . 2008-04-14 10:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-06-05 20:28 . 2008-04-14 10:11 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-06-04 17:54 . 2008-06-04 17:55 <DIR> d-------- C:\WINDOWS\system32\Euro Football Pools Greece dir
2008-06-04 17:54 . 2008-06-04 17:54 201,728 --a------ C:\WINDOWS\system32\Euro Football Pools Greece.scr
2008-06-03 10:18 . 2008-06-03 10:18 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-06-03 10:17 . 2008-06-03 10:17 <DIR> d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-06-03 10:17 . 2008-06-03 10:17 <DIR> d--h----- C:\Program Files\CanonBJ
2008-06-03 10:17 . 2007-03-23 17:30 1,400,832 --a------ C:\WINDOWS\system32\CNC310C.DLL
2008-06-03 10:17 . 2007-03-19 11:39 200,704 --a------ C:\WINDOWS\system32\CNC310L.DLL
2008-06-03 10:17 . 2007-03-15 15:12 188,416 --a------ C:\WINDOWS\system32\CNC310O.DLL
2008-06-03 10:17 . 2007-03-23 17:29 98,304 --a------ C:\WINDOWS\system32\CNC310I.DLL
2008-06-02 21:33 . 2008-06-02 21:36 <DIR> d-------- C:\usb
2008-05-29 17:07 . 2008-06-18 22:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-29 17:07 . 2008-06-06 18:02 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-26 21:04 . 2008-05-26 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-05-26 19:41 . 2008-05-26 19:41 <DIR> d-------- C:\Program Files\VSO
2008-05-26 19:41 . 2004-05-04 12:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-05-26 19:41 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-05-26 19:41 . 2006-09-29 13:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-05-26 19:41 . 2006-09-29 13:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-05-26 19:41 . 2006-09-29 13:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-05-26 19:41 . 2007-03-18 21:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-05-26 19:03 . 2008-05-26 19:04 <DIR> d-------- C:\Documents and Settings\acacia\Application Data\ICAClient
2008-05-25 10:58 . 2008-05-25 10:58 <DIR> d-------- C:\Documents and Settings\acacia\Application Data\Thinstall
2008-05-24 13:37 . 2008-05-24 13:37 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\MailFrontier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 13:18 17,975,584 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-22 08:46 10,477,658 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-22 08:45 245,252 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-21 14:31 --------- d-----w C:\Program Files\LogMeIn
2008-06-21 14:24 --------- d-----w C:\Program Files\Full Tilt Poker
2008-06-20 13:45 3,181,056 ----a-w C:\WINDOWS\Internet Logs\xDB2E.tmp
2008-06-20 11:57 --------- d-----w C:\Program Files\Java
2008-06-19 14:33 2,688,512 ----a-w C:\WINDOWS\Internet Logs\xDB2D.tmp
2008-06-16 06:36 --------- d-----w C:\Documents and Settings\acacia\Application Data\uTorrent
2008-06-16 00:44 --------- d-----w C:\Program Files\PC Tune-Up
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 01:52 --------- d-----w C:\Documents and Settings\acacia\Application Data\Green Parrots Software
2008-06-09 09:08 --------- d-----w C:\Program Files\SpywareBlaster
2008-06-09 04:22 --------- d-----w C:\Documents and Settings\acacia\Application Data\Canon
2008-06-06 10:52 --------- d-----w C:\Documents and Settings\acacia\Application Data\Vso
2008-06-06 08:01 --------- d-----w C:\Program Files\iPod
2008-06-05 13:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-05 12:48 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-03 00:32 --------- d-----w C:\Program Files\Canon
2008-06-03 00:10 --------- d-----w C:\Program Files\NCH Swift Sound
2008-05-30 04:00 --------- d-----w C:\Program Files\Nokia
2008-05-30 04:00 --------- d-----w C:\Program Files\Google
2008-05-29 14:51 1,217,024 ----a-w C:\WINDOWS\Internet Logs\xDB2C.tmp
2008-05-26 09:41 47,360 -c--a-w C:\Documents and Settings\acacia\Application Data\pcouffin.sys
2008-05-26 09:41 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-21 23:15 --------- d-----w C:\Program Files\Windows Desktop Search
2008-05-21 13:05 --------- d-----w C:\Documents and Settings\acacia\Application Data\FusionDesk
2008-05-21 13:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-21 00:10 --------- d-----w C:\Program Files\WinAVI MP4 Converter
2008-05-19 10:52 54,755 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_05_19_18_14_59_small.dmp.zip
2008-05-19 06:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-05-16 16:30 --------- d-----w C:\Documents and Settings\acacia\Application Data\Nokia
2008-05-15 14:48 210,944 ----a-w C:\WINDOWS\Internet Logs\xDB14B.tmp
2008-05-14 00:32 --------- d-----w C:\Documents and Settings\acacia\Application Data\AdobeUM
2008-05-12 15:38 296,960 ----a-w C:\WINDOWS\Internet Logs\xDB2B.tmp
2008-05-12 13:51 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-10 05:47 --------- d-----w C:\Documents and Settings\acacia\Application Data\Media Player Classic
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 01:50 287,232 ----a-w C:\WINDOWS\Internet Logs\xDB2A.tmp
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-04 15:10 766,464 ----a-w C:\WINDOWS\Internet Logs\xDB29.tmp
2008-04-30 08:08 87,352 ----a-w C:\WINDOWS\system32\LMIinit.dll
2008-04-30 08:08 83,288 ----a-w C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-04-30 08:08 24,608 ----a-w C:\WINDOWS\system32\LMIport.dll
2008-04-30 08:08 23,736 ----a-w C:\WINDOWS\system32\lmimirr.dll
2008-04-30 08:08 10,040 ----a-w C:\WINDOWS\system32\lmimirr2.dll
2008-04-24 15:59 169,984 ----a-w C:\WINDOWS\Internet Logs\xDB28.tmp
2008-04-24 14:01 --------- d-----w C:\Program Files\ActionOutline
2008-04-23 15:16 1,910,784 ----a-w C:\WINDOWS\Internet Logs\xDB27.tmp
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-22 14:14 --------- d-----w C:\Program Files\MSECache
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 00:10 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-13 19:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-13 19:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:43 9,728 ----a-w C:\WINDOWS\system32\comsdupd.exe
2008-04-13 18:43 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
2008-04-07 13:02 1,361,920 ----a-w C:\WINDOWS\Internet Logs\xDB26.tmp
2008-03-30 23:59 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-30 14:07 583,168 ----a-w C:\WINDOWS\Internet Logs\xDB25.tmp
2008-03-27 22:02 614,912 ----a-w C:\WINDOWS\Internet Logs\xDB23.tmp
2008-03-27 22:02 2,513,408 ----a-w C:\WINDOWS\Internet Logs\xDB24.tmp
2008-03-27 04:21 43,733 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_03_27_12_41_32_small.dmp.zip
2008-03-26 22:02 440,320 ----a-w C:\WINDOWS\Internet Logs\xDB22.tmp
2008-03-23 16:35 123,392 ----a-w C:\WINDOWS\Internet Logs\xDB21.tmp
.

((((((((((((((((((((((((((((( snapshot@2008-06-22_18.52.05.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-22 08:46:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-22 10:44:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-22 08:48:44 623,544 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-06-22 11:43:59 623,656 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-06-22 08:35:00 18,510,848 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
+ 2008-06-22 13:12:42 18,512,384 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MRC"="C:\Program Files\PC Tune-Up\PCTuneUp.exe" [2007-10-12 17:57 2435072]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-04 07:42 401491]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 08:03 210472]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 11:02 79400]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 07:35 20480]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 22:11 919016]
"Cmaudio"="cmicnfg.cpl,CMICtrlWnd" []
"SiSRaid"="C:\Program Files\Silicon Integrated Systems\RaidApplication\SRaid.exe" [2005-05-18 14:44 905216]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 19:01 68096 C:\WINDOWS\SOUNDMAN.EXE]
"SiSPower"="SiSPower.dll" [2005-10-04 10:56 49152 C:\WINDOWS\system32\SiSPower.dll]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-01-28 11:43 5146448]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"BM4f9dd23a"="C:\WINDOWS\system32\pnfmfopl.dll" [ ]

C:\Documents and Settings\acacia\Start Menu\Programs\Startup\
1st Clock.lnk - C:\Program Files\1stClock\1stClock.exe [4/17/2000 11:25:50 PM 829440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [6/5/2008 11:57:06 PM 262144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{4CAEE109-0BB8-3081-0315-05071604003d}"= "C:\Program Files\Common Files\{4CAEE109-0BB8-3081-0315-05071604003d}\Update.exe" mc-110-12-0001411

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2008-04-30 18:08 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.fraunhoferacm"= l3codecp.acm
"MSACM.CEGSM"= mobilev.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
"CanonSolutionMenu"=C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
"BM4f9dd23a"=Rundll32.exe "C:\WINDOWS\system32\pnfmfopl.dll",s
"4caee1a6"=rundll32.exe "C:\WINDOWS\system32\uekjmnpu.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12053:TCP"= 12053:TCP:UTorrent - port
"12053:UDP"= 12053:UDP:UTorrent

R0 ppa;Iomega Parallel Port Filter Driver;C:\WINDOWS\system32\DRIVERS\ppa.sys [2001-08-17 13:53]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 15:31]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 13:39]
R2 MELCS;MailEnable List Connector;C:\Program Files\Mail Enable\Bin\MELSC.EXE [2005-07-08 12:19]
R2 MEMTAS;MailEnable Mail Transfer Agent;C:\Program Files\Mail Enable\Bin\MEMTA.EXE [2005-07-08 12:19]
R2 MEPOCS;MailEnable Postoffice Connector;C:\Program Files\Mail Enable\Bin\MEPOC.EXE [2005-07-08 12:19]
R2 MEPOPS;MailEnable POP Service;C:\Program Files\Mail Enable\Bin\MEPOPS.EXE [2005-10-24 10:46]
R2 MESMTPCS;MailEnable SMTP Connector;C:\Program Files\Mail Enable\Bin\MESMTPC.EXE [2005-07-14 09:34]
S3 DFE528TX;D-Link DFE-528TX PCI Adapter;C:\WINDOWS\system32\DRIVERS\DLKRTL.SYS [2002-06-24 14:30]
S3 USB_RNDIS;NetComm NB5 USB;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-14 04:56]
S3 W35UND;IS89C35 802.11bg WLAN USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\W35UND.SYS [2006-09-12 16:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d10e5de-1069-11da-8935-000fead611c1}]
\Shell\AutoRun\command - F:\setupSNK.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CF27C812-0CA0-11d4-A672-00605205B0B3}]
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\1stcllt.inf,ACL.Install.PerUser.NT
.
Contents of the 'Scheduled Tasks' folder
"2008-06-16 07:54:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 23:18:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-22 23:20:28
ComboFix-quarantined-files.txt 2008-06-22 13:20:17
ComboFix2.txt 2008-06-22 08:52:30

Pre-Run: 10,639,032,320 bytes free
Post-Run: 10,638,651,392 bytes free

297 --- E O F --- 2008-06-21 04:18:48

pskelley
2008-06-22, 18:06
This item is still showing in the HJT log:
O4 - HKLM\..\Run: [BM4f9dd23a] Rundll32.exe "C:\WINDOWS\system32\pnfmfopl.dll",s

and it should have been removed here:

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\geBtTMCu.dll.vir
C:\WINDOWS\system32\pnfmfopl.dll

Post a new HJT log so I can see if it is gone now. Tell me about any malware issues.

Thanks
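Added example, not part of this thread or of any tool it uses: a small Python triage script that applies the pattern the helper is reading off the logs above (an HKLM Run entry named like BM plus hex digits, Rundll32 loading an eight-letter DLL from system32 with a single-letter export) and checks whether a path listed in the CFScript FILE :: block still appears in a later HJT log. The heuristics and the sample lines are constructed from this thread's own logs and are not a general Vundo signature.

```python
import ntpath
import re

# Constructed sample in the shape of the HijackThis O4 lines posted in this thread.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [BM4f9dd23a] Rundll32.exe "C:\WINDOWS\system32\pnfmfopl.dll",s
O4 - HKCU\..\Run: [MRC] "C:\Program Files\PC Tune-Up\PCTuneUp.exe" /MBRSTART
"""

# Paths the CFScript asked ComboFix to remove (the FILE :: block in the thread).
CFSCRIPT_FILES = [
    r"C:\WINDOWS\system32\geBtTMCu.dll.vir",
    r"C:\WINDOWS\system32\pnfmfopl.dll",
]

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)', re.I)
RANDOM_NAME_RE = re.compile(r"^BM[0-9a-f]{8}$")   # entry name seen in this thread
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")    # pnfmfopl.dll, uekjmnpu.dll


def parse_o4(log_text):
    """Return (hive, name, command) for every O4 autostart line in an HJT log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((m["hive"], m["name"], m["cmd"]))
    return entries


def rundll_target(cmd):
    """Split a 'Rundll32.exe <dll>,<export>' command; None if it is not rundll32."""
    m = RUNDLL_RE.match(cmd.strip())
    return (m["dll"], m["export"]) if m else None


def suspicion_reasons(name, cmd):
    """Heuristics taken from the log in this thread, not a general signature."""
    reasons = []
    if RANDOM_NAME_RE.match(name):
        reasons.append("entry name looks machine-generated (BM + 8 hex digits)")
    target = rundll_target(cmd)
    if target:
        dll, export = target
        base = ntpath.basename(dll)            # keep case: SiSPower.dll must not match
        folder = ntpath.dirname(dll).lower()
        if RANDOM_DLL_RE.match(base) and folder.endswith("\\system32"):
            reasons.append("rundll32 loads an 8-letter random-looking DLL from system32")
        if len(export) == 1:
            reasons.append("single-letter export name %r" % export)
    return reasons


def triage(log_text):
    """Map each flagged O4 entry name to the reasons it was flagged."""
    flagged = {}
    for _hive, name, cmd in parse_o4(log_text):
        reasons = suspicion_reasons(name, cmd)
        if reasons:
            flagged[name] = reasons
    return flagged


def still_present(log_text, paths):
    """Paths from the CFScript FILE :: list that a later HJT log still references."""
    haystack = log_text.lower()
    return {p for p in paths if p.lower() in haystack}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_HJT_LOG).items():
        print(name, "->", "; ".join(reasons))
    print("not removed:", still_present(SAMPLE_HJT_LOG, CFSCRIPT_FILES))
```

On the sample above only BM4f9dd23a is flagged, and pnfmfopl.dll is reported as still present, which is the same conclusion the helper draws from the new HJT log.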

SAN-y-T
2008-06-22, 18:11
This is the error that pops up when I reboot; I click OK and then it disappears from the screen.

Here is the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:58 AM, on 23/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mail Enable\Bin\MELSC.EXE
C:\Program Files\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\Mail Enable\Bin\MEPOC.EXE
C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Silicon Integrated Systems\RaidApplication\SRaid.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\sistray.exe
C:\Program Files\1stClock\1stClock.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\RaidApplication\SRaid.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BM4f9dd23a] Rundll32.exe "C:\WINDOWS\system32\pnfmfopl.dll",s
O4 - HKCU\..\Run: [MRC] "C:\Program Files\PC Tune-Up\PCTuneUp.exe" /MBRSTART
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1stClock.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119fd.bay119.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164707470031
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - Unknown owner - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Documents and Settings\acacia\Desktop\Nick\Alcohol 52\StarWind\StarWindService.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9463 bytes

pskelley
2008-06-22, 18:17
OK, for some reason the CFScript did not work? We will give MBAM a try first.

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Thanks

SAN-y-T
2008-06-22, 20:45
Here are the requested logs for your review:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:44:01 AM, on 23/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mail Enable\Bin\MELSC.EXE
C:\Program Files\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\Mail Enable\Bin\MEPOC.EXE
C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Silicon Integrated Systems\RaidApplication\SRaid.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\sistray.exe
C:\Program Files\1stClock\1stClock.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\RaidApplication\SRaid.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MRC] "C:\Program Files\PC Tune-Up\PCTuneUp.exe" /MBRSTART
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1stClock.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119fd.bay119.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164707470031
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - Unknown owner - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Documents and Settings\acacia\Desktop\Nick\Alcohol 52\StarWind\StarWindService.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9381 bytes

Malwarebytes' Anti-Malware 1.18
Database version: 878

4:41:25 AM 23/06/2008
mbam-log-6-23-2008 (04-41-25).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 157078
Time elapsed: 1 hour(s), 4 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f30b1b0b-c305-414e-a4ff-ac93a08de0ac} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM4f9dd23a (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\PC Tune-Up\RdvChk.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\geBtTMCu.dll.vir.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68E59FA-045B-4EE5-8F44-186433CA3007}\RP1193\A0247268.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68E59FA-045B-4EE5-8F44-186433CA3007}\RP1194\A0247394.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68E59FA-045B-4EE5-8F44-186433CA3007}\RP1197\A0247873.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

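As an added example (not part of this thread or of HijackThis itself), here is a small triage script for the O23 service lines in the log above: it parses each entry and flags the cues a helper looks for when reviewing such a log, namely services with no recorded publisher, services whose binary is no longer on disk, and services launched from a user profile directory. The sample lines are copied from the posted log; the heuristics are assumptions of this example, not rules from the thread.

```python
import re

# HijackThis O23 line: "O23 - Service: <name> - <company> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Sample lines taken from the HijackThis log posted above.
SAMPLE_LOG = """\
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\\Program Files\\LogMeIn\\x86\\LogMeIn.exe
O23 - Service: MailEnable POP Service (MEPOPS) - Unknown owner - C:\\Program Files\\Mail Enable\\Bin\\MEPOPS.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\\Documents and Settings\\acacia\\Desktop\\Nick\\Alcohol 52\\StarWind\\StarWindService.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\\WINDOWS\\system32\\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""


def parse_o23(line):
    """Split one O23 line into name, company, path and a 'file missing' flag; None if not O23."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "name": m["name"],
        "company": m["company"],
        "path": m["path"],
        "missing": m["missing"] is not None,
    }


def triage_services(log_text):
    """Return (service name, reasons) for every O23 entry that deserves a closer look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = []
        if entry["company"] == "Unknown owner":
            reasons.append("no publisher recorded")
        if entry["missing"]:
            reasons.append("binary no longer on disk (orphaned service)")
        # Heuristic (assumption of this example): legitimate services rarely live in a user profile.
        if entry["path"].lower().startswith("c:\\documents and settings\\"):
            reasons.append("runs from a user profile directory")
        if reasons:
            findings.append((entry["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_LOG):
        print(f"{name}: {', '.join(reasons)}")
```

A flag is a cue for review, not a verdict: two of the three flagged entries above (MailEnable, SecuROM) are known software that simply registers no publisher string.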
pskelley
2008-06-22, 21:06
OK, MBAM killed the junk. We still have more to do, so follow the directions carefully and stick with me while we wrap up.

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post C:\CF-RC.txt.

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

(don't lose that log)

Thanks

SAN-y-T
2008-06-22, 21:22
pskelley, you have been a tremendous help throughout this ordeal & I sincerely thank you.

Before I continue onto the final stages, do you suggest I install the Recovery Console?

If so, I will do so immediately.

SAN-y-T
2008-06-22, 21:33
Btw, went to Microsoft site & reviewed procedure.

Two problems:
1. I don't have spare blank CDs
2. Site does not have SP3 download

Is it absolutely necessary to install this program?

pskelley
2008-06-22, 21:58
Is it absolutely necessary to install this program?
No it is not, this is your decision. There may come a day when you will wish you had RC installed if you do not have Windows XP CDs.
You get to make the call; if you do not want to install it, just let me know.

You are not reading the directions:

If you use Windows XP and do not have the Windows CD, ComboFix includes a method of installing the Windows Recovery console by downloading a file from Microsoft. To install the Windows Recovery Console when you do not have the Windows XP CD, please follow these instructions:
read them all several times before starting again.

I am informed that you can use the one for SP2; if this turns out not to be the case, we will have to move on without installing Recovery Console. For your computer:
Microsoft Windows XP Professional
Platform: Windows XP SP3 (WinNT 5.01.2600)
I am told this download will work:
http://support.microsoft.com/kb/310994
http://www.microsoft.com/downloads/details.aspx?FamilyId=535D248D-5E10-49B5-B80C-0A0205368124&displaylang=en

Thanks

SAN-y-T
2008-06-23, 02:39
Sorry for the delay, here is the log:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

pskelley
2008-06-23, 02:44
Recovery Console was installed correctly, let's remove combofix.

Click START then RUN
Now type or copy Combofix /u in the run box and click OK.
Note the space between the X and the U; it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Any malware issues?

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

SAN-y-T
2008-06-23, 03:07
pskelley, I cannot thank you enough for your extreme patience, knowledgeable advice & commitment :present::present::present::present:

You truly are an :angel:

Internet working @ lightning speed & confident my computer is now on track to being secured.

:bighug: