Virtumonde virus



misszee37
2008-07-15, 14:07
I do not know how, but I have recently been infected with the above virus. I ran Spybot, which identified the problem, but even after removing it, disconnecting from the internet and restarting as instructed, it still keeps coming back (as well as Antivirus 2008, no matter how many times I uninstall it!).

I can see by your forum that this is a particularly common virus and you have lots of help requests, but I would really appreciate any help or advice as it is driving me round the bend!

Incidentally, I'm not sure if this is relevant to the Virtumonde virus or not, but I generally cannot access my usually visited sites like Yahoo, ask.com and msn.co.uk, and Automatic Updates has switched itself off!

Thanking you in advance.

HJT log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:12, on 15/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\PROMon.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\V0350Mon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Documents and Settings\user\winlogon.exe
C:\WINDOWS\system32\tcntaxdm.exe
C:\WINDOWS\system32\lphcpg7j0et71.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\rhctg7j0et71\rhctg7j0et71.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\windows\system32\rwwnw64d.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\WINDOWS\system32\pphcpg7j0et71.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [{E4-4D-D0-0D-DW}] c:\windows\system32\rwwnw64d.exe DWrvg
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\user\winlogon.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\tcntaxdm.exe DWrvg
O4 - HKLM\..\Run: [lphcpg7j0et71] C:\WINDOWS\system32\lphcpg7j0et71.exe
O4 - HKLM\..\Run: [c06e4da2] rundll32.exe "C:\WINDOWS\system32\yvbisqrn.dll",b
O4 - HKLM\..\Run: [SMrhctg7j0et71] C:\Program Files\rhctg7j0et71\rhctg7j0et71.exe
O4 - HKLM\..\Run: [BMc35d7e3e] Rundll32.exe "C:\WINDOWS\system32\lgoajroo.dll",s
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.com/teleport/superstar/MaxisSuperstarTeleX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200847527921
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200847473234
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/MaxisSimsFamilyTeleX.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NinjaVideo Helper (NinjaVideo Helper.exe) - NinjaVideo - C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10848 bytes
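Added example, not code from Safer Networking, HijackThis or the helper: a Python triage pass over the running-process and O4 (autostart) lines of a HijackThis log like the one above. Its rules are the things a helper checks first and are heuristics, not verdicts: a core Windows binary name running from outside C:\WINDOWS, an autostart in a user profile or the drive root, a rundll32 entry loading an eight-random-letter DLL under a hex-string value name, and a Startup-folder shortcut pointing into C:\WINDOWS; the embedded sample is an excerpt of the first log above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Core Windows binaries that only belong under C:\WINDOWS; the same names
# in a user profile or the drive root are a classic masquerade.
SYSTEM_BINARIES = {"winlogon.exe", "smss.exe", "csrss.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "ctfmon.exe", "explorer.exe"}
WINDOWS_DIR = "c:\\windows\\"
USER_PROFILES = ("c:\\documents and settings\\", "c:\\users\\")
ROOT_FILE_RE = re.compile(r"^[a-z]:\\[^\\]+$")
# 'O4 - HKLM\..\Run: [name] command'  or  'O4 - Startup: Foo.lnk = target'
O4_RE = re.compile(r"^O4 - (?P<where>HK[^:]*|Startup|Global Startup): "
                   r"(?:\[(?P<name>[^\]]*)\]\s*)?(?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.I)
HEX_VALUE_NAME_RE = re.compile(r"^(BM)?[0-9a-f]{8,}$", re.I)  # c06e4da2, BMc35d7e3e
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")                 # yvbisqrn.dll

@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)

def executable_path(cmd: str) -> str:
    """Lower-cased path of the program a Run value launches."""
    cmd = cmd.strip().lower()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # HijackThis prints unquoted paths containing spaces, so cut an
    # unquoted command at the first '.exe' rather than at the first space.
    exe = cmd.find(".exe")
    return cmd[:exe + 4] if exe >= 0 else cmd.split(" ", 1)[0]

def path_reasons(path: str) -> List[str]:
    """Rules that depend only on where the executable lives."""
    path = path.lower()
    base = path.rsplit("\\", 1)[-1]
    reasons = []
    if base in SYSTEM_BINARIES and not path.startswith(WINDOWS_DIR):
        reasons.append(f"Windows binary name {base} outside C:\\WINDOWS")
    if path.startswith(USER_PROFILES) or ROOT_FILE_RE.match(path):
        reasons.append("runs from a user profile or the drive root")
    return reasons

def triage_o4(line: str) -> Optional[Finding]:
    """Apply the rules to one O4 line; None when nothing is worth a look."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    where, name, cmd = m.group("where"), m.group("name") or "", m.group("cmd")
    startup_folder = where in ("Startup", "Global Startup")
    if startup_folder and " = " in cmd:            # shortcut name = target
        cmd = cmd.split(" = ", 1)[1]
    path = executable_path(cmd)
    reasons = path_reasons(path)
    if startup_folder and path.startswith(WINDOWS_DIR):
        reasons.append("Startup-folder shortcut points into C:\\WINDOWS")
    if HEX_VALUE_NAME_RE.match(name):
        reasons.append(f"value name {name!r} is a random hex string")
    dll = RUNDLL_RE.match(cmd.strip())
    if dll and RANDOM_DLL_RE.match(dll.group("dll").rsplit("\\", 1)[-1].lower()):
        reasons.append("rundll32 loads a DLL with a random 8-letter name")
    return Finding(line.strip(), reasons) if reasons else None

def triage_log(text: str) -> List[Finding]:
    """Walk a whole HijackThis log: 'Running processes' paths and O4 lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"^[a-z]:\\", line, re.I):        # a running-process path
            reasons = path_reasons(line)
            if reasons:
                findings.append(Finding(line, reasons))
        elif line.startswith("O4 - "):
            found = triage_o4(line)
            if found:
                findings.append(found)
    return findings

# Excerpt of the first log in this thread (constructed sample input).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\user\winlogon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\user\winlogon.exe
O4 - HKLM\..\Run: [c06e4da2] rundll32.exe "C:\WINDOWS\system32\yvbisqrn.dll",b
O4 - HKLM\..\Run: [BMc35d7e3e] Rundll32.exe "C:\WINDOWS\system32\lgoajroo.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdm.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```

Every flagged line is a candidate for a human to look at; legitimate per-user updaters also live in profile directories, so a hit is a reason to check the file, not to delete it.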

pskelley
2008-07-17, 22:47
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do. This can be a tough infection to remove so do not expect fast or easy.

1) We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

2) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

misszee37
2008-07-18, 09:29
Hi pskelley.

Thank you so much for getting back to me. I followed your instructions and produced new logs as requested; however, I had problems logging into the forum last night using my infected PC and (very stupidly) closed down the ComboFix window and couldn't find the log again. :oops:

So I ran ComboFix again and saved both the logs to CD in order for me to use a friend's non-infected PC to send the logs. I hope that running ComboFix a second time has not affected the results and made things more difficult for you to analyse; I'm a bit of a rookie with this whole virus-killing lark!

Again, thanks for your help, it is really appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:59:20, on 17/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\user\winlogon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\V0350Mon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
c:\windows\system32\rwwnw64d.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\user\winlogon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [BMc35d7e3e] Rundll32.exe "C:\WINDOWS\system32\abveilbo.dll",s
O4 - HKLM\..\Run: [c06e4da2] rundll32.exe "C:\WINDOWS\system32\xwfshyxb.dll",b
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\QooBox\Quarantine\C\WINDOWS\system32\mcntqtdm.exe.vir
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.com/teleport/superstar/MaxisSuperstarTeleX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200847527921
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200847473234
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/MaxisSimsFamilyTeleX.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O21 - SSODL: NjgSbzX - {C06E4D0E-6AC4-E7A4-DB49-517CA9CD2959} - C:\WINDOWS\system32\pyad.dll
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NinjaVideo Helper (NinjaVideo Helper.exe) - NinjaVideo - C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9930 bytes

ComboFix 08-07-15.4 - user 2008-07-18 0:17:10.2 - NTFSx86
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMc35d7e3e.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\abveilbo.dll
C:\WINDOWS\system32\bxyhsfwx.ini
C:\WINDOWS\system32\cbXNdCsp.dll
C:\WINDOWS\system32\clgaqndl.dll
C:\WINDOWS\system32\DMWHkUvw.ini
C:\WINDOWS\system32\DMWHkUvw.ini2
C:\WINDOWS\system32\mrjohkur.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\tuvSmkkK.dll
C:\WINDOWS\system32\wvUkHWMD.dll
C:\WINDOWS\system32\xrdpde.dll
C:\WINDOWS\system32\xwfshyxb.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-17 to 2008-07-17 )))))))))))))))))))))))))))))))
.

2008-07-18 00:28 . 0 C:\87.bat
2008-07-18 00:27 . 2008-07-18 00:27 145,408 ---hs---- C:\Documents and Settings\user\service.exe
2008-07-18 00:27 . 145,408 C:\ctfmon.exe
2008-07-18 00:27 . 111,835 C:\smss.exe
2008-07-18 00:27 . 8,784 C:\csrss.exe
2008-07-17 23:55 . 2008-07-17 23:55 <DIR> d-------- C:\Documents and Settings\user\Phone Browser
2008-07-17 23:26 . 2008-07-17 23:26 24,573 --a------ C:\WINDOWS\17PHolmes1188.exe
2008-07-17 06:51 . 2008-07-17 06:51 <DIR> d-------- C:\WINDOWS\system32\aumsDK18
2008-07-17 06:51 . 2008-07-17 06:51 <DIR> d-------- C:\Temp\zpv201
2008-07-16 11:21 . 2008-07-16 17:21 90,922 --a------ C:\WINDOWS\system32\ebkhobguvbpgl.dll-uninst.exe
2008-07-16 06:54 . 2008-07-16 06:54 41,984 --a------ C:\WINDOWS\mrofinu1188.exe
2008-07-16 06:53 . 2008-07-16 06:53 64,332 --a------ C:\WINDOWS\system32\gtndvolgtgyouog.exe
2008-07-16 06:53 . 2008-07-16 06:53 355 --a------ C:\245.bat
2008-07-16 03:49 . 2008-07-16 03:49 32,768 --a------ C:\WINDOWS\system32\aumsDK18\aumsDK182328.exe
2008-07-15 09:46 . 2008-07-15 09:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-15 09:32 . 2008-07-15 09:32 93 --a------ C:\WINDOWS\wininit.ini
2008-07-13 09:32 . 2008-07-13 09:32 355 --a------ C:\517.bat
2008-07-12 22:00 . 2008-07-17 23:42 110,437 --a------ C:\WINDOWS\BMc35d7e3e.xml
2008-07-12 10:08 . 2008-07-12 10:08 49,171 --a------ C:\WINDOWS\system32\rrwnw64l.exe
2008-07-12 09:51 . 2008-07-13 18:27 <DIR> d-------- C:\WINDOWS\system32\inif3
2008-07-12 09:51 . 2008-07-13 18:27 <DIR> d--hs---- C:\WINDOWS\dXNlcg
2008-07-12 09:51 . 2008-07-12 09:51 152,184 --a------ C:\WINDOWS\system32\g77.exe
2008-07-11 16:18 . 2008-07-11 16:18 <DIR> d-------- C:\WINDOWS\system32\olixds18
2008-07-11 16:18 . 2008-07-12 09:51 <DIR> d-------- C:\Temp\stmpv4
2008-07-11 16:18 . 2008-07-17 23:10 <DIR> d-------- C:\Temp
2008-07-11 16:18 . 2008-06-27 18:38 53,248 ---hs---- C:\Documents and Settings\user\winlogon.exe
2008-07-11 16:08 . 2008-07-11 16:10 223,076 --a------ C:\WINDOWS\ism611.exe
2008-07-11 16:08 . 2008-07-11 16:10 178,616 --a------ C:\WINDOWS\plate611.exe
2008-07-11 16:08 . 2008-07-11 16:10 49,152 --a------ C:\WINDOWS\dw611.exe
2008-07-11 11:58 . 2008-07-13 20:49 <DIR> d-------- C:\Program Files\iWin.com
2008-07-11 11:56 . 2008-07-11 11:56 <DIR> d-------- C:\Documents and Settings\user\Application Data\iWinArcade
2008-07-11 11:56 . 2008-07-11 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iWin Games
2008-07-11 11:55 . 2008-07-13 20:38 <DIR> d-------- C:\Program Files\iWin Games
2008-07-11 08:47 . 2008-07-11 08:47 <DIR> d-------- C:\Documents and Settings\user\Application Data\Eyeblaster
2008-07-11 08:42 . 2008-07-11 10:47 <DIR> d-------- C:\Documents and Settings\user\Application Data\Zylom
2008-07-11 08:41 . 2008-07-11 16:16 <DIR> d-------- C:\Program Files\Zylom Games
2008-07-11 08:41 . 2008-07-11 09:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2008-07-10 20:13 . 2008-07-10 20:13 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-07-10 20:11 . 2008-07-11 08:02 <DIR> d-------- C:\Program Files\Shockwave.com
2008-07-10 11:19 . 2008-07-13 19:14 <DIR> d-------- C:\Documents and Settings\user\Application Data\Gamelab
2008-07-05 06:15 . 2008-07-05 06:15 32,768 --a------ C:\WINDOWS\system32\olixds18\olixds182328.exe
2008-07-03 15:45 . 2008-07-03 15:45 364,544 --a------ C:\WINDOWS\system32\ebkhobguvbpgl.dll
2008-07-01 23:08 . 2008-07-01 23:08 244 --ah----- C:\sqmnoopt05.sqm
2008-07-01 23:08 . 2008-07-01 23:08 232 --ah----- C:\sqmdata05.sqm
2008-07-01 21:27 . 2008-07-01 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-07-01 21:26 . 2008-07-01 21:56 <DIR> d-------- C:\Documents and Settings\user\Application Data\Nokia
2008-07-01 21:25 . 2008-07-01 21:25 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-07-01 21:25 . 2008-07-01 21:25 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-07-01 21:23 . 2008-07-01 21:23 <DIR> d-------- C:\Program Files\DIFX
2008-07-01 21:23 . 2008-07-01 21:27 <DIR> d-------- C:\Documents and Settings\user\Application Data\PC Suite
2008-07-01 21:22 . 2008-07-01 21:22 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-07-01 21:22 . 2007-02-22 11:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-07-01 21:22 . 2007-02-22 11:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-07-01 21:22 . 2007-02-22 11:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-07-01 21:22 . 2007-02-22 11:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-07-01 21:22 . 2007-02-22 11:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-07-01 21:21 . 2008-07-01 21:24 <DIR> d-------- C:\Program Files\Nokia
2008-07-01 21:21 . 2007-02-22 11:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-07-01 21:20 . 2008-07-01 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-06-28 19:46 . 2008-06-28 19:46 244 --ah----- C:\sqmnoopt04.sqm
2008-06-28 19:46 . 2008-06-28 19:46 232 --ah----- C:\sqmdata04.sqm
2008-06-28 19:45 . 2008-06-28 19:45 244 --ah----- C:\sqmnoopt03.sqm
2008-06-28 19:45 . 2008-06-28 19:45 232 --ah----- C:\sqmdata03.sqm
2008-06-28 19:42 . 2008-06-28 19:42 244 --ah----- C:\sqmnoopt02.sqm
2008-06-28 19:42 . 2008-06-28 19:42 232 --ah----- C:\sqmdata02.sqm
2008-06-21 13:37 . 2008-06-21 13:37 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-06-21 13:37 . 2008-06-21 13:37 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-06-21 13:37 . 2008-06-21 13:37 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2008-06-21 13:37 . 2008-06-21 13:37 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2008-06-21 13:36 . 2006-11-13 15:45 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-06-21 13:36 . 2007-10-10 17:41 42,112 --a------ C:\WINDOWS\system32\drivers\motodrv.sys
2008-06-21 13:36 . 2007-06-18 15:18 23,680 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-06-21 13:36 . 2007-11-02 15:36 18,176 --a------ C:\WINDOWS\system32\drivers\motccgp.sys
2008-06-21 13:36 . 2007-01-22 19:33 7,680 --a------ C:\WINDOWS\system32\drivers\motccgpfl.sys
2008-06-21 13:36 . 2007-11-02 15:51 6,400 --a------ C:\WINDOWS\system32\drivers\motswch.sys
2008-06-21 13:35 . 2008-06-21 13:35 <DIR> d-------- C:\Program Files\Motorola
2008-06-21 13:35 . 2008-06-21 13:35 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-06-20 18:41 . 2008-06-20 18:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 11:44 . 2008-06-20 11:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-17 16:10 . 2008-06-17 16:10 <DIR> d-------- C:\Documents and Settings\user\Application Data\Yahoo!
2008-06-17 16:10 . 2008-06-17 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-17 16:05 . 2008-06-17 16:05 <DIR> d-------- C:\Program Files\Yahoo!
2008-06-17 16:03 . 2008-06-19 07:58 <DIR> d-------- C:\WINDOWS\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 23:27 32,256 ----a-w C:\WINDOWS\system32\yayWNEtu.dll
2008-07-17 23:27 32,256 ----a-w C:\WINDOWS\system32\xxywWoNE.dll
2008-07-17 23:27 --------- d-----w C:\Documents and Settings\user\Application Data\OpenOffice.org2
2008-07-17 23:27 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
2008-07-14 23:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-14 23:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-14 21:13 --------- d-----w C:\Program Files\LimeWire
2008-07-14 20:28 --------- d-----w C:\Program Files\ZipCentral
2008-07-13 19:55 --------- d-----w C:\Program Files\Google
2008-07-13 19:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-13 10:43 --------- d-----w C:\Program Files\Common Files\Scanner
2008-07-10 06:46 --------- d-----w C:\Program Files\Java
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 15:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 11:06 --------- d-----w C:\Program Files\Electronic Arts
2008-06-06 11:04 --------- d-----w C:\Program Files\Maxis
2008-06-04 21:49 --------- d-----w C:\Documents and Settings\user\Application Data\Jasc
2008-06-04 15:26 --------- d-----w C:\Program Files\Jasc Software Inc
2008-05-26 23:58 --------- d-----w C:\Program Files\EA GAMES
2008-05-20 15:11 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

------- Sigcheck -------

2003-03-31 13:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 08:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied

2003-03-31 13:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 08:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
md5deep: C:\WINDOWS\system32\winlogon.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\explorer.exe: error at offset 0: Permission denied
2007-06-13 12:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2003-03-31 13:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 08:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2004-08-04 08:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2003-03-31 13:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 08:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe
md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied

2003-03-31 13:00 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 08:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied

2005-06-11 00:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\$hf_mig$\KB896423\SP2GDR\spoolsv.exe
2005-06-11 01:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-11 00:55 53248 6b4bf97957a0b8795811975d4bf1acfe C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 08:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2003-03-31 13:00 51200 9b4155ba58192d4073082b8fc5d42612 C:\WINDOWS\$NtUninstallKB896423_0$\spoolsv.exe
2004-08-04 08:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
md5deep: C:\WINDOWS\system32\spoolsv.exe: error at offset 0: Permission denied
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2B7C123-DE23-43DB-A09F-7874B5D0BBD3}]
2008-07-18 00:32 283136 --a------ C:\WINDOWS\system32\iifgEwtt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b1b3cc0e-1585-7ad7-58ff-41f95d96c0a0}]
2008-07-03 15:45 364544 --a------ C:\WINDOWS\system32\ebkhobguvbpgl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 14:26 484904]
"Creative Live! Cam Manager"="C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2007-06-07 15:01 155648]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 12:00 200767]
"Windows Service"="C:\Documents and Settings\user\service.exe" [2008-07-18 00:27 145408]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe" [2007-09-05 15:09 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Logon Applicationedc"="C:\Documents and Settings\user\winlogon.exe" [2008-06-27 18:38 53248]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 19:49 2061552]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 15:10 310000]
"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 15:10 13552]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"V0350Mon.exe"="C:\WINDOWS\V0350Mon.exe" [2007-08-23 02:03 28672]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-01 19:06 185896]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-24 08:20 28672]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
"c06e4da2"="C:\WINDOWS\system32\xwfshyxb.dll" [BU]
"BMc35d7e3e"="C:\WINDOWS\system32\tyvqisia.dll" [2008-07-18 00:35 93696]
"SoundMan"="SOUNDMAN.EXE" [2003-01-07 11:09 46592 C:\WINDOWS\SOUNDMAN.EXE]
"PROMon.exe"="PROMon.exe" [2002-04-18 18:32 73728 C:\WINDOWS\system32\PROMon.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe" [2007-09-05 15:09 61168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
Deewoo.lnk - C:\QooBox\Quarantine\C\WINDOWS\system32\mcntqtdm.exe.vir [2008-07-12 09:51:24 192576]
DW_Start.lnk - C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir [2008-07-17 23:22:38 49187]
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 22:32:57 147456]
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2005-12-14 17:01:20 61440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{04F27F39-1C1B-4A4F-8B5A-A531E364B7A6}"= "C:\WINDOWS\system32\xxywWoNE.dll" [2008-07-18 00:27 32256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"NjgSbzX"= {C06E4D0E-6AC4-E7A4-DB49-517CA9CD2959} - C:\WINDOWS\system32\pyad.dll [2007-04-16 16:52 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywWoNE]
2008-07-18 00:27 32256 C:\WINDOWS\system32\xxywWoNE.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\iifgEwtt

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\java.exe"=
"C:\\Program Files\\Motorola\\Software Update\\msu.exe"=

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 06:29]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 15:36]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 19:33]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 17:41]

*Newly Created Service* - HTTPFILTER
*Newly Created Service* - NMSCFG

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-07-17 22:59:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 00:25:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\MSINET.oca 29184 bytes executable
C:\WINDOWS\system32\pac.txt 279600 bytes
C:\WINDOWS\system32\xxywWoNE.dll 32256 bytes executable
C:\WINDOWS\system32\yayWNEtu.dll 32256 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\xxywWoNE.dll
-> C:\Documents and Settings\user\winlogon.exe
-> C:\WINDOWS\system32\iifgEwtt.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\tyvqisia.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\NMSSvc.Exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.bin
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-18 0:38:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-17 23:37:45
ComboFix2.txt 2008-07-17 22:35:32

Pre-Run: 23,786,713,088 bytes free
Post-Run: 23,773,609,984 bytes free

290 --- E O F --- 2008-07-09 19:11:33

pskelley
2008-07-18, 15:34
Thanks for returning your information. I believe we will be OK, since I know the HJT log was created after the first run of ComboFix. You should know ComboFix logs are always on the C:\ drive.
We still have our work cut out for us; this was a very infected computer. Please read and follow the directions carefully and in the numbered order.

Take the time to read this information for your own security.
http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453088059
http://forums.spybot.info/showthread.php?t=282
http://www.nutnworks.com/SafeHex/file_sharing.htm


1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open Notepad and copy/paste the text in the code box below into it:


File::
C:\87.bat
C:\ctfmon.exe
C:\smss.exe
C:\csrss.exe
C:\WINDOWS\17PHolmes1188.exe
C:\WINDOWS\system32\abveilbo.dll
C:\WINDOWS\system32\xwfshyxb.dll
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\system32\yayWNEtu.dll
C:\WINDOWS\system32\xxywWoNE.dll
C:\WINDOWS\system32\iifgEwtt.dll
C:\WINDOWS\system32\tyvqisia.dll
C:\Documents and Settings\user\winlogon.exe
C:\Documents and Settings\user\service.exe
C:\WINDOWS\system32\ebkhobguvbpgl.dll
C\WINDOWS\system32\mcntqtdm.exe.vir
C:\WINDOWS\system32\pyad.dll
C:\WINDOWS\BMc35d7e3e.xml
C:\WINDOWS\system32\rrwnw64l.exe
C:\WINDOWS\system32\inif3
C:\WINDOWS\dXNlcg
C:\WINDOWS\system32\g77.exe
C:\WINDOWS\system32\olixds18

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2B7C123-DE23-43DB-A09F-7874B5D0BBD3}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b1b3cc0e-1585-7ad7-58ff-41f95d96c0a0}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywWoNE]

Folder::
C:\Temp
C:\WINDOWS\system32\aumsDK18

Save this as CFScript.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log. (Wait until you have finished all the steps before posting the logs.)

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(some may be gone, removed by CFScript)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\user\winlogon.exe
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\abveilbo.dll",s
O4 - HKLM\..\Run: [c06e4da2] rundll32.exe "C:\WINDOWS\system32\xwfshyxb.dll",b
O4 - Startup: Deewoo.lnk = C:\QooBox\Quarantine\C\WINDOWS\system32\mcntqtdm.exe.vir
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O21 - SSODL: NjgSbzX - {C06E4D0E-6AC4-E7A4-DB49-517CA9CD2959} - C:\WINDOWS\system32\pyad.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked".

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the combofix log from CFScript and a new HJT log.

Tell me how the computer is running now.

Thanks

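One way to triage a HijackThis log for the Vundo-style indicators the helper picked out above (a core system binary name running from the user profile, rundll32 Run entries calling a one-letter export, generated-looking DLL names in system32, a non-default SSODL entry, and startup shortcuts left pointing into the ComboFix quarantine). This is an added Python example, not a tool from this thread or from the HijackThis or ComboFix authors; the sample lines are constructed from entries shown in the logs above, the set of default XP SSODL names is an assumption, and the rules are review heuristics rather than verdicts (abbreviated names such as CTLCMgr would also trip the random-name check).

```python
import re

# Core Windows binaries whose names the malware in this thread borrowed
# (winlogon.exe and service.exe dropped into the user's profile).
SYSTEM_BINARY_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe",
}
# ShellServiceObjectDelayLoad names expected on a default Windows XP install
# (assumption); any other O21 entry deserves a look.
KNOWN_SSODL = {"webcheck", "postbootreminder", "cdburn", "systray"}
VOWELS = set("aeiou")
AUTOSTART_KINDS = {"O2", "O4", "O20", "O21"}

KIND_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"[^"]+\.dll",\s*\w\s*$')
SSODL_RE = re.compile(r"ssodl:\s*(.+?)\s*-\s*\{")


def looks_random(stem: str) -> bool:
    """Heuristic for generated Vundo-style names such as xxywWoNE or xwfshyxb:
    7-9 letters with either capitals inside the stem or almost no vowels.
    Expect false positives on abbreviations; treat hits as leads, not verdicts."""
    if not stem.isalpha() or not 7 <= len(stem) <= 9:
        return False
    mixed_case = any(c.isupper() for c in stem[1:])
    vowel_ratio = sum(c.lower() in VOWELS for c in stem) / len(stem)
    return mixed_case or vowel_ratio < 0.2


def analyse_line(line: str) -> list:
    """Return the reason tags that make one HijackThis line worth a review."""
    m = KIND_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.groups()
    lower = body.lower()
    reasons = []

    for path in PATH_RE.findall(body):
        name = path.rsplit("\\", 1)[-1]
        stem = name.rsplit(".", 1)[0]
        lpath = path.lower()
        in_system32 = lpath.startswith("c:\\windows\\system32\\")
        # 1) a core system binary name running from outside C:\WINDOWS
        if name.lower() in SYSTEM_BINARY_NAMES and not lpath.startswith("c:\\windows\\"):
            reasons.append("system-name-outside-windows")
        # 2) generated-looking name dropped straight into system32 and autostarted
        elif kind in AUTOSTART_KINDS and in_system32 and looks_random(stem):
            reasons.append("random-name")
        # 3) startup shortcut still pointing at a file ComboFix quarantined
        if "\\qoobox\\quarantine\\" in lpath:
            reasons.append("quarantined-target")

    # 4) rundll32 Run entry calling a DLL by a one-character export
    if kind == "O4" and RUNDLL_RE.search(lower):
        reasons.append("rundll32-single-letter-export")

    # 5) SSODL entry that is not one of the assumed XP defaults
    if kind == "O21":
        sm = SSODL_RE.match(lower)
        if sm and sm.group(1) not in KNOWN_SSODL:
            reasons.append("unknown-ssodl")
    return reasons


def triage(lines) -> dict:
    """Map each flagged line to its reasons; clean lines are left out."""
    result = {}
    for entry in lines:
        reasons = analyse_line(entry)
        if reasons:
            result[entry] = reasons
    return result


# Sample entries constructed from the logs posted in this thread.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\user\winlogon.exe",
    r'O4 - HKLM\..\Run: [c06e4da2] rundll32.exe "C:\WINDOWS\system32\xwfshyxb.dll",b',
    r'O4 - HKLM\..\Run: [BMc35d7e3e] Rundll32.exe "C:\WINDOWS\system32\tyvqisia.dll",s',
    r"O21 - SSODL: NjgSbzX - {C06E4D0E-6AC4-E7A4-DB49-517CA9CD2959} - C:\WINDOWS\system32\pyad.dll",
    r"O4 - Startup: Deewoo.lnk = C:\QooBox\Quarantine\C\WINDOWS\system32\mcntqtdm.exe.vir",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll",
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe",
    r"O20 - Winlogon Notify: xxywWoNE - C:\WINDOWS\system32\xxywWoNE.dll",
    r"O2 - BHO: (no name) - {A2B7C123-DE23-43DB-A09F-7874B5D0BBD3} - C:\WINDOWS\system32\iifgEwtt.dll",
]

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LINES).items():
        print(", ".join(why), "->", entry)
```

Entries for ctfmon.exe in system32 and the Java BHO come through clean, which is the point of restricting the random-name rule to autostart entries inside system32.
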
misszee37
2008-07-18, 18:17
Hiya!

Okay, I read and learned a very valuable lesson from the links you provided - thank you!

My PC is running MUCH better already. I'm able to get to previously inaccessible websites, it's back to its usual speed, I was able to log in to the forum using my own PC, the antivirus 2008 has disappeared, automatic updates are no longer turned off and so far as I type I haven't been bombarded with any pop-ups!! :)

Once I'd restarted for the final time I got a couple of rundll dialogue boxes saying that it was unable to run the following:

"Error loading C:\Windows\System32\tyvqisia.dll and C:\Windows\System32\wymusaas"

and another box saying "Windows cannot open this file: rwwnw64d.exe.vir". It gave me the option to look for the program online or to manually search for the relevant program, but I just cancelled it.

I fixed the specified items on the HijackThis scan, only 4 in total as the rest had already been deleted. The only item I wasn't sure about was the following:

O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
I couldn't see this, but the following showed up on the scan:

O4 - Startup: DWL_Start.Ink = C:\Qoobox\Quarantine\C:\WINDOWS\system32\rwwnw64d.exe
But as it didn't match your description 100% I didn't select to fix it!

Here are the new logs as requested. Thanks so much for your help so far!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:56:32, on 18/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\V0350Mon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [c06e4da2] rundll32.exe "C:\WINDOWS\system32\wymusaas.dll",b
O4 - HKLM\..\Run: [BMc35d7e3e] Rundll32.exe "C:\WINDOWS\system32\tyvqisia.dll",s
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: DW_Start.lnk = C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.com/teleport/superstar/MaxisSuperstarTeleX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200847527921
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200847473234
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/MaxisSimsFamilyTeleX.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O21 - SSODL: NjgSbzX - {C06E4D0E-6AC4-E7A4-DB49-517CA9CD2959} - C:\WINDOWS\system32\pyad.dll
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NinjaVideo Helper (NinjaVideo Helper.exe) - NinjaVideo - C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10599 bytes

ComboFix 08-07-15.4 - user 2008-07-18 15:37:05.3 - NTFSx86
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\87.bat
C:\csrss.exe
C:\ctfmon.exe
C:\Documents and Settings\user\service.exe
C:\Documents and Settings\user\winlogon.exe
C:\smss.exe
C:\WINDOWS\17PHolmes1188.exe
C:\WINDOWS\system32\abveilbo.dll
C:\WINDOWS\system32\ebkhobguvbpgl.dll
C:\WINDOWS\system32\iifgEwtt.dll
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\system32\tyvqisia.dll
C:\WINDOWS\system32\xwfshyxb.dll
C:\WINDOWS\system32\xxywWoNE.dll
C:\WINDOWS\system32\yayWNEtu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\user\service.exe
C:\Documents and Settings\user\winlogon.exe
C:\Temp
C:\Temp\stmpv4\bnwe7.log
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ccqxbi.dll
C:\WINDOWS\system32\ddcAqOhh.dll
C:\WINDOWS\system32\ebkhobguvbpgl.dll
C:\WINDOWS\system32\hswgnicg.dll
C:\WINDOWS\system32\iifgEwtt.dll
C:\WINDOWS\system32\kwyanptr.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\saasumyw.ini
C:\WINDOWS\system32\ttwEgfii.ini
C:\WINDOWS\system32\ttwEgfii.ini2
C:\WINDOWS\system32\tyvqisia.dll
C:\WINDOWS\system32\wymusaas.dll
C:\WINDOWS\system32\xxywWoNE.dll
C:\WINDOWS\system32\yayWNEtu.dll
C:\WINDOWS\system32\yaywtRIa.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.

2008-07-18 15:04 . 2008-07-18 15:04 73 --a------ C:\WINDOWS\3325.bat
2008-07-18 08:09 . 2008-07-18 08:09 73 --a------ C:\WINDOWS\2321.bat
2008-07-18 00:29 . 2008-07-18 00:29 73 --a------ C:\WINDOWS\3502.bat
2008-07-18 00:28 . 2008-07-18 15:04 121,344 --a------ C:\WINDOWS\task32.exe
2008-07-17 23:55 . 2008-07-17 23:55 <DIR> d-------- C:\Documents and Settings\user\Phone Browser
2008-07-17 06:51 . 2008-07-17 06:51 <DIR> d-------- C:\WINDOWS\system32\aumsDK18
2008-07-16 11:21 . 2008-07-16 17:21 90,922 --a------ C:\WINDOWS\system32\ebkhobguvbpgl.dll-uninst.exe
2008-07-16 06:54 . 2008-07-16 06:54 41,984 --a------ C:\WINDOWS\mrofinu1188.exe.tmp
2008-07-16 06:54 . 2008-07-18 08:10 41,984 --a------ C:\WINDOWS\mrofinu1188.exe
2008-07-16 06:53 . 2008-07-16 06:53 64,332 --a------ C:\WINDOWS\system32\gtndvolgtgyouog.exe
2008-07-16 06:53 . 2008-07-16 06:53 355 --a------ C:\245.bat
2008-07-16 03:49 . 2008-07-16 03:49 32,768 --a------ C:\WINDOWS\system32\aumsDK18\aumsDK182328.exe
2008-07-15 09:46 . 2008-07-15 09:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-15 09:32 . 2008-07-15 09:32 93 --a------ C:\WINDOWS\wininit.ini
2008-07-13 09:32 . 2008-07-13 09:32 355 --a------ C:\517.bat
2008-07-12 22:00 . 2008-07-18 00:39 110,419 --a------ C:\WINDOWS\BMc35d7e3e.xml
2008-07-12 10:08 . 2008-07-12 10:08 49,171 --a------ C:\WINDOWS\system32\rrwnw64l.exe
2008-07-12 09:51 . 2008-07-13 18:27 <DIR> d-------- C:\WINDOWS\system32\inif3
2008-07-12 09:51 . 2008-07-13 18:27 <DIR> d--hs---- C:\WINDOWS\dXNlcg
2008-07-12 09:51 . 2008-07-12 09:51 152,184 --a------ C:\WINDOWS\system32\g77.exe
2008-07-11 16:18 . 2008-07-11 16:18 <DIR> d-------- C:\WINDOWS\system32\olixds18
2008-07-11 16:08 . 2008-07-11 16:10 223,076 --a------ C:\WINDOWS\ism611.exe
2008-07-11 16:08 . 2008-07-11 16:10 178,616 --a------ C:\WINDOWS\plate611.exe
2008-07-11 16:08 . 2008-07-11 16:10 49,152 --a------ C:\WINDOWS\dw611.exe
2008-07-11 11:58 . 2008-07-13 20:49 <DIR> d-------- C:\Program Files\iWin.com
2008-07-11 11:56 . 2008-07-11 11:56 <DIR> d-------- C:\Documents and Settings\user\Application Data\iWinArcade
2008-07-11 11:56 . 2008-07-11 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iWin Games
2008-07-11 11:55 . 2008-07-13 20:38 <DIR> d-------- C:\Program Files\iWin Games
2008-07-11 08:47 . 2008-07-11 08:47 <DIR> d-------- C:\Documents and Settings\user\Application Data\Eyeblaster
2008-07-11 08:42 . 2008-07-11 10:47 <DIR> d-------- C:\Documents and Settings\user\Application Data\Zylom
2008-07-11 08:41 . 2008-07-11 16:16 <DIR> d-------- C:\Program Files\Zylom Games
2008-07-11 08:41 . 2008-07-11 09:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2008-07-10 20:13 . 2008-07-10 20:13 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-07-10 20:11 . 2008-07-11 08:02 <DIR> d-------- C:\Program Files\Shockwave.com
2008-07-10 11:19 . 2008-07-13 19:14 <DIR> d-------- C:\Documents and Settings\user\Application Data\Gamelab
2008-07-05 06:15 . 2008-07-05 06:15 32,768 --a------ C:\WINDOWS\system32\olixds18\olixds182328.exe
2008-07-01 23:08 . 2008-07-01 23:08 244 --ah----- C:\sqmnoopt05.sqm
2008-07-01 23:08 . 2008-07-01 23:08 232 --ah----- C:\sqmdata05.sqm
2008-07-01 21:27 . 2008-07-01 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-07-01 21:26 . 2008-07-01 21:56 <DIR> d-------- C:\Documents and Settings\user\Application Data\Nokia
2008-07-01 21:25 . 2008-07-01 21:25 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-07-01 21:25 . 2008-07-01 21:25 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-07-01 21:23 . 2008-07-01 21:23 <DIR> d-------- C:\Program Files\DIFX
2008-07-01 21:23 . 2008-07-01 21:27 <DIR> d-------- C:\Documents and Settings\user\Application Data\PC Suite
2008-07-01 21:22 . 2008-07-01 21:22 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-07-01 21:22 . 2007-02-22 11:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-07-01 21:22 . 2007-02-22 11:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-07-01 21:22 . 2007-02-22 11:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-07-01 21:22 . 2007-02-22 11:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-07-01 21:22 . 2007-02-22 11:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-07-01 21:21 . 2008-07-01 21:24 <DIR> d-------- C:\Program Files\Nokia
2008-07-01 21:21 . 2007-02-22 11:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-07-01 21:20 . 2008-07-01 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-06-28 19:46 . 2008-06-28 19:46 244 --ah----- C:\sqmnoopt04.sqm
2008-06-28 19:46 . 2008-06-28 19:46 232 --ah----- C:\sqmdata04.sqm
2008-06-28 19:45 . 2008-06-28 19:45 244 --ah----- C:\sqmnoopt03.sqm
2008-06-28 19:45 . 2008-06-28 19:45 232 --ah----- C:\sqmdata03.sqm
2008-06-28 19:42 . 2008-06-28 19:42 244 --ah----- C:\sqmnoopt02.sqm
2008-06-28 19:42 . 2008-06-28 19:42 232 --ah----- C:\sqmdata02.sqm
2008-06-21 13:37 . 2008-06-21 13:37 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-06-21 13:37 . 2008-06-21 13:37 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-06-21 13:37 . 2008-06-21 13:37 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2008-06-21 13:37 . 2008-06-21 13:37 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2008-06-21 13:36 . 2006-11-13 15:45 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-06-21 13:36 . 2007-10-10 17:41 42,112 --a------ C:\WINDOWS\system32\drivers\motodrv.sys
2008-06-21 13:36 . 2007-06-18 15:18 23,680 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-06-21 13:36 . 2007-11-02 15:36 18,176 --a------ C:\WINDOWS\system32\drivers\motccgp.sys
2008-06-21 13:36 . 2007-01-22 19:33 7,680 --a------ C:\WINDOWS\system32\drivers\motccgpfl.sys
2008-06-21 13:36 . 2007-11-02 15:51 6,400 --a------ C:\WINDOWS\system32\drivers\motswch.sys
2008-06-21 13:35 . 2008-06-21 13:35 <DIR> d-------- C:\Program Files\Motorola
2008-06-21 13:35 . 2008-06-21 13:35 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-06-20 18:41 . 2008-06-20 18:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 11:44 . 2008-06-20 11:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 15:13 --------- d-----w C:\Documents and Settings\user\Application Data\OpenOffice.org2
2008-07-18 15:13 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
2008-07-14 23:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-14 23:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-14 21:13 --------- d-----w C:\Program Files\LimeWire
2008-07-14 20:28 --------- d-----w C:\Program Files\ZipCentral
2008-07-13 19:55 --------- d-----w C:\Program Files\Google
2008-07-13 19:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-13 10:43 --------- d-----w C:\Program Files\Common Files\Scanner
2008-07-10 06:46 --------- d-----w C:\Program Files\Java
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 15:10 --------- d-----w C:\Documents and Settings\user\Application Data\Yahoo!
2008-06-17 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-17 15:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-17 15:05 --------- d-----w C:\Program Files\Yahoo!
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 11:06 --------- d-----w C:\Program Files\Electronic Arts
2008-06-06 11:04 --------- d-----w C:\Program Files\Maxis
2008-06-04 21:49 --------- d-----w C:\Documents and Settings\user\Application Data\Jasc
2008-06-04 15:26 --------- d-----w C:\Program Files\Jasc Software Inc
2008-05-26 23:58 --------- d-----w C:\Program Files\EA GAMES
2008-05-20 15:11 --------- d-----w C:\Program Files\Common Files\Adobe
.

------- Sigcheck -------

2003-03-31 13:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 08:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied

2003-03-31 13:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 08:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
md5deep: C:\WINDOWS\system32\winlogon.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\explorer.exe: error at offset 0: Permission denied
2007-06-13 12:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2003-03-31 13:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 08:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2004-08-04 08:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2003-03-31 13:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 08:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe
md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied

2003-03-31 13:00 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 08:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied

2005-06-11 00:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\$hf_mig$\KB896423\SP2GDR\spoolsv.exe
2005-06-11 01:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-11 00:55 53248 6b4bf97957a0b8795811975d4bf1acfe C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 08:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2003-03-31 13:00 51200 9b4155ba58192d4073082b8fc5d42612 C:\WINDOWS\$NtUninstallKB896423_0$\spoolsv.exe
2004-08-04 08:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
md5deep: C:\WINDOWS\system32\spoolsv.exe: error at offset 0: Permission denied
.
((((((((((((((((((((((((((((( snapshot@2008-07-17_23.33.23.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-17 05:42:25 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-18 07:05:40 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-17 05:42:25 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-18 07:05:40 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-17 05:42:25 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-18 07:05:40 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 14:26 484904]
"Creative Live! Cam Manager"="C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2007-06-07 15:01 155648]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 12:00 200767]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe" [2007-09-05 15:09 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 19:49 2061552]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 15:10 310000]
"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 15:10 13552]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"V0350Mon.exe"="C:\WINDOWS\V0350Mon.exe" [2007-08-23 02:03 28672]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-01 19:06 185896]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-24 08:20 28672]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
"c06e4da2"="C:\WINDOWS\system32\wymusaas.dll" [BU]
"BMc35d7e3e"="C:\WINDOWS\system32\tyvqisia.dll" [BU]
"SoundMan"="SOUNDMAN.EXE" [2003-01-07 11:09 46592 C:\WINDOWS\SOUNDMAN.EXE]
"PROMon.exe"="PROMon.exe" [2002-04-18 18:32 73728 C:\WINDOWS\system32\PROMon.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe" [2007-09-05 15:09 61168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
Deewoo.lnk - C:\QooBox\Quarantine\C\WINDOWS\system32\mcntqtdm.exe.vir [2008-07-12 09:51:24 192576]
DW_Start.lnk - C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir [2008-07-17 23:22:38 49187]
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 22:32:57 147456]
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2005-12-14 17:01:20 61440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"NjgSbzX"= {C06E4D0E-6AC4-E7A4-DB49-517CA9CD2959} - C:\WINDOWS\system32\pyad.dll [2007-04-16 16:52 32768]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\java.exe"=
"C:\\Program Files\\Motorola\\Software Update\\msu.exe"=

R2 NinjaVideo Helper.exe;NinjaVideo Helper;C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe [2008-04-10 21:01]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 06:29]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 15:36]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 19:33]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 17:41]
S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe [2004-08-04 08:56]
S3 VF0350Afx;VF0350 Audio FX;C:\WINDOWS\system32\Drivers\V0350Afx.sys [2007-06-11 02:01]
S3 VF0350Vfx;VF0350 Video FX;C:\WINDOWS\system32\DRIVERS\V0350VFx.sys [2007-03-05 19:45]
S3 VF0350Vid;Live! Cam Video IM (VF0350);C:\WINDOWS\system32\DRIVERS\V0350Vid.sys [2007-08-29 02:03]
S3 X-Micro WLAN 11g USB Adapter(X-Micro);X-Micro WLAN 11g USB Adapter Driver(X-Micro);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-07-18 14:59:23 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Windows Service - C:\Documents and Settings\user\service.exe
HKLM-Run-Windows Logon Applicationedc - C:\Documents and Settings\user\winlogon.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 16:11:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\NMSSvc.Exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.bin
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterr.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-18 16:22:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-18 15:21:45
ComboFix2.txt 2008-07-17 23:38:19
ComboFix3.txt 2008-07-17 22:35:32

Pre-Run: 23,742,742,528 bytes free
Post-Run: 23,732,912,128 bytes free

293 --- E O F --- 2008-07-09 19:11:33

pskelley
2008-07-18, 19:31
Thanks for returning your information. It appears we did not get it all; follow the directions carefully please.

Delete with HJT either one of these you see. I have no idea how you got it in the ComboFix quarantine like that?
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe

I couldn't see this but there was the following that showed up on the scan: O4 - Startup: DWL_Start.Ink = C:\Qoobox\Quarantine\C:\WINDOWS\system32\rwwnw64d.exe

But as it didn't match your description 100% I didn't select to fix it!


Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\wymusaas.dll
C:\WINDOWS\system32\tyvqisia.dll
C:\WINDOWS\system32\pyad.dll

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (Wait until you finish to post the logs.)

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [c06e4da2] rundll32.exe "C:\WINDOWS\system32\wymusaas.dll",b
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\tyvqisia.dll",s
O4 - Startup: DW_Start.lnk = C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir
O21 - SSODL: NjgSbzX - {C06E4D0E-6AC4-E7A4-DB49-517CA9CD2959} - C:\WINDOWS\system32\pyad.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file, the combofix log from CFScript and a new HJT log in your next reply.

Thanks
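As an added example (not from this thread, and not part of HijackThis or ComboFix), the script below applies the checks the helper used above to HijackThis O4/O21 lines: a Run value that launches rundll32 on a random-named DLL in system32, a Run value with no name, a startup shortcut pointing into ComboFix's quarantine or at a random-named file in system32, and an SSODL entry loading a DLL outside the Windows defaults. The sample lines are taken from this thread's logs plus constructed benign ones; the SSODL allowlist and the CLSID placeholder are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the O4/O21 lines the helper asked to be fixed in this thread, mixed with
# legitimate entries from the same log and one constructed benign SSODL line (CLSID is a placeholder).
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [c06e4da2] rundll32.exe "C:\WINDOWS\system32\wymusaas.dll",b
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\tyvqisia.dll",s
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Startup: DW_Start.lnk = C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O21 - SSODL: WPDShServiceObj - {CLSID-PLACEHOLDER} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: NjgSbzX - {C06E4D0E-6AC4-E7A4-DB49-517CA9CD2959} - C:\WINDOWS\system32\pyad.dll
"""

# HijackThis line shapes handled here.
O4_RUN_RE = re.compile(r'^O4 - HK\w+\\(?:[^\\]+\\)?\.\.\\Run\w*: (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$')
O4_STARTUP_RE = re.compile(r'^O4 - (?:Global )?Startup: (?P<lnk>.+?\.lnk) = (?P<target>.+)$')
O21_SSODL_RE = re.compile(r'^O21 - SSODL: (?P<name>\S+) - (?P<clsid>\{[^}]+\}) - (?P<dll>.+)$')
RUNDLL32_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)

# Heuristics, not signatures: a file directly under system32 whose stem is 7-9 lowercase
# letters/digits (wymusaas, tyvqisia, rwwnw64d) is the naming pattern seen in this thread.
SYSTEM32_RE = re.compile(r'^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+$', re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r'^[a-z0-9]{7,9}$')

# Partial allowlist of SSODL DLLs that ship with Windows XP (an assumption for this example;
# extend it from a known-clean machine before relying on it).
KNOWN_SSODL_DLLS = {"stobject.dll", "webcheck.dll", "wpdshserviceobj.dll"}


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def _in_system32(path: str) -> bool:
    return SYSTEM32_RE.match(path.strip('"')) is not None


def _random_looking(path: str) -> bool:
    stem, _, _ = ntpath.basename(path.strip('"')).rpartition('.')
    return RANDOM_STEM_RE.fullmatch(stem) is not None


def triage_line(line: str) -> List[Finding]:
    """Return zero or more findings for a single HijackThis log line."""
    line = line.rstrip()
    out: List[Finding] = []

    m = O4_RUN_RE.match(line)
    if m:
        # HJT prints the value name in brackets; its absence is unusual and worth a manual look.
        if m.group('name') is None:
            out.append(Finding(line, 'RUN_NAMELESS_VALUE'))
        r = RUNDLL32_RE.match(m.group('cmd'))
        if r and _in_system32(r.group('dll')) and _random_looking(r.group('dll')):
            out.append(Finding(line, 'RUN_RUNDLL32_RANDOM_SYSTEM32_DLL'))
        return out

    m = O4_STARTUP_RE.match(line)
    if m:
        target = m.group('target')
        # A shortcut into ComboFix's quarantine (QooBox, .vir suffix) is a leftover loader
        # for a file that has already been removed; it should be deleted, not re-enabled.
        if target.lower().endswith('.vir') or '\\qoobox\\quarantine\\' in target.lower():
            out.append(Finding(line, 'STARTUP_LNK_TARGETS_QUARANTINE'))
        elif _in_system32(target) and _random_looking(target):
            out.append(Finding(line, 'STARTUP_LNK_RANDOM_SYSTEM32_TARGET'))
        return out

    m = O21_SSODL_RE.match(line)
    if m:
        # ShellServiceObjectDelayLoad entries are loaded by Explorer at every logon;
        # anything outside the small default set deserves inspection.
        if ntpath.basename(m.group('dll')).lower() not in KNOWN_SSODL_DLLS:
            out.append(Finding(line, 'SSODL_UNLISTED_DLL'))
        return out

    return out


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole HijackThis log and collect the findings."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_HJT_LINES):
        print(f'{f.reason:36} {f.line}')
```

Run against the sample it flags exactly the four entries the helper listed for fixing (plus the nameless Run value) and leaves jusched, ctfmon, quickstart and the default SSODL line alone.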

misszee37
2008-07-18, 22:09
Hiya Phil.

I have no idea how that file ended up there to be honest, do you think it's because I ran ComboFix twice?

New logs as requested.

Many thanks!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:03:12, on 18/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\V0350Mon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.com/teleport/superstar/MaxisSuperstarTeleX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200847527921
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200847473234
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/MaxisSimsFamilyTeleX.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NinjaVideo Helper (NinjaVideo Helper.exe) - NinjaVideo - C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10354 bytes

Malwarebytes' Anti-Malware 1.20
Database version: 964
Windows 5.1.2600 Service Pack 2

20:49:27 18/07/2008
mbam-log-7-18-2008 (20-49-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 91524
Time elapsed: 47 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 40

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhctg7j0et71 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhctg7j0et71 (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\84.exe.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\iifgEwtt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\khfDTJYO.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe.vir (Adware.BHO) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vgbnjmqt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vtUlKawv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wvUkHWMD.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wymusaas.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xwfshyxb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xxyxXnmj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ywrjaaex.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\n32\keysrve.exe.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0AC2BD82-1FFD-4583-B99C-D3200DC4F8A8}\RP300\A0040640.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0AC2BD82-1FFD-4583-B99C-D3200DC4F8A8}\RP300\A0040644.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0AC2BD82-1FFD-4583-B99C-D3200DC4F8A8}\RP300\A0040658.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0AC2BD82-1FFD-4583-B99C-D3200DC4F8A8}\RP300\A0040678.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0AC2BD82-1FFD-4583-B99C-D3200DC4F8A8}\RP300\A0040680.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0AC2BD82-1FFD-4583-B99C-D3200DC4F8A8}\RP300\A0040684.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0AC2BD82-1FFD-4583-B99C-D3200DC4F8A8}\RP300\A0040686.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0AC2BD82-1FFD-4583-B99C-D3200DC4F8A8}\RP300\A0040696.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0AC2BD82-1FFD-4583-B99C-D3200DC4F8A8}\RP301\A0040770.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0AC2BD82-1FFD-4583-B99C-D3200DC4F8A8}\RP303\A0040838.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0AC2BD82-1FFD-4583-B99C-D3200DC4F8A8}\RP304\A0040871.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0AC2BD82-1FFD-4583-B99C-D3200DC4F8A8}\RP304\A0040879.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\dw611.exe (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\ism611.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu1188.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu1188.exe.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\plate611.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\WINDOWS\BMc35d7e3e.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMc35d7e3e.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

ComboFix 08-07-15.4 - user 2008-07-18 19:30:15.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.185 [GMT 1:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\pyad.dll
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\tyvqisia.dll
C:\WINDOWS\system32\wymusaas.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\pyad.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.

2008-07-18 15:04 . 2008-07-18 15:04 73 --a------ C:\WINDOWS\3325.bat
2008-07-18 08:09 . 2008-07-18 08:09 73 --a------ C:\WINDOWS\2321.bat
2008-07-18 00:29 . 2008-07-18 00:29 73 --a------ C:\WINDOWS\3502.bat
2008-07-18 00:28 . 2008-07-18 15:04 121,344 --a------ C:\WINDOWS\task32.exe
2008-07-17 23:55 . 2008-07-17 23:55 <DIR> d-------- C:\Documents and Settings\user\Phone Browser
2008-07-17 06:51 . 2008-07-17 06:51 <DIR> d-------- C:\WINDOWS\system32\aumsDK18
2008-07-16 11:21 . 2008-07-16 17:21 90,922 --a------ C:\WINDOWS\system32\ebkhobguvbpgl.dll-uninst.exe
2008-07-16 06:54 . 2008-07-16 06:54 41,984 --a------ C:\WINDOWS\mrofinu1188.exe.tmp
2008-07-16 06:54 . 2008-07-18 08:10 41,984 --a------ C:\WINDOWS\mrofinu1188.exe
2008-07-16 06:53 . 2008-07-16 06:53 64,332 --a------ C:\WINDOWS\system32\gtndvolgtgyouog.exe
2008-07-16 06:53 . 2008-07-16 06:53 355 --a------ C:\245.bat
2008-07-16 03:49 . 2008-07-16 03:49 32,768 --a------ C:\WINDOWS\system32\aumsDK18\aumsDK182328.exe
2008-07-15 09:46 . 2008-07-15 09:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-15 09:32 . 2008-07-15 09:32 93 --a------ C:\WINDOWS\wininit.ini
2008-07-13 09:32 . 2008-07-13 09:32 355 --a------ C:\517.bat
2008-07-12 22:00 . 2008-07-18 00:39 110,419 --a------ C:\WINDOWS\BMc35d7e3e.xml
2008-07-12 10:08 . 2008-07-12 10:08 49,171 --a------ C:\WINDOWS\system32\rrwnw64l.exe
2008-07-12 09:51 . 2008-07-13 18:27 <DIR> d-------- C:\WINDOWS\system32\inif3
2008-07-12 09:51 . 2008-07-13 18:27 <DIR> d--hs---- C:\WINDOWS\dXNlcg
2008-07-12 09:51 . 2008-07-12 09:51 152,184 --a------ C:\WINDOWS\system32\g77.exe
2008-07-11 16:18 . 2008-07-11 16:18 <DIR> d-------- C:\WINDOWS\system32\olixds18
2008-07-11 16:08 . 2008-07-11 16:10 223,076 --a------ C:\WINDOWS\ism611.exe
2008-07-11 16:08 . 2008-07-11 16:10 178,616 --a------ C:\WINDOWS\plate611.exe
2008-07-11 16:08 . 2008-07-11 16:10 49,152 --a------ C:\WINDOWS\dw611.exe
2008-07-11 11:58 . 2008-07-13 20:49 <DIR> d-------- C:\Program Files\iWin.com
2008-07-11 11:56 . 2008-07-11 11:56 <DIR> d-------- C:\Documents and Settings\user\Application Data\iWinArcade
2008-07-11 11:56 . 2008-07-11 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iWin Games
2008-07-11 11:55 . 2008-07-13 20:38 <DIR> d-------- C:\Program Files\iWin Games
2008-07-11 08:47 . 2008-07-11 08:47 <DIR> d-------- C:\Documents and Settings\user\Application Data\Eyeblaster
2008-07-11 08:42 . 2008-07-11 10:47 <DIR> d-------- C:\Documents and Settings\user\Application Data\Zylom
2008-07-11 08:41 . 2008-07-11 16:16 <DIR> d-------- C:\Program Files\Zylom Games
2008-07-11 08:41 . 2008-07-11 09:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2008-07-10 20:13 . 2008-07-10 20:13 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-07-10 20:11 . 2008-07-11 08:02 <DIR> d-------- C:\Program Files\Shockwave.com
2008-07-10 11:19 . 2008-07-13 19:14 <DIR> d-------- C:\Documents and Settings\user\Application Data\Gamelab
2008-07-05 06:15 . 2008-07-05 06:15 32,768 --a------ C:\WINDOWS\system32\olixds18\olixds182328.exe
2008-07-01 23:08 . 2008-07-01 23:08 244 --ah----- C:\sqmnoopt05.sqm
2008-07-01 23:08 . 2008-07-01 23:08 232 --ah----- C:\sqmdata05.sqm
2008-07-01 21:27 . 2008-07-01 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-07-01 21:26 . 2008-07-01 21:56 <DIR> d-------- C:\Documents and Settings\user\Application Data\Nokia
2008-07-01 21:25 . 2008-07-01 21:25 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-07-01 21:25 . 2008-07-01 21:25 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-07-01 21:23 . 2008-07-01 21:23 <DIR> d-------- C:\Program Files\DIFX
2008-07-01 21:23 . 2008-07-01 21:27 <DIR> d-------- C:\Documents and Settings\user\Application Data\PC Suite
2008-07-01 21:22 . 2008-07-01 21:22 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-07-01 21:22 . 2007-02-22 11:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-07-01 21:22 . 2007-02-22 11:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-07-01 21:22 . 2007-02-22 11:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-07-01 21:22 . 2007-02-22 11:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-07-01 21:22 . 2007-02-22 11:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-07-01 21:21 . 2008-07-01 21:24 <DIR> d-------- C:\Program Files\Nokia
2008-07-01 21:21 . 2007-02-22 11:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-07-01 21:20 . 2008-07-01 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-06-28 19:46 . 2008-06-28 19:46 244 --ah----- C:\sqmnoopt04.sqm
2008-06-28 19:46 . 2008-06-28 19:46 232 --ah----- C:\sqmdata04.sqm
2008-06-28 19:45 . 2008-06-28 19:45 244 --ah----- C:\sqmnoopt03.sqm
2008-06-28 19:45 . 2008-06-28 19:45 232 --ah----- C:\sqmdata03.sqm
2008-06-28 19:42 . 2008-06-28 19:42 244 --ah----- C:\sqmnoopt02.sqm
2008-06-28 19:42 . 2008-06-28 19:42 232 --ah----- C:\sqmdata02.sqm
2008-06-21 13:37 . 2008-06-21 13:37 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-06-21 13:37 . 2008-06-21 13:37 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-06-21 13:37 . 2008-06-21 13:37 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2008-06-21 13:37 . 2008-06-21 13:37 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2008-06-21 13:36 . 2006-11-13 15:45 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-06-21 13:36 . 2007-10-10 17:41 42,112 --a------ C:\WINDOWS\system32\drivers\motodrv.sys
2008-06-21 13:36 . 2007-06-18 15:18 23,680 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-06-21 13:36 . 2007-11-02 15:36 18,176 --a------ C:\WINDOWS\system32\drivers\motccgp.sys
2008-06-21 13:36 . 2007-01-22 19:33 7,680 --a------ C:\WINDOWS\system32\drivers\motccgpfl.sys
2008-06-21 13:36 . 2007-11-02 15:51 6,400 --a------ C:\WINDOWS\system32\drivers\motswch.sys
2008-06-21 13:35 . 2008-06-21 13:35 <DIR> d-------- C:\Program Files\Motorola
2008-06-21 13:35 . 2008-06-21 13:35 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-06-20 18:41 . 2008-06-20 18:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 11:44 . 2008-06-20 11:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 15:53 --------- d-----w C:\Documents and Settings\user\Application Data\OpenOffice.org2
2008-07-18 15:17 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
2008-07-14 23:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-14 23:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-14 21:13 --------- d-----w C:\Program Files\LimeWire
2008-07-14 20:28 --------- d-----w C:\Program Files\ZipCentral
2008-07-13 19:55 --------- d-----w C:\Program Files\Google
2008-07-13 19:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-13 10:43 --------- d-----w C:\Program Files\Common Files\Scanner
2008-07-10 06:46 --------- d-----w C:\Program Files\Java
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 15:10 --------- d-----w C:\Documents and Settings\user\Application Data\Yahoo!
2008-06-17 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-17 15:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-17 15:05 --------- d-----w C:\Program Files\Yahoo!
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 11:06 --------- d-----w C:\Program Files\Electronic Arts
2008-06-06 11:04 --------- d-----w C:\Program Files\Maxis
2008-06-04 21:49 --------- d-----w C:\Documents and Settings\user\Application Data\Jasc
2008-06-04 15:26 --------- d-----w C:\Program Files\Jasc Software Inc
2008-05-26 23:58 --------- d-----w C:\Program Files\EA GAMES
2008-05-20 15:11 --------- d-----w C:\Program Files\Common Files\Adobe
.

------- Sigcheck -------

2003-03-31 13:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 08:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 08:56 17408 d76d2aae9726fb9254c7957c6e5da8cc C:\WINDOWS\system32\svchost.exe

2003-03-31 13:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 08:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 08:56 506368 cf4c48a98167ae7d899acae234d4b2a4 C:\WINDOWS\system32\winlogon.exe

2007-06-13 11:23 1035776 5f04b74b07f327a7d2d5e94c711bbdaa C:\WINDOWS\explorer.exe
2007-06-13 12:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2003-03-31 13:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 08:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2004-08-04 08:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2003-03-31 13:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 08:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe
2004-08-04 08:56 110592 c78883897a901a495f24f14df980c4ef C:\WINDOWS\system32\services.exe

2003-03-31 13:00 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 08:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-04 08:56 14848 748709cfff4ab56e879c12f315faf8fc C:\WINDOWS\system32\lsass.exe

2005-06-11 00:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\$hf_mig$\KB896423\SP2GDR\spoolsv.exe
2005-06-11 01:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-11 00:55 53248 6b4bf97957a0b8795811975d4bf1acfe C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 08:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2003-03-31 13:00 51200 9b4155ba58192d4073082b8fc5d42612 C:\WINDOWS\$NtUninstallKB896423_0$\spoolsv.exe
2004-08-04 08:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2005-06-11 00:53 58880 5a1a40407dd1d6ffbd5a379b82452314 C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot@2008-07-17_23.33.23.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-17 05:42:25 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-18 07:05:40 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-17 05:42:25 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-18 07:05:40 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-17 05:42:25 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-18 07:05:40 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 14:26 484904]
"Creative Live! Cam Manager"="C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2007-06-07 15:01 155648]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 12:00 200767]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe" [2007-09-05 15:09 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 19:49 2061552]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 15:10 310000]
"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 15:10 13552]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"V0350Mon.exe"="C:\WINDOWS\V0350Mon.exe" [2007-08-23 02:03 28672]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-01 19:06 185896]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-24 08:20 28672]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
"c06e4da2"="C:\WINDOWS\system32\wymusaas.dll" [BU]
"BMc35d7e3e"="C:\WINDOWS\system32\tyvqisia.dll" [BU]
"SoundMan"="SOUNDMAN.EXE" [2003-01-07 11:09 46592 C:\WINDOWS\SOUNDMAN.EXE]
"PROMon.exe"="PROMon.exe" [2002-04-18 18:32 73728 C:\WINDOWS\system32\PROMon.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe" [2007-09-05 15:09 61168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
DW_Start.lnk - C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir [2008-07-17 23:22:38 49187]
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2005-12-14 17:01:20 61440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\java.exe"=
"C:\\Program Files\\Motorola\\Software Update\\msu.exe"=

R2 NinjaVideo Helper.exe;NinjaVideo Helper;C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe [2008-04-10 21:01]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 06:29]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 15:36]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 19:33]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 17:41]
S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe [2004-08-04 08:56]
S3 VF0350Afx;VF0350 Audio FX;C:\WINDOWS\system32\Drivers\V0350Afx.sys [2007-06-11 02:01]
S3 VF0350Vfx;VF0350 Video FX;C:\WINDOWS\system32\DRIVERS\V0350VFx.sys [2007-03-05 19:45]
S3 VF0350Vid;Live! Cam Video IM (VF0350);C:\WINDOWS\system32\DRIVERS\V0350Vid.sys [2007-08-29 02:03]
S3 X-Micro WLAN 11g USB Adapter(X-Micro);X-Micro WLAN 11g USB Adapter Driver(X-Micro);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys []

*Newly Created Service* - NMSCFG

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-07-18 17:59:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
- - - - ORPHANS REMOVED - - - -

SSODL-NjgSbzX-{C06E4D0E-6AC4-E7A4-DB49-517CA9CD2959} - C:\WINDOWS\system32\pyad.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 19:35:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\NMSSvc.Exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterr.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.bin
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-18 19:45:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-18 18:44:43
ComboFix2.txt 2008-07-18 15:22:04
ComboFix3.txt 2008-07-17 23:38:19
ComboFix4.txt 2008-07-17 22:35:32

Pre-Run: 23,727,579,136 bytes free
Post-Run: 23,724,068,864 bytes free

256 --- E O F --- 2008-07-09 19:11:33
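As an added example (not part of the thread, and not code from ComboFix or any of the tools used here), the following Python script shows how a helper could pre-triage the "Reg Loading Points" and firewall-policy sections of a ComboFix log like the one above before reading it line by line. The sample log text is constructed from a handful of lines in the shape of the posted log. The flags it raises are heuristics chosen for this example, not ComboFix rules: an autostart value tagged `[BU]` where the other entries carry a file timestamp and size, a value name that is just hex digits (optionally prefixed `BM`, as with `c06e4da2` and `BMc35d7e3e` above), a Run value that points straight at a DLL rather than an executable, and `EnableFirewall` set to 0. A flagged entry still needs a human to confirm it.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of ComboFix's "Reg Loading Points" and firewall
# sections (a handful of lines modelled on the posted log, not the whole log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"c06e4da2"="C:\WINDOWS\system32\wymusaas.dll" [BU]
"BMc35d7e3e"="C:\WINDOWS\system32\tyvqisia.dll" [BU]
"SoundMan"="SOUNDMAN.EXE" [2003-01-07 11:09 46592 C:\WINDOWS\SOUNDMAN.EXE]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "Name"="target" [meta]  where meta is "date time size[ path]" or a bare tag such as BU
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')
# Heuristic (an assumption of this example, not a ComboFix rule): 8 hex digits,
# optionally prefixed "BM", matches the random-looking value names in the posted log.
HEX_NAME_RE = re.compile(r'^(BM)?[0-9a-f]{8}$', re.IGNORECASE)


@dataclass
class Finding:
    key: str
    name: str
    target: str
    reasons: list = field(default_factory=list)


def triage_loading_points(log_text):
    """Return one Finding per autostart value or policy setting worth a second look."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        if "firewallpolicy" in current_key.lower():
            fw = FIREWALL_RE.match(line)
            if fw and fw.group("value") == "0":
                findings.append(Finding(current_key, "EnableFirewall", "0",
                                        ["Windows Firewall is disabled for this profile"]))
            continue
        value = RUN_VALUE_RE.match(line)
        if not value:
            continue
        name, target, meta = value.group("name"), value.group("target"), value.group("meta")
        reasons = []
        if meta.strip() == "BU":
            reasons.append("tagged [BU] instead of a file timestamp and size")
        if HEX_NAME_RE.match(name):
            reasons.append("hex-looking value name (heuristic)")
        if target.lower().endswith(".dll"):
            reasons.append("Run value points straight at a DLL rather than an executable (heuristic)")
        if reasons:
            findings.append(Finding(current_key, name, target, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_loading_points(SAMPLE_LOG):
        print(f"{f.key}\n  {f.name} -> {f.target}")
        for r in f.reasons:
            print(f"    * {r}")
```

Run against the sample it reports the two `[BU]` DLL entries under HKLM\...\Run and the disabled firewall, and nothing for the Java and SoundMan entries; the same three lines are exactly what the helper acted on in this thread (the two DLLs went into the CFScript, and the firewall setting is something to re-enable once the machine is clean).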

pskelley
2008-07-18, 22:31
We seem to be making some progress. It looks like you are 5 hours ahead of my time; are you in the UK?

I want to spend more time on the computer, but first let's take care of this:

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand the Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained there, it can be installed before we remove ComboFix.
If you do not have access to the Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\CF-RC.txt.

Since we do not need to scan with ComboFix, click NO.

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks

misszee37
2008-07-18, 23:09
Hiya

Yes I'm in the lovely sunny UK (said with heavy sarcasm as its been raining non stop - as per bloody usual!) :) Whereabouts are you located?

I installed the RC via Microsoft's site to my desktop, dragged it over as instructed, said no to a scan, and here is the log. I hope I did it right!

Thanks again!

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

pskelley
2008-07-18, 23:28
Well, cheers and ta and all that. I have many good friends in malware removal in the UK; in fact, this is the forum of my mentor, who got me started around ten years ago:
http://www.malwareremoval.com/forum/

Let's remove ComboFix from the computer; we can always get it again if needed:

Click START, then RUN.
Now type or copy Combofix /u in the run box and click OK.
Note the space between the X and the U; it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Let's clean out System Restore to be sure there are no infected files left in it:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Un-check Turn off System Restore.
Click Apply, and then click OK.

Run a new scan with MBAM, post the results and a fresh HJT log, and give me some feedback about performance.

Cheers...Phil

misszee37
2008-07-19, 00:26
Just realised I asked an incredibly stupid question by asking where you are located. I bet the weather in Florida is gorgeous!

New logs as requested. System performance is excellent; no problems, pop-ups, error messages or anything! :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:22:48, on 18/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\V0350Mon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.com/teleport/superstar/MaxisSuperstarTeleX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200847527921
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200847473234
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/MaxisSimsFamilyTeleX.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NinjaVideo Helper (NinjaVideo Helper.exe) - NinjaVideo - C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10431 bytes


Malwarebytes' Anti-Malware 1.20
Database version: 964
Windows 5.1.2600 Service Pack 2

23:20:37 18/07/2008
mbam-log-7-18-2008 (23-20-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 91815
Time elapsed: 38 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

pskelley
2008-07-19, 00:54
Yeah, weather is nice now but you have to like the heat. I moved from Maryland in 1970 so I must.

Sounds good, the HJT log is clean of malware. Why don't you update your resident antivirus program and run a system scan. If there are no issues, I will post closing information to help you stay clean.

I have one question. It is important that only one AV program be running: is Authentium AV part of the CA, which I assume comes from your ISP?

Thanks...Phil

misszee37
2008-07-19, 01:14
Oh yes, i LOVE the heat! Oh well!

I currently use my ISP's antivirus (Virgin Broadband) on my PC, which is regularly scanned for updates, although I've heard and read that AVG is a really good anti-virus tool. In fact I did try to install it recently but it didn't work at the time as this was when my PC was infected. What would you recommend?

I have to admit, I didn't really understand your last question! Sorry, I'm a bit of a rookie. I don't know what Authentium AV is; is there a way I can find out what program it links to?

pskelley
2008-07-19, 01:28
First I will show you what can happen if two antivirus programs are running at once:
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

I am assuming this is the one free from Virgin Broadband:
C:\Program Files\Virgin Broadband\PCguard\Fws.exe and that this is part of this...but CA might be a third AV???
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe <<< Computer Associates is usually free with ISP's.

Here is the other one:
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common

My suggestion would be to contact your ISP technical support and ask them these questions. If any of that is not what they supply you, then uninstall those in Add Remove programs.

AVG 8 Free <<< I run this on all of my computers; for freeware it is a very good program. No one program can protect you, protection needs to be layered, which you will read about in those links I posted.
Good programs are worthless if they are not maintained properly, and good, safe internet habits play a huge part.

Hope that helps.

Phil
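
The sorting-out Phil does above by eye (reading the O4 autorun and O23 service lines to see which security products are installed, so that a second antivirus can be spotted and removed) can be scripted. The following is an added example, not code from the thread or from HijackThis: a small parser for the O4 and O23 line formats that groups entries by product. The sample log lines are copied from the HJT log earlier in this thread; the keyword-to-product table is an assumption made for the example and is a heuristic, not a complete list of AV vendors.

```python
import re
from typing import Dict, List, Optional, Tuple

# HijackThis O4 lines: "O4 - <hive>: [<name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# HijackThis O23 lines: "O23 - Service: <display> - <vendor> - <drive>:\<path>"
# The path is anchored to a drive letter so " - " inside names does not confuse it.
O23_RE = re.compile(
    r'^O23 - Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>[A-Za-z]:\\.*)$')

# Assumption for this example: a substring match on any of these patterns
# marks the product family as installed. Word boundaries are used where a
# short token (e.g. "avg") could otherwise match unrelated text.
SECURITY_PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"authentium", re.I), "Authentium AV"),
    (re.compile(r"pest patrol", re.I), "CA Pest Patrol"),
    (re.compile(r"pcguard", re.I), "Virgin Broadband PCguard"),
    (re.compile(r"\bavg\b", re.I), "AVG"),
    (re.compile(r"avira", re.I), "Avira AntiVir"),
]


def _exe_from_command(cmd: str) -> str:
    """Return the executable part of an O4 command line.

    A quoted path ("C:\\...\\x.exe" /flag) ends at the closing quote;
    an unquoted one ends at the first space.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_hjt_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one O4 or O23 line; other line types return None."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return {"section": "O4", "hive": m["hive"], "name": m["name"],
                "exe": _exe_from_command(m["cmd"]), "vendor": ""}
    m = O23_RE.match(line)
    if m:
        return {"section": "O23", "hive": "", "name": m["display"],
                "exe": m["path"].strip(), "vendor": m["vendor"]}
    return None


def security_products(lines: List[str]) -> Dict[str, List[str]]:
    """Map each recognised security product to the log entry names that reference it."""
    found: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        haystack = " ".join((entry["name"], entry["vendor"], entry["exe"]))
        for pattern, label in SECURITY_PATTERNS:
            if pattern.search(haystack):
                found.setdefault(label, []).append(entry["name"])
    return found


def single_av_check(lines: List[str]) -> Tuple[bool, List[str]]:
    """Return (True, products) when at most one product family is present."""
    products = sorted(security_products(lines))
    return len(products) <= 1, products


# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE',
    r'O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"',
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r'O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe',
    r'O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe',
    r'O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe',
    r'O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe',
]

if __name__ == "__main__":
    ok, names = single_av_check(SAMPLE_LOG)
    for label, entries in security_products(SAMPLE_LOG).items():
        print(f"{label}: {', '.join(entries)}")
    print("single security suite" if ok else f"more than one product present: {names}")
```

On the sample lines the script reports Authentium, CA Pest Patrol and PCguard together, which is exactly the situation Phil is asking about; the keyword table would need to be extended for other vendors before running it on a different log.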

pskelley
2008-07-19, 01:30
Oops...not posted yet, sorry:sad:
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

misszee37
2008-07-20, 18:58
Hello Phil

Okay, I uninstalled my ISP's AV as well as the Authentium AV. I have since installed a new AVP and firewall protection using some of the recommendations quoted on the links that you sent to me. I had a few problems with AVG 8; it wouldn't update and then my PC had problems loading up, but I've since uninstalled it and am using AntiVir PE, which hasn't affected the system's performance. I've also installed Spyware Blaster and updated via Windows Update.

I've done a couple of virus scans; the odd infected file pops up, but the anti-virus program has quarantined or deleted them, and when I rescan after rebooting they seem to have gone.

Internet connection and browsing is still good with no problems, system performance is good, no pop ups whatsoever!

So...I guess we are good to go! Am I OK now to re-enable the TeaTimer? Plus, is it OK for me to now uninstall the ATF Cleaner and remove the Windows RC from my desktop?

Thanks so much for all your help, you have been a life saver! :)

pskelley
2008-07-20, 19:50
"the odd infected file pops up"
I may have said this...If this happens when you are online at websites, then a good popup blocker should stop it. I personally do not revisit a site that creates popups while there and usually take the time to send email with choice thoughts to the website that does this. If this is occurring offline, then there may be something on the computer that should not be, and a scanner like KOS (Kaspersky Online Scan) usually will locate what is causing this so it can be removed manually. Let me know if you think something needs to be pursued. As far as the installer for RC, you may remove that from your computer. ATF-Cleaner is yours to keep or delete as you wish, but you will not find a small, free program that does the job it does better.
http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25

Thanks...Phil

misszee37
2008-07-20, 20:06
In that case I'll keep the ATF Cleaner!! I don't think there is any other matter that needs to be pursued; my PC is running excellently!

This last week has definitely been a learning curve for me, and your help in ridding the viruses plus the guidance in protecting myself in the future has been invaluable AND the icing on the cake is that it has been a lovely sunny and warm day in the UK today! :2thumb:

Thank you so much Phil! All the best to you!

Misszee