Command.exe removal
fixmeplease
2008-10-29, 19:21
I'm having tons of pop ups. I ran Spybot, it tries to uninstall at startup, but it never goes away. My computer won't let me run updates, or my antivirus program (Sophos). My HijackThis log is below. Any assistance would be appreciated. Please let me know if you need additional information.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:57 AM, on 10/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Lisa Yiu\lsass.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Lisa Yiu\Application Data\Facegame\Facegame.exe
C:\Documents and Settings\Lisa Yiu\Application Data\Gool\Gool.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Lisa Yiu\Application Data\SpeedRunner\SpeedRunner.exe
C:\DOCUME~1\LISAYI~1\APPLIC~1\ICROSO~1\winlogon.exe
C:\WINDOWS\system32\F?nts\r?gsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [pwdir] "C:\Program Files\PasswordDirector\PasswordDirector.exe" /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Lisa Yiu\lsass.exe
O4 - HKLM\..\Run: [mapkbdzwxbbo] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\vprfbtmwxabgda.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [Facegame] "C:\Documents and Settings\Lisa Yiu\Application Data\Facegame\Facegame.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [Gool] "C:\Documents and Settings\Lisa Yiu\Application Data\Gool\Gool.exe"
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Lisa Yiu\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Lisa Yiu\Application Data\Microsoft\Windows\ofjyfn.exe
O4 - HKCU\..\Run: [GetPack23] "C:\Program Files\GetPack\GetPack23.exe"
O4 - HKCU\..\Run: [Snte] "C:\DOCUME~1\LISAYI~1\APPLIC~1\ICROSO~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [Xgclk] C:\WINDOWS\system32\F?nts\r?gsvr32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0612502E-29F8-11D6-BC3C-00C0F0167E34} (CRS Inc. Data Object) - http://tarmls.crsdata.com/CRSDataObject/CRSNInfo.cab
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://photo.walgreens.com/WalgreensOutlookImport.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - https://www.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://tarmls.crsdata.com/realestate/maps/downloads/mgaxctrlv65.cab
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file:///C:/DOCUME~1/LISAYI~1/LOCALS~1/Temp/IXP000.TMP/setup.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {DB1B4C3B-8690-43B2-9045-91EDA7A12580} (eWebEditProLibCtl4.eWEPLoader) - http://v25.salesaspects.com/ewebeditpro4/ewebeditpro4.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firstamres.com/mapviewer/mapviewer.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
--
End of file - 8869 bytes
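The log above carries the classic tells of a user-mode infection on XP: lsass.exe and winlogon.exe running from the user's profile rather than system32, a r?gsvr32.exe under a F?nts directory (HijackThis prints "?" for a character it cannot render in the local code page, so these are look-alike names, not the real Fonts folder or regsvr32.exe), and Run keys pointing into Application Data. The ComboFix output later in the thread adds another: Security Center monitoring for the antivirus and firewall switched off in the registry. The script below is an added triage example for this page; it is not part of the thread, HijackThis or ComboFix. Its sample log is constructed from lines posted in this thread, and the heuristics (which binaries count as system-only, which directories count as legitimate, which registry values count as tampering) are the example's own assumptions, not anything the tools implement.

```python
"""
Triage helper for HijackThis / ComboFix logs, written as an added example
for this thread (not part of HijackThis, ComboFix or the forum's tooling).

Three heuristics, all of them this example's own assumptions:
  1. a Windows core binary name (lsass.exe, winlogon.exe, ...) whose parent
     directory is not %SystemRoot% or %SystemRoot%\system32;
  2. a '?' or non-ASCII character inside a path: HijackThis prints '?' for
     characters it cannot render in the local code page, so "F?nts" is a
     look-alike directory, not the real Fonts folder;
  3. Security Center values that silence antivirus/firewall monitoring.
"""
import re
from typing import List, Tuple

# Binaries that only belong in C:\WINDOWS or C:\WINDOWS\system32 on XP
# (assumed baseline for this example; extend it to match your own).
SYSTEM_ONLY = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "regsvr32.exe", "rundll32.exe", "ctfmon.exe",
    "explorer.exe", "spoolsv.exe",
}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}

# First Windows path on a line, whether it is a bare process line, an O4
# entry, or a ComboFix REGEDIT4 value such as "Xgclk"="C:\...\r?gsvr32.exe".
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|sys|ocx)', re.IGNORECASE)

# REGEDIT4 value line like "DisableMonitoring"=dword:00000001
SECCENTER_VALUE_RE = re.compile(r'^"(\w+)"=dword:0*1$')


def path_of(line: str) -> str:
    """Return the first executable-looking path in a log line, or ''."""
    m = PATH_RE.search(line)
    return m.group(0) if m else ""


def check_path(path: str) -> List[str]:
    """Heuristic findings for one path; an empty list means nothing stood out."""
    findings: List[str] = []
    if not path:
        return findings
    low = path.lower()
    parent, _, name = low.rpartition("\\")
    if "?" in path or any(ord(c) > 127 for c in path):
        findings.append("unrenderable or non-ASCII character in path (homoglyph name?)")
    if name in SYSTEM_ONLY and parent not in WINDOWS_DIRS:
        findings.append(f"system binary name {name} running outside %SystemRoot%")
    # Executables in a user profile are not always malicious (some updaters
    # live there), but on XP every one of them deserves a look.
    if "\\documents and settings\\" in low or "\\docume~1\\" in low:
        findings.append("executable located in a user profile")
    return findings


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Walk a HijackThis or ComboFix log and return (line, finding) pairs."""
    findings: List[Tuple[str, str]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[HK"):  # REGEDIT4 key header in ComboFix output
            current_key = line.strip("[]")
            continue
        if "security center" in current_key.lower():
            m = SECCENTER_VALUE_RE.match(line)
            if m:
                findings.append((line, f"Security Center tampering: {m.group(1)}=1 under {current_key}"))
            continue
        for finding in check_path(path_of(line)):
            findings.append((line, finding))
    return findings


# Constructed sample assembled from lines posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Lisa Yiu\lsass.exe
C:\DOCUME~1\LISAYI~1\APPLIC~1\ICROSO~1\winlogon.exe
C:\WINDOWS\system32\F?nts\r?gsvr32.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Lisa Yiu\lsass.exe
O4 - HKLM\..\Run: [mapkbdzwxbbo] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\vprfbtmwxabgda.dll"
O4 - HKCU\..\Run: [Snte] "C:\DOCUME~1\LISAYI~1\APPLIC~1\ICROSO~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xgclk"="C:\WINDOWS\system32\F?nts\r?gsvr32.exe" [?]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-26 7561216]
"""

if __name__ == "__main__":
    for line, finding in triage(SAMPLE_LOG):
        print(f"{finding:<68} <- {line}")
```

Run against the sample, the script reports twelve findings: the two profile copies of lsass.exe and winlogon.exe (each flagged both as a misplaced system binary and as a profile executable, once as a running process and once as its Run key), the two F?nts entries, and the two Security Center values. The same regsvr32.exe and ctfmon.exe paths under system32 produce nothing, which is the point of checking the parent directory rather than just the file name.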
Baabiouz
2008-10-29, 19:51
Hi :)
Please rename HijackThis.exe to Fixmeplease.exe.
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe -> Fixmeplease.exe
____________________
We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
Post a fresh HijackThis log (Fixmeplease.exe) and ComboFix log back here :)
fixmeplease
2008-10-29, 20:47
Ok...
Here is the Combofix log:
ComboFix 08-10-29.07 - Lisa Yiu 2008-10-29 11:32:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.568 [GMT -7:00]
Running from: C:\Documents and Settings\Lisa Yiu\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lisa Yiu\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\DOCUME~1\LISAYI~1\LOCALS~1\Temp\tmp2.tmp
C:\Documents and Settings\Lisa Yiu\Application Data\Facegame
C:\Documents and Settings\Lisa Yiu\Application Data\Facegame\Facegame.exe
C:\Documents and Settings\Lisa Yiu\Application Data\ICROSO~1
C:\Documents and Settings\Lisa Yiu\Application Data\ICROSO~1\?icrosoft\
C:\Documents and Settings\Lisa Yiu\Application Data\ICROSO~1\winlogon.exe
C:\Documents and Settings\Lisa Yiu\Application Data\SpeedRunner
C:\Documents and Settings\Lisa Yiu\Application Data\SpeedRunner\config.cfg
C:\Documents and Settings\Lisa Yiu\Application Data\SpeedRunner\SpeedRunner.exe
C:\Documents and Settings\Lisa Yiu\Application Data\SpeedRunner\SRUninstall.exe
C:\Documents and Settings\Lisa Yiu\lsass.exe
C:\Documents and Settings\Lisa Yiu\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\Lisa Yiu\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Lisa Yiu\Temporary Internet Files\fbk.sts
C:\temp\tn3
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000012_.tmp.dll
C:\WINDOWS\system32\_000013_.tmp.dll
C:\WINDOWS\system32\_000025_.tmp.dll
C:\WINDOWS\system32\bjsnge.dll
C:\WINDOWS\system32\bjwjbp.dll
C:\WINDOWS\system32\ddo.dll
C:\WINDOWS\system32\drivers\asyncmacc.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\efcBttsT.dll
C:\WINDOWS\system32\ekgoewks.exe
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\fnts~1\r?gsvr32.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\hwqlhwcs.dll
C:\WINDOWS\system32\ljJDTnoo.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ncwexwed.ini
C:\WINDOWS\system32\nkdfimsu.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rpwnw64p.exe
C:\WINDOWS\system32\txdodtdv.ini
C:\WINDOWS\system32\vlizww.dll
C:\WINDOWS\system32\wHOXyyay.ini
C:\WINDOWS\system32\wHOXyyay.ini2
C:\WINDOWS\system32\whyjbugh.ini
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\wxilikqs.exe
C:\WINDOWS\system32\yayyXOHw.dll
C:\WINDOWS\system32\ysmiicyq.dll
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASYNCMACC
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_asyncmacc
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-29 )))))))))))))))))))))))))))))))
.
2008-10-29 09:21 . <DIR> C:\WINDOWS\LastGood.Tmp
2008-10-29 08:07 . 2008-10-29 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-28 20:54 . 2008-10-28 20:55 <DIR> d-------- C:\Program Files\CCleaner
2008-10-28 20:49 . 2008-10-28 20:49 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-10-28 20:49 . 2008-10-28 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sophos
2008-10-28 20:49 . 2008-10-28 19:04 17,920 --a------ C:\WINDOWS\system32\sophosboottasks.exe
2008-10-28 20:03 . 2008-10-28 20:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-28 19:04 . 2008-10-28 20:49 <DIR> d-------- C:\Program Files\Sophos
2008-10-28 19:04 . 2008-10-28 19:04 101,120 --a------ C:\WINDOWS\system32\drivers\savonaccesscontrol.sys
2008-10-28 19:04 . 2008-10-28 19:04 33,408 --a------ C:\WINDOWS\system32\drivers\savonaccessfilter.sys
2008-10-28 15:40 . 2008-10-28 16:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-28 15:40 . 2008-10-28 17:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-28 15:24 . 2008-10-28 15:24 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-10-28 15:24 . 2008-10-28 15:24 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-10-28 15:18 . 2008-10-28 15:18 <DIR> d-------- C:\WINDOWS\ufur
2008-10-28 15:18 . 2008-10-29 09:09 <DIR> d-------- C:\Program Files\Common Files\ufur
2008-10-28 15:13 . 2008-10-28 15:13 <DIR> d-------- C:\Program Files\OINAnalytics
2008-10-28 14:47 . 2008-10-28 14:47 <DIR> d-------- C:\Documents and Settings\Lisa Yiu\Application Data\Gool
2008-10-28 14:43 . 2008-10-28 14:43 <DIR> d-------- C:\Program Files\Webtools
2008-10-28 14:38 . 2008-10-28 14:38 <DIR> d-------- C:\Program Files\Mjcore
2008-10-28 13:25 . 2008-10-28 13:25 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
2008-10-28 13:24 . 2008-10-28 13:24 90,915 --a------ C:\WINDOWS\system32\vwytzykprnnesd.dll-uninst.exe
2008-10-27 05:03 . 2008-10-27 05:03 172,032 --a------ C:\WINDOWS\system32\vprfbtmwxabgda.dll
2008-10-27 03:48 . 2008-10-27 03:48 <DIR> d-------- C:\Program Files\Sun
2008-10-26 03:41 . 2008-10-26 03:41 <DIR> d-------- C:\ESXPXML
2008-10-26 03:41 . 2008-10-28 19:04 641 --a------ C:\avremove.csv
2008-10-26 02:52 . 2008-10-26 02:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-10-26 02:41 . 2008-10-26 02:41 548,928 --a------ C:\WINDOWS\system32\rcntptdl.exe
2008-10-26 02:41 . 2008-10-26 02:41 153,475 --a------ C:\WINDOWS\system32\g38.exe
2008-10-26 02:41 . 2008-10-28 18:27 78,628 --a------ C:\WINDOWS\system32\hikjlmupwmdpxdhyq.exe
2008-10-26 02:31 . 2008-10-29 09:09 <DIR> d--hs---- C:\WINDOWS\TGlzYSBZaXU
2008-10-26 02:30 . 2008-10-29 09:09 <DIR> d-------- C:\WINDOWS\system32\wi
2008-10-26 02:30 . 2008-10-26 02:30 <DIR> d-------- C:\WINDOWS\system32\PX
2008-10-26 02:30 . 2008-10-26 02:31 <DIR> d-------- C:\WINDOWS\system32\m3v
2008-10-26 02:30 . 2008-10-26 02:30 <DIR> d-------- C:\WINDOWS\system32\fs3
2008-10-26 02:30 . 2008-10-26 02:30 <DIR> d-------- C:\WINDOWS\system32\EV02
2008-10-26 02:30 . 2008-10-29 09:09 <DIR> d-------- C:\WINDOWS\system32\ec2
2008-10-26 02:13 . 2008-10-26 02:13 <DIR> d-------- C:\Documents and Settings\Lisa Yiu\Application Data\Sonic
2008-10-07 11:39 . 2008-10-07 11:39 0 --a------ C:\.autoreg
2008-10-07 10:57 . 2008-10-07 11:13 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-10-07 10:53 . 2008-10-29 11:37 <DIR> d--hs---- C:\WINDOWS\Installer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 12:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-10-27 11:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-27 11:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-10-27 11:43 --------- d-----w C:\Program Files\Citrix
2008-10-27 11:42 --------- d-----w C:\Program Files\WildTangent
2008-10-27 11:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-27 10:48 --------- d-----w C:\Program Files\Java
2008-10-26 11:29 --------- d-----w C:\Program Files\SmartDraw 2008
2008-10-07 18:45 --------- d-----w C:\Program Files\Google
2008-10-07 18:42 --------- d-----w C:\Program Files\eBay
2008-10-07 18:42 --------- d-----w C:\Documents and Settings\Lisa Yiu\Application Data\eBay
2008-10-07 18:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\eBay
2008-10-07 18:33 --------- d-----w C:\Program Files\Webroot
2008-10-07 18:32 --------- d-----w C:\Documents and Settings\Lisa Yiu\Application Data\Webroot
2008-10-07 18:05 --------- d-----w C:\Program Files\Disney Interactive
2008-09-11 19:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\WholeSecurity
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-06-01 15:53 166 ----a-w C:\Documents and Settings\Lisa Yiu\Application Data\wklnhst.dat
2007-05-08 20:10 56,912 ----a-w C:\Documents and Settings\Lisa Yiu\g2mdlhlpx.exe
2007-04-17 23:30 630,784 ----a-w C:\Documents and Settings\Lisa Yiu\GoToAssist_chat2way__317_en.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4597005E-4565-C7D8-719C-5F8F0F68D0A2}]
2008-10-27 05:03 172032 --a------ C:\WINDOWS\system32\vprfbtmwxabgda.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc56ad52-2c78-5f8d-d97e-cc7762a5322a}]
2008-07-03 08:49 364544 --a------ C:\WINDOWS\system32\vwytzykprnnesd.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xgclk"="C:\WINDOWS\system32\F?nts\r?gsvr32.exe" [?]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"Gool"="C:\Documents and Settings\Lisa Yiu\Application Data\Gool\Gool.exe" [2008-10-28 61440]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-05-16 213936]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 224248]
"pwdir"="C:\Program Files\PasswordDirector\PasswordDirector.exe" [2007-12-20 1978368]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"mapkbdzwxbbo"="C:\WINDOWS\system32\vprfbtmwxabgda.dll" [2008-10-27 172032]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-26 7561216]
"MsmqIntCert"="mqrt.dll" [2007-07-06 C:\WINDOWS\system32\mqrt.dll]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2007-08-02 245760]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
R1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2008-10-28 101120]
R1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys [2008-10-28 33408]
S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys [ ]
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys [ ]
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w600mdm.sys [ ]
*Newly Created Service* - SAVADMINSERVICE
*Newly Created Service* - SAVSERVICE
.
Contents of the 'Scheduled Tasks' folder
2008-09-11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -
BHO-{3ab81398-38dc-4b83-b44e-58c6b012d3fb} - C:\WINDOWS\system32\vlizww.dll
BHO-{6690A949-0104-4CE1-9034-14089A75AE07} - C:\WINDOWS\system32\ljJDTnoo.dll
BHO-{6F85ED3B-26DE-7959-DF49-59C073568DCE} - C:\WINDOWS\system32\ddo.dll
BHO-{897EC404-99F5-43A3-B798-139F2F85BCEF} - C:\WINDOWS\system32\yayyXOHw.dll
BHO-{D1F2989D-6C07-40F4-B6E2-014536CCBDA1} - (no file)
BHO-{E6F9F0D8-E7A1-4838-AAA2-D5F23B5B00B6} - (no file)
HKCU-Run-Facegame - C:\Documents and Settings\Lisa Yiu\Application Data\Facegame\Facegame.exe
HKCU-Run-GetPack23 - C:\Program Files\GetPack\GetPack23.exe
HKCU-Run-Snte - C:\DOCUME~1\LISAYI~1\APPLIC~1\ICROSO~1\winlogon.exe
ShellExecuteHooks-{6690A949-0104-4CE1-9034-14089A75AE07} - C:\WINDOWS\system32\ljJDTnoo.dll
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://my.yahoo.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 -: eBay Search - C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
O16 -: {0612502E-29F8-11D6-BC3C-00C0F0167E34} - hxxp://tarmls.crsdata.com/CRSDataObject/CRSNInfo.cab
C:\WINDOWS\Downloaded Program Files\CRSNinfo.inf
C:\WINDOWS\Downloaded Program Files\CRSNInfo.dll
O16 -: {62BC5DB2-0044-4040-B366-D628F3CFD551} - file:///C:/DOCUME~1/LISAYI~1/LOCALS~1/Temp/IXP000.TMP/setup.cab
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Downloaded Program Files\PrinterBvr.dll
O16 -: {DB1B4C3B-8690-43B2-9045-91EDA7A12580} - hxxp://v25.salesaspects.com/ewebeditpro4/ewebeditpro4.cab
C:\WINDOWS\Downloaded Program Files\ewebeditpro4.INF
C:\WINDOWS\system32\mscomct2.ocx
C:\WINDOWS\system32\MSCOMCTL.OCX
C:\WINDOWS\system32\comdlg32.ocx
C:\WINDOWS\system32\MSVBVM60.DLL
C:\WINDOWS\system32\OLEAUT32.DLL
C:\WINDOWS\system32\OLEPRO32.DLL
C:\WINDOWS\system32\ASYCFILT.DLL
C:\WINDOWS\system32\STDOLE2.TLB
C:\WINDOWS\system32\COMCAT.DLL
C:\Program Files\Microsoft Office\Office\MSCAL.OCX
C:\WINDOWS\system32\ekmediatransfer4.dll
C:\WINDOWS\system32\Actbar2.ocx
C:\WINDOWS\system32\ewepoperation4.dll
C:\WINDOWS\system32\ewebeditrtf4.ocx
C:\WINDOWS\system32\ewebedittoolbar4.ocx
C:\WINDOWS\system32\ekversion.dll
C:\WINDOWS\system32\eWebSchemaStore4.dll
C:\WINDOWS\system32\ekclean4.dll
C:\WINDOWS\system32\ewebeditpro4.ocx
O16 -: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
C:\WINDOWS\Downloaded Program Files\mapviewer.ocx
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-29 11:36:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
.
**************************************************************************
.
Completion time: 2008-10-29 11:41:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-29 18:41:02
Pre-Run: 37,378,494,464 bytes free
Post-Run: 37,364,957,184 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
290 --- E O F --- 2008-10-27 10:50:00
Here is the new HijackThis (renamed Fixmeplease.exe) log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:21 AM, on 10/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\PasswordDirector\PasswordDirector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Lisa Yiu\Application Data\Gool\Gool.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\update\update.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Fixmeplease.exe.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: agadoo browser enhancer - {4597005E-4565-C7D8-719C-5F8F0F68D0A2} - C:\WINDOWS\system32\vprfbtmwxabgda.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: mysidesearch search enhancer - {bc56ad52-2c78-5f8d-d97e-cc7762a5322a} - C:\WINDOWS\system32\vwytzykprnnesd.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [pwdir] "C:\Program Files\PasswordDirector\PasswordDirector.exe" /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mