View Full Version : Desktop hijacked
Red13utterfly
2008-08-20, 13:58
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:48 AM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\a.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lphc38lj0evfe] C:\WINDOWS\system32\lphc38lj0evfe.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-21-643571872-3359896355-3042452539-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Others')
O4 - HKUS\S-1-5-21-643571872-3359896355-3042452539-1008\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe (User 'Others')
O4 - HKUS\S-1-5-21-643571872-3359896355-3042452539-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Others')
O4 - HKUS\S-1-5-21-643571872-3359896355-3042452539-1008\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Others')
O4 - HKUS\S-1-5-21-643571872-3359896355-3042452539-1008\..\Run: [MySpaceIM] C:\Documents and Settings\Others\Application Data\MySpace\IM\bin\MySpaceIM.exe (User 'Others')
O4 - HKUS\S-1-5-21-643571872-3359896355-3042452539-1008\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'Others')
O4 - HKUS\S-1-5-21-643571872-3359896355-3042452539-1008\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'Others')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-643571872-3359896355-3042452539-1008 Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe (User 'Others')
O4 - S-1-5-21-643571872-3359896355-3042452539-1008 User Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe (User 'Others')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187944557906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179022564062
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://cehomenet.coned.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Unknown owner - C:\Program Files\DynDNS Updater\DynDNS.exe (file missing)
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 8201 bytes
My desktop was hijacked and disabled some of the functions to my Display settings. There is an image on the desktop as the new wallpaper that says, "Warning! Spyware detected on your computer. Install Antivirus or Spyware remover to clean your computer."
Any help will be greatly appreciated.
Hello and welcome to Safer Networking.
My name is km2357 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.
Please do not start another thread or topic, I will assist you at this thread until we solve your problems.
Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.
I will be back as soon as possible with your first instructions!
Step # 1: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
Step # 2: Download and Run ComboFix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Be sure to save ComboFix.exe to your Desktop
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleaning the system:
Uninstall List
C:\ComboFix.txt
New HijackThis log.
Use multiple posts if you can't fit everything into one post.
Red13utterfly
2008-08-21, 11:39
Uninstall report:
µTorrent
3GP Video Converter 3
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.1
Adobe Stock Photos 1.0
Adobe® Photoshop® Album Starter Edition 3.0
AOL Instant Messenger
Aspell English Dictionary-0.50-2
AV Voice Changer Software DIAMOND 4.0
AV Voice Changer Software DIAMOND 5.0
Belarc Advisor 7.2
Build Your Own Net Dream (remove only)
Combined Community Codec Pack 2007-07-22
Counter-Strike 1.6
CPUFSB (remove only)
Detto Migration Kit
DivX Codec
Doom Builder
Easy Internet Sign-up
eMule
EZ Macros
ffdshow [rev 610] [2006-12-01]
Fraps (remove only)
GiPo@MoveOnBoot 1.9.5
GNU Aspell 0.50-3
GTK+ Runtime 2.10.13 rev a (remove only)
Gunbound Revolution
Hamachi 1.0.2.1
HijackThis 2.0.2
Homeworld
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB935843)
hp center
HP Instant Support
HP Photo Printing Software
HP RecordNow
Inactive HP Printer Drivers (Remove only)
Inactive HP ScanJet Drivers (Remove only)
InterVideo WinDVD
IrfanView (remove only)
Java(TM) 6 Update 2
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
KBD
K-Lite Codec Pack 3.7.5 Basic
LibUSB-Win32-0.1.10.1
Malwarebytes' Anti-Malware
MediaCoder 0.6.0
Microsoft .NET Framework 2.0
Microsoft Age of Empires II
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft MPEG-4 VKI Video Codec V1/V2/V3
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mIRC
Mozilla Firefox (2.0.0.16)
My Photo Center
NetBattle
NVIDIA Windows 2000/XP Display Drivers
OpenOffice.org 2.4
Opera 9.22
PC-Doctor for Windows
Pidgin
PowerISO
Privoxy 3.0.6
ProSavage and Utilities
Python 1.5 combined Win32 extensions
Python 1.5.2 (final)
RPG Maker 2000 1.05
RTP for RM2K (Png, Wav, Midi, Fonts)
S3 Gamma
S3 Savage4 Family Display Switch2 Utility
S3Display
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
SpeedFan (remove only)
Spybot - Search & Destroy 1.4
TabIt version 2.01
Tcl 8.0.5 for Windows
Tor 0.1.2.19
Trillian
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Vidalia 0.0.16
Viewpoint Media Player
VNC Free Edition 4.1.2
Whale Communications' Client Components v3.7.1
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Combofix report
ComboFix 08-08-19.06 - Mobius 2008-08-21 4:05:17.1 - NTFSx86
Running from: C:\Documents and Settings\Mobius\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mobius\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Mobius\Application Data\macromedia\Flash Player\#SharedObjects\6CSECGF2\interclick.com
C:\Documents and Settings\Mobius\Application Data\macromedia\Flash Player\#SharedObjects\6CSECGF2\interclick.com\ud.sol
C:\Documents and Settings\Mobius\Application Data\macromedia\Flash Player\#SharedObjects\6CSECGF2\www.broadcaster.com
C:\Documents and Settings\Mobius\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Mobius\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Mobius\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Mobius\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system\oeminfo.ini
C:\WINDOWS\system32\a.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.
2008-08-20 07:37 . 2008-08-20 07:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-20 07:22 . 2008-08-20 07:22 <DIR> d-------- C:\Documents and Settings\Mobius\Application Data\Malwarebytes
2008-08-20 07:21 . 2008-08-20 07:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-20 07:21 . 2008-08-20 07:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-20 07:21 . 2008-08-17 15:05 38,472 --a------ C:\WINDOWS\SYSTEM32\drivers\mbamswissarmy.sys
2008-08-20 07:21 . 2008-08-17 15:05 17,144 --a------ C:\WINDOWS\SYSTEM32\drivers\mbam.sys
2008-08-20 07:01 . 2008-08-20 07:01 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-19 01:21 . 2008-08-19 01:21 <DIR> d-------- C:\Program Files\LibUSB-Win32-0.1.10.1
2008-08-19 01:21 . 2005-03-09 20:50 19,456 --a------ C:\WINDOWS\SYSTEM32\libusbd-9x.exe
2008-08-19 01:21 . 2005-03-09 20:50 18,944 --a------ C:\WINDOWS\SYSTEM32\libusbd-nt.exe
2008-08-18 09:45 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\SYSTEM32\d3dx9_33.dll
2008-08-18 09:44 . 2008-08-18 09:46 <DIR> d-------- C:\WINDOWS\Logs
2008-08-18 03:40 . 2005-03-09 20:50 46,592 --a------ C:\WINDOWS\SYSTEM32\libusb0.dll
2008-08-18 03:40 . 2005-03-09 20:50 33,792 --a------ C:\WINDOWS\SYSTEM32\drivers\libusb0.sys
2008-08-12 22:32 . 2008-08-12 22:37 <DIR> d-------- C:\Documents and Settings\Others\Revenant
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 01:40 24 ----a-w C:\Documents and Settings\Others\jagex_runescape_preferences.dat
2008-08-20 20:56 --------- d-----w C:\Documents and Settings\Mobius\Application Data\OpenOffice.org2
2008-08-20 12:08 --------- d-----w C:\Program Files\GGPO Client
2008-08-19 22:43 --------- d-----w C:\Documents and Settings\Mobius\Application Data\.purple
2008-08-14 21:12 --------- d-----w C:\Program Files\Java
2008-08-03 00:57 --------- d-----w C:\Program Files\Trillian
2008-07-27 16:59 --------- d-----w C:\Documents and Settings\Mobius\Application Data\gtk-2.0
2008-07-18 11:41 --------- d-----w C:\Documents and Settings\Mobius\Application Data\uTorrent
2008-07-09 22:59 --------- d--h--w C:\Documents and Settings\Mobius\Application Data\ijjigame
2008-07-03 11:42 --------- d-----w C:\Program Files\MyServer
2008-07-03 11:23 --------- d-----w C:\Documents and Settings\Mobius\Application Data\Uniblue
2008-06-28 22:55 --------- d-----w C:\Documents and Settings\Others\Application Data\yoclient
2008-06-24 01:05 --------- d-----w C:\Program Files\Microsoft Works
2008-06-24 01:02 --------- d-----w C:\Program Files\DynDNS Updater
2007-11-13 15:30 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2001-07-22 02:45 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 54,784 --sha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\SYSTEM32\msvcrt.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\SYSTEM32\oleaut32.dll
2004-08-04 07:56 83,456 --sh--w C:\WINDOWS\SYSTEM32\olepro32.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 15:09 157592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-08-27 15:52:06 36864]
C:\Documents and Settings\Others\Start Menu\Programs\Startup\
iWin Desktop Alerts.lnk - C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [2008-03-02 00:25:27 108032]
C:\Documents and Settings\Mobius\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Mobius^Start Menu^Programs^Startup^Delta AutoLoad.lnk]
path=C:\Documents and Settings\Mobius\Start Menu\Programs\Startup\Delta AutoLoad.lnk
backup=C:\WINDOWS\pss\Delta AutoLoad.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-09 20:40 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\BYOND\\bin\\byond.exe"=
