
trojan.win32.monder.gen is clinging on :(



Bullybeef
2008-06-28, 02:27
Hi folks

Have spent a couple of days trying to work through this, as probably most people do :clown:

I scanned and cleaned with Kaspersky and that removed a lot of rubbish and found trojan.win32.monder.gen, which is still clinging on

and I have run combofix following the instructions. (Bloody great forum by the way) :)

I am pretty sure, looking at the logs, that I still have files to delete. Can someone please cast an eye over them, as I am not very familiar with these logs :eek:

Thank you very much :angel: :)

PS: I have the combo log but have not posted it; I can do so when requested :fear::fear:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:33 a.m., on 28/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.nz/ig/dell?hl=en&client=dell-row&channel=nz&ibd=0061005
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sys4.exe] C:\Sys4.exe
O4 - HKLM\..\Run: [Sys5.exe] C:\Sys5.exe
O4 - HKLM\..\Run: [04f62db5] rundll32.exe "C:\WINDOWS\system32\bcfdcwxd.dll",b
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: &Search - ?p=ZJxdm172YYNZ
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O21 - SSODL: BootRam - {a90243ed-77d9-4b83-8b6d-ac82c51a6e38} - C:\WINDOWS\Resources\BootRam.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 10342 bytes



pskelley
2008-06-28, 16:53
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.

It looks like you killed most of the Vundo infection but I see other junk. Post the combofix log so I can see what combofix has removed so far. I do not need a new HJT log if the one you posted was run after combofix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:33 a.m., on 28/06/2008

Thanks

Bullybeef
2008-06-29, 00:43
Hi Pskelley and thank you for replying

I have replaced the user name with *User Name* as it was the full name of the user :) just so you know ;)


ComboFix 08-06-20.4 - User Name 2008-06-29 10:31:20.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.177 [GMT 12:00]
Running from: C:\Documents and Settings\User Name\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-28 )))))))))))))))))))))))))))))))
.

2008-06-29 00:25 . 2008-06-29 00:26 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-06-29 00:19 . 2008-06-29 00:19 0 --a------ C:\WINDOWS\iPlayer.INI
2008-06-26 21:36 . 2008-06-26 21:45 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-26 21:36 . 2008-06-26 21:45 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-26 21:34 . 2008-06-26 21:34 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-26 21:34 . 2008-06-29 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-26 21:34 . 2008-06-29 10:25 3,691,552 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-26 21:34 . 2008-06-29 10:25 385,056 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-26 21:34 . 2008-06-29 10:25 30,968 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-26 21:34 . 2008-06-29 10:25 2,396 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-26 21:26 . 2008-06-26 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-26 19:43 . 2008-06-26 19:43 380 --a------ C:\backed up registry 2.reg
2008-06-25 22:14 . 2008-06-25 22:15 <DIR> d-------- C:\getservice
2008-06-25 20:01 . 2008-06-25 20:01 588 --a------ C:\backed up registry.reg
2008-06-25 15:49 . 2008-06-28 01:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-25 13:02 . 2008-06-25 13:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-25 12:59 . 2008-06-25 12:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-25 12:56 . 2008-06-25 12:56 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-25 12:56 . 2008-06-25 12:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-25 12:56 . 2008-06-25 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-24 23:19 . 2008-06-24 23:19 653 --a------ C:\WINDOWS\{0240BDFB-2995-4A3F-8C96-18D41282B716}_WiseFW.ini
2008-06-24 21:50 . 2006-10-06 03:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-24 21:50 . 2008-06-28 21:19 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-06-24 21:50 . 2008-06-24 21:50 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-24 21:27 . 2008-06-25 12:37 <DIR> d-------- C:\Program Files\ESET
2008-06-19 19:23 . 2008-06-19 19:23 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-19 00:34 . 2008-06-25 16:17 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-18 11:47 . 2008-06-21 01:07 <DIR> d-------- C:\Program Files\VAV
2008-06-14 11:52 . 2008-06-14 11:52 <DIR> d-------- C:\Program Files\iPod
2008-06-11 20:56 . 2008-06-14 01:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 20:56 . 2008-06-14 01:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 12:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-28 12:23 --------- d-----w C:\Program Files\Google
2008-06-28 12:21 --------- d-----w C:\Program Files\InterActual
2008-06-28 12:21 --------- d-----w C:\Program Files\Dell
2008-06-28 12:15 --------- d-----w C:\Program Files\Java
2008-06-28 09:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 09:24 --------- d-----w C:\Program Files\Creative
2008-06-28 09:21 --------- d-----w C:\Program Files\LimeWire
2008-06-28 09:19 --------- d--h--w C:\Documents and Settings\User Name\Application Data\Gtek
2008-06-28 09:19 --------- d--h--w C:\Documents and Settings\Guest\Application Data\Gtek
2008-06-28 09:18 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-06-25 09:00 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-06-25 03:40 --------- d-----w C:\Program Files\McAfee.com
2008-06-25 03:40 --------- d-----w C:\Program Files\McAfee
2008-06-25 03:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-25 03:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-25 01:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-24 18:35 --------- d-----w C:\Program Files\MSN Messenger
2008-06-18 06:53 --------- d-----w C:\Program Files\Apple Software Update
2008-06-13 23:52 --------- d-----w C:\Program Files\iTunes
2008-06-13 23:49 --------- d-----w C:\Program Files\QuickTime
2008-06-10 15:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-04 06:38 --------- d-----w C:\Documents and Settings\User Name\Application Data\Xfire
2008-05-30 09:30 --------- d-----w C:\Program Files\Xfire
2008-05-24 07:12 --------- d-----w C:\Documents and Settings\User Name\Application Data\Apple Computer
2008-05-24 07:11 --------- d-----w C:\Program Files\Bonjour
2008-05-24 07:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-24 07:04 --------- d-----w C:\Program Files\Common Files\Apple
2008-05-24 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-16 08:10 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-05-16 08:02 --------- d-----w C:\Program Files\Microsoft Games
2008-05-16 07:45 --------- d-----w C:\Program Files\D-Tools
2008-05-15 16:58 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-05-15 16:57 --------- d-----w C:\Documents and Settings\User Name\Application Data\DAEMON Tools
2008-05-14 01:28 41,296 ----a-w C:\WINDOWS\system32\xfcodec.dll
2008-05-13 17:54 --------- d-----w C:\Program Files\Virtual Villagers 2
2008-05-13 16:25 --------- d-----w C:\Program Files\ReflexiveArcade
2008-05-13 10:41 --------- d-----w C:\Program Files\PokerStars
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-25 06:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
2008-04-23 10:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot_2008-06-29_10.11.53.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-28 22:05:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-28 22:26:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
2008-04-25 18:22 62728 --a------ C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 14:40 24576 C:\WINDOWS\MIDIDEF.EXE]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 16:25 94208]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 03:40 218032]
"DrvMon.exe"="C:\WINDOWS\system32\DrvMon.exe" [2004-09-10 14:16 53248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 17:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 17:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 17:50 114688]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 09:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 09:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 09:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 09:00 455168]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 13:47 57344]
"MBMon"="CTMBHA.DLL" [2005-05-19 05:54 1345520 C:\WINDOWS\system32\CTMBHA.DLL]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 03:40 218032]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 03:40 86960]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 10:43 228088]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\User Name\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Error Expert]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2007-04-26 13:29 220160 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a--c--- 2003-06-26 17:50 212992 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\english\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58736:TCP"= 58736:TCP:uTorrent
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys [2006-05-01 23:16]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys [2006-05-01 12:17]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys [2006-05-01 12:17]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-24 11:44:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-14 03:07:11 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 2300 series#1160791446.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe0/#Hewlett-Packard#hp psc 2300 series#1160791446
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 10:34:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-29 10:36:46
ComboFix-quarantined-files.txt 2008-06-28 22:36:17
ComboFix2.txt 2008-06-28 22:12:53
ComboFix3.txt 2008-06-27 13:27:21
ComboFix4.txt 2008-06-27 12:59:40

Pre-Run: 70,571,376,640 bytes free
Post-Run: 70,559,166,464 bytes free

199 --- E O F --- 2008-06-27 13:12:02

Bullybeef
2008-06-29, 00:48
Also, I could not find the combofix log I had previously, so I ran it again.

I now see it was in C: :oops: but on the upside you have the very latest.

I hope that does not put a spanner in the works.

regards
Beef

pskelley
2008-06-29, 01:01
I would appreciate it if you would post the original combofix log so I can see what was removed by it.

Thanks

Bullybeef
2008-06-29, 01:42
Sorry, I think it was overwritten by the last scan I did, as there are not two copies of the combofix.txt.

pskelley
2008-06-29, 02:19
1) C:\Program Files\Java\jre1.6.0_03\ <<< Java is out of date, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

(follow these instructions carefully)

4) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\Sys4.exe
C:\Sys5.exe
C:\WINDOWS\system32\bcfdcwxd.dll
C:\WINDOWS\Resources\BootRam.dll

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
(wait until your finish to post the logs)

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Sys4.exe] C:\Sys4.exe
O4 - HKLM\..\Run: [Sys5.exe] C:\Sys5.exe
O4 - HKLM\..\Run: [04f62db5] rundll32.exe "C:\WINDOWS\system32\bcfdcwxd.dll",b
O8 - Extra context menu item: &Search - ?p=ZJxdm172YYNZ
O21 - SSODL: BootRam - {a90243ed-77d9-4b83-8b6d-ac82c51a6e38} - C:\WINDOWS\Resources\BootRam.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

7) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Restart and post the combofix log from CFScript, the log from MBAM, a new HJT log and some feedback from you. How is the computer running?

Thanks

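Added example, written for this page and not part of the thread, HijackThis or ComboFix: a small Python triage script that applies the reasoning behind pskelley's fix list above to the first HijackThis log Bullybeef posted. It flags the four patterns the helper picked out: O4 Run entries that launch an executable from the drive root (C:\Sys4.exe) or load a DLL through rundll32 under a random hex value name (the Vundo/Monder pattern), O2/O3/O21 entries whose target file is gone, an O8 context-menu item whose target is not a res:// or http URL, and empty Local Page values. It then emits the same `File::` list that went into the CFScript. The sample lines are copied from that log; the regexes, the vowel-ratio "random name" rule and the `cfscript()` helper are my assumptions, and an orphaned "(no file)" entry is cleanup rather than proof of infection.

```python
"""Triage a HijackThis v2 log for the entry types flagged in this thread.

Added example; the heuristics below are assumptions, not HijackThis rules.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: str    # the HijackThis log line as written
    reason: str  # why it was flagged


# Value names like "04f62db5": random hex Run keys used by Vundo/Monder.
HEX8 = re.compile(r"^[0-9a-f]{8}$", re.I)
# An executable sitting directly in a drive root, e.g. C:\Sys4.exe.
ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.I)
# rundll32[.exe] ["]<dll>["],<export>
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)', re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O8_RE = re.compile(r"^O8 - Extra context menu item: (?P<label>.*?) - (?P<target>.*)$")
R0_RE = re.compile(r"^R0 - (?P<key>.*),Local Page =\s*$")


def _random_stem(path: str) -> bool:
    """Assumed heuristic: 6-12 letters with fewer than 20% vowels (bcfdcwxd)."""
    stem = re.sub(r"\.dll$", "", path.rsplit("\\", 1)[-1], flags=re.I)
    if not re.fullmatch(r"[A-Za-z]{6,12}", stem):
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in stem)
    return vowels / len(stem) < 0.2


def triage(log_text: str) -> list:
    """Return the log lines a helper would ask to have fixed, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd").strip()
            if ROOT_EXE.match(cmd.strip('"')):
                findings.append(Finding(line, "autorun executable in drive root"))
                continue
            r = RUNDLL.search(cmd)
            # Legit rundll32 autoruns (CTMBHA.DLL,MBMon) keep a named export and
            # a readable value name; the Vundo entry has neither.
            if r and (HEX8.match(name) or (_random_stem(r.group("dll")) and len(r.group("export")) == 1)):
                findings.append(Finding(line, "rundll32 loading random-named DLL (Vundo-style)"))
            continue
        if line.startswith(("O2 - ", "O3 - ", "O21 - ")) and ("(no file)" in line or "(file missing)" in line):
            findings.append(Finding(line, "orphaned entry: target file missing"))
            continue
        m = O8_RE.match(line)
        if m and not re.match(r"^(res://|https?://)", m.group("target"), re.I):
            findings.append(Finding(line, "context menu item with non-URL target"))
            continue
        if R0_RE.match(line):
            findings.append(Finding(line, "empty Local Page value"))
    return findings


def cfscript(findings: list) -> str:
    """Build the ComboFix 'File::' section from flagged O4/O21 file paths."""
    paths = []
    for f in findings:
        m = O4_RE.match(f.line)
        if m:
            cmd = m.group("cmd").strip()
            r = RUNDLL.search(cmd)
            paths.append(r.group("dll") if r else cmd.strip('"'))
        elif f.line.startswith("O21 - "):
            paths.append(f.line.split(" - ")[-1].replace("(file missing)", "").strip())
    return "File::\n" + "\n".join(paths) + "\n"


# Constructed sample: a subset of the first HijackThis log in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [Sys4.exe] C:\Sys4.exe
O4 - HKLM\..\Run: [Sys5.exe] C:\Sys5.exe
O4 - HKLM\..\Run: [04f62db5] rundll32.exe "C:\WINDOWS\system32\bcfdcwxd.dll",b
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O8 - Extra context menu item: &Search - ?p=ZJxdm172YYNZ
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O21 - SSODL: BootRam - {a90243ed-77d9-4b83-8b6d-ac82c51a6e38} - C:\WINDOWS\Resources\BootRam.dll (file missing)
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h.reason:45s} {h.line}")
    print(cfscript(hits))
```

Run against the sample, the ten flagged lines are exactly the ten pskelley listed for "Fix Checked", and the `File::` block matches the CFScript he posted. The value-name and export checks matter: a vowel-ratio rule alone would also flag the legitimate Creative `CTMBHA.DLL,MBMon` autorun, which is why the rundll32 test requires a hex value name or a one-letter export before it fires.
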
Bullybeef
2008-06-29, 04:07
OK, things are looking up

I have followed it step by step and have the logs.

MBAM found about 15 entries which, from the logs, were cleaned; those entries were not anything that Kaspersky had found previously, so hopefully we have managed to get the actual infection :):santa: :eek:

Thank you for all your help!!! Hopefully nothing else is showing up in the logs.

Combofix log is from when your script was dropped on it.
MBAM log is from after it removed the parts it found.
HJT log was run after all fixes had been completed.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:48 p.m., on 29/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\DOCUME~1\NEILPE~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.nz/ig/dell?hl=en&client=dell-row&channel=nz&ibd=0061005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 9053 bytes


*********************************************************

Malwarebytes' Anti-Malware 1.19
Database version: 901
Windows 5.1.2600 Service Pack 2

1:51:24 p.m. 29/06/2008
mbam-log-6-29-2008 (13-51-24).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|J:\|)
Objects scanned: 123656
Time elapsed: 25 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VAV (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\VAV (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\VAV\vav.cpl (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav0.dat (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav1.dat (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


*********************************************************

ComboFix 08-06-20.4 - Neil Pennington 2008-06-29 13:01:01.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.198 [GMT 12:00]
Running from: C:\Documents and Settings\Neil Pennington\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Neil Pennington\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Sys4.exe
C:\Sys5.exe
C:\WINDOWS\Resources\BootRam.dll
C:\WINDOWS\system32\bcfdcwxd.dll
.

((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.

2008-06-29 12:56 . 2008-06-29 12:56 <DIR> d-------- C:\Program Files\Sun
2008-06-29 12:56 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-29 12:51 . 2008-06-29 12:51 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-29 00:25 . 2008-06-29 00:26 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-06-29 00:19 . 2008-06-29 00:19 0 --a------ C:\WINDOWS\iPlayer.INI
2008-06-26 21:36 . 2008-06-26 21:45 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-26 21:36 . 2008-06-26 21:45 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-26 21:34 . 2008-06-26 21:34 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-26 21:34 . 2008-06-29 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-26 21:34 . 2008-06-29 10:25 3,691,552 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-26 21:34 . 2008-06-29 12:50 393,248 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-26 21:34 . 2008-06-29 10:25 30,968 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-26 21:34 . 2008-06-29 12:49 2,424 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-26 21:26 . 2008-06-26 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-26 19:43 . 2008-06-26 19:43 380 --a------ C:\backed up registry 2.reg
2008-06-25 22:14 . 2008-06-25 22:15 <DIR> d-------- C:\getservice
2008-06-25 20:01 . 2008-06-25 20:01 588 --a------ C:\backed up registry.reg
2008-06-25 15:49 . 2008-06-28 01:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-25 13:02 . 2008-06-25 13:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-25 12:59 . 2008-06-25 12:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-25 12:56 . 2008-06-25 12:56 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-25 12:56 . 2008-06-25 12:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-25 12:56 . 2008-06-25 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-24 23:19 . 2008-06-24 23:19 653 --a------ C:\WINDOWS\{0240BDFB-2995-4A3F-8C96-18D41282B716}_WiseFW.ini
2008-06-24 21:50 . 2006-10-06 03:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-24 21:50 . 2008-06-28 21:19 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-06-24 21:50 . 2008-06-24 21:50 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-24 21:27 . 2008-06-25 12:37 <DIR> d-------- C:\Program Files\ESET
2008-06-19 19:23 . 2008-06-19 19:23 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-19 00:34 . 2008-06-25 16:17 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-18 11:47 . 2008-06-21 01:07 <DIR> d-------- C:\Program Files\VAV
2008-06-14 11:52 . 2008-06-14 11:52 <DIR> d-------- C:\Program Files\iPod
2008-06-11 20:56 . 2008-06-14 01:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 20:56 . 2008-06-14 01:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 00:56 --------- d-----w C:\Program Files\Java
2008-06-28 12:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-28 12:23 --------- d-----w C:\Program Files\Google
2008-06-28 12:21 --------- d-----w C:\Program Files\InterActual
2008-06-28 12:21 --------- d-----w C:\Program Files\Dell
2008-06-28 09:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 09:24 --------- d-----w C:\Program Files\Creative
2008-06-28 09:21 --------- d-----w C:\Program Files\LimeWire
2008-06-28 09:19 --------- d--h--w C:\Documents and Settings\Neil Pennington\Application Data\Gtek
2008-06-28 09:19 --------- d--h--w C:\Documents and Settings\Guest\Application Data\Gtek
2008-06-28 09:18 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-06-25 09:00 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-06-25 03:40 --------- d-----w C:\Program Files\McAfee.com
2008-06-25 03:40 --------- d-----w C:\Program Files\McAfee
2008-06-25 03:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-25 03:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-25 01:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-24 18:35 --------- d-----w C:\Program Files\MSN Messenger
2008-06-18 06:53 --------- d-----w C:\Program Files\Apple Software Update
2008-06-13 23:52 --------- d-----w C:\Program Files\iTunes
2008-06-13 23:49 --------- d-----w C:\Program Files\QuickTime
2008-06-10 15:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-04 06:38 --------- d-----w C:\Documents and Settings\Neil Pennington\Application Data\Xfire
2008-05-30 09:30 --------- d-----w C:\Program Files\Xfire
2008-05-24 07:12 --------- d-----w C:\Documents and Settings\Neil Pennington\Application Data\Apple Computer
2008-05-24 07:11 --------- d-----w C:\Program Files\Bonjour
2008-05-24 07:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-24 07:04 --------- d-----w C:\Program Files\Common Files\Apple
2008-05-24 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-16 08:10 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-05-16 08:02 --------- d-----w C:\Program Files\Microsoft Games
2008-05-16 07:45 --------- d-----w C:\Program Files\D-Tools
2008-05-15 16:58 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-05-15 16:57 --------- d-----w C:\Documents and Settings\Neil Pennington\Application Data\DAEMON Tools
2008-05-14 01:28 41,296 ----a-w C:\WINDOWS\system32\xfcodec.dll
2008-05-13 17:54 --------- d-----w C:\Program Files\Virtual Villagers 2
2008-05-13 16:25 --------- d-----w C:\Program Files\ReflexiveArcade
2008-05-13 10:41 --------- d-----w C:\Program Files\PokerStars
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-25 06:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
2008-04-23 10:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot_2008-06-29_10.11.53.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-28 22:05:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-28 22:26:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-24 13:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-24 13:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-24 14:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
2008-04-25 18:22 62728 --a------ C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 14:40 24576 C:\WINDOWS\MIDIDEF.EXE]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 16:25 94208]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 03:40 218032]
"DrvMon.exe"="C:\WINDOWS\system32\DrvMon.exe" [2004-09-10 14:16 53248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 17:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 17:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 17:50 114688]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 09:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 09:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 09:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 09:00 455168]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 13:47 57344]
"MBMon"="CTMBHA.DLL" [2005-05-19 05:54 1345520 C:\WINDOWS\system32\CTMBHA.DLL]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 03:40 218032]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 03:40 86960]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 10:43 228088]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\Neil Pennington\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Error Expert]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2007-04-26 13:29 220160 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a--c--- 2003-06-26 17:50 212992 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\english\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58736:TCP"= 58736:TCP:uTorrent
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys [2006-05-01 23:16]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys [2006-05-01 12:17]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys [2006-05-01 12:17]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-24 11:44:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-14 03:07:11 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 2300 series#1160791446.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe0/#Hewlett-Packard#hp psc 2300 series#1160791446
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 13:04:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-29 13:06:26
ComboFix-quarantined-files.txt 2008-06-29 01:06:00
ComboFix2.txt 2008-06-28 22:36:47
ComboFix3.txt 2008-06-28 22:12:53
ComboFix4.txt 2008-06-27 13:27:21
ComboFix5.txt 2008-06-27 12:59:40

Pre-Run: 69,907,595,264 bytes free
Post-Run: 69,894,320,128 bytes free

214 --- E O F --- 2008-06-27 13:12:02

pskelley
2008-06-29, 12:09
Thanks for returning your information and the feedback. Your HJT log looks clean of malware. We can run the Kaspersky Online Scan, but you are running Kaspersky as your resident antivirus. Why don't you keep an eye open for malware while you update Kaspersky and run a system scan? Let me know at that point if we need to do more.

Phil