View Full Version : Virtumonde Removal
shake48471
2008-09-19, 00:34
It sounds like Virtumonde is a pretty common occurence unfortunately and it seems that the fix can be different for different users. I tried to find a fix in the FAQ area but found a few different ones so decided to send this thread...I would greatly appreciat it if you can help with this. After getting infected with Virtumonde, I ran a scan with Spybot and was able to fix a few other problems it showed, but not Virtumonde. Also, the computer will not load windows except in safe mode. The following is the log from Hijack This. Please let me know if you need anything else. Thank you very much!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:31 PM, on 9/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://sitedirector.symantec.com/932743328/?ssdcat=112&oslang=iso:ENG&oslocale=iso:US&spskum=11309257&plang=EN&linkid=006&osver=5.1&pversionid=1.4
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {d56fa2da-9935-4585-b130-9757ab462371} - (no file)
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 350 Series\ezprint.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lphc3ojj0ejcg] C:\WINDOWS\system32\lphc3ojj0ejcg.exe
O4 - HKLM\..\Run: [\VIE2A2.exe] C:\Windows\System32\VIE2A2.exe
O4 - HKLM\..\Run: [\VIE2A3.exe] C:\Windows\System32\VIE2A3.exe
O4 - HKLM\..\Run: [\VIE2A6.exe] C:\Windows\System32\VIE2A6.exe
O4 - HKLM\..\Run: [20c9e5df] rundll32.exe "C:\WINDOWS\system32\tkkhxjce.dll",b
O4 - HKLM\..\Run: [BM23fad643] Rundll32.exe "C:\WINDOWS\system32\jxdaycsw.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA5164] command /c del "C:\Program Files\PCHealthCenter\0.gif"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8595] cmd /c del "C:\Program Files\PCHealthCenter\0.gif"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2053] command /c del "C:\Program Files\PCHealthCenter\1.gif"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6412] cmd /c del "C:\Program Files\PCHealthCenter\1.gif"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5232] command /c del "C:\Program Files\PCHealthCenter\1.ico"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4268] cmd /c del "C:\Program Files\PCHealthCenter\1.ico"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7224] command /c del "C:\Program Files\PCHealthCenter\2.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC297] cmd /c del "C:\Program Files\PCHealthCenter\2.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6739] command /c del "C:\Program Files\PCHealthCenter\2.gif"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2402] cmd /c del "C:\Program Files\PCHealthCenter\2.gif"
O4 - HKLM\..\RunOnce: [SpybotDeletingA229] command /c del "C:\Program Files\PCHealthCenter\2.ico"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8798] cmd /c del "C:\Program Files\PCHealthCenter\2.ico"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9079] command /c del "C:\Program Files\PCHealthCenter\3.gif"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4715] cmd /c del "C:\Program Files\PCHealthCenter\3.gif"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9979] command /c del "C:\Program Files\PCHealthCenter\0.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4000] cmd /c del "C:\Program Files\PCHealthCenter\0.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8509] command /c del "C:\Program Files\PCHealthCenter\1.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC251] cmd /c del "C:\Program Files\PCHealthCenter\1.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6699] command /c del "C:\WINDOWS\system32\jxdaycsw.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5630] cmd /c del "C:\WINDOWS\system32\jxdaycsw.dll_old"
O4 - HKCU\..\Run: [PCPal] "C:\Program Files\PCPal\PalAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1526] command /c del "C:\Program Files\PCHealthCenter\0.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8877] cmd /c del "C:\Program Files\PCHealthCenter\0.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3644] command /c del "C:\Program Files\PCHealthCenter\1.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingD963] cmd /c del "C:\Program Files\PCHealthCenter\1.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6967] command /c del "C:\Program Files\PCHealthCenter\1.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1980] cmd /c del "C:\Program Files\PCHealthCenter\1.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1614] command /c del "C:\Program Files\PCHealthCenter\2.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7794] cmd /c del "C:\Program Files\PCHealthCenter\2.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5579] command /c del "C:\Program Files\PCHealthCenter\2.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6407] cmd /c del "C:\Program Files\PCHealthCenter\2.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9105] command /c del "C:\Program Files\PCHealthCenter\2.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9145] cmd /c del "C:\Program Files\PCHealthCenter\2.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1823] command /c del "C:\Program Files\PCHealthCenter\3.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7845] cmd /c del "C:\Program Files\PCHealthCenter\3.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9592] command /c del "C:\Program Files\PCHealthCenter\0.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6932] cmd /c del "C:\Program Files\PCHealthCenter\0.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1518] command /c del "C:\Program Files\PCHealthCenter\1.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7421] cmd /c del "C:\Program Files\PCHealthCenter\1.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8869] command /c del "C:\WINDOWS\system32\jxdaycsw.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD557] cmd /c del "C:\WINDOWS\system32\jxdaycsw.dll_old"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203459842953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203459890406
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553635000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: wmunem.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcv_device - - C:\WINDOWS\system32\lxcvcoms.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCPalSrvHost - Unknown owner - C:\Program Files\PCPal\PCPalSrvHost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 14365 bytes
pskelley
2008-09-20, 17:58
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
Also, the computer will not load windows except in safe mode.
Now that is a problem I don't know for sure we can overcome with a remote repair like this and I surely do not like you being online with none of your security programs running!
Please be sure TeaTimer is not running.
1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
Once you get combofix run, you should get so relief.
2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log.
Thanks
shake48471
2008-09-20, 23:33
I did exactly what you said in the last post and it seems to have fixed it...but I wasn't sure if there is still more to do or not. Just let me know if I need to complete any more tasks or if this is complete. Thank you so much! Here are the logs you requested:
1) The ComboFix Log
ComboFix 08-09-20.02 - Administrator 2008-09-20 15:38:19.1 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - system32: deleted 0 bytes in 1 streams.
ADS - WINDOWS: deleted 0 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM23fad643.txt
C:\WINDOWS\BM23fad643.xml
C:\WINDOWS\Downloaded Program Files\ODCTOOLS
C:\WINDOWS\system32\ampbqvfk.ini
C:\WINDOWS\system32\blphc3ojj0ejcg.scr
C:\WINDOWS\system32\ecjxhkkt.ini
C:\WINDOWS\system32\jkkJDtqq.dll
C:\WINDOWS\system32\lphc3ojj0ejcg.exe
C:\WINDOWS\system32\opnlLeCv.dll
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\vCeLlnpo.ini
C:\WINDOWS\system32\vCeLlnpo.ini2
C:\WINDOWS\system32\VIE2A2.exe
C:\WINDOWS\system32\VIE2A3.exe
C:\WINDOWS\system32\VIE2A6.exe
C:\WINDOWS\system32\xtsqrkor.dll
C:\WINDOWS\winhelp.ini
.
((((((((((((((((((((((((( Files Created from 2008-08-20 to 2008-09-20 )))))))))))))))))))))))))))))))
.
2008-09-18 14:49 . 2008-09-18 14:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-18 09:32 . 2008-09-18 09:32 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-18 05:56 . 2008-09-18 05:56 112,640 --a------ C:\WINDOWS\system32\wmunem.dll
2008-09-18 05:56 . 2008-09-18 05:56 112,640 --a------ C:\WINDOWS\system32\esmrkjoy.dll
2008-09-18 05:53 . 2008-09-18 05:53 89,600 --a------ C:\WINDOWS\system32\tkkhxjce.dll
2008-09-18 00:35 . 2008-09-18 00:35 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-17 23:51 . 2008-09-17 23:51 113,152 --a------ C:\WINDOWS\system32\vahmew.dll
2008-09-17 23:51 . 2008-09-17 23:51 113,152 --a------ C:\WINDOWS\system32\sntyubty.dll
2008-09-17 23:49 . 2008-09-17 23:49 99,328 --a------ C:\WINDOWS\system32\nfaoqvmg.dll
2008-09-17 23:49 . 2008-09-17 23:49 89,088 --a------ C:\WINDOWS\system32\kfvqbpma.dll
2008-09-17 23:48 . 2008-09-17 23:48 113,152 --a------ C:\WINDOWS\system32\hhfeonbs.dll
2008-09-17 23:48 . 2008-09-17 23:48 113,152 --a------ C:\WINDOWS\system32\djucom.dll
2008-09-17 23:48 . 2008-09-17 23:48 99,328 --a------ C:\WINDOWS\system32\ofqdxnhd.dll
2008-09-17 23:41 . 2008-09-17 23:41 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2008-09-17 21:17 . 2008-09-17 22:56 <DIR> d-------- C:\Documents and Settings\Scott\.limewire
2008-09-17 18:04 . 2008-09-17 18:04 <DIR> d-------- C:\Program Files\gs
2008-09-17 18:04 . 2008-09-17 18:04 43 --a------ C:\WINDOWS\gswin32.ini
2008-09-17 18:00 . 2008-09-17 18:00 <DIR> d-------- C:\Program Files\PlotSoft
2008-09-17 18:00 . 2005-05-07 14:14 90,112 --a------ C:\WINDOWS\system32\custmon2k.dll
2008-09-17 18:00 . 2004-06-06 20:17 53,248 --a------ C:\WINDOWS\system32\uninstpw.exe
2008-09-17 18:00 . 2005-05-07 14:15 24,576 --a------ C:\WINDOWS\system32\custsave.exe
2008-09-10 15:35 . 2008-09-10 15:35 <DIR> d-------- C:\Program Files\iPod
2008-09-10 15:35 . 2008-09-10 15:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-10 15:32 . 2008-09-10 15:32 <DIR> d-------- C:\Program Files\Bonjour
2008-09-10 15:30 . 2008-09-10 15:31 <DIR> d-------- C:\Program Files\QuickTime
2008-09-08 18:03 . 2008-09-08 18:03 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\CyberLink
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-09-04 12:48 . 2008-09-04 12:48 35 --a------ C:\WINDOWS\iltwain.ini
2008-09-04 12:39 . 2008-09-04 14:02 <DIR> d-------- C:\Program Files\Qimage
2008-08-30 14:50 . 2008-08-30 14:50 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Electronic Arts
2008-08-29 20:34 . 2008-08-29 20:36 <DIR> d-------- C:\Program Files\Xfire
2008-08-29 20:34 . 2008-08-29 20:35 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Xfire
2008-08-29 14:54 . 2008-08-30 01:12 <DIR> d-------- C:\Mythic
2008-08-29 10:18 . 2008-08-29 10:18 87,336 --a------ C:\WINDOWS\system32\dns-sd.exe
2008-08-29 09:53 . 2008-08-29 09:53 61,440 --a------ C:\WINDOWS\system32\dnssd.dll
2008-08-29 00:51 . 2008-08-29 00:51 <DIR> d-------- C:\Program Files\Disney
2008-08-27 23:59 . 2008-08-27 23:59 20 --a------ C:\WINDOWS\LANG.INI
2008-08-27 20:25 . 2008-08-27 20:25 <DIR> d-------- C:\Program Files\PowerISO
2008-08-27 11:08 . 2008-08-27 11:08 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-25 23:13 . 2008-08-25 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CinemaNow
2008-08-25 19:15 . 2008-08-25 19:16 <DIR> d-------- C:\Program Files\Common Files\mpDRM
2008-08-25 19:15 . 2008-08-25 23:12 <DIR> d-------- C:\Program Files\Common Files\fluxDVD
2008-08-25 19:15 . 2008-08-25 19:15 <DIR> d-------- C:\Program Files\CinemaNow
2008-08-25 19:15 . 2008-08-25 19:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\mpDRM
2008-08-25 19:15 . 2008-08-25 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fluxDVD
2008-08-25 17:56 . 2008-08-25 19:44 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-25 17:55 . 2008-08-25 19:44 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-25 17:55 . 2008-08-25 19:44 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-25 17:38 . 2008-03-19 05:47 1,845,248 --a------ C:\WINDOWS\system32\win32k.sys
2008-08-25 15:51 . 2007-02-28 05:10 2,180,352 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-25 15:40 . 2004-08-04 03:56 96,768 --a------ C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-08-25 15:40 . 2005-09-08 01:03 86,728 --a------ C:\WINDOWS\system32\msxml6r.dll
2008-08-25 15:40 . 2004-08-04 03:56 24,064 --a------ C:\WINDOWS\system32\dllcache\pidgen.dll
2008-08-25 15:40 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\005936_.tmp
2008-08-25 14:51 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-25 03:57 . 2008-08-25 03:57 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-08-23 03:44 . 2008-08-23 03:44 <DIR> d-------- C:\Program Files\GetData
2008-08-20 19:11 . 2008-08-20 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-08-20 16:40 . 2008-08-20 16:40 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-08-20 16:39 . 2004-08-04 03:56 21,504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll
2008-08-20 16:37 . 2007-08-21 04:12 21,760 --a------ C:\WINDOWS\system32\drivers\point32.sys
2008-08-20 16:37 . 2007-08-31 14:58 18,856 --a------ C:\WINDOWS\system32\drivers\nuidfltr.sys
2008-08-20 16:36 . 2008-08-20 16:37 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-18 13:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-18 13:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-18 04:54 --------- d---a-w C:\Program Files\Common Files\Symantec Shared
2008-09-18 04:51 --------- d-----w C:\Program Files\Norton Security Scan
2008-09-18 03:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-17 11:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-16 00:49 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2008-09-11 02:22 --------- d-----w C:\Program Files\BookCAT
2008-09-10 19:36 --------- d-----w C:\Program Files\iTunes
2008-09-10 19:30 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-08 22:10 --------- d-----w C:\Documents and Settings\Scott\Application Data\U3
2008-09-08 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cyberlink
2008-09-06 20:51 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
2008-09-05 17:21 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
2008-09-04 01:21 --------- d-----w C:\Documents and Settings\Scott\Application Data\AdobeUM
2008-09-04 01:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-01 14:22 --------- d-----w C:\Program Files\e-Sword
2008-08-29 03:30 --------- d-----w C:\Program Files\Canon
2008-08-28 03:56 --------- d-----w C:\Program Files\Bible Explorer 4
2008-08-27 23:55 --------- d-----w C:\Program Files\Common Files\HumanConcepts
2008-08-27 23:39 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2008-08-27 23:39 --------- d-----w C:\Program Files\Yahoo!
2008-08-27 23:32 --------- d-----w C:\Program Files\Ulead Systems
2008-08-27 23:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-08-27 22:56 --------- d-----w C:\Program Files\Java
2008-08-27 03:47 --------- d-----w C:\Program Files\Corel
2008-08-26 02:46 --------- d-----w C:\Program Files\Task Reporter
2008-08-26 02:34 --------- d-----w C:\Program Files\HumanConcepts
2008-08-26 00:28 --------- d-----w C:\Documents and Settings\Scott\Application Data\Vso
2008-08-25 07:56 --------- d-----w C:\Program Files\Common Files\Real
2008-08-23 04:00 --------- d-----w C:\Program Files\Norton SystemWorks
2008-08-22 06:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-19 21:26 --------- d-----w C:\Program Files\QPcard
2008-08-17 05:47 --------- d-----w C:\Documents and Settings\Scott\Application Data\ATI
2008-08-17 05:14 --------- d-----w C:\Documents and Settings\Scott\Application Data\Apple Computer
2008-08-16 04:19 --------- d-----w C:\Documents and Settings\Scott\Application Data\dvdcss
2008-08-16 04:11 --------- d-----w C:\Program Files\Apple Software Update
2008-08-15 14:54 --------- d-----w C:\Program Files\VSO
2008-08-15 14:28 --------- d-----w C:\Program Files\CamStudio
2008-08-14 00:52 --------- d-----w C:\Program Files\Password Safe
2008-08-14 00:15 --------- d-----w C:\Program Files\Hobopublishing
2008-08-12 04:47 --------- d-----w C:\Program Files\MagicTune Premium
2008-08-10 20:02 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-08-10 02:04 --------- d-----w C:\Program Files\Common Files\Nikon
2008-08-10 02:04 --------- d-----w C:\Documents and Settings\Scott\Application Data\Nikon
2008-08-09 18:11 --------- d-----w C:\Program Files\CyberLink
2008-08-09 18:03 --------- d-----w C:\Program Files\Digital Photo Navigator 1.5
2008-08-06 16:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\espionServerData
2008-08-06 15:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-06 14:59 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-08-06 14:51 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-08-06 14:51 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-08-06 14:51 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-08-04 06:43 --------- d-----w C:\Documents and Settings\Scott\Application Data\Purchases v1.2 7 05246
2008-08-04 06:38 --------- d-----w C:\Documents and Settings\Scott\Application Data\woodtracker 5 05246
2008-08-04 06:35 --------- d-----w C:\Program Files\woodtracker
2008-08-04 06:35 --------- d-----w C:\Program Files\Purchases
2008-08-04 06:35 --------- d-----w C:\Program Files\PenBox
2008-08-04 06:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-08-04 06:13 --------- d-----w C:\Documents and Settings\Scott\Application Data\PenBox 53 05297
2008-08-04 06:11 --------- d-----w C:\Program Files\Brilliant Database WPE 51
2008-08-02 19:38 --------- d-----w C:\Program Files\Conduit
2008-08-02 19:38 --------- d-----w C:\Program Files\CalendarHome.com
2008-08-02 06:06 --------- d-----w C:\Program Files\CATVids
2008-07-29 21:49 --------- d-----w C:\Documents and Settings\Scott\Application Data\Pen Box Demo Beta 2.0.1 1 05246
2008-04-08 21:50 30,601 ----a-w C:\Documents and Settings\Scott\x.exe
2008-02-22 19:24 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-08-30 13:23 32 --sh--w C:\WINDOWS\{1AD6AE75-5F97-4472-AB53-EEC65DA985BD}.dat
2007-08-30 13:20 32 --sh--w C:\WINDOWS\{1CB2A1D9-6434-44F4-B148-0D121A4A23BC}.dat
2007-08-30 13:18 32 --sh--w C:\WINDOWS\{4D71CFE6-3348-4040-B4A7-EA756AA30A06}.dat
2007-08-30 13:23 32 --sh--w C:\WINDOWS\{594AEE07-1F1A-4881-BEC0-848B1D438E72}.dat
2007-08-30 13:20 32 --sh--w C:\WINDOWS\{707C7B5D-967C-4F2B-94AB-1F7CDE526E6D}.dat
2007-08-30 13:20 32 --sh--w C:\WINDOWS\{E4F3A074-1D2F-4F08-8523-09D2199C182E}.dat
2007-08-30 13:22 32 --sh--w C:\WINDOWS\{E7BC84C1-FB88-4BB5-8BD5-12930FBDE53F}.dat
2007-11-08 07:08 80 --sh--r C:\WINDOWS\system32\1FE9CC6202.dll
2007-08-30 13:20 32 --sha-w C:\WINDOWS\system32\{190659DF-7512-4893-99A6-5F3044DDFA01}.dat
2007-08-30 13:20 32 --sha-w C:\WINDOWS\system32\{1B23F303-8BDE-4908-98D8-E06718694B1E}.dat
2007-08-30 13:22 32 --sha-w C:\WINDOWS\system32\{6A74D0AB-CA54-4EB3-83B4-549F6B0BE0C0}.dat
2007-08-30 13:23 32 --sha-w C:\WINDOWS\system32\{77FC3A42-1083-4010-9A5C-AFFB9F26F1E4}.dat
2007-08-30 13:23 32 --sha-w C:\WINDOWS\system32\{958DAD85-C439-4399-94C7-7D1C0A2A4AE6}.dat
2007-08-30 13:18 32 --sha-w C:\WINDOWS\system32\{D5088350-8183-4017-873A-7405292E3D56}.dat
2007-08-30 13:20 32 --sha-w C:\WINDOWS\system32\{EC24209C-7A62-4779-96CF-FFF31AF5E701}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCPal"="C:\Program Files\PCPal\PalAgnt.exe" [2007-10-24 522736]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB1526"="command" [X]
"SpybotDeletingD8877"="del" [X]
"SpybotDeletingB3644"="command" [X]
"SpybotDeletingD963"="del" [X]
"SpybotDeletingB6967"="command" [X]
"SpybotDeletingD1980"="del" [X]
"SpybotDeletingB1614"="command" [X]
"SpybotDeletingD7794"="del" [X]
"SpybotDeletingB5579"="command" [X]
"SpybotDeletingD6407"="del" [X]
"SpybotDeletingB9105"="command" [X]
"SpybotDeletingD9145"="del" [X]
"SpybotDeletingB1823"="command" [X]
"SpybotDeletingD7845"="del" [X]
"SpybotDeletingB9592"="command" [X]
"SpybotDeletingD6932"="del" [X]
"SpybotDeletingB1518"="command" [X]
"SpybotDeletingD7421"="del" [X]
"SpybotDeletingB8869"="command" [X]
"SpybotDeletingD557"="del" [X]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Probe"="C:\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 50880]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 34504]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-09-20 1397760]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-03-12 81920]
"Zboard"="C:\Program Files\Ideazon\ZEngine\Zboard.exe" [2007-07-25 57344]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2003-11-30 177152]
"EzPrint"="C:\Program Files\Lexmark 350 Series\ezprint.exe" [2006-06-06 98304]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-16 1197648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-01 151552]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 200704]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-08-25 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-08 289576]
"20c9e5df"="C:\WINDOWS\system32\tkkhxjce.dll" [2008-09-18 89600]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
C:\Documents and Settings\Scott\Start Menu\Programs\Startup\
Nikon Monitor.lnk - C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-06-14 479232]
VirtualExpander.lnk - C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe [2007-09-04 434176]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= "C:\Program Files\ParetoLogic\Anti-Spyware\PASShlExt.dll" [2007-10-24 98304]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wmunem.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"vidc.VP31"= vp31vfw.dll
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"GhostStartTrayApp"=C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"LXCVCATS"=rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCVtime.dll,_RunDLLEntry@16
"SPM2007 PasswordManagerFFAutoFill"="C:\Program Files\Steganos Password Manager 2007\PasswordManagerFFAutoFill.exe"
"InstaVerse"=C:\Program Files\InstaVerse\InstaVerse.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
"PhilipsDM"="C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Smart PC Solutions\\Magic Speed\\MagicSpeed.exe"=
"C:\\WINDOWS\\system32\\lxcvcoms.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\BookCAT\\BookCAT.exe"=
"C:\\Program Files\\CATVids\\CATVids.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"C:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"C:\\Program Files\\CyberLink\\PowerDirector Express\\PDX.exe"=
"C:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 156800]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 5248]
R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-30 77312]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2002-08-14 5632]
S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 124832]
S2 adunidrv;UniDriver for OneCare;C:\WINDOWS\system32\DRIVERS\adunidrv.sys [2007-09-25 7168]
S2 advproct;Microsoft Corporation Process Trigger Driver;C:\WINDOWS\system32\DRIVERS\advproct.sys [2007-09-25 6656]
S2 lxcv_device;lxcv_device;C:\WINDOWS\system32\lxcvcoms.exe [2006-06-21 528384]
S2 PCPalSrvHost;PCPalSrvHost;C:\Program Files\PCPal\PCPalSrvHost.exe [2007-10-24 312304]
S2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 40832]
S3 Alpham1;Ideazon ZBoard USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-07-23 42624]
S3 Alpham2;Ideazon ZBoard MM USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham2.sys [2007-03-20 18432]
S3 Si670m;WayTech Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\Si670m.sys [2006-09-28 13312]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Setup.exe -auto
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
\Shell\AutoRun\command - N:\Setup.exe -auto
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
BHO-{55737035-1B75-48DD-A4D8-66155D8AC7A3} - C:\WINDOWS\system32\jkkJDtqq.dll
BHO-{8C0ABB22-E9DC-40DE-8A96-008210F8C1D9} - C:\WINDOWS\system32\opnlLeCv.dll
Toolbar-SITEguard - (no file)
Toolbar-{d56fa2da-9935-4585-b130-9757ab462371} - (no file)
ShellIconOverlayIdentifiers-{E4000AC4-5E5F-4956-807A-C5854405D64F} - %SystemRoot%\system32\VirtualExpander\VEShellExt.dll
HKLM-Run-lphc3ojj0ejcg - C:\WINDOWS\system32\lphc3ojj0ejcg.exe
HKLM-Run-\VIE2A2.exe - C:\Windows\System32\VIE2A2.exe
HKLM-Run-\VIE2A3.exe - C:\Windows\System32\VIE2A3.exe
HKLM-Run-\VIE2A6.exe - C:\Windows\System32\VIE2A6.exe
HKLM-Run-BM23fad643 - C:\WINDOWS\system32\jxdaycsw.dll
HKLM-Run-NWEReboot - (no file)
ShellExecuteHooks-{55737035-1B75-48DD-A4D8-66155D8AC7A3} - C:\WINDOWS\system32\jkkJDtqq.dll
Notify-AtiExtEvent - (no file)
Notify-dimsntfy - (no file)
.
------- Supplementary Scan -------
.
R0 -: HKLM-Main,Start Page = hxxp://cm.my.yahoo.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://sitedirector.symantec.com/932743328/?ssdcat=112&oslang=iso:ENG&oslocale=iso:US&spskum=11309257&plang=EN&linkid=006&osver=5.1&pversionid=1.4
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.inf
C:\WINDOWS\Downloaded Program Files\Manager.exe
C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.ocx
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-20 15:56:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
.
**************************************************************************
.
Completion time: 2008-09-20 16:06:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-20 20:06:09
Pre-Run: 11,993,202,688 bytes free
Post-Run: 12,868,575,232 bytes free
356 --- E O F --- 2008-04-13 03:27:50
2) The Hijack This Log (after running ComboFix)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:48 PM, on 9/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://sitedirector.symantec.com/932743328/?ssdcat=112&oslang=iso:ENG&oslocale=iso:US&spskum=11309257&plang=EN&linkid=006&osver=5.1&pversionid=1.4
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Download Manager Browser Helper Object - {19C8E43B-07B3-49CB-BFFC-6777B593E6F8} - C:\PROGRA~1\COMMON~1\fluxDVD\DOWNLO~1\XEBDLH~1.DLL
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {ce856594-e988-4b2b-31c4-200350f48408} - {80484f05-3002-4c13-b2b4-889e495658ec} - C:\WINDOWS\system32\wmunem.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 350 Series\ezprint.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [20c9e5df] rundll32.exe "C:\WINDOWS\system32\tkkhxjce.dll",b
O4 - HKCU\..\Run: [PCPal] "C:\Program Files\PCPal\PalAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1526] command /c del "C:\Program Files\PCHealthCenter\0.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8877] cmd /c del "C:\Program Files\PCHealthCenter\0.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3644] command /c del "C:\Program Files\PCHealthCenter\1.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingD963] cmd /c del "C:\Program Files\PCHealthCenter\1.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6967] command /c del "C:\Program Files\PCHealthCenter\1.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1980] cmd /c del "C:\Program Files\PCHealthCenter\1.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1614] command /c del "C:\Program Files\PCHealthCenter\2.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7794] cmd /c del "C:\Program Files\PCHealthCenter\2.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5579] command /c del "C:\Program Files\PCHealthCenter\2.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6407] cmd /c del "C:\Program Files\PCHealthCenter\2.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9105] command /c del "C:\Program Files\PCHealthCenter\2.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9145] cmd /c del "C:\Program Files\PCHealthCenter\2.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1823] command /c del "C:\Program Files\PCHealthCenter\3.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7845] cmd /c del "C:\Program Files\PCHealthCenter\3.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9592] command /c del "C:\Program Files\PCHealthCenter\0.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6932] cmd /c del "C:\Program Files\PCHealthCenter\0.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1518] command /c del "C:\Program Files\PCHealthCenter\1.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7421] cmd /c del "C:\Program Files\PCHealthCenter\1.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8869] command /c del "C:\WINDOWS\system32\jxdaycsw.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD557] cmd /c del "C:\WINDOWS\system32\jxdaycsw.dll_old"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203459842953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203459890406
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553635000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: wmunem.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcv_device - - C:\WINDOWS\system32\lxcvcoms.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCPalSrvHost - Unknown owner - C:\Program Files\PCPal\PCPalSrvHost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 12516 bytes
Again, thank you and just let me know if anything else needs to be done to complete this fix.
pskelley
2008-09-21, 00:09
Again, thank you and just let me know if anything else needs to be done to complete this fix.
You have a very infected computer, and we are just getting started. Please continue to try to start in Normal Mode and let me know what happens, any messages, when you do.
Please read this information: File Sharing, otherwise known as Peer To Peer. (P2P)
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
C:\Documents and Settings\Scott\.limewire
Follow the directions carefully and in the numbered order.
1) Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
3) Open notepad and copy/paste the text in the codebox below into it:
File::
C:\WINDOWS\system32\wmunem.dll
C:\WINDOWS\system32\tkkhxjce.dll
C:\WINDOWS\system32\esmrkjoy.dll
C:\WINDOWS\system32\vahmew.dll
C:\WINDOWS\system32\sntyubty.dll
C:\WINDOWS\system32\nfaoqvmg.dll
C:\WINDOWS\system32\kfvqbpma.dll
C:\WINDOWS\system32\hhfeonbs.dll
C:\WINDOWS\system32\djucom.dll
C:\WINDOWS\system32\ofqdxnhd.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: {ce856594-e988-4b2b-31c4-200350f48408} - {80484f05-3002-4c13-b2b4-889e495658ec} - C:\WINDOWS\system32\wmunem.dll
O4 - HKLM\..\Run: [20c9e5df] rundll32.exe "C:\WINDOWS\system32\tkkhxjce.dll",b
O4 - HKCU\..\RunOnce: [SpybotDeletingB1526] command /c del "C:\Program Files\PCHealthCenter\0.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8877] cmd /c del "C:\Program Files\PCHealthCenter\0.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3644] command /c del "C:\Program Files\PCHealthCenter\1.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingD963] cmd /c del "C:\Program Files\PCHealthCenter\1.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6967] command /c del "C:\Program Files\PCHealthCenter\1.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1980] cmd /c del "C:\Program Files\PCHealthCenter\1.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1614] command /c del "C:\Program Files\PCHealthCenter\2.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7794] cmd /c del "C:\Program Files\PCHealthCenter\2.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5579] command /c del "C:\Program Files\PCHealthCenter\2.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6407] cmd /c del "C:\Program Files\PCHealthCenter\2.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9105] command /c del "C:\Program Files\PCHealthCenter\2.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9145] cmd /c del "C:\Program Files\PCHealthCenter\2.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1823] command /c del "C:\Program Files\PCHealthCenter\3.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7845] cmd /c del "C:\Program Files\PCHealthCenter\3.gif"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9592] command /c del "C:\Program Files\PCHealthCenter\0.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6932] cmd /c del "C:\Program Files\PCHealthCenter\0.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1518] command /c del "C:\Program Files\PCHealthCenter\1.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7421] cmd /c del "C:\Program Files\PCHealthCenter\1.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8869] command /c del "C:\WINDOWS\system32\jxdaycsw.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD557] cmd /c del "C:\WINDOWS\system32\jxdaycsw.dll_old"
O20 - AppInit_DLLs: wmunem.dll
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.
Let me know how the computer is running now, and post the HJT log in Normal mode, or post the message you get when you try to do that.
Here is something else to try if you can not access Normal Mode:
Boot up in safe mode
bring up taskmgr (alt/ctl/del)
Select file: either use the browse button to get to this path and double click on msconfig.exe or type the entire path in by hand (copy/paste will work)
C:\windows\pchealth\helpctr\binaries\msconfig.exe
This will bring you back to msconfig screen.
From there you can select the boot.ini tab and unselect the /SAFEBOOT check box. Restart your PC and see if you can start normally.
Thanks
shake48471
2008-09-24, 17:46
I downloaded the programs you requested but when I ran the first one (TeaTimer.bat) I got the following error:
SpyBot and Tea Timer must be closed!!
Press any key to continue . . .
CScript Error: Can't find script engine "VBScript" for script "C:\Documents and
Settings\Scott\Desktop\GetPaths.vbs".
'SetPaths.bat' is not recognized as an internal or external command,
operable program or batch file.
Could Not Find C:\Documents and Settings\Scott\Desktop\SetPaths.bat
Finished
Press any key to continue . . .
I wasn't sure if this is what it's supposed to get so I did not want to proceed any further until I get direction from you. By the way, I am now able to log into windows normally (after performing the fixes on the previous thread). Should I continue on with the other fixes on the current thread or do I need to do something else to get the teaTimer.bat file to work? Thanks for your help!
pskelley
2008-09-24, 19:48
I don't know what you are doing with ResetTeaTimer.bat? It's just a simple batch file that clears the TeaTimer memory and has nothing to do with CFScript? Finish the rest of the instructions and post the requested information.
Thanks
shake48471
2008-09-28, 23:11
I am running the other fixes you requested on the computer and so far everything has worked...but I won't be able to finish it till I get home from work tonight, but didn't want this to go inactive...I will send all the info you requested tonight when I get done. As far as ResetTeaTimer.bat, I followed exactly the instructions that were posted...I hadn't done anything with the CFScript at this point (not sure if you had noticed...I didn't at first...but the error said "CScript Error" not CFScript Error"). But hopefully everything else will work good. Thank you so much for your help! I'll post again later tonight.
shake48471
2008-09-29, 12:02
I completed the tasks you requested from your last post...the computer seems to be running better...I can access Normal mode with no problems now. One thing I wasn't sure of though, I didn't know if you needed a HJT log after the computer rebooted from dragging the CFScript into ComboFix but before performing the HJT scan where we were fixing the checked entries, so I printed a log there just in case (called hijackthis_1.txt). But I also did the one at the end that I know you wanted (called hijackthis_2.txt).
One other note...when I was going through and checking the boxes of the items on the HijackThis scan from the list on your last post I noticed there were quite a few from your list that did not come up for me to check the box on (you'll notice if you compare the first HJT log with your list)...I hope that's ok. Anyway, here are the logs in order that they were run...if I need to redo anything just let me know:
1) ComboFix log:
ComboFix 08-09-20.02 - Scott 2008-09-28 14:48:15.2 - NTFSx86
Running from: C:\Documents and Settings\Scott\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Scott\Desktop\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\djucom.dll
C:\WINDOWS\system32\esmrkjoy.dll
C:\WINDOWS\system32\hhfeonbs.dll
C:\WINDOWS\system32\kfvqbpma.dll
C:\WINDOWS\system32\nfaoqvmg.dll
C:\WINDOWS\system32\ofqdxnhd.dll
C:\WINDOWS\system32\sntyubty.dll
C:\WINDOWS\system32\tkkhxjce.dll
C:\WINDOWS\system32\vahmew.dll
C:\WINDOWS\system32\wmunem.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\djucom.dll
C:\WINDOWS\system32\esmrkjoy.dll
C:\WINDOWS\system32\hhfeonbs.dll
C:\WINDOWS\system32\kfvqbpma.dll
C:\WINDOWS\system32\nfaoqvmg.dll
C:\WINDOWS\system32\ofqdxnhd.dll
C:\WINDOWS\system32\sntyubty.dll
C:\WINDOWS\system32\tkkhxjce.dll
C:\WINDOWS\system32\vahmew.dll
C:\WINDOWS\system32\wmunem.dll
.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-28 )))))))))))))))))))))))))))))))
.
2008-09-20 16:19 . 2008-09-28 14:48 594 ---hs---- C:\WINDOWS\system32\ecjxhkkt.ini
2008-09-18 14:49 . 2008-09-18 14:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-18 09:32 . 2008-09-18 09:32 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-18 00:35 . 2008-09-18 00:35 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-17 23:41 . 2008-09-17 23:41 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2008-09-17 18:04 . 2008-09-17 18:04 <DIR> d-------- C:\Program Files\gs
2008-09-17 18:04 . 2008-09-17 18:04 43 --a------ C:\WINDOWS\gswin32.ini
2008-09-17 18:00 . 2008-09-17 18:00 <DIR> d-------- C:\Program Files\PlotSoft
2008-09-17 18:00 . 2005-05-07 14:14 90,112 --a------ C:\WINDOWS\system32\custmon2k.dll
2008-09-17 18:00 . 2004-06-06 20:17 53,248 --a------ C:\WINDOWS\system32\uninstpw.exe
2008-09-17 18:00 . 2005-05-07 14:15 24,576 --a------ C:\WINDOWS\system32\custsave.exe
2008-09-10 15:35 . 2008-09-10 15:35 <DIR> d-------- C:\Program Files\iPod
2008-09-10 15:35 . 2008-09-10 15:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-10 15:32 . 2008-09-10 15:32 <DIR> d-------- C:\Program Files\Bonjour
2008-09-10 15:30 . 2008-09-10 15:31 <DIR> d-------- C:\Program Files\QuickTime
2008-09-08 18:03 . 2008-09-08 18:03 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\CyberLink
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-09-04 12:48 . 2008-09-04 12:48 35 --a------ C:\WINDOWS\iltwain.ini
2008-09-04 12:39 . 2008-09-04 14:02 <DIR> d-------- C:\Program Files\Qimage
2008-08-30 14:50 . 2008-08-30 14:50 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Electronic Arts
2008-08-29 20:34 . 2008-08-29 20:36 <DIR> d-------- C:\Program Files\Xfire
2008-08-29 20:34 . 2008-08-29 20:35 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Xfire
2008-08-29 14:54 . 2008-08-30 01:12 <DIR> d-------- C:\Mythic
2008-08-29 10:18 . 2008-08-29 10:18 87,336 --a------ C:\WINDOWS\system32\dns-sd.exe
2008-08-29 09:53 . 2008-08-29 09:53 61,440 --a------ C:\WINDOWS\system32\dnssd.dll
2008-08-29 00:51 . 2008-08-29 00:51 <DIR> d-------- C:\Program Files\Disney
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 18:39 --------- d---a-w C:\Program Files\Common Files\Symantec Shared
2008-09-28 03:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-18 13:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-18 13:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-18 04:51 --------- d-----w C:\Program Files\Norton Security Scan
2008-09-18 03:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-16 00:49 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2008-09-11 02:22 --------- d-----w C:\Program Files\BookCAT
2008-09-10 19:36 --------- d-----w C:\Program Files\iTunes
2008-09-10 19:30 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-08 22:10 --------- d-----w C:\Documents and Settings\Scott\Application Data\U3
2008-09-08 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cyberlink
2008-09-06 20:51 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
2008-09-05 17:21 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
2008-09-04 01:21 --------- d-----w C:\Documents and Settings\Scott\Application Data\AdobeUM
2008-09-04 01:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-01 14:22 --------- d-----w C:\Program Files\e-Sword
2008-08-29 03:30 --------- d-----w C:\Program Files\Canon
2008-08-28 03:56 --------- d-----w C:\Program Files\Bible Explorer 4
2008-08-28 00:25 --------- d-----w C:\Program Files\PowerISO
2008-08-27 23:55 --------- d-----w C:\Program Files\Common Files\HumanConcepts
2008-08-27 23:39 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2008-08-27 23:39 --------- d-----w C:\Program Files\Yahoo!
2008-08-27 23:32 --------- d-----w C:\Program Files\Ulead Systems
2008-08-27 23:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-08-27 22:56 --------- d-----w C:\Program Files\Java
2008-08-27 15:08 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-27 03:47 --------- d-----w C:\Program Files\Corel
2008-08-26 03:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\CinemaNow
2008-08-26 03:12 --------- d-----w C:\Program Files\Common Files\fluxDVD
2008-08-26 02:46 --------- d-----w C:\Program Files\Task Reporter
2008-08-26 02:34 --------- d-----w C:\Program Files\HumanConcepts
2008-08-26 00:28 --------- d-----w C:\Documents and Settings\Scott\Application Data\Vso
2008-08-25 23:16 --------- d-----w C:\Program Files\Common Files\mpDRM
2008-08-25 23:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\mpDRM
2008-08-25 23:15 --------- d-----w C:\Program Files\CinemaNow
2008-08-25 23:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\fluxDVD
2008-08-25 07:57 --------- d-----w C:\Program Files\Common Files\xing shared
2008-08-25 07:56 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-08-25 07:56 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-08-25 07:56 --------- d-----w C:\Program Files\Common Files\Real
2008-08-23 07:44 --------- d-----w C:\Program Files\GetData
2008-08-23 04:00 --------- d-----w C:\Program Files\Norton SystemWorks
2008-08-22 06:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-20 23:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-08-20 20:40 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-08-20 20:37 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-08-19 21:26 --------- d-----w C:\Program Files\QPcard
2008-08-17 05:47 --------- d-----w C:\Documents and Settings\Scott\Application Data\ATI
2008-08-17 05:14 --------- d-----w C:\Documents and Settings\Scott\Application Data\Apple Computer
2008-08-16 04:19 --------- d-----w C:\Documents and Settings\Scott\Application Data\dvdcss
2008-08-16 04:11 --------- d-----w C:\Program Files\Apple Software Update
2008-08-15 14:54 --------- d-----w C:\Program Files\VSO
2008-08-15 14:28 --------- d-----w C:\Program Files\CamStudio
2008-08-14 00:52 --------- d-----w C:\Program Files\Password Safe
2008-08-14 00:15 --------- d-----w C:\Program Files\Hobopublishing
2008-08-12 22:07 42,320 ----a-w C:\WINDOWS\system32\xfcodec.dll
2008-08-12 04:47 --------- d-----w C:\Program Files\MagicTune Premium
2008-08-10 20:02 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-08-10 02:04 --------- d-----w C:\Program Files\Common Files\Nikon
2008-08-10 02:04 --------- d-----w C:\Documents and Settings\Scott\Application Data\Nikon
2008-08-09 18:11 --------- d-----w C:\Program Files\CyberLink
2008-08-09 18:03 --------- d-----w C:\Program Files\Digital Photo Navigator 1.5
2008-08-06 16:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\espionServerData
2008-08-06 15:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-06 14:59 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-08-06 14:51 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-08-06 14:51 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-08-06 14:51 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-08-06 14:51 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-08-06 14:51 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-08-06 14:51 116,472 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-08-04 06:43 --------- d-----w C:\Documents and Settings\Scott\Application Data\Purchases v1.2 7 05246
2008-08-04 06:38 --------- d-----w C:\Documents and Settings\Scott\Application Data\woodtracker 5 05246
2008-08-04 06:35 --------- d-----w C:\Program Files\woodtracker
2008-08-04 06:35 --------- d-----w C:\Program Files\Purchases
2008-08-04 06:35 --------- d-----w C:\Program Files\PenBox
2008-08-04 06:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-08-04 06:13 --------- d-----w C:\Documents and Settings\Scott\Application Data\PenBox 53 05297
2008-08-04 06:11 --------- d-----w C:\Program Files\Brilliant Database WPE 51
2008-08-04 06:10 180,224 ----a-w C:\WINDOWS\system32\IJL11.dll
2008-08-02 19:38 --------- d-----w C:\Program Files\Conduit
2008-08-02 19:38 --------- d-----w C:\Program Files\CalendarHome.com
2008-08-02 06:06 --------- d-----w C:\Program Files\CATVids
2008-07-29 21:49 --------- d-----w C:\Documents and Settings\Scott\Application Data\Pen Box Demo Beta 2.0.1 1 05246
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-06-29 16:54 229,452 ----a-w C:\WINDOWS\system32\mls_set4.dll
2008-06-29 16:54 118,784 ----a-w C:\WINDOWS\system32\f18dll.dll
2008-06-29 16:52 69,632 ----a-w C:\WINDOWS\system32\f15dll.dll
2008-06-29 16:52 557,328 ----a-w C:\WINDOWS\system32\DAO360.dll
2008-06-29 16:52 53,248 ----a-w C:\WINDOWS\system32\EZTW32.dll
2008-06-29 16:52 32,768 ----a-w C:\WINDOWS\system32\tstream.dll
2008-06-29 16:52 32,768 ----a-w C:\WINDOWS\system32\Base64.dll
2008-06-29 16:52 229,454 ----a-w C:\WINDOWS\system32\mls_set3.dll
2007-08-30 13:23 32 --sh--w C:\WINDOWS\{1AD6AE75-5F97-4472-AB53-EEC65DA985BD}.dat
2007-08-30 13:20 32 --sh--w C:\WINDOWS\{1CB2A1D9-6434-44F4-B148-0D121A4A23BC}.dat
2007-08-30 13:18 32 --sh--w C:\WINDOWS\{4D71CFE6-3348-4040-B4A7-EA756AA30A06}.dat
2007-08-30 13:23 32 --sh--w C:\WINDOWS\{594AEE07-1F1A-4881-BEC0-848B1D438E72}.dat
2007-08-30 13:20 32 --sh--w C:\WINDOWS\{707C7B5D-967C-4F2B-94AB-1F7CDE526E6D}.dat
2007-08-30 13:20 32 --sh--w C:\WINDOWS\{E4F3A074-1D2F-4F08-8523-09D2199C182E}.dat
2007-08-30 13:22 32 --sh--w C:\WINDOWS\{E7BC84C1-FB88-4BB5-8BD5-12930FBDE53F}.dat
2007-11-08 07:08 80 --sh--r C:\WINDOWS\system32\1FE9CC6202.dll
2007-08-30 13:20 32 --sha-w C:\WINDOWS\system32\{190659DF-7512-4893-99A6-5F3044DDFA01}.dat
2007-08-30 13:20 32 --sha-w C:\WINDOWS\system32\{1B23F303-8BDE-4908-98D8-E06718694B1E}.dat
2007-08-30 13:22 32 --sha-w C:\WINDOWS\system32\{6A74D0AB-CA54-4EB3-83B4-549F6B0BE0C0}.dat
2007-08-30 13:23 32 --sha-w C:\WINDOWS\system32\{77FC3A42-1083-4010-9A5C-AFFB9F26F1E4}.dat
2007-08-30 13:23 32 --sha-w C:\WINDOWS\system32\{958DAD85-C439-4399-94C7-7D1C0A2A4AE6}.dat
2007-08-30 13:18 32 --sha-w C:\WINDOWS\system32\{D5088350-8183-4017-873A-7405292E3D56}.dat
2007-08-30 13:20 32 --sha-w C:\WINDOWS\system32\{EC24209C-7A62-4779-96CF-FFF31AF5E701}.dat
.
2) 1st HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:20, on 2008-09-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\lxcvcoms.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PCPal\PCPalSrvHost.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Lexmark 350 Series\ezprint.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PCPal\PalAgnt.exe
C:\Program Files\Smart PC Solutions\Magic Speed\MagicSpeedBooster.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {d56fa2da-9935-4585-b130-9757ab462371} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Download Manager Browser Helper Object - {19C8E43B-07B3-49CB-BFFC-6777B593E6F8} - C:\PROGRA~1\COMMON~1\fluxDVD\DOWNLO~1\XEBDLH~1.DLL
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {ce856594-e988-4b2b-31c4-200350f48408} - {80484f05-3002-4c13-b2b4-889e495658ec} - C:\WINDOWS\system32\wmunem.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 350 Series\ezprint.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [20c9e5df] rundll32.exe "C:\WINDOWS\system32\tkkhxjce.dll",b
O4 - HKCU\..\Run: [PCPal] "C:\Program Files\PCPal\PalAgnt.exe" /startup
O4 - HKCU\..\Run: [MagicSpeedBooster] C:\Program Files\Smart PC Solutions\Magic Speed\MagicSpeedBooster.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [\VIE2A2.exe] C:\Windows\System32\VIE2A2.exe
O4 - HKCU\..\Run: [\VIE2A3.exe] C:\Windows\System32\VIE2A3.exe
O4 - HKCU\..\Run: [\VIE2A4.exe] C:\Windows\System32\VIE2A4.exe
O4 - HKCU\..\Run: [\VIE2A5.exe] C:\Windows\System32\VIE2A5.exe
O4 - HKCU\..\Run: [\VIE2A6.exe] C:\Windows\System32\VIE2A6.exe
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O15 - Trusted Zone: http://www.irs.gov
O15 - Trusted Zone: *.softpedia.com
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203459842953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203459890406
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553635000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcv_device - - C:\WINDOWS\system32\lxcvcoms.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCPalSrvHost - Unknown owner - C:\Program Files\PCPal\PCPalSrvHost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 14147 bytes
3) 2nd HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:02, on 2008-09-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\lxcvcoms.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PCPal\PCPalSrvHost.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\Lexmark 350 Series\ezprint.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {d56fa2da-9935-4585-b130-9757ab462371} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Download Manager Browser Helper Object - {19C8E43B-07B3-49CB-BFFC-6777B593E6F8} - C:\PROGRA~1\COMMON~1\fluxDVD\DOWNLO~1\XEBDLH~1.DLL
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 350 Series\ezprint.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PCPal] "C:\Program Files\PCPal\PalAgnt.exe" /startup
O4 - HKCU\..\Run: [MagicSpeedBooster] C:\Program Files\Smart PC Solutions\Magic Speed\MagicSpeedBooster.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O15 - Trusted Zone: http://www.irs.gov
O15 - Trusted Zone: *.softpedia.com
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203459842953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203459890406
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553635000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcv_device - - C:\WINDOWS\system32\lxcvcoms.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCPalSrvHost - Unknown owner - C:\Program Files\PCPal\PCPalSrvHost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 12927 bytes
4) Malwarebytes' log:
Malwarebytes' Anti-Malware 1.28
Database version: 1221
Windows 5.1.2600 Service Pack 2
2008-09-29 01:00:34
mbam-log-2008-09-29 (01-00-34).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 175090
Time elapsed: 1 hour(s), 32 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 26
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie2a2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie2a3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie2a4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie2a5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie2a6.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\djucom.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\esmrkjoy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hhfeonbs.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nfaoqvmg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ofqdxnhd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sntyubty.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tkkhxjce.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vahmew.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\VIE2A2.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\VIE2A3.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\VIE2A6.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wmunem.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\xtsqrkor.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2305F6D5-C93C-4FDB-9BE3-C3B9EDCA3D1B}\RP486\A0156734.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2305F6D5-C93C-4FDB-9BE3-C3B9EDCA3D1B}\RP486\A0156735.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2305F6D5-C93C-4FDB-9BE3-C3B9EDCA3D1B}\RP486\A0156736.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2305F6D5-C93C-4FDB-9BE3-C3B9EDCA3D1B}\RP486\A0156738.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2305F6D5-C93C-4FDB-9BE3-C3B9EDCA3D1B}\RP486\A0160764.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2305F6D5-C93C-4FDB-9BE3-C3B9EDCA3D1B}\RP486\A0160766.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2305F6D5-C93C-4FDB-9BE3-C3B9EDCA3D1B}\RP486\A0160769.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2305F6D5-C93C-4FDB-9BE3-C3B9EDCA3D1B}\Rv 4h72倃h\寿義 ?|V[缘v攴<*@Ge e妟M2暿,8Z舙m 5ye4)鴅m,2< 遵jh1唍Fb)gn0 0鷑曝蛨筛渟h0︺ 12薦7堒D\ 扡緼滼諑*无x zN钫{蹉lyFm誮 ").kYDU蒕 n(4振鮰拻 軡靌
KAszOf忀 憡0窐鵠櫓涃鏹 <73鸑f偦佡p. `憖?o嗃=Iv' ?{舶 .裤,祄% 躾Q歩咔缠 -"踙X奐蝋*d/ 叅P}!V满淢 x1印;$R碓? 旁戓竱赦pv鎣1R 懴覩9M5Ql 5eq4嵹Кx缬险 -z&/E^皇tPZ} 鹙螪鸨D酿J騛
b 踶{
W 黏!竻N?e L6:o89o7}m榢~7| i(n$ kF}>PoJSZ7oJ5oJ26oJg4f6oPog8'7 42'磿]o0嗭 づ'喋~\lR穓錸 ML5鋹N;啇 #d亭*
+覃滣* Ψpv6焦黿R鸣 %罞L硨儸% 臤\俆姢)d[ 鴄﹑4毎鹁I 睉#9YEL 怵;1$Po"嗠畛O u\*咼鏒仈溞D k
2`(/=岪 J"欀Cv:剕*D徘 豬倱T*w" 懏9逬/嶬
I don't know what's up with the funny characters on the last few lines of the MBAM log but they were on there. Please let me know I need to do from here (if there are more steps to go). Thank you so much for your help...I really appreciate all that you've done to help me fix this!
pskelley
2008-09-29, 15:57
Thanks for returning your information and the feedback, CFScript likely removed the items that were gone when you got to the HJT removal instructions.
For your information, the HJT log tell us what the tool has accomplished so it is always needs to be created after the tool has been run.
I don't know why the strange item in the MBAM log either, but that is an item in an infected System Restore file. We will clean those and remove combofix/quarantine after the next instruction.
I must have missed these, use HJT to remove them if you wish:
Dead line:
R3 - URLSearchHook: (no name) - {d56fa2da-9935-4585-b130-9757ab462371} - (no file)
If you really trust these enough to allow that much acccess to your computer, you can leave them.
O15 - Trusted Zone: http://www.irs.gov
O15 - Trusted Zone: *.softpedia.com
I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.
http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif
Since we do not need to scan with combofix, click NO
http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif
http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif
Thanks
shake48471
2008-10-04, 23:52
I sucessuflly installed the Windows Recovery Console...the following is the CF-RC log:
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
Just let me know what to do next...thanks!!
pskelley
2008-10-05, 00:14
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean infected System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Update MBAM and scan to make sure we missed none of the junk, no need to post a clean scan result.
Update Norton AntiVirus and scan the system to be sure it is running right and scanning clean. If you have problems with the program, contact teck support for instructions.
http://www.symantec.com/enterprise/support/index.jsp
Let me know if all is well at that point and I will close your topic.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html