"C:\\Program Files\\BYOND\\bin\\dreamseeker.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"C:\\Sierra\\Homeworld\\homeworld.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.EXE"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Documents and Settings\\Mobius\\Desktop\\Neo\\BuddyKill\\BuddyKill.exe"=
"C:\\Program Files\\Skulltag\\skulltag.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"=
"C:\\Documents and Settings\\Mobius\\Desktop\\Znes\\ZSNESW.EXE"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Documents and Settings\\Mobius\\Desktop\\Skulltag\\skulltag.exe"=
"C:\\Documents and Settings\\Mobius\\Desktop\\Skulltag\\IdeSE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Documents and Settings\\Others\\My Documents\\BYOND\\bin\\byond.exe"=
"C:\\Documents and Settings\\Mobius\\Desktop\\Neo\\argyria\\bin\\byond.exe"=
"C:\\Documents and Settings\\Mobius\\Desktop\\Neo\\argyria\\bin\\dreamseeker.exe"=
"C:\\Program Files\\Pidgin\\pidgin.exe"=
"C:\\Documents and Settings\\Mobius\\Desktop\\Neo\\Xellos\\hl.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\Documents and Settings\\Mobius\\Desktop\\NUR\\bin\\byond.exe"=
"C:\\Program Files\\NetBattle\\PokeBattle.exe"=
"C:\\Documents and Settings\\Mobius\\My Documents\\Download\\i3r0k3nt0y\\AOOE\\aok\\empires2.exe"=
"C:\\Documents and Settings\\Mobius\\My Documents\\Download\\i3r0k3nt0y\\AOOE\\aok\\age2_x1.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"81:TCP"= 81:TCP:IShare
"5800:TCP"= 5800:TCP:5800 Port
"5900:TCP"= 5900:TCP:5900 port
"7845:UDP"= 7845:UDP:Zsnes port
"7845:TCP"= 7845:TCP:Znes TCP
R1 ntiowp;ntiowp;C:\WINDOWS\system32\drivers\ntiowp.sys [2006-10-20 05:57]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;C:\WINDOWS\system32\drivers\libusb0.sys [2005-03-09 20:50]
S2 DynDNS_Updater_Service;DynDNS Updater Service;C:\Program Files\DynDNS Updater\DynDNS.exe []
S3 ADM8511;%ADM8511.Service.DispName%;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 12:11]
S3 DMService;Whale Component Manager;C:\WINDOWS\DOWNLO~1\DMService.exe [2008-04-11 12:36]
S3 scrcap;scrcap;C:\WINDOWS\system32\DRIVERS\scrcap.sys []
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Uniblue RegistryBooster 2 - C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
Notify-WgaLogon - (no file)
MSConfigStartUp-MoneyStartUp - C:\Program Files\Microsoft Money\System\Money Startup.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mobius\Application Data\Mozilla\Firefox\Profiles\g3b1axmb.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://z8.invisionfree.com/TheZones/index.php?act=idx
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 04:11:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-21 4:24:30
ComboFix-quarantined-files.txt 2008-08-21 09:24:00
Pre-Run: 2,193,723,392 bytes free
Post-Run: 3,035,500,544 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows Whistler Personal" /fastdetect /NoExecute=OptIn /sos
184 --- E O F --- 2007-10-17 07:03:27
[b]Hijackthis report
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:08 AM, on 8/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187944557906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179022564062
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://cehomenet.coned.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Unknown owner - C:\Program Files\DynDNS Updater\DynDNS.exe (file missing)
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 5905 bytes
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
µTorrent
eMule
I'd like you to read the Guidelines for P2P Programs (http://spywarewarrior.com/viewtopic.php?t=26216) where we explain why it's not a good idea to have them.
Also available here (http://forum.malwareremoval.com/viewtopic.php?t=23812&sid=a609c56441d8a2e5dc8d24e3e96420cc).
My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Step # 1: Remove Hijackthis Entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
Step # 2: Run CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
KILLALL::
Folder::
C:\Documents and Settings\Mobius\Application Data\uTorrent
C:\Program Files\eMule
C:\Program Files\uTorrent
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\eMule\\emule.exe"=-
"C:\\Program Files\\uTorrent\\utorrent.exe"=-
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Note: This CFScript is for use on Red13utterfly's computer only! Do not use it on your computer.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
In your next post/reply, I need to see the following:
1. The ComboFix Log that appears after Step 2 has been completed.
2. A fresh HiJackThis Log taken after Step 2 has been completed.
Red13utterfly? Do you still need help?
Red13utterfly
2008-08-25, 17:24
Sorry, I was out for the weekend. I will proceed with your instructions now and reply.
Red13utterfly
2008-08-25, 18:09
ComboFix 08-08-19.06 - Mobius 2008-08-25 11:40:32.2 - NTFSx86
Running from: C:\Documents and Settings\Mobius\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mobius\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Mobius\Application Data\uTorrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\(???5) [?????] [????????] ????? (iso+rr3%).rar.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\?????.avi.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\?UYING.COM???????16?1?20???.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\[aarinfantasy]_Pico_to_Chico_OVA2_[A70265E4].avi.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\[DB]_Bleach_138_[28E3DF2D].avi.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\[Nipponsei] NARUTO Shippuuden Soundtrack Collection.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\[Triad]_Magical_Girl_Lyrical_Nanoha_-_01-13.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\[yesy] Magical Girl Lyrical Nanoha StrikerS.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\Adobe Photoshop Pro CS2 v9 0 Full + Working Keygen.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\C73 Doujinshi Collection Pack ONE (230+ Checked, Romanized and Organized).torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\Candyman - Soundtrack.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\Collection Keep.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\dht.dat
C:\Documents and Settings\Mobius\Application Data\uTorrent\ePSXe.v1.6.0+BIOS+Plugins PS1 EMU.1.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\Giga Hentai Encyclopedia 01 - AB.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\Guyver TV 2005 OST (320Kbps EAC) TKCA-72936.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\Halloween 6 - Curse of Michael Myers - OST.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\Homeworld 2.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\I've Sound.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\JAM Project 98 songs.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\Kotoko.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\Lex.The.Impaler-NtGO.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\Microsoft_Office_2007_Complete_Version.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\resume.dat
C:\Documents and Settings\Mobius\Application Data\uTorrent\resume.dat.old
C:\Documents and Settings\Mobius\Application Data\uTorrent\Saigado Collection.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\settings.dat
C:\Documents and Settings\Mobius\Application Data\uTorrent\settings.dat.old
C:\Documents and Settings\Mobius\Application Data\uTorrent\Sha Po Lang.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\Space Runaway Ideon Symphonic Suite.zip.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\Super Robot Wars Alpha Gaiden CD.rar.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\Terry Riley - A Rainbow in Curved Air (1967).torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\The Self Destruction Of The Ultimate Warrior.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\utorrent.lng
C:\Documents and Settings\Mobius\Application Data\uTorrent\video15.avi.1.torrent
C:\Documents and Settings\Mobius\Application Data\uTorrent\video15.avi.torrent
C:\Program Files\eMule
C:\Program Files\eMule\config\AC_BootstrapIPs.dat
C:\Program Files\eMule\config\AC_SearchStrings.dat
C:\Program Files\eMule\config\AC_ServerMetURLs.dat
C:\Program Files\eMule\config\addresses.dat
C:\Program Files\eMule\config\cancelled.met
C:\Program Files\eMule\config\clients.met
C:\Program Files\eMule\config\clients.met.bak
C:\Program Files\eMule\config\cryptkey.dat
C:\Program Files\eMule\config\emfriends.met
C:\Program Files\eMule\config\key_index.dat
C:\Program Files\eMule\config\known.met
C:\Program Files\eMule\config\known2_64.met
C:\Program Files\eMule\config\load_index.dat
C:\Program Files\eMule\config\nodes.dat
C:\Program Files\eMule\config\preferences.dat
C:\Program Files\eMule\config\preferences.ini
C:\Program Files\eMule\config\preferencesKad.dat
C:\Program Files\eMule\config\server.met
C:\Program Files\eMule\config\server_met.old
C:\Program Files\eMule\config\shareddir.dat
C:\Program Files\eMule\config\src_index.dat
C:\Program Files\eMule\config\statistics.ini
C:\Program Files\eMule\Temp\003.part.met
C:\Program Files\eMule\Temp\003.part.met.bak
C:\Program Files\eMule\Temp\005.part.met
C:\Program Files\eMule\Temp\005.part.met.bak
C:\Program Files\eMule\Temp\007.part.met
C:\Program Files\eMule\Temp\007.part.met.bak
C:\Program Files\eMule\Temp\012.part.met
C:\Program Files\eMule\Temp\012.part.met.bak
C:\Program Files\uTorrent
C:\Program Files\uTorrent\utorrent.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.
2008-08-20 07:37 . 2008-08-20 07:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-20 07:22 . 2008-08-20 07:22 <DIR> d-------- C:\Documents and Settings\Mobius\Application Data\Malwarebytes
2008-08-20 07:21 . 2008-08-20 07:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-20 07:21 . 2008-08-20 07:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-20 07:21 . 2008-08-17 15:05 38,472 --a------ C:\WINDOWS\SYSTEM32\drivers\mbamswissarmy.sys
2008-08-20 07:21 . 2008-08-17 15:05 17,144 --a------ C:\WINDOWS\SYSTEM32\drivers\mbam.sys
2008-08-20 07:01 . 2008-08-20 07:01 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-19 01:21 . 2008-08-19 01:21 <DIR> d-------- C:\Program Files\LibUSB-Win32-0.1.10.1
2008-08-19 01:21 . 2005-03-09 20:50 19,456 --a------ C:\WINDOWS\SYSTEM32\libusbd-9x.exe
2008-08-19 01:21 . 2005-03-09 20:50 18,944 --a------ C:\WINDOWS\SYSTEM32\libusbd-nt.exe
2008-08-18 09:45 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\SYSTEM32\d3dx9_33.dll
2008-08-18 09:44 . 2008-08-18 09:46 <DIR> d-------- C:\WINDOWS\Logs
2008-08-18 03:40 . 2005-03-09 20:50 46,592 --a------ C:\WINDOWS\SYSTEM32\libusb0.dll
2008-08-18 03:40 . 2005-03-09 20:50 33,792 --a------ C:\WINDOWS\SYSTEM32\drivers\libusb0.sys
2008-08-12 22:32 . 2008-08-12 22:37 <DIR> d-------- C:\Documents and Settings\Others\Revenant
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 02:49 24 ----a-w C:\Documents and Settings\Others\jagex_runescape_preferences.dat
2008-08-20 20:56 --------- d-----w C:\Documents and Settings\Mobius\Application Data\OpenOffice.org2
2008-08-20 12:08 --------- d-----w C:\Program Files\GGPO Client
2008-08-19 22:43 --------- d-----w C:\Documents and Settings\Mobius\Application Data\.purple
2008-08-14 21:12 --------- d-----w C:\Program Files\Java
2008-08-03 00:57 --------- d-----w C:\Program Files\Trillian
2008-07-27 16:59 --------- d-----w C:\Documents and Settings\Mobius\Application Data\gtk-2.0
2008-07-09 22:59 --------- d--h--w C:\Documents and Settings\Mobius\Application Data\ijjigame
2008-07-03 11:42 --------- d-----w C:\Program Files\MyServer
2008-07-03 11:23 --------- d-----w C:\Documents and Settings\Mobius\Application Data\Uniblue
2008-06-28 22:55 --------- d-----w C:\Documents and Settings\Others\Application Data\yoclient
2007-11-13 15:30 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2001-07-22 02:45 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 54,784 --sha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\SYSTEM32\msvcrt.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\SYSTEM32\oleaut32.dll
2004-08-04 07:56 83,456 --sh--w C:\WINDOWS\SYSTEM32\olepro32.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 15:09 157592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-08-27 15:52:06 36864]
C:\Documents and Settings\Others\Start Menu\Programs\Startup\
iWin Desktop Alerts.lnk - C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [2008-03-02 00:25:27 108032]
C:\Documents and Settings\Mobius\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Mobius^Start Menu^Programs^Startup^Delta AutoLoad.lnk]
path=C:\Documents and Settings\Mobius\Start Menu\Programs\Startup\Delta AutoLoad.lnk
backup=C:\WINDOWS\pss\Delta AutoLoad.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-09 20:40 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\BYOND\\bin\\byond.exe"=
"C:\\Program Files\\BYOND\\bin\\dreamseeker.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"C:\\Sierra\\Homeworld\\homeworld.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.EXE"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Documents and Settings\\Mobius\\Desktop\\Neo\\BuddyKill\\BuddyKill.exe"=
"C:\\Program Files\\Skulltag\\skulltag.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"=
"C:\\Documents and Settings\\Mobius\\Desktop\\Znes\\ZSNESW.EXE"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Documents and Settings\\Mobius\\Desktop\\Skulltag\\skulltag.exe"=
"C:\\Documents and Settings\\Mobius\\Desktop\\Skulltag\\IdeSE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Documents and Settings\\Others\\My Documents\\BYOND\\bin\\byond.exe"=
"C:\\Documents and Settings\\Mobius\\Desktop\\Neo\\argyria\\bin\\byond.exe"=
"C:\\Documents and Settings\\Mobius\\Desktop\\Neo\\argyria\\bin\\dreamseeker.exe"=
"C:\\Program Files\\Pidgin\\pidgin.exe"=
"C:\\Documents and Settings\\Mobius\\Desktop\\Neo\\Xellos\\hl.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\Documents and Settings\\Mobius\\Desktop\\NUR\\bin\\byond.exe"=
"C:\\Program Files\\NetBattle\\PokeBattle.exe"=
"C:\\Documents and Settings\\Mobius\\My Documents\\Download\\i3r0k3nt0y\\AOOE\\aok\\empires2.exe"=
"C:\\Documents and Settings\\Mobius\\My Documents\\Download\\i3r0k3nt0y\\AOOE\\aok\\age2_x1.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"81:TCP"= 81:TCP:IShare
"5800:TCP"= 5800:TCP:5800 Port
"5900:TCP"= 5900:TCP:5900 port
"7845:UDP"= 7845:UDP:Zsnes port
"7845:TCP"= 7845:TCP:Znes TCP
R1 ntiowp;ntiowp;C:\WINDOWS\system32\drivers\ntiowp.sys [2006-10-20 05:57]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;C:\WINDOWS\system32\drivers\libusb0.sys [2005-03-09 20:50]
S2 DynDNS_Updater_Service;DynDNS Updater Service;C:\Program Files\DynDNS Updater\DynDNS.exe []
S3 ADM8511;%ADM8511.Service.DispName%;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 12:11]
S3 DMService;Whale Component Manager;C:\WINDOWS\DOWNLO~1\DMService.exe [2008-04-11 12:36]
S3 scrcap;scrcap;C:\WINDOWS\system32\DRIVERS\scrcap.sys []
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 11:47:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\libusbd-nt.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-08-25 12:00:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-25 17:00:46
ComboFix2.txt 2008-08-21 09:24:31
Pre-Run: 2,962,214,912 bytes free
Post-Run: 3,695,443,968 bytes free
231 --- E O F --- 2007-10-17 07:03:27
[hr]
Hijackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:01 PM, on 8/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187944557906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179022564062
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://cehomenet.coned.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Unknown owner - C:\Program Files\DynDNS Updater\DynDNS.exe (file missing)
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 5765 bytes
Step # 1 Remove old versions of Java
While you have the latest version of Java installed, older Java versions have vulnerabilities and need to be removed.
Go to Start-Settings-Control Panel, click on Add Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.
Java(TM) 6 Update 2
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Reboot your Computer.
Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Step # 3 Run Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware.
Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
Next click the Scanner tab and select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:
Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.
In your next post/reply, I need to see the following:
1. MalwareBytes' Log
2. A fresh HiJackThis Log
Red13utterfly
2008-08-26, 16:24
Malwarebytes' Anti-Malware 1.25
Database version: 1087
Windows 5.1.2600 Service Pack 2
10:21:58 AM 8/26/2008
mbam-log-08-26-2008 (10-21-58).txt
Scan type: Quick Scan
Objects scanned: 48017
Time elapsed: 9 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Hijackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:01 AM, on 8/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187944557906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179022564062
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://cehomenet.coned.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Unknown owner - C:\Program Files\DynDNS Updater\DynDNS.exe (file missing)
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 5858 bytes
Step # 1 Update Adobe Acrobat Reader
There is a newer version of Adobe Acrobat Reader available. (See Note below)
First, go to Add/Remove Programs and uninstall all previous versions.
Please go to this link Adobe Acrobat Reader Download Link (http://www.adobe.com/products/acrobat/readstep2.html)
On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts
Note: Adobe 9 is a large program and if you prefer a smaller program you can get Foxit 2.3 instead from http://www.foxitsoftware.com/pdf/rd_intro.php
Step # 2: Run Kaspersky Online Scan
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
In your next post/reply, I need to see the following:
1. Kaspersky Log
2. A fresh HiJackThis Log
3. How is your computer doing, any problems?
This topic has been archived due to inactivity.
As it has been five days or more since your last post, and I have posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread.
Applies only to the original poster, anyone else with similar problems please start a new topic.