Virtumonde - Notebook first



logotype702
2008-09-17, 17:55
Thanks for your help!!!!

S&D has detected the presence of Virtumonde on my notebook (it seems that the desktop at home is also infected, but we'll deal with the notebook first). See below the HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:58 AM, on 9/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Advanced System Optimizer\adblock.exe
C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnyinsit.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: PatentHunter - {BCB2344B-3D5B-46d7-861B-A8F27E4FE602} - C:\Program Files\PatentWizard, LLC\PatentHunter3\PHToolBand.dll
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Fresh Desktop] C:\Program Files\Fresh Desktop\freshdesktop.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [d03245e7] rundll32.exe "C:\WINDOWS\system32\uiqjgimx.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TorCP] E:\TOR\TorCP\torcp.exe
O4 - HKCU\..\Run: [Systweak Ad and Popup Blocker] "C:\Program Files\Advanced System Optimizer\adblock.exe"
O4 - HKCU\..\Run: [Systweak Wallpaper Changer] wallpaper.exe -minimize
O4 - HKCU\..\Run: [Eprc] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe" -vt yazb
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [MoneyInsights] "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnyinsit.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Privoxy.lnk = E:\TOR\Privoxy\privoxy.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/toolbar/webinstall.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D41F3481-15EF-4A01-A6A5-6AA531F9B954}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8FC24E5-34E6-43F2-96FF-C2763B32F6CC}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs: lozsuy.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Update Service (gupdate1c8c17b77f3afba) (gupdate1c8c17b77f3afba) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 12232 bytes

pskelley
2008-09-18, 19:55
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

You sure have some nasty stuff on this computer, where did you go to get all of this junk?

1) We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Thanks to LonnyBJones and anyone else who helped with this fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your Desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log.

(wait until you finish combofix to post the logs)

3) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

Post the log from Fixwareout, the combofix log and a new HJT log.

Thanks

logotype702
2008-09-19, 05:37
Thanks for your help and patience.

I downloaded combofix using your link (from the desktop computer), then copied the file to a usb hard drive and finally copied the file to the notebook desktop; after that I did the double click on the icon and I saw the green progress bar then the blue window with the C:\ opened but the cursor stayed blinking in the window and nothing happened after that. Am I doing something wrong?

I disabled both the Norton AV and the "Spywareguard browser protection" but it did not fix the problem

No problem running fixwareout, see log below. I also produced a fresh HJT log.

FIXWAREOUT REPORT:
Username "Martin" - 09/18/2008 20:33:32 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CeEPOWER"="C:\\Program Files\\TOSHIBA\\Power Management\\CePMTray.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"EzButton"="C:\\Program Files\\EzButton\\EzButton.EXE"
"CeEKEY"="C:\\Program Files\\TOSHIBA\\E-KEY\\CeEKey.exe"
"PadTouch"="C:\\Program Files\\TOSHIBA\\Touch and Launch\\PadExe.exe"
"SmoothView"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
"ZoomingHook"="c:\\WINDOWS\\System32\\ZoomingHook.exe"
"TPNF"="C:\\Program Files\\TOSHIBA\\TouchPad\\TPTray.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Pinger"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe /run"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"Fresh Desktop"="C:\\Program Files\\Fresh Desktop\\freshdesktop.exe"
"LXCCCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCCtime.dll,_RunDLLEntry@16"
"lxccmon.exe"="\"C:\\Program Files\\Lexmark 3300 Series\\lxccmon.exe\""
"FaxCenterServer"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"d03245e7"="rundll32.exe \"C:\\WINDOWS\\system32\\uiqjgimx.dll\",b"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Sonic RecordNow!"=""
"TorCP"="E:\\TOR\\TorCP\\torcp.exe"
"Systweak Ad and Popup Blocker"="\"C:\\Program Files\\Advanced System Optimizer\\adblock.exe\""
"Systweak Wallpaper Changer"="wallpaper.exe -minimize"
"Eprc"="\"C:\\Program Files\\Outerinfo\\OuterinfoUpdate.exe\" -vt yazb"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9"
"MoneyInsights"="\"C:\\Program Files\\Microsoft Money Plus\\MNYCoreFiles\\mnyinsit.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

HIJACKTHIS LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:52 PM, on 9/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Advanced System Optimizer\adblock.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cmd.cfexe
C:\WINDOWS\system32\find.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: PatentHunter - {BCB2344B-3D5B-46d7-861B-A8F27E4FE602} - C:\Program Files\PatentWizard, LLC\PatentHunter3\PHToolBand.dll
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Fresh Desktop] C:\Program Files\Fresh Desktop\freshdesktop.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [d03245e7] rundll32.exe "C:\WINDOWS\system32\uiqjgimx.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TorCP] E:\TOR\TorCP\torcp.exe
O4 - HKCU\..\Run: [Systweak Ad and Popup Blocker] "C:\Program Files\Advanced System Optimizer\adblock.exe"
O4 - HKCU\..\Run: [Systweak Wallpaper Changer] wallpaper.exe -minimize
O4 - HKCU\..\Run: [Eprc] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe" -vt yazb
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [MoneyInsights] "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnyinsit.exe"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Privoxy.lnk = E:\TOR\Privoxy\privoxy.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/toolbar/webinstall.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D41F3481-15EF-4A01-A6A5-6AA531F9B954}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8FC24E5-34E6-43F2-96FF-C2763B32F6CC}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Update Service (gupdate1c8c17b77f3afba) (gupdate1c8c17b77f3afba) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9584 bytes

pskelley
2008-09-19, 15:54
I am not sure, but I see this: C:\WINDOWS\system32\cmd.cfexe
seems to indicate you may be running combofix from someplace other than where you were instructed. (Desktop?) I would like you to delete combofix from your computer if you have not done so. We may need to come back to it?

You may also delete fixwareout from your computer.


1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) SpywareGuard <<< Exit SG

4) Start > Control Panel > Add Remove Programs and uninstall Outerinfo, OIN, PurityScan, and any other item you know does not belong there.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
(next two items are damaged, if you use them, download them again once we finish)
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [d03245e7] rundll32.exe "C:\WINDOWS\system32\uiqjgimx.dll",b
O4 - HKCU\..\Run: [Eprc] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe" -vt yazb
O17 - HKLM\System\CCS\Services\Tcpip\..\{D41F3481-15EF-4A01-A6A5-6AA531F9B954}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8FC24E5-34E6-43F2-96FF-C2763B32F6CC}: NameServer = 208.67.222.222,208.67.220.220

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\system32\uiqjgimx.dll <<< delete that file

C:\Program Files\Outerinfo\ <<< delete that folder and contents

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

8) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

I would also like to see an Uninstall list:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

Thanks

logotype702
2008-09-19, 18:29
Thanks for your help. See below the logs/reports requested.

I just noted that I can't activate Windows Automatic Update (it is currently disabled).

\\\\\Malwarebytes report----->

Malwarebytes' Anti-Malware 1.28
Database version: 1175
Windows 5.1.2600 Service Pack 2

9/19/2008 10:57:35 AM
mbam-log-2008-09-19 (10-57-35).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 109144
Time elapsed: 1 hour(s), 23 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\System Volume Information\_restore{0C1D1238-A1EF-43EA-9ACF-9240DDBA7386}\RP3\A0004308.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.


\\\\\HJT report ----->

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:17 AM, on 9/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Program Files\Advanced System Optimizer\adblock.exe
C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnyinsit.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: PatentHunter - {BCB2344B-3D5B-46d7-861B-A8F27E4FE602} - C:\Program Files\PatentWizard, LLC\PatentHunter3\PHToolBand.dll
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Fresh Desktop] C:\Program Files\Fresh Desktop\freshdesktop.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TorCP] E:\TOR\TorCP\torcp.exe
O4 - HKCU\..\Run: [Systweak Ad and Popup Blocker] "C:\Program Files\Advanced System Optimizer\adblock.exe"
O4 - HKCU\..\Run: [Systweak Wallpaper Changer] wallpaper.exe -minimize
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [MoneyInsights] "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnyinsit.exe"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Privoxy.lnk = E:\TOR\Privoxy\privoxy.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/toolbar/webinstall.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
O20 - Winlogon Notify: opnmLETn - opnmLETn.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Update Service (gupdate1c8c17b77f3afba) (gupdate1c8c17b77f3afba) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9395 bytes

\\\\\\Uninstall list (shortened as instructed) ---->

Addit
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Advanced System Optimizer 2
ALPS Touch Pad Driver
Apple Software Update
Atheros Wireless LAN MiniPCI card Driver
Audit Support Center 1.0
CD/DVD Drive Acoustic Silencer
Cda Product Service - shared component
Chinese Traditional Fonts Support For Adobe Reader 8
Citrix Presentation Server Client
Cogniview PDF2XL OCR
Connection Manager
Cypress USB Mass Storage Driver Installation
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Documents To Go
DVD-RAM Driver
Easy Button
Extranet Access Client
FinePixViewer Ver.4.3
FUJIFILM USB Driver
Google Earth
Google Earth Plugin
Google Update
HijackThis 2.0.2
InfoMaker 6.5
Intel(R) Extreme Graphics 2 Driver
InterVideo WinDVD for Toshiba
IrfanView (remove only)
Java 2 Runtime Environment, SE v1.4.2_05
Lexmark 3300 Series
Lexmark Fax Solutions
Lexmark Skin: Blockhead
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Merriam-Webster Online Toolbar
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Baseline Security Analyzer 2.1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money Plus
Microsoft Money Shared Libraries
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft WorldWide Telescope
Mozilla Firefox (3.0)
MSAC-USM1
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
Napster
Napster Burn Engine
Norton WMI Update
palmOne
QuickTime
RAW FILE CONVERTER LE
RealPlayer
Realtek AC'97 Audio
Realtek Fast Ethernet Adapter Driver
Recursos de Windows Mobile
Roxio Burn Engine
SMSC IrCC V5.1.3600.5
Sonic DLA
Sonic RecordNow!
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
SRS WOW XT Plug-In for Windows Media Player for Toshiba version 1.0.2
Symantec AntiVirus
System Requirements Lab
Tor Control Panel
TOSHIBA Access
TOSHIBA ConfigFree
TOSHIBA Console
TOSHIBA Fax Extension
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Management Utility
Toshiba Registration
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
Toshiba Tbiosdrv Driver
TOSHIBA Zooming Utility
Touch and Launch
TouchPad On/Off Utility
TurboTax Deluxe 2007
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2006
USB Storage Adapter FX (SM1)
Viewpoint Media Player
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
Windows Media Player Firefox Plugin
WinRAR archiver

\\\\\\ END \\\\\\\

pskelley
2008-09-19, 19:58
I just noted that I can't activate Windows Automatic Update (it is currently disabled).

Your inability to run a needed tool (combofix) is slowing the cleanup and might make it impossible to do?

Uninstall list <<< I am looking for security issues and malware only.

Adobe Reader 8.1.2 <<< out of date and being exploited by hackers.
Adobe Reader 9.0
http://www.filehippo.com/download_adobe_reader/

Java 2 Runtime Environment, SE v1.4.2_05
VERY BADLY out of date and likely the reason you are infected, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
please get that updated before you post another HJT log. This tool will help with removal of this very old item:
http://raproducts.org/

Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
I am not sure what you are running here, please make sure you have the newest version installed and uninstall all old versions:
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html

SpywareBlaster v3.5.1 <<< this version is VERY old, please note the old version must be uninstalled before the new version is installed. Disable all protection before uninstalling.
http://www.javacoolsoftware.com/

If this is your computer, you need to know you are not maintaining it well at all, especially when it comes to your security.

______________________________________

This is a new infection:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,

My Original instructions:

I suggest you keep this computer offline except when troubleshooting, the junk may download more

Let's give combofix another try, this time read through the instruction several times before you start. There is no good reason why you should not be able to follow these directions, and run combofix.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.
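As an added defender-side example (not code from this thread, from HijackThis or from ComboFix), here is a small Python checker that reads log lines in the two formats posted above and flags the Winlogon persistence pskelley points to: anything chained after userinit.exe on the Userinit value, a populated AppInit_DLLs value, and O20 Winlogon Notify handlers whose DLL is missing. The function names and the assumption that the legitimate Userinit entry ends in \system32\userinit.exe are mine; the sample lines are constructed copies of entries from this thread's logs.

```python
"""Flag Winlogon persistence in HijackThis / ComboFix log lines.

Added example for this thread; not part of HijackThis, ComboFix or the
helper's instructions. Sample lines are constructed copies of entries
appearing in the logs posted above.
"""
import re
from typing import Iterable, List, Tuple

# HijackThis "F2" line and the equivalent ComboFix registry dump line.
HJT_USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.I)
CF_USERINIT_RE = re.compile(r'^"Userinit"="(.*)"$', re.I)
# ComboFix dump of the AppInit_DLLs value (loaded into every GUI process).
CF_APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$', re.I)
# HijackThis "O20" Winlogon Notify handler line.
HJT_O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")

Finding = Tuple[str, str]  # (category, detail)


def userinit_entries(value: str) -> List[str]:
    """Split a Userinit value into normalised, lower-cased paths.

    ComboFix writes registry backslashes doubled, HijackThis does not, so
    collapse doubled backslashes before splitting on the comma separators.
    """
    value = value.replace("\\\\", "\\")
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def userinit_extras(value: str) -> List[str]:
    """Return every Userinit entry that is not the real system32 userinit.exe.

    Assumption (mine): the only legitimate entry ends in \\system32\\userinit.exe.
    """
    return [p for p in userinit_entries(value)
            if not p.endswith("\\system32\\userinit.exe")]


def analyse(lines: Iterable[str]) -> List[Finding]:
    """Scan log lines and return (category, detail) findings."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = HJT_USERINIT_RE.match(line) or CF_USERINIT_RE.match(line)
        if m:
            # Anything chained after userinit.exe runs at every logon.
            for extra in userinit_extras(m.group(1)):
                findings.append(("userinit-extra", extra))
            continue
        m = CF_APPINIT_RE.match(line)
        if m:
            # A populated AppInit_DLLs is unusual on a clean XP box; list each DLL.
            for dll in m.group(1).strip().strip('"').split():
                findings.append(("appinit-dll", dll))
            continue
        m = HJT_O20_RE.match(line)
        if m:
            name, target = m.groups()
            # A Notify handler whose DLL is gone is a leftover of a removed
            # infection; one whose DLL exists still runs at logon and needs review.
            cat = "winlogon-notify-missing" if "(file missing)" in target else "winlogon-notify"
            findings.append((cat, name))
    return findings


# Constructed sample: copies of lines from the HJT and ComboFix logs in this thread.
SAMPLE_LINES = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O20 - Winlogon Notify: opnmLETn - opnmLETn.dll (file missing)",
    r'"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\twext.exe,"',
    r'"AppInit_DLLs"=lozsuy.dll htaent.dll pkdbuh.dll',
]

if __name__ == "__main__":
    for category, detail in analyse(SAMPLE_LINES):
        print(f"{category:26} {detail}")
```

The benign O4 line in the sample produces no finding, and a clean Userinit value (userinit.exe alone) produces none either.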

logotype702
2008-09-20, 00:13
- Adobe Reader: Updated to Version 9. Success!!!
- Java: Removed old versions with tool. Downloaded from the Sun web site a file named "jre-6u7-windows-i586-p.exe". CAN'T INSTALL THE UPDATE!!! I received an error code 1722. Am I the first one with this problem? [did not run a new HJT log]
- Spybot: Uninstalled all old versions. Installed version 1.6. Success!!
- SpywareBlaster: Uninstalled old version. Installed version 4.1. Success!!
- Combofix: re-downloaded file. THIS TIME IT DID RUN..!!! (see log below).

After Combofix finished, the yellow shield with an exclamation mark appeared on the tray with the message "Updates ready to install" (Windows Update?), but when I click on it the shield disappears and nothing happens; then the shield reappears.

At this moment I have not checked the Windows update on the Control Panel.

No HJT log because I still need to install new Java. Help!!!

\\\\\\Combofix report ----->

ComboFix 08-09-19.04 - Martin 2008-09-19 16:17:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.192 [GMT -5:00]
Running from: C:\Documents and Settings\Martin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Martin\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\iee
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\C.tmp
C:\WINDOWS\system32\dwave.sys
C:\WINDOWS\system32\F.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\wnscpit.exe
C:\WINDOWS\system32\xmigjqiu.ini
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2008-08-19 to 2008-09-19 )))))))))))))))))))))))))))))))
.

2008-09-19 16:05 . 2008-09-19 16:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-19 16:04 . 2008-09-19 16:05 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-09-19 15:37 . 2008-09-19 15:38 <DIR> d-------- C:\Program Files\Java
2008-09-19 15:14 . 2008-09-19 15:15 <DIR> d-------- C:\Java
2008-09-19 13:57 . 2008-09-19 13:57 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-09-19 08:31 . 2008-09-19 08:31 <DIR> d--hs---- C:\Documents and Settings\LocalService\Application Data\twain_32
2008-09-18 23:40 . 2008-09-19 16:29 <DIR> d--hs---- C:\WINDOWS\system32\twain_32
2008-09-18 23:40 . 2008-09-19 16:27 35,301 --a------ C:\WINDOWS\system32\twain_32\local.ds
2008-09-18 23:40 . 2008-09-19 16:29 0 --a------ C:\WINDOWS\system32\twain_32\user.ds
2008-09-18 23:14 . 2008-09-18 23:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-18 23:14 . 2008-09-18 23:14 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Malwarebytes
2008-09-18 23:14 . 2008-09-18 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-18 23:14 . 2008-09-10 00:07 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-18 23:14 . 2008-09-10 00:07 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-18 22:42 . 2008-09-18 22:42 199,168 --a------ C:\WINDOWS\system32\64.tmp
2008-09-18 22:42 . 2008-09-18 22:42 51,200 --a------ C:\WINDOWS\system32\61.tmp
2008-09-18 22:42 . 2008-09-18 22:42 136 --a------ C:\WINDOWS\system32\60.tmp
2008-09-18 22:42 . 2008-09-18 22:42 0 --a------ C:\WINDOWS\system32\65.tmp
2008-09-18 22:38 . 2008-09-18 22:38 199,168 --a------ C:\WINDOWS\system32\59.tmp
2008-09-18 22:38 . 2008-09-18 22:38 51,200 --a------ C:\WINDOWS\system32\57.tmp
2008-09-18 22:38 . 2008-09-18 22:38 136 --a------ C:\WINDOWS\system32\55.tmp
2008-09-18 22:38 . 2008-09-18 22:38 0 --a------ C:\WINDOWS\system32\5A.tmp
2008-09-18 22:27 . 2008-09-18 22:27 199,168 --a------ C:\WINDOWS\system32\4E.tmp
2008-09-18 22:27 . 2008-09-18 22:27 51,200 --a------ C:\WINDOWS\system32\4C.tmp
2008-09-18 22:27 . 2008-09-18 22:27 136 --a------ C:\WINDOWS\system32\4A.tmp
2008-09-18 22:27 . 2008-09-18 22:27 0 --a------ C:\WINDOWS\system32\4F.tmp
2008-09-18 22:21 . 2008-09-18 22:21 199,168 --a------ C:\WINDOWS\system32\3D.tmp
2008-09-18 22:21 . 2008-09-18 22:21 51,200 --a------ C:\WINDOWS\system32\3B.tmp
2008-09-18 22:21 . 2008-09-18 22:21 136 --a------ C:\WINDOWS\system32\39.tmp
2008-09-18 22:21 . 2008-09-18 22:21 0 --a------ C:\WINDOWS\system32\3E.tmp
2008-09-18 20:32 . 2008-09-18 20:58 <DIR> d-------- C:\fixwareout
2008-09-17 23:42 . 2008-09-17 23:42 199,168 --a------ C:\WINDOWS\system32\37.tmp
2008-09-17 23:42 . 2008-09-17 23:42 128 --a------ C:\WINDOWS\system32\5.tmp
2008-09-17 23:42 . 2008-09-17 23:42 0 --a------ C:\WINDOWS\system32\38.tmp
2008-09-17 23:38 . 2008-09-17 23:39 199,168 --a------ C:\WINDOWS\system32\34.tmp
2008-09-17 23:38 . 2008-09-17 23:38 128 --a------ C:\WINDOWS\system32\2F.tmp
2008-09-17 23:38 . 2008-09-17 23:38 0 --a------ C:\WINDOWS\system32\31.tmp
2008-09-17 23:35 . 2008-09-17 23:35 199,168 --a------ C:\WINDOWS\system32\30.tmp
2008-09-17 23:35 . 2008-09-17 23:35 0 --a------ C:\WINDOWS\system32\2C.tmp
2008-09-17 23:34 . 2008-09-17 23:35 128 --a------ C:\WINDOWS\system32\29.tmp
2008-09-17 23:32 . 2008-09-17 23:32 199,168 --a------ C:\WINDOWS\system32\2D.tmp
2008-09-17 23:32 . 2008-09-17 23:32 128 --a------ C:\WINDOWS\system32\26.tmp
2008-09-17 23:32 . 2008-09-17 23:32 0 --a------ C:\WINDOWS\system32\2E.tmp
2008-09-17 21:54 . 2008-09-17 21:54 199,168 --a------ C:\WINDOWS\system32\2A.tmp
2008-09-17 21:54 . 2008-09-17 21:54 128 --a------ C:\WINDOWS\system32\23.tmp
2008-09-17 21:54 . 2008-09-17 21:54 0 --a------ C:\WINDOWS\system32\2B.tmp
2008-09-17 21:42 . 2008-09-17 21:42 199,168 --a------ C:\WINDOWS\system32\27.tmp
2008-09-17 21:42 . 2008-09-18 23:29 7 --a------ C:\WINDOWS\system32\nxg.bin
2008-09-17 21:42 . 2008-09-17 21:42 0 --a------ C:\WINDOWS\system32\28.tmp
2008-09-17 21:41 . 2008-09-17 21:42 128 --a------ C:\WINDOWS\system32\22.tmp
2008-09-17 21:39 . 2008-09-17 21:39 199,168 --a------ C:\WINDOWS\system32\24.tmp
2008-09-17 21:39 . 2008-09-17 21:39 18,432 --a------ C:\WINDOWS\system32\00setup.exe
2008-09-17 21:39 . 2008-09-17 21:39 128 --a------ C:\WINDOWS\system32\21.tmp
2008-09-17 21:39 . 2008-09-17 21:39 0 --a------ C:\WINDOWS\system32\25.tmp
2008-09-17 19:49 . 2008-09-17 19:49 199,168 --a------ C:\WINDOWS\system32\35.tmp
2008-09-17 19:49 . 2008-09-17 19:49 128 --a------ C:\WINDOWS\system32\32.tmp
2008-09-17 19:49 . 2008-09-17 19:49 0 --a------ C:\WINDOWS\system32\36.tmp
2008-09-17 19:43 . 2008-09-17 19:43 0 --a------ C:\WINDOWS\system32\20.tmp
2008-09-17 19:43 . 2008-09-17 19:43 0 --a------ C:\WINDOWS\system32\1C.tmp
2008-09-17 19:42 . 2008-09-17 19:42 128 --a------ C:\WINDOWS\system32\17.tmp
2008-09-17 19:42 . 2008-09-17 19:42 0 --a------ C:\WINDOWS\system32\18.tmp
2008-09-17 19:39 . 2008-09-17 19:39 199,168 --a------ C:\WINDOWS\system32\19.tmp
2008-09-17 19:39 . 2008-09-17 19:39 128 --a------ C:\WINDOWS\system32\14.tmp
2008-09-17 19:39 . 2008-09-17 19:39 0 --a------ C:\WINDOWS\system32\1A.tmp
2008-09-17 18:46 . 2008-09-17 18:46 0 --a------ C:\WINDOWS\system32\11.tmp
2008-09-17 18:40 . 2008-09-17 18:40 199,168 --a------ C:\WINDOWS\system32\15.tmp
2008-09-17 18:40 . 2008-09-17 18:40 0 --a------ C:\WINDOWS\system32\16.tmp
2008-09-17 18:38 . 2008-09-17 18:38 199,168 --a------ C:\WINDOWS\system32\12.tmp
2008-09-17 18:38 . 2008-09-17 18:38 0 --a------ C:\WINDOWS\system32\13.tmp
2008-09-17 18:37 . 2008-09-17 18:38 128 --a------ C:\WINDOWS\system32\A.tmp
2008-09-17 18:34 . 2008-09-17 18:34 128 --a------ C:\WINDOWS\system32\9.tmp
2008-09-17 18:34 . 2008-09-17 18:34 0 --a------ C:\WINDOWS\system32\10.tmp
2008-09-17 18:31 . 2008-09-17 18:31 128 --a------ C:\WINDOWS\system32\8.tmp
2008-09-17 18:31 . 2008-09-17 18:31 0 --a------ C:\WINDOWS\system32\D.tmp
2008-09-17 18:28 . 2008-09-17 18:28 199,168 --a------ C:\WINDOWS\system32\1E.tmp
2008-09-17 18:28 . 2008-09-17 18:28 36,452 --a------ C:\WINDOWS\system32\1D.tmp
2008-09-17 18:28 . 2008-09-17 18:28 128 --a------ C:\WINDOWS\system32\1B.tmp
2008-09-17 18:28 . 2008-09-17 18:28 0 --a------ C:\WINDOWS\system32\1F.tmp
2008-09-17 18:25 . 2008-09-17 18:25 0 --a------ C:\WINDOWS\CePMTray.INI
2008-09-17 18:23 . 2008-09-17 18:23 8,592 --a------ C:\WINDOWS\system32\drivers\LHidUsbK.Sys
2008-09-17 18:23 . 2008-09-17 18:23 8,592 --a------ C:\WINDOWS\system32\dplx.sys
2008-09-17 18:23 . 2008-09-17 23:42 2,921 --a------ C:\WINDOWS\system32\rtc.dat
2008-09-17 18:23 . 2008-09-17 18:23 128 --a------ C:\WINDOWS\system32\7.tmp
2008-09-17 18:23 . 2008-09-17 18:23 0 --a------ C:\WINDOWS\system32\B.tmp
2008-09-17 17:52 . 2008-09-17 17:53 <DIR> d-------- C:\Temp\PendMoves
2008-09-17 16:46 . 2008-09-17 17:22 <DIR> d-------- C:\Temp\ListDLL
2008-09-17 14:15 . 2008-09-17 14:15 <DIR> d-------- C:\Documents and Settings\Martin\SecurityScans
2008-09-17 14:13 . 2008-09-17 14:13 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-09-16 12:28 . 2008-09-16 12:28 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-16 11:25 . 2008-09-17 17:28 8,613 --ahs---- C:\WINDOWS\system32\KTEhRXyb.ini2
2008-09-16 11:25 . 2008-09-17 17:30 8,613 --ahs---- C:\WINDOWS\system32\KTEhRXyb.ini
2008-09-16 09:35 . 2008-09-16 09:35 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-09-16 08:28 . 2008-09-16 09:21 792 --ahs---- C:\WINDOWS\system32\AKjmoUtv.ini2
2008-09-16 08:28 . 2008-09-16 09:23 792 --ahs---- C:\WINDOWS\system32\AKjmoUtv.ini
2008-09-16 08:27 . 2008-09-16 08:27 <DIR> d-------- C:\Temp\dax41
2008-09-14 21:38 . 2008-09-14 21:38 0 --a------ C:\WINDOWS\VPC32.INI
2008-09-10 04:16 . 2008-09-10 04:20 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-09-10 04:16 . 2008-09-10 04:16 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\SystemRequirementsLab
2008-08-28 21:47 . 2008-05-01 09:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-28 21:08 . 2008-08-28 21:08 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\DivX
2008-08-26 19:42 . 2008-07-23 11:50 120,056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-08-26 19:35 . 2008-08-26 19:47 <DIR> d-------- C:\Program Files\DivX
2008-08-26 17:39 . 2008-08-26 20:24 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-19 21:21 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-19 21:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-19 21:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-19 20:21 --------- d-----w C:\Program Files\Google
2008-09-19 18:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-19 14:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-19 14:11 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-09-19 04:57 1,686 ----a-w C:\Program Files\venlpaz.txt
2008-09-17 14:15 --------- d-----w C:\Program Files\Trend Micro
2008-09-16 16:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-16 16:17 --------- d-----w C:\Program Files\QuickTime
2008-09-16 14:00 --------- d-----w C:\Program Files\IE7Pro
2008-09-15 02:40 --------- d-----w C:\Program Files\SpywareGuard
2008-09-02 21:40 --------- d-----w C:\Program Files\Nortel Networks
2008-08-29 04:10 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-29 02:03 --------- d-----w C:\Program Files\Lx_cats
2008-07-23 16:50 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-07-21 00:15 --------- d-----w C:\Program Files\palmOne
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

------- Sigcheck -------

2004-08-04 07:00 22016 289cefa53da768d4c0be394aba1868bd C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\svchost.exe
2004-08-04 07:00 22016 2cafc3e04d2402e1f2c3d4123a25a348 C:\WINDOWS\system32\svchost.exe

2007-06-13 05:23 1040896 ac433444375678e374a578113bef7414 C:\WINDOWS\explorer.exe
2007-06-13 06:26 1040896 d320f8ee706de3882c384bc7f89b3ff6 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 07:00 1039872 ab90064021f4774ebf331bf03cec7d1c C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2004-08-04 07:00 1039872 ea97e5fa067b686b1fe25114fa5852eb C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\explorer.exe
2007-06-13 05:23 1040896 17697d1d68ea8261dc9e8865cf7e11a5 C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-04 07:00 23040 27677e315fbe34d332574a5bcd54fa67 C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\ctfmon.exe
2004-08-04 07:00 23040 5570b54d7d3de6592d28150c42a20cc7 C:\WINDOWS\system32\ctfmon.exe

2005-06-10 19:17 65536 2dcbb6edf5dbc1f9647f9fa46cb48073 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 07:00 65536 36e3237d492376c1c0736f8142d93d96 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2005-06-10 18:53 65536 5fe3bb770eb4b9832d8231d89750d034 C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\spoolsv.exe
2005-06-10 18:53 65536 6045b45edf6402438e240b3d5921ed14 C:\WINDOWS\system32\spoolsv.exe

2004-08-04 07:00 32256 c9dcbbc589cece8ee816d2f581248203 C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\userinit.exe
2004-08-04 07:00 32256 0cb895614a0a8612d8ad8374d137d988 C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23040]
"Systweak Ad and Popup Blocker"="C:\Program Files\Advanced System Optimizer\adblock.exe" [2004-10-29 417280]
"MoneyInsights"="C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnyinsit.exe" [2008-02-19 502800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-08-19 143360]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-07-14 131131]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 200704]
"EzButton"="C:\Program Files\EzButton\EzButton.EXE" [2004-07-07 720896]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-08-06 651264]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 1097781]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 143360]
"ZoomingHook"="c:\WINDOWS\System32\ZoomingHook.exe" [2004-07-14 32768]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-07-28 61440]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-11-18 163840]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-11-18 126976]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 348160]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2005-03-17 159744]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 180224]
"LXCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
"lxccmon.exe"="C:\Program Files\Lexmark 3300 Series\lxccmon.exe" [2005-02-21 200704]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-01-19 307200]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 85696]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 61440]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 842584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 C:\WINDOWS\agrsmmsg.exe]

C:\Documents and Settings\Martin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2006-10-29 36864]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 479232]
Program Neighborhood Agent.lnk - C:\WINDOWS\Installer\{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2007-06-14 12390]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-08-19 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\twext.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=lozsuy.dll htaent.dll pkdbuh.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\LHidUsbK.Sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\PatentWizard, LLC\\PatentHunter3\\PatentHunter.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\ItsDeductible2006\\ItsDeductible10.exe"=
"C:\\Program Files\\Nortel Networks\\Extranet.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"500:UDP"= 500:UDP:ISAKMP
"10001:UDP"= 10001:UDP:NAT

R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2005-05-13 9817]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-05-13 117760]
S2 gupdate1c8c17b77f3afba;Google Update Service (gupdate1c8c17b77f3afba);C:\Program Files\Google\Update\GoogleUpdate.exe [2008-08-29 133104]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-05-13 117760]
S3 pnicml;pnicml;C:\DOCUME~1\Martin\LOCALS~1\Temp\pnicml.sys [ ]
.
Contents of the 'Scheduled Tasks' folder

2008-09-19 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2005-03-31 17:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TorCP - E:\TOR\TorCP\torcp.exe
HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-Sonic RecordNow! - (no file)
HKCU-Run-Systweak Wallpaper Changer - wallpaper.exe
HKLM-Run-Fresh Desktop - C:\Program Files\Fresh Desktop\freshdesktop.exe
HKLM-Run-QuickTime Task - C:\Program Files\QuickTime\qttask.exe
HKLM-Run-Logitech Hardware Abstraction Layer - KHALMNPR.EXE
Notify-opnmLETn - opnmLETn.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\z6dlkga1.default\
FF -: plugin - C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\z6dlkga1.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF -: plugin - C:\Program Files\Google\Google Earth Plugin\npgeplugin.dll
FF -: plugin - C:\Program Files\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-19 16:27:47
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
.
**************************************************************************
.
Completion time: 2008-09-19 16:43:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-19 21:42:09

Pre-Run: 36,262,436,864 bytes free
Post-Run: 36,118,437,888 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

301 --- E O F --- 2008-09-10 11:43:59

pskelley
2008-09-20, 01:16
I said this in the beginning:

You sure have some nasty stuff on this computer, where did you go to get all of this junk?
This computer has a load of problems and I don't know if I can help with them all. You have allowed the computer to get very infected and might want to think about a reformat:
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

Follow these instructions to fix the issue and help you install the newest version of Java:
http://www.java.com/en/download/help/error_1722.xml

Read and follow these directions carefully:


Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\64.tmp
C:\WINDOWS\system32\61.tmp
C:\WINDOWS\system32\60.tmp
C:\WINDOWS\system32\65.tmp
C:\WINDOWS\system32\59.tmp
C:\WINDOWS\system32\57.tmp
C:\WINDOWS\system32\55.tmp
C:\WINDOWS\system32\5A.tmp
C:\WINDOWS\system32\4E.tmp
C:\WINDOWS\system32\4C.tmp
C:\WINDOWS\system32\4A.tmp
C:\WINDOWS\system32\4F.tmp
C:\WINDOWS\system32\3D.tmp
C:\WINDOWS\system32\3B.tmp
C:\WINDOWS\system32\39.tmp
C:\WINDOWS\system32\3E.tmp
C:\WINDOWS\system32\37.tmp
C:\WINDOWS\system32\5.tmp
C:\WINDOWS\system32\38.tmp
C:\WINDOWS\system32\34.tmp
C:\WINDOWS\system32\2F.tmp
C:\WINDOWS\system32\31.tmp
C:\WINDOWS\system32\30.tmp
C:\WINDOWS\system32\2C.tmp
C:\WINDOWS\system32\29.tmp
C:\WINDOWS\system32\2D.tmp
C:\WINDOWS\system32\26.tmp
C:\WINDOWS\system32\2E.tmp
C:\WINDOWS\system32\2A.tmp
C:\WINDOWS\system32\23.tmp
C:\WINDOWS\system32\2B.tmp
C:\WINDOWS\system32\27.tmp
C:\WINDOWS\system32\28.tmp
C:\WINDOWS\system32\22.tmp
C:\WINDOWS\system32\24.tmp
C:\WINDOWS\system32\00setup.exe
C:\WINDOWS\system32\21.tmp
C:\WINDOWS\system32\25.tmp
C:\WINDOWS\system32\35.tmp
C:\WINDOWS\system32\32.tmp
C:\WINDOWS\system32\36.tmp
C:\WINDOWS\system32\20.tmp
C:\WINDOWS\system32\1C.tmp
C:\WINDOWS\system32\17.tmp
C:\WINDOWS\system32\18.tmp
C:\WINDOWS\system32\19.tmp
C:\WINDOWS\system32\14.tmp
C:\WINDOWS\system32\1A.tmp
C:\WINDOWS\system32\11.tmp
C:\WINDOWS\system32\15.tmp
C:\WINDOWS\system32\16.tmp
C:\WINDOWS\system32\12.tmp
C:\WINDOWS\system32\13.tmp
C:\WINDOWS\system32\A.tmp
C:\WINDOWS\system32\9.tmp
C:\WINDOWS\system32\10.tmp
C:\WINDOWS\system32\8.tmp
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\system32\1E.tmp
C:\WINDOWS\system32\1D.tmp
C:\WINDOWS\system32\1B.tmp
C:\WINDOWS\system32\1F.tmp
C:\WINDOWS\CePMTray.INI
C:\WINDOWS\system32\dplx.sys
C:\WINDOWS\system32\rtc.dat
C:\WINDOWS\system32\7.tmp
C:\WINDOWS\system32\B.tmp
C:\WINDOWS\system32\KTEhRXyb.ini2
C:\WINDOWS\system32\KTEhRXyb.ini
C:\WINDOWS\system32\spupdsvc.inf
C:\WINDOWS\system32\AKjmoUtv.ini2
C:\WINDOWS\system32\AKjmoUtv.ini

Folder::
C:\fixwareout

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of CFScript.txt in your next reply together with a new HijackThis log.

logotype702
2008-09-20, 01:57
- I was able to install Java following the instructions in the page linked.
- See below the contents of CFScript.txt and HJT log as requested.
File::
C:\WINDOWS\system32\64.tmp
C:\WINDOWS\system32\61.tmp
C:\WINDOWS\system32\60.tmp
C:\WINDOWS\system32\65.tmp
C:\WINDOWS\system32\59.tmp
C:\WINDOWS\system32\57.tmp
C:\WINDOWS\system32\55.tmp
C:\WINDOWS\system32\5A.tmp
C:\WINDOWS\system32\4E.tmp
C:\WINDOWS\system32\4C.tmp
C:\WINDOWS\system32\4A.tmp
C:\WINDOWS\system32\4F.tmp
C:\WINDOWS\system32\3D.tmp
C:\WINDOWS\system32\3B.tmp
C:\WINDOWS\system32\39.tmp
C:\WINDOWS\system32\3E.tmp
C:\WINDOWS\system32\37.tmp
C:\WINDOWS\system32\5.tmp
C:\WINDOWS\system32\38.tmp
C:\WINDOWS\system32\34.tmp
C:\WINDOWS\system32\2F.tmp
C:\WINDOWS\system32\31.tmp
C:\WINDOWS\system32\30.tmp
C:\WINDOWS\system32\2C.tmp
C:\WINDOWS\system32\29.tmp
C:\WINDOWS\system32\2D.tmp
C:\WINDOWS\system32\26.tmp
C:\WINDOWS\system32\2E.tmp
C:\WINDOWS\system32\2A.tmp
C:\WINDOWS\system32\23.tmp
C:\WINDOWS\system32\2B.tmp
C:\WINDOWS\system32\27.tmp
C:\WINDOWS\system32\28.tmp
C:\WINDOWS\system32\22.tmp
C:\WINDOWS\system32\24.tmp
C:\WINDOWS\system32\00setup.exe
C:\WINDOWS\system32\21.tmp
C:\WINDOWS\system32\25.tmp
C:\WINDOWS\system32\35.tmp
C:\WINDOWS\system32\32.tmp
C:\WINDOWS\system32\36.tmp
C:\WINDOWS\system32\20.tmp
C:\WINDOWS\system32\1C.tmp
C:\WINDOWS\system32\17.tmp
C:\WINDOWS\system32\18.tmp
C:\WINDOWS\system32\19.tmp
C:\WINDOWS\system32\14.tmp
C:\WINDOWS\system32\1A.tmp
C:\WINDOWS\system32\11.tmp
C:\WINDOWS\system32\15.tmp
C:\WINDOWS\system32\16.tmp
C:\WINDOWS\system32\12.tmp
C:\WINDOWS\system32\13.tmp
C:\WINDOWS\system32\A.tmp
C:\WINDOWS\system32\9.tmp
C:\WINDOWS\system32\10.tmp
C:\WINDOWS\system32\8.tmp
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\system32\1E.tmp
C:\WINDOWS\system32\1D.tmp
C:\WINDOWS\system32\1B.tmp
C:\WINDOWS\system32\1F.tmp
C:\WINDOWS\CePMTray.INI
C:\WINDOWS\system32\dplx.sys
C:\WINDOWS\system32\rtc.dat
C:\WINDOWS\system32\7.tmp
C:\WINDOWS\system32\B.tmp
C:\WINDOWS\system32\KTEhRXyb.ini2
C:\WINDOWS\system32\KTEhRXyb.ini
C:\WINDOWS\system32\spupdsvc.inf
C:\WINDOWS\system32\AKjmoUtv.ini2
C:\WINDOWS\system32\AKjmoUtv.ini

Folder::
C:\fixwareout

\\\\\\HJT log ------>

removed...pskelley
Member instructed to post the correct CFScript.txt and a new HJT log with Word Wrap turned off in Notepad.

pskelley
2008-09-20, 02:11
I want to see the report from CFScript posted, not information you copy/paste.
I believe you are playing games with me and I have had just about enough of it.

I am also removing this HJT log via an edit. After you post the CFScript.txt, POST a new HJT log with "Word Wrap" turned off in NOTEPAD, as per the "Before you Post" instructions I asked you to read:

"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Any more of these games and I will close this topic.

pskelley

logotype702
2008-09-20, 15:04
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of CFScript.txt in your next reply together with a new HijackThis log.

I am definitely not playing games. I read as quoted above to "post the contents" of the file CFScript.txt. Now you have clarified in your last post that you need the output report from ComboFix. The Word Wrap issue in Notebook was totally my fault and I sincerely apologize for that.

Here's the report from ComboFix:

ComboFix 08-09-19.06 - Martin 2008-09-19 21:34:23.3 - NTFSx86
Running from: C:\Documents and Settings\Martin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\at.dll
C:\WINDOWS\system32\atl7.dll
C:\WINDOWS\system32\atl7j.dll
C:\WINDOWS\system32\blphcjl3j0e549.scr
C:\WINDOWS\system32\btpanu.dll
C:\WINDOWS\system32\byXOfcDS.dll
C:\WINDOWS\system32\byXRigEx.dll
C:\WINDOWS\system32\cdosy.dll
C:\WINDOWS\system32\ddcYqroO.dll
C:\WINDOWS\system32\efcCtsPJ.dll
C:\WINDOWS\system32\efcYOfDt.dll
C:\WINDOWS\system32\efcYppNH.dll
C:\WINDOWS\system32\iifddaXN.dll
C:\WINDOWS\system32\iiffDSIy.dll
C:\WINDOWS\system32\iifgEwxw.dll
C:\WINDOWS\system32\khfGxVnL.dll
C:\WINDOWS\system32\ljJATJdE.dll
C:\WINDOWS\system32\lphcjl3j0e549.exe
C:\WINDOWS\system32\nnnkLdCr.dll
C:\WINDOWS\system32\nnnmjgGx.dll
C:\WINDOWS\system32\opnNgHBU.dll
C:\WINDOWS\system32\phcjl3j0e549.bmp
C:\WINDOWS\system32\pmnnOGYs.dll
C:\WINDOWS\system32\qoMfcBUN.dll
C:\WINDOWS\system32\rqRhHxwX.dll
C:\WINDOWS\system32\ssqPihGV.dll
C:\WINDOWS\system32\wvUkHBQk.dll
C:\WINDOWS\system32\wvUoNHxx.dll
C:\WINDOWS\system32\xxyaawuU.dll
C:\WINDOWS\system32\yayaAsRL.dll
C:\WINDOWS\system32\yaywtSMg.dll
C:\WINDOWS\system32\yayyXNDU.dll
.
---- Previous Run -------
.
C:\fixwareout\dnsbak.reg
C:\fixwareout\FindT\clsid.bak
C:\fixwareout\FindT\dumphive.exe
C:\fixwareout\FindT\FixWareOut.reg
C:\fixwareout\FindT\nircmd.exe
C:\fixwareout\FindT\patterns.txt
C:\fixwareout\FindT\rbot.bat
C:\fixwareout\FindT\RestartIt.exe
C:\fixwareout\FindT\runback.txt
C:\fixwareout\FindT\runs.vbs
C:\fixwareout\FindT\swreg.exe
C:\fixwareout\FindT\vfind.exe
C:\fixwareout\FindT\XP-2K2.cmd
C:\fixwareout\FixIt.BAT
C:\fixwareout\report.txt
C:\WINDOWS\CePMTray.INI
C:\WINDOWS\system32\00setup.exe
C:\WINDOWS\system32\10.tmp
C:\WINDOWS\system32\11.tmp
C:\WINDOWS\system32\12.tmp
C:\WINDOWS\system32\13.tmp
C:\WINDOWS\system32\14.tmp
C:\WINDOWS\system32\15.tmp
C:\WINDOWS\system32\16.tmp
C:\WINDOWS\system32\17.tmp
C:\WINDOWS\system32\18.tmp
C:\WINDOWS\system32\19.tmp
C:\WINDOWS\system32\1A.tmp
C:\WINDOWS\system32\1B.tmp
C:\WINDOWS\system32\1C.tmp
C:\WINDOWS\system32\1D.tmp
C:\WINDOWS\system32\1E.tmp
C:\WINDOWS\system32\1F.tmp
C:\WINDOWS\system32\20.tmp
C:\WINDOWS\system32\21.tmp
C:\WINDOWS\system32\22.tmp
C:\WINDOWS\system32\23.tmp
C:\WINDOWS\system32\24.tmp
C:\WINDOWS\system32\25.tmp
C:\WINDOWS\system32\26.tmp
C:\WINDOWS\system32\27.tmp
C:\WINDOWS\system32\28.tmp
C:\WINDOWS\system32\29.tmp
C:\WINDOWS\system32\2A.tmp
C:\WINDOWS\system32\2B.tmp
C:\WINDOWS\system32\2C.tmp
C:\WINDOWS\system32\2D.tmp
C:\WINDOWS\system32\2E.tmp
C:\WINDOWS\system32\2F.tmp
C:\WINDOWS\system32\30.tmp
C:\WINDOWS\system32\31.tmp
C:\WINDOWS\system32\32.tmp
C:\WINDOWS\system32\34.tmp
C:\WINDOWS\system32\35.tmp
C:\WINDOWS\system32\36.tmp
C:\WINDOWS\system32\37.tmp
C:\WINDOWS\system32\38.tmp
C:\WINDOWS\system32\39.tmp
C:\WINDOWS\system32\3B.tmp
C:\WINDOWS\system32\3D.tmp
C:\WINDOWS\system32\3E.tmp
C:\WINDOWS\system32\4A.tmp
C:\WINDOWS\system32\4C.tmp
C:\WINDOWS\system32\4E.tmp
C:\WINDOWS\system32\4F.tmp
C:\WINDOWS\system32\5.tmp
C:\WINDOWS\system32\55.tmp
C:\WINDOWS\system32\57.tmp
C:\WINDOWS\system32\59.tmp
C:\WINDOWS\system32\5A.tmp
C:\WINDOWS\system32\60.tmp
C:\WINDOWS\system32\61.tmp
C:\WINDOWS\system32\64.tmp
C:\WINDOWS\system32\65.tmp
C:\WINDOWS\system32\7.tmp
C:\WINDOWS\system32\8.tmp
C:\WINDOWS\system32\9.tmp
C:\WINDOWS\system32\A.tmp
C:\WINDOWS\system32\AKjmoUtv.ini
C:\WINDOWS\system32\AKjmoUtv.ini2
C:\WINDOWS\system32\B.tmp
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\system32\dplx.sys
C:\WINDOWS\system32\KTEhRXyb.ini
C:\WINDOWS\system32\KTEhRXyb.ini2
C:\WINDOWS\system32\rtc.dat
C:\WINDOWS\system32\spupdsvc.inf

.
((((((((((((((((((((((((( Files Created from 2008-08-20 to 2008-09-20 )))))))))))))))))))))))))))))))
.

2008-09-19 21:31 . 2008-09-19 21:31 61,440 --a------ C:\WINDOWS\system32\drivers\wnbegn.sys
2008-09-19 21:05 . 2008-09-19 21:05 <DIR> d-------- C:\WINDOWS\LastGood
2008-09-19 20:24 . 2008-09-19 20:24 199,168 --a------ C:\WINDOWS\system32\2CA.tmp
2008-09-19 20:24 . 2008-09-19 20:24 92 --a------ C:\WINDOWS\system32\2C9.tmp
2008-09-19 20:24 . 2008-09-19 20:24 18 --a------ C:\WINDOWS\system32\2CC.tmp
2008-09-19 20:20 . 2008-09-19 20:20 199,168 --a------ C:\WINDOWS\system32\2C0.tmp
2008-09-19 20:20 . 2008-09-19 20:20 92 --a------ C:\WINDOWS\system32\2BF.tmp
2008-09-19 20:20 . 2008-09-19 20:20 18 --a------ C:\WINDOWS\system32\2C3.tmp
2008-09-19 20:00 . 2008-09-19 20:00 199,168 --a------ C:\WINDOWS\system32\2B5.tmp
2008-09-19 20:00 . 2008-09-19 20:00 92 --a------ C:\WINDOWS\system32\2B3.tmp
2008-09-19 20:00 . 2008-09-19 20:00 18 --a------ C:\WINDOWS\system32\2B7.tmp
2008-09-19 19:26 . 2008-09-19 19:26 199,168 --a------ C:\WINDOWS\system32\2A7.tmp
2008-09-19 19:26 . 2008-09-19 19:26 92 --a------ C:\WINDOWS\system32\2A5.tmp
2008-09-19 19:26 . 2008-09-19 19:26 18 --a------ C:\WINDOWS\system32\2A9.tmp
2008-09-19 18:45 . 2008-09-19 18:45 199,168 --a------ C:\WINDOWS\system32\1C8.tmp
2008-09-19 18:45 . 2008-09-19 18:45 92 --a------ C:\WINDOWS\system32\1C7.tmp
2008-09-19 18:45 . 2008-09-19 18:45 18 --a------ C:\WINDOWS\system32\1CA.tmp
2008-09-19 18:30 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-19 18:20 . 2008-09-19 18:20 199,168 --a------ C:\WINDOWS\system32\17C.tmp
2008-09-19 18:20 . 2008-09-19 18:20 92 --a------ C:\WINDOWS\system32\17A.tmp
2008-09-19 18:20 . 2008-09-19 18:20 18 --a------ C:\WINDOWS\system32\17E.tmp
2008-09-19 17:53 . 2008-09-19 17:53 199,168 --a------ C:\WINDOWS\system32\108.tmp
2008-09-19 17:53 . 2008-09-19 17:53 18 --a------ C:\WINDOWS\system32\10A.tmp
2008-09-19 17:52 . 2008-09-19 17:53 92 --a------ C:\WINDOWS\system32\107.tmp
2008-09-19 17:41 . 2008-09-19 17:41 199,168 --a------ C:\WINDOWS\system32\F3.tmp
2008-09-19 17:41 . 2008-09-19 17:41 92 --a------ C:\WINDOWS\system32\F1.tmp
2008-09-19 17:41 . 2008-09-19 17:41 18 --a------ C:\WINDOWS\system32\F5.tmp
2008-09-19 17:31 . 2008-09-19 17:31 199,168 --a------ C:\WINDOWS\system32\5E.tmp
2008-09-19 17:31 . 2008-09-19 17:31 92 --a------ C:\WINDOWS\system32\5D.tmp
2008-09-19 17:31 . 2008-09-19 17:31 18 --a------ C:\WINDOWS\system32\62.tmp
2008-09-19 17:08 . 2008-09-19 17:08 199,168 --a------ C:\WINDOWS\system32\50.tmp
2008-09-19 17:08 . 2008-09-19 17:08 92 --a------ C:\WINDOWS\system32\4D.tmp
2008-09-19 17:08 . 2008-09-19 17:08 18 --a------ C:\WINDOWS\system32\53.tmp
2008-09-19 16:55 . 2008-09-19 16:55 92 --a------ C:\WINDOWS\system32\33.tmp
2008-09-19 16:55 . 2008-09-19 16:55 18 --a------ C:\WINDOWS\system32\3F.tmp
2008-09-19 16:05 . 2008-09-19 17:09 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-19 16:04 . 2008-09-19 16:05 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-09-19 15:37 . 2008-09-19 18:30 <DIR> d-------- C:\Program Files\Java
2008-09-19 15:14 . 2008-09-19 15:15 <DIR> d-------- C:\Java
2008-09-19 13:57 . 2008-09-19 13:57 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-09-19 08:31 . 2008-09-19 08:31 <DIR> d--hs---- C:\Documents and Settings\LocalService\Application Data\twain_32
2008-09-18 23:14 . 2008-09-18 23:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-18 23:14 . 2008-09-18 23:14 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Malwarebytes
2008-09-18 23:14 . 2008-09-18 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-18 23:14 . 2008-09-10 00:07 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-18 23:14 . 2008-09-10 00:07 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-18 20:32 . 2008-09-19 19:34 <DIR> d-------- C:\fixwareout
2008-09-17 21:42 . 2008-09-18 23:29 7 --a------ C:\WINDOWS\system32\nxg.bin
2008-09-17 17:52 . 2008-09-17 17:53 <DIR> d-------- C:\Temp\PendMoves
2008-09-17 16:46 . 2008-09-17 17:22 <DIR> d-------- C:\Temp\ListDLL
2008-09-17 14:15 . 2008-09-17 14:15 <DIR> d-------- C:\Documents and Settings\Martin\SecurityScans
2008-09-17 14:13 . 2008-09-17 14:13 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-09-16 12:28 . 2008-09-16 12:28 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-16 08:27 . 2008-09-16 08:27 <DIR> d-------- C:\Temp\dax41
2008-09-14 21:38 . 2008-09-14 21:38 0 --a------ C:\WINDOWS\VPC32.INI
2008-09-10 04:16 . 2008-09-10 04:20 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-09-10 04:16 . 2008-09-10 04:16 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\SystemRequirementsLab
2008-08-28 21:47 . 2008-05-01 09:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-28 21:08 . 2008-08-28 21:08 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\DivX
2008-08-26 19:42 . 2008-07-23 11:50 120,056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-08-26 19:35 . 2008-08-26 19:47 <DIR> d-------- C:\Program Files\DivX
2008-08-26 17:39 . 2008-09-19 21:07 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-20 02:31 0 ----a-w C:\Program Files\kxpebnj.txt
2008-09-20 02:15 --------- d-----w C:\Program Files\SpywareGuard
2008-09-19 23:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-19 21:21 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-19 21:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-19 20:21 --------- d-----w C:\Program Files\Google
2008-09-19 18:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-19 14:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-19 14:11 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-09-19 04:57 1,686 ----a-w C:\Program Files\venlpaz.txt
2008-09-17 14:15 --------- d-----w C:\Program Files\Trend Micro
2008-09-16 16:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-16 16:17 --------- d-----w C:\Program Files\QuickTime
2008-09-16 14:00 --------- d-----w C:\Program Files\IE7Pro
2008-09-02 21:40 --------- d-----w C:\Program Files\Nortel Networks
2008-08-29 04:10 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-29 02:03 --------- d-----w C:\Program Files\Lx_cats
2008-07-23 16:50 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-07-21 00:15 --------- d-----w C:\Program Files\palmOne
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

------- Sigcheck -------

2004-08-04 07:00 22016 2cafc3e04d2402e1f2c3d4123a25a348 C:\WINDOWS\system32\svchost.exe

2007-06-13 05:23 1040896 ac433444375678e374a578113bef7414 C:\WINDOWS\explorer.exe
2007-06-13 06:26 1040896 d320f8ee706de3882c384bc7f89b3ff6 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 07:00 1039872 ab90064021f4774ebf331bf03cec7d1c C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 05:23 1040896 17697d1d68ea8261dc9e8865cf7e11a5 C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-04 07:00 23040 5570b54d7d3de6592d28150c42a20cc7 C:\WINDOWS\system32\ctfmon.exe

2005-06-10 19:17 65536 2dcbb6edf5dbc1f9647f9fa46cb48073 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 07:00 65536 36e3237d492376c1c0736f8142d93d96 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2005-06-10 18:53 65536 6045b45edf6402438e240b3d5921ed14 C:\WINDOWS\system32\spoolsv.exe

2004-08-04 07:00 32256 0cb895614a0a8612d8ad8374d137d988 C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((( snapshot@2008-09-19_16.40.50.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 01:02:28 174,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2003-03-24 21:52:04 24,631 ------w C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\admin.exe
- 2003-03-24 21:52:04 24,631 ------w C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\author.exe
- 2003-03-24 21:52:04 196,672 ------w C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\cfgwiz.exe
- 2004-08-04 12:00:00 1,294,336 ------w C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\dsound3d.dll
- 2004-08-04 03:31:56 487,936 ----a-w C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\lang\cintsetp.exe
- 2004-08-04 03:31:40 65,591 ----a-w C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\lang\cplexe.exe
- 2004-08-04 03:31:54 315,449 ----a-w C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\lang\imjpdct.exe
- 2004-08-04 03:31:56 163,897 ----a-w C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\lang\imjpdsvr.exe
- 2004-08-04 03:31:58 213,381 ----a-w C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\lang\imjpinst.exe
- 2004-08-04 03:32:00 217,144 ----a-w C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\lang\imjpmig.exe
- 2004-08-04 03:32:12 241,719 ----a-w C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\lang\imjprw.exe
- 2004-08-04 03:32:16 270,392 ----a-w C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\lang\imjputy.exe
- 2004-08-04 03:31:50 74,680 ----a-w C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\lang\imscinst.exe
- 2004-08-04 03:32:16 51,712 ----a-w C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\lang\tintlphr.exe
- 2004-08-04 03:32:16 462,848 ----a-w C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\lang\tintsetp.exe
- 2008-04-14 10:42:22 15,872 ----a-w C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\update\fixccs.exe
- 2008-04-14 10:42:32 14,336 ----a-w C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\update\nv4prep.exe
- 2007-07-31 00:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
+ 2008-07-19 03:10:48 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
- 2008-09-19 21:26:51 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-20 01:59:02 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-19 21:26:51 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-20 01:59:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-19 21:26:51 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-20 01:59:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-08-19 22:59:28 53,353 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 06:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2004-08-19 22:59:28 53,355 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 06:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 07:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2007-07-31 00:19:04 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
+ 2008-07-19 03:07:54 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
+ 2008-07-19 03:10:20 36,552 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.784\wups.dll
+ 2008-07-19 03:10:40 45,768 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.784\wups2.dll
- 2007-07-31 00:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
+ 2008-07-19 03:09:44 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
- 2007-07-31 00:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
+ 2008-07-19 03:10:42 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
- 2007-07-31 00:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
+ 2008-07-19 03:09:42 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
- 2007-07-31 00:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
+ 2008-07-19 03:09:46 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
- 2007-07-31 00:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
+ 2008-07-19 03:10:20 36,552 ----a-w C:\WINDOWS\system32\wups.dll
- 2007-07-31 00:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
+ 2008-07-19 03:10:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
- 2007-07-31 00:19:28 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
+ 2008-07-19 03:09:44 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23040]
"Systweak Ad and Popup Blocker"="C:\Program Files\Advanced System Optimizer\adblock.exe" [2004-10-29 417280]
"MoneyInsights"="C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnyinsit.exe" [2008-02-19 502800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-08-19 143360]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-07-14 131131]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 200704]
"EzButton"="C:\Program Files\EzButton\EzButton.EXE" [2004-07-07 720896]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-08-06 651264]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 1097781]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 143360]
"ZoomingHook"="c:\WINDOWS\System32\ZoomingHook.exe" [2004-07-14 32768]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-07-28 61440]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-11-18 163840]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-11-18 126976]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 348160]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2005-03-17 159744]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 180224]
"LXCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
"lxccmon.exe"="C:\Program Files\Lexmark 3300 Series\lxccmon.exe" [2005-02-21 200704]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-01-19 307200]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 85696]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 61440]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 842584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="C:\Program Files\Java\Save\bin\jusched.exe" [2008-06-10 144784]
"Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-09-10 1261232]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 C:\WINDOWS\agrsmmsg.exe]

C:\Documents and Settings\Martin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2006-10-29 36864]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 479232]
Program Neighborhood Agent.lnk - C:\WINDOWS\Installer\{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2007-06-14 12390]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-08-19 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\twext.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=lozsuy.dll htaent.dll pkdbuh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\PatentWizard, LLC\\PatentHunter3\\PatentHunter.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\ItsDeductible2006\\ItsDeductible10.exe"=
"C:\\Program Files\\Nortel Networks\\Extranet.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"500:UDP"= 500:UDP:ISAKMP
"10001:UDP"= 10001:UDP:NAT

R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2005-05-13 9817]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-05-13 117760]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-05-13 117760]
.
Contents of the 'Scheduled Tasks' folder

2008-09-20 C:\WINDOWS\Tasks\GoogleUpdateTaskMachine.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2008-08-29 22:09]

2008-09-19 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2005-03-31 17:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{7EB6BE02-5D48-4EE9-A849-453DADBBDEB8} - C:\WINDOWS\system32\cdosy.dll
HKLM-Run-lphcjl3j0e549 - C:\WINDOWS\system32\lphcjl3j0e549.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\z6dlkga1.default\
FF -: plugin - C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\z6dlkga1.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF -: plugin - C:\Program Files\Google\Google Earth Plugin\npgeplugin.dll
FF -: plugin - C:\Program Files\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\Java\Save\bin\npjava11.dll
FF -: plugin - C:\Program Files\Java\Save\bin\npjava12.dll
FF -: plugin - C:\Program Files\Java\Save\bin\npjava13.dll
FF -: plugin - C:\Program Files\Java\Save\bin\npjava14.dll
FF -: plugin - C:\Program Files\Java\Save\bin\npjava32.dll
FF -: plugin - C:\Program Files\Java\Save\bin\npjpi160_07.dll
FF -: plugin - C:\Program Files\Java\Save\bin\npoji610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-19 21:47:20
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\twain_32

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-09-19 22:00:51
ComboFix-quarantined-files.txt 2008-09-20 03:00:42
ComboFix2.txt 2008-09-19 21:43:12

Pre-Run: 41,259,757,568 bytes free
Post-Run: 40,811,126,784 bytes free

401 --- E O F --- 2008-09-10 11:43:59


\\\\HJT log ----->
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:45:10 AM, on 9/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\Save\bin\jusched.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\Save\bin\ssv.dll
O2 - BHO: (no name) - {7EB6BE02-5D48-4EE9-A849-453DADBBDEB8} - (no file)
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: PatentHunter - {BCB2344B-3D5B-46d7-861B-A8F27E4FE602} - C:\Program Files\PatentWizard, LLC\PatentHunter3\PHToolBand.dll
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\Save\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Systweak Ad and Popup Blocker] "C:\Program Files\Advanced System Optimizer\adblock.exe"
O4 - HKCU\..\Run: [MoneyInsights] "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnyinsit.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Privoxy.lnk = E:\TOR\Privoxy\privoxy.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\Save\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\Save\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/toolbar/webinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221862988875
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
O20 - AppInit_DLLs: lozsuy.dll htaent.dll pkdbuh.dll
O20 - Winlogon Notify: yayaWMfF - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Update Service (gupdate1c8c17b77f3afba) (gupdate1c8c17b77f3afba) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9761 bytes

pskelley
2008-09-20, 15:39
If you will take the time to read the directions, you will find they are clear.

If any direction I post is not clear to you, STOP and ask for clarification, DO NOT PROCEED.

I want you to totally delete combofix from your computer. Make sure to also delete the C:\Qoobox\Quarantine folder.

Now I want you to download the newest version: Ver_08-09-19.01

and follow these directions:

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Post the combofix log

logotype702
2008-09-20, 16:25
\\\\\Combofix Log ---->

ComboFix 08-09-19.09 - Martin 2008-09-20 9:02:57.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.197 [GMT -5:00]
Running from: C:\Documents and Settings\Martin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-08-20 to 2008-09-20 )))))))))))))))))))))))))))))))
.

2008-09-20 08:30 . 2008-09-20 08:53 <DIR> d-------- C:\b78893e75ae558951f7a496f45251926
2008-09-19 20:24 . 2008-09-19 20:24 199,168 --a------ C:\WINDOWS\system32\2CA.tmp
2008-09-19 20:24 . 2008-09-19 20:24 92 --a------ C:\WINDOWS\system32\2C9.tmp
2008-09-19 20:24 . 2008-09-19 20:24 18 --a------ C:\WINDOWS\system32\2CC.tmp
2008-09-19 20:20 . 2008-09-19 20:20 199,168 --a------ C:\WINDOWS\system32\2C0.tmp
2008-09-19 20:20 . 2008-09-19 20:20 92 --a------ C:\WINDOWS\system32\2BF.tmp
2008-09-19 20:20 . 2008-09-19 20:20 18 --a------ C:\WINDOWS\system32\2C3.tmp
2008-09-19 20:00 . 2008-09-19 20:00 199,168 --a------ C:\WINDOWS\system32\2B5.tmp
2008-09-19 20:00 . 2008-09-19 20:00 92 --a------ C:\WINDOWS\system32\2B3.tmp
2008-09-19 20:00 . 2008-09-19 20:00 18 --a------ C:\WINDOWS\system32\2B7.tmp
2008-09-19 19:26 . 2008-09-19 19:26 199,168 --a------ C:\WINDOWS\system32\2A7.tmp
2008-09-19 19:26 . 2008-09-19 19:26 92 --a------ C:\WINDOWS\system32\2A5.tmp
2008-09-19 19:26 . 2008-09-19 19:26 18 --a------ C:\WINDOWS\system32\2A9.tmp
2008-09-19 18:45 . 2008-09-19 18:45 199,168 --a------ C:\WINDOWS\system32\1C8.tmp
2008-09-19 18:45 . 2008-09-19 18:45 92 --a------ C:\WINDOWS\system32\1C7.tmp
2008-09-19 18:45 . 2008-09-19 18:45 18 --a------ C:\WINDOWS\system32\1CA.tmp
2008-09-19 18:30 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-19 18:20 . 2008-09-19 18:20 199,168 --a------ C:\WINDOWS\system32\17C.tmp
2008-09-19 18:20 . 2008-09-19 18:20 92 --a------ C:\WINDOWS\system32\17A.tmp
2008-09-19 18:20 . 2008-09-19 18:20 18 --a------ C:\WINDOWS\system32\17E.tmp
2008-09-19 17:53 . 2008-09-19 17:53 199,168 --a------ C:\WINDOWS\system32\108.tmp
2008-09-19 17:53 . 2008-09-19 17:53 18 --a------ C:\WINDOWS\system32\10A.tmp
2008-09-19 17:52 . 2008-09-19 17:53 92 --a------ C:\WINDOWS\system32\107.tmp
2008-09-19 17:41 . 2008-09-19 17:41 199,168 --a------ C:\WINDOWS\system32\F3.tmp
2008-09-19 17:41 . 2008-09-19 17:41 92 --a------ C:\WINDOWS\system32\F1.tmp
2008-09-19 17:41 . 2008-09-19 17:41 18 --a------ C:\WINDOWS\system32\F5.tmp
2008-09-19 17:31 . 2008-09-19 17:31 199,168 --a------ C:\WINDOWS\system32\5E.tmp
2008-09-19 17:31 . 2008-09-19 17:31 92 --a------ C:\WINDOWS\system32\5D.tmp
2008-09-19 17:31 . 2008-09-19 17:31 18 --a------ C:\WINDOWS\system32\62.tmp
2008-09-19 17:08 . 2008-09-19 17:08 199,168 --a------ C:\WINDOWS\system32\50.tmp
2008-09-19 17:08 . 2008-09-19 17:08 92 --a------ C:\WINDOWS\system32\4D.tmp
2008-09-19 17:08 . 2008-09-19 17:08 18 --a------ C:\WINDOWS\system32\53.tmp
2008-09-19 16:55 . 2008-09-19 16:55 92 --a------ C:\WINDOWS\system32\33.tmp
2008-09-19 16:55 . 2008-09-19 16:55 18 --a------ C:\WINDOWS\system32\3F.tmp
2008-09-19 16:05 . 2008-09-19 17:09 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-19 16:04 . 2008-09-19 16:05 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-09-19 15:37 . 2008-09-19 18:30 <DIR> d-------- C:\Program Files\Java
2008-09-19 15:14 . 2008-09-19 15:15 <DIR> d-------- C:\Java
2008-09-19 13:57 . 2008-09-19 13:57 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-09-19 08:31 . 2008-09-19 08:31 <DIR> d--hs---- C:\Documents and Settings\LocalService\Application Data\twain_32
2008-09-18 23:14 . 2008-09-18 23:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-18 23:14 . 2008-09-18 23:14 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Malwarebytes
2008-09-18 23:14 . 2008-09-18 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-18 23:14 . 2008-09-10 00:07 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-18 23:14 . 2008-09-10 00:07 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-18 20:32 . 2008-09-19 19:34 <DIR> d-------- C:\fixwareout
2008-09-17 21:42 . 2008-09-18 23:29 7 --a------ C:\WINDOWS\system32\nxg.bin
2008-09-17 17:52 . 2008-09-17 17:53 <DIR> d-------- C:\Temp\PendMoves
2008-09-17 16:46 . 2008-09-17 17:22 <DIR> d-------- C:\Temp\ListDLL
2008-09-17 14:15 . 2008-09-17 14:15 <DIR> d-------- C:\Documents and Settings\Martin\SecurityScans
2008-09-17 14:13 . 2008-09-17 14:13 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-09-16 12:28 . 2008-09-16 12:28 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-16 08:27 . 2008-09-16 08:27 <DIR> d-------- C:\Temp\dax41
2008-09-14 21:38 . 2008-09-14 21:38 0 --a------ C:\WINDOWS\VPC32.INI
2008-09-10 04:16 . 2008-09-10 04:20 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-09-10 04:16 . 2008-09-10 04:16 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\SystemRequirementsLab
2008-08-28 21:47 . 2008-05-01 09:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-28 21:08 . 2008-08-28 21:08 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\DivX
2008-08-26 19:42 . 2008-07-23 11:50 120,056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-08-26 19:35 . 2008-08-26 19:47 <DIR> d-------- C:\Program Files\DivX
2008-08-26 17:39 . 2008-09-19 23:06 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-20 13:07 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-09-20 05:43 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-20 02:15 --------- d-----w C:\Program Files\SpywareGuard
2008-09-19 23:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-19 21:21 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-19 20:21 --------- d-----w C:\Program Files\Google
2008-09-19 18:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-19 14:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-19 14:11 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-09-19 04:57 1,686 ----a-w C:\Program Files\venlpaz.txt
2008-09-17 14:15 --------- d-----w C:\Program Files\Trend Micro
2008-09-16 16:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-16 16:17 --------- d-----w C:\Program Files\QuickTime
2008-09-16 14:00 --------- d-----w C:\Program Files\IE7Pro
2008-09-02 21:40 --------- d-----w C:\Program Files\Nortel Networks
2008-08-29 04:10 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-29 02:03 --------- d-----w C:\Program Files\Lx_cats
2008-07-25 08:36 532,480 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-07-23 16:50 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 16:50 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-07-23 16:50 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-21 00:15 --------- d-----w C:\Program Files\palmOne
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

------- Sigcheck -------

2008-04-13 19:12 22016 6f9926aa2fca329ae75cd044ca4b86f0 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
2004-08-04 07:00 22016 2cafc3e04d2402e1f2c3d4123a25a348 C:\WINDOWS\system32\svchost.exe

2007-06-13 05:23 1040896 ac433444375678e374a578113bef7414 C:\WINDOWS\explorer.exe
2007-06-13 06:26 1040896 d320f8ee706de3882c384bc7f89b3ff6 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 07:00 1039872 ab90064021f4774ebf331bf03cec7d1c C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-13 19:12 1041408 cb8ac2522e476f57da9b1a52526f2491 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
2007-06-13 05:23 1040896 17697d1d68ea8261dc9e8865cf7e11a5 C:\WINDOWS\system32\dllcache\explorer.exe

2008-04-13 19:12 23040 cd3c88786b74ce7c350c5099674f698c C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
2004-08-04 07:00 23040 5570b54d7d3de6592d28150c42a20cc7 C:\WINDOWS\system32\ctfmon.exe

2005-06-10 19:17 65536 2dcbb6edf5dbc1f9647f9fa46cb48073 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 07:00 65536 36e3237d492376c1c0736f8142d93d96 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 19:12 65536 4c91566984442417e47214188c485223 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
2005-06-10 18:53 65536 6045b45edf6402438e240b3d5921ed14 C:\WINDOWS\system32\spoolsv.exe

2008-04-13 19:12 33792 94a5232c849518fcbe9949cb418e96ad C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2004-08-04 07:00 32256 0cb895614a0a8612d8ad8374d137d988 C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((( snapshot_2008-09-19_21.57.28.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-16 12:08:32 100,352 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\6to4svc.dll
+ 2008-06-20 10:44:08 138,368 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys
+ 2008-06-20 17:36:11 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\dnsapi.dll
+ 2008-06-20 17:36:11 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\mswsock.dll
+ 2008-06-20 10:44:42 360,960 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
+ 2008-06-20 09:32:39 225,920 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip6.sys
+ 2008-06-20 11:40:08 138,496 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys
+ 2008-06-20 17:46:57 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\dnsapi.dll
+ 2008-06-20 17:46:57 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\mswsock.dll
+ 2008-06-20 11:51:12 361,600 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
+ 2008-06-20 11:08:27 225,856 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip6.sys
+ 2008-06-20 11:48:03 138,496 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
+ 2008-06-20 17:43:05 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\dnsapi.dll
+ 2008-06-20 17:43:05 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll
+ 2008-06-20 11:59:02 361,600 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
+ 2008-06-20 11:16:44 225,856 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip6.sys
+ 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951748\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951748\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\spcustom.dll
+ 2007-11-30 12:39:18 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\update.exe
+ 2007-11-30 12:39:19 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\updspapi.dll
- 2000-08-31 13:00:00 38,400 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 13:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
- 2000-08-31 13:00:00 169,984 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 13:00:00 161,792 ----a-w C:\WINDOWS\swreg.exe
- 2008-09-20 01:59:02 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-20 13:22:38 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-20 01:59:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-20 13:22:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-20 01:59:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-20 13:22:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-20 10:44:38 138,368 -c----w C:\WINDOWS\system32\dllcache\afd.sys
- 2008-02-20 05:32:43 148,992 -c----w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:41:10 245,248 -c----w C:\WINDOWS\system32\dllcache\mswsock.dll
- 2007-10-30 17:20:55 360,064 -c----w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2008-06-20 10:45:13 360,320 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2006-08-16 09:37:30 225,664 -c----w C:\WINDOWS\system32\dllcache\tcpip6.sys
+ 2008-06-20 09:52:06 225,920 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
- 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2004-08-04 12:00:00 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
+ 2008-06-20 10:44:38 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
- 2007-10-30 17:20:55 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2008-06-20 10:45:13 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
- 2006-08-16 09:37:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
+ 2008-06-20 09:52:06 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
- 2008-06-10 06:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 06:21:01 143,360 ----a-w C:\WINDOWS\system32\java.exe
- 2008-06-10 06:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 06:21:04 143,360 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-06-10 07:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 07:32:34 147,456 ----a-w C:\WINDOWS\system32\javaws.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23040]
"Systweak Ad and Popup Blocker"="C:\Program Files\Advanced System Optimizer\adblock.exe" [2004-10-29 417280]
"MoneyInsights"="C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnyinsit.exe" [2008-02-19 502800]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-08-19 143360]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-07-14 131131]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 200704]
"EzButton"="C:\Program Files\EzButton\EzButton.EXE" [2004-07-07 720896]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-08-06 651264]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 1097781]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 143360]
"ZoomingHook"="c:\WINDOWS\System32\ZoomingHook.exe" [2004-07-14 32768]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-07-28 61440]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-11-18 163840]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-11-18 126976]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 348160]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2005-03-17 159744]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 180224]
"LXCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
"lxccmon.exe"="C:\Program Files\Lexmark 3300 Series\lxccmon.exe" [2005-02-21 200704]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-01-19 307200]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 85696]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 61440]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 842584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="C:\Program Files\Java\Save\bin\jusched.exe" [2008-06-10 144784]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 C:\WINDOWS\agrsmmsg.exe]

C:\Documents and Settings\Martin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2006-10-29 36864]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 479232]
Program Neighborhood Agent.lnk - C:\WINDOWS\Installer\{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2007-06-14 12390]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-08-19 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\twext.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=lozsuy.dll htaent.dll pkdbuh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\PatentWizard, LLC\\PatentHunter3\\PatentHunter.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\ItsDeductible2006\\ItsDeductible10.exe"=
"C:\\Program Files\\Nortel Networks\\Extranet.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"500:UDP"= 500:UDP:ISAKMP
"10001:UDP"= 10001:UDP:NAT

R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2005-05-13 9817]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-05-13 117760]
S2 gupdate1c8c17b77f3afba;Google Update Service (gupdate1c8c17b77f3afba);C:\Program Files\Google\Update\GoogleUpdate.exe [2008-08-29 133104]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-05-13 117760]
S3 pnicml;pnicml;C:\DOCUME~1\Martin\LOCALS~1\Temp\pnicml.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{7EB6BE02-5D48-4EE9-A849-453DADBBDEB8} - (no file)
Notify-yayaWMfF - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\z6dlkga1.default\
FF -: plugin - C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\z6dlkga1.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF -: plugin - C:\Program Files\Google\Google Earth Plugin\npgeplugin.dll
FF -: plugin - C:\Program Files\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\Java\Save\bin\npjava11.dll

FF -: plugin - C:\Program Files\Java\Save\bin\npjava12.dll
FF -: plugin - C:\Program Files\Java\Save\bin\npjava13.dll
FF -: plugin - C:\Program Files\Java\Save\bin\npjava14.dll
FF -: plugin - C:\Program Files\Java\Save\bin\npjava32.dll
FF -: plugin - C:\Program Files\Java\Save\bin\npjpi160_07.dll
FF -: plugin - C:\Program Files\Java\Save\bin\npoji610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-20 09:10:30
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-20 9:15:50
ComboFix-quarantined-files.txt 2008-09-20 14:15:16
ComboFix2.txt 2008-09-20 03:00:56
ComboFix3.txt 2008-09-19 21:43:12

Pre-Run: 38,913,978,368 bytes free
Post-Run: 38,917,976,064 bytes free

302 --- E O F --- 2008-09-20 13:03:38

\\\HJT Log ------>

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:25 AM, on 9/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\Save\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\mrt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\Save\bin\ssv.dll
O2 - BHO: (no name) - {7EB6BE02-5D48-4EE9-A849-453DADBBDEB8} - (no file)
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: PatentHunter - {BCB2344B-3D5B-46d7-861B-A8F27E4FE602} - C:\Program Files\PatentWizard, LLC\PatentHunter3\PHToolBand.dll
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\Save\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Systweak Ad and Popup Blocker] "C:\Program Files\Advanced System Optimizer\adblock.exe"
O4 - HKCU\..\Run: [MoneyInsights] "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnyinsit.exe"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Privoxy.lnk = E:\TOR\Privoxy\privoxy.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\Save\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\Save\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/toolbar/webinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221862988875
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
O20 - AppInit_DLLs: lozsuy.dll htaent.dll pkdbuh.dll
O20 - Winlogon Notify: yayaWMfF - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Update Service (gupdate1c8c17b77f3afba) (gupdate1c8c17b77f3afba) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9097 bytes

pskelley
2008-09-20, 16:39
All of the .tmp files we removed have returned; you can see when they were installed:
2008-09-19 20:24 . 2008-09-19 20:24 199,168 --a------ C:\WINDOWS\system32\2CA.tmp
2008-09-19 20:24 . 2008-09-19 20:24 92 --a------ C:\WINDOWS\system32\2C9.tmp
2008-09-19 20:24 . 2008-09-19 20:24 18 --a------ C:\WINDOWS\system32\2CC.tmp
2008-09-19 20:20 . 2008-09-19 20:20 199,168 --a------ C:\WINDOWS\system32\2C0.tmp
2008-09-19 20:20 . 2008-09-19 20:20 92 --a------ C:\WINDOWS\system32\2BF.tmp
2008-09-19 20:20 . 2008-09-19 20:20 18 --a------ C:\WINDOWS\system32\2C3.tmp
2008-09-19 20:00 . 2008-09-19 20:00 199,168 --a------ C:\WINDOWS\system32\2B5.tmp
There are more. Do you know anything about this junk? If not, then make sure you can see all files and folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Use one or more of these free online scans to find out what they are and post the information:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

Scan at least three, and because they may be duplicates, scan these three:

C:\WINDOWS\system32\2CA.tmp
C:\WINDOWS\system32\2BF.tmp
C:\WINDOWS\system32\2C3.tmp

After you have that information then run this scan according to the instructions:

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here, along with the information about those .tmp files.

I will say once again, because of my feelings about this infection, you would be wise to consider a reformat.
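The hashing step behind the advice above (scan a few of the .tmp files, since several are likely duplicates) can be done before anything is uploaded: hash every .tmp file in the folder, group the ones with identical content, and submit one sample per group with its hash and the paths that share it. The script below is an added example written for this thread, not something posted by pskelley or shipped with ComboFix or HijackThis; the folder to scan is an assumption taken from the command line, and `build_sample_dir()` only writes constructed filler files with the sizes seen in the ComboFix listing (199,168 / 92 / 18 bytes) so the grouping can be demonstrated offline. Hashing only reads the files; nothing here executes them.

```python
# Added example (not from the thread): hash-and-deduplicate suspicious .tmp
# files before submitting them to an online scanner. Hashing only reads the
# files; nothing here executes them.
import hashlib
import os
import sys
import tempfile
from collections import defaultdict


def sha256_of(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_tmp_files(directory, suffix=".tmp"):
    """Non-recursive listing of files in `directory` whose name ends with `suffix`."""
    paths = []
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        if os.path.isfile(full) and name.lower().endswith(suffix):
            paths.append(full)
    return sorted(paths)


def triage(directory):
    """Group the .tmp files in `directory` by content hash.

    Returns a list of dicts {sha256, size, paths}, largest files first, so the
    big ones (the 195 KB files in the thread) sit at the top and every group
    needs only one upload, however many copies of it exist on disk.
    """
    groups = defaultdict(list)
    for path in find_tmp_files(directory):
        groups[sha256_of(path)].append(path)
    rows = [{"sha256": digest, "size": os.path.getsize(paths[0]), "paths": paths}
            for digest, paths in groups.items()]
    rows.sort(key=lambda r: (-r["size"], r["sha256"]))
    return rows


def format_report(rows):
    """One line per unique file (size, hash, copy count) followed by its paths."""
    lines = []
    for r in rows:
        lines.append("%9d bytes  %s  x%d" % (r["size"], r["sha256"], len(r["paths"])))
        for p in r["paths"]:
            lines.append("           %s" % p)
    return "\n".join(lines)


def build_sample_dir():
    """Constructed sample data, not the real files: the sizes are copied from
    the ComboFix listing above, and two of the large files hold identical
    filler so the duplicate grouping has something to find."""
    d = tempfile.mkdtemp(prefix="tmp_triage_")
    filler = b"\x90" * 1024 + b"sample-filler-bytes"          # harmless bytes
    big = (filler * (199168 // len(filler) + 1))[:199168]    # 199,168 bytes
    samples = {
        "2CA.tmp": big,
        "2C0.tmp": big,                  # same content as 2CA.tmp: one upload
        "2C9.tmp": b"x" * 92,
        "2CC.tmp": b"y" * 18,
        "notes.txt": b"ignored, not a .tmp file",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    # Assumed usage: python triage_tmp.py C:\WINDOWS\system32
    # With no argument the constructed sample folder is scanned instead.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    print(format_report(triage(target)))
```

Run it against the folder the files reappear in and paste the report alongside the online-scan results; the hash lets a helper confirm which sample each verdict belongs to even after the file names change on the next reinstall.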

logotype702
2008-09-21, 00:36
Scanned the following .tmp files with Jotti's on-line scanner.

2CA.tmp--> size=195kb.
A-Squared Found nothing
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found nothing
Avast Found Win32:Frauder-E
AVG Antivirus Found nothing
BitDefender Found Trojan.Tibs.NN
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.Packed.636
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Backdoor.Win32.Frauder.fk
Ikarus Found Backdoor.Win32.Frauder.fk
Kaspersky Anti-Virus Found Backdoor.Win32.Frauder.fk
NOD32 Found Win32/TrojanDownloader.FakeAlert.JP
Norman Virus Control Found W32/Tibs.gen242
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-EU
VirusBuster Found nothing
VBA32 Found nothing

2BF.tmp ---> size=1 kb.
Clean.

2C3.tmp ----> size = 1 kb.
Clean.

One more file of 195kb: 50.tmp-->
A-Squared Found nothing
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found nothing
Avast Found Win32:Frauder-E
AVG Antivirus Found nothing
BitDefender Found Trojan.Tibs.NN
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.Packed.636
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Backdoor.Win32.Frauder.fk
Ikarus Found Backdoor.Win32.Frauder.fk
Kaspersky Anti-Virus Found Backdoor.Win32.Frauder.fk
NOD32 Found Win32/TrojanDownloader.FakeAlert.JP
Norman Virus Control Found W32/Tibs.gen242
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-EU
VirusBuster Found nothing
VBA32 Found nothing

All these .tmp files are either 1 or 195 kb in size; I bet that all the 195 kb ones have viruses. Were these files created by ComboFix?

Then I ran the on-line scan; here's half of the report. I hope something is not right: I can't believe that the Java files that I just installed yesterday are already infected (see the last few lines). Is that possible? If you need the full report let me know and I'll post it, but the report is a big txt file (124 kb).



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, September 20, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, September 20, 2008 16:35:54
Records in database: 1246751
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 64221
Threat name: 5
Infected objects: 1396
Suspicious objects: 0
Duration of the scan: 03:10:21


File name / Threat name / Threats count
C:\WINDOWS\system32\svchost.exe/C:\WINDOWS\system32\svchost.exe Infected: Virus.Win32.Virut.bq 5
C:\WINDOWS\System32\svchost.exe/C:\WINDOWS\System32\svchost.exe Infected: Virus.Win32.Virut.bq 1
C:\WINDOWS\system32\spoolsv.exe/C:\WINDOWS\system32\spoolsv.exe Infected: Virus.Win32.Virut.bq 1
C:\WINDOWS\system32\drivers\CDAC11BA.EXE/C:\WINDOWS\system32\drivers\CDAC11BA.EXE Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe/C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe/C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe Infected: Virus.Win32.Virut.bq 1
C:\WINDOWS\system32\DVDRAMSV.exe/C:\WINDOWS\system32\DVDRAMSV.exe Infected: Virus.Win32.Virut.bq 1
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe/c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe Infected: Virus.Win32.Virut.bq 1
C:\WINDOWS\System32\alg.exe/C:\WINDOWS\System32\alg.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe/C:\Program Files\TOSHIBA\Power Management\CePMTray.exe Infected: Virus.Win32.Virut.bq 1
C:\WINDOWS\system32\dla\tfswctrl.exe/C:\WINDOWS\system32\dla\tfswctrl.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\EzButton\EzButton.EXE/C:\Program Files\EzButton\EzButton.EXE Infected: Virus.Win32.Virut.bq 1
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe/C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe/C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe/C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe Infected: Virus.Win32.Virut.bq 1
C:\WINDOWS\System32\ZoomingHook.exe/C:\WINDOWS\System32\ZoomingHook.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe/C:\Program Files\TOSHIBA\TouchPad\TPTray.exe Infected: Virus.Win32.Virut.bq 1
C:\WINDOWS\system32\igfxtray.exe/C:\WINDOWS\system32\igfxtray.exe Infected: Virus.Win32.Virut.bq 1
C:\WINDOWS\system32\hkcmd.exe/C:\WINDOWS\system32\hkcmd.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Microsoft IntelliType Pro\type32.exe/C:\Program Files\Microsoft IntelliType Pro\type32.exe Infected: Virus.Win32.Virut.bq 1
C:\WINDOWS\system32\ctfmon.exe/C:\WINDOWS\system32\ctfmon.exe Infected: Virus.Win32.Virut.bq 1
C:\WINDOWS\system32\lxcccoms.exe/C:\WINDOWS\system32\lxcccoms.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe/C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Citrix\ICA Client\pnagent.exe/C:\Program Files\Citrix\ICA Client\pnagent.exe Infected: Virus.Win32.Virut.bq 1
C:\WINDOWS\system32\RAMASST.exe/C:\WINDOWS\system32\RAMASST.exe Infected: Virus.Win32.Virut.bq 1
C:\WINDOWS\explorer.exe/C:\WINDOWS\explorer.exe Infected: Virus.Win32.Virut.bq 1
C:\ARCSOFT\DirectX\dxsetup.exe Infected: Virus.Win32.Virut.bq 1
C:\ARCSOFT\Setup.exe Infected: Virus.Win32.Virut.bq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01280000.VBN Infected: Trojan-Dropper.Win32.Small.bkz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\040C0006.VBN Infected: Virus.Win32.Virut.bq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\040C0007.VBN Infected: Virus.Win32.Virut.bq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05140000.VBN Infected: Trojan-Dropper.Win32.Small.bkz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05FC0000.VBN Infected: Trojan-Dropper.Win32.Small.bkz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06580000.VBN Infected: Trojan-Dropper.Win32.Small.bkz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07540000.VBN Infected: Trojan-Dropper.Win32.Small.bkz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08AC0000\48EFB3E0.VBN Infected: Trojan-Downloader.Win32.VB.awj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09EC0000.VBN Infected: Trojan-Dropper.Win32.Small.bkz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09EC0002.VBN Infected: Trojan-Dropper.Win32.Small.bkz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600000.VBN Infected: Trojan-Dropper.Win32.Small.bkz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EC40000.VBN Infected: Trojan-Dropper.Win32.Small.bkz 1
C:\Documents and Settings\Martin\Application Data\Microsoft\Installer\{6744FF41-012F-4CC9-8B01-242D9CF83ED8}\BOINCMGRStartupLink_80F0D10B734F409F8FF15D5E21A32263.exe Infected: Virus.Win32.Virut.bq 1
C:\Documents and Settings\Martin\Application Data\Microsoft\Installer\{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}\NewShortcut3_2E7595EC4FB14E2993D49083C8A9B107.exe Infected: Virus.Win32.Virut.bq 1
C:\Documents and Settings\Martin\Application Data\Microsoft\Installer\{FF8157AA-F640-45BD-B7C2-BAA1016B267A}\ARPPRODUCTICON.exe Infected: Virus.Win32.Virut.bq 1
C:\Documents and Settings\Martin\Application Data\Microsoft\Installer\{FF8157AA-F640-45BD-B7C2-BAA1016B267A}\PalmDesktopShortcut.exe Infected: Virus.Win32.Virut.bq 1
C:\Documents and Settings\Martin\Desktop\ATF-Cleaner.exe Infected: Virus.Win32.Virut.bq 1
C:\Documents and Settings\Martin\Desktop\Convert.exe Infected: Virus.Win32.Virut.bq 1
C:\Documents and Settings\Martin\Desktop\cwshredder.exe Infected: Virus.Win32.Virut.bq 1
C:\Documents and Settings\Martin\Desktop\JavaRa.exe Infected: Virus.Win32.Virut.bq 1
C:\Documents and Settings\Martin\Desktop\udc.exe Infected: Virus.Win32.Virut.bq 1
C:\gstools\gs4.03\gswin32c.exe Infected: Virus.Win32.Virut.bq 1
C:\gstools\gsview\gsview32.exe Infected: Virus.Win32.Virut.bq 1
C:\gstools\gsview\gvwgs32.exe Infected: Virus.Win32.Virut.bq 1
C:\hssvss\hssvss.exe Infected: Virus.Win32.Virut.bq 1
C:\Java\bin\java-rmi.exe Infected: Virus.Win32.Virut.bq 1
C:\Java\bin\java.exe Infected: Virus.Win32.Virut.bq 1
C:\Java\bin\javacpl.exe Infected: Virus.Win32.Virut.bq 1
C:\Java\bin\javaw.exe Infected: Virus.Win32.Virut.bq 1
C:\Java\bin\javaws.exe Infected: Virus.Win32.Virut.bq 1
C:\Java\bin\jusched.exe Infected: Virus.Win32.Virut.bq 1
C:\Java\bin\keytool.exe Infected: Virus.Win32.Virut.bq 1
C:\Java\bin\kinit.exe Infected: Virus.Win32.Virut.bq 1
C:\Java\bin\klist.exe Infected: Virus.Win32.Virut.bq 1
C:\Java\bin\ktab.exe Infected: Virus.Win32.Virut.bq 1
C:\Java\bin\orbd.exe Infected: Virus.Win32.Virut.bq 1
C:\Java\bin\pack200.exe Infected: Virus.Win32.Virut.bq 1
C:\Java\bin\policytool.exe Infected: Virus.Win32.Virut.bq 1
C:\Java\bin\rmid.exe Infected: Virus.Win32.Virut.bq 1
C:\Java\bin\rmiregistry.exe Infected: Virus.Win32.Virut.bq 1
C:\Java\bin\servertool.exe Infected: Virus.Win32.Virut.bq 1
C:\Java\bin\tnameserv.exe Infected: Virus.Win32.Virut.bq 1
C:\Java\bin\unpack200.exe Infected: Virus.Win32.Virut.bq 1
C:\mepolack\gsview\setup.exe Infected: Virus.Win32.Virut.bq 1
C:\mepolack\hssvss.exe Infected: Virus.Win32.Virut.bq 1
C:\mepolack\protect\Setup.exe Infected: Virus.Win32.Virut.bq 1
C:\mepolack\UTILS\convert.exe Infected: Virus.Win32.Virut.bq 1
C:\P3WIN\P3PROGS\BCHECK.EXE Infected: Virus.Win32.Virut.bq 1
C:\P3WIN\P3PROGS\BTREGSET.EXE Infected: Virus.Win32.Virut.bq 1
C:\Program Files\A43\A43.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU_\setup.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU__\setup.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU___\setup.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU____\setup.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU_____\setup.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU______\setup.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU_______\setup.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU________\setup.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU_________\setup.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Adobe\Adobe Reader for Palm OS\AdobeDesk.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Adobe\Adobe Reader for Palm OS\AdobeDeskCmd.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\adblock.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\aptplaner.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\aso.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\BackupManager.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\BlockPrg.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\FastMail.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\ffInfo.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\FileEncrypt.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\FileSplitandJoin.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\finddupe.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\Icon Manager.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\LogonSettings.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\MailNotify.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\MediaFilesOrganizer.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\memtuneup.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\privprot.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\regclean.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\regopt.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\SecureDelete.exe Infected: Virus.Win32.Virut.bq 1
C:\Program Files\Advanced System Optimizer\Spyware Detective.exe Infected: Virus.Win32.Virut.bq 1

pskelley
2008-09-21, 00:56
This was what I was afraid of, especially when the junk came back after we removed it. That is why I ran KOS, because it identifies the virus:
Win32.Virut.bq <<< this is the file infector
http://www.threatexpert.com/report.aspx?uid=a0a06df1-4e5d-4fb9-9517-beee0bbb25b3
A virus capable to modify other files by infecting, prepending, or overwriting them with its own body


Virut/Virtob is contracted and spread by visiting remote, crack and keygen sites. Those who attempt to get software for free may end up with a computer system so badly damaged that recovery is not possible and a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over, reformatting the drive and performing a clean install removes everything.
You can remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Thanks

logotype702
2008-09-21, 02:14
Combofix has been removed.
I guess the next step is to re-format the drive and re-install the system. I may choose to install Ubuntu (or other Linux distro) this time, I am done with Windows.

One last question:
If I had to buy an internet security suite which one would you recommend? Kaspersky, Norton, McAfee...?

And thanks for your help and time, Phil.

Regards
Martin

pskelley
2008-09-21, 02:34
I am sorry, I only personally suggest freeware products. Here are links where suggestions are made:
http://www.google.com/search?hl=en&q=review+antivirus+programs&btnG=Google+Search&aq=f&oq=
http://www.google.com/search?hl=en&q=rate+antivirus+programs&btnG=Search

Here is the closing information I post, freeware products are in the last link:
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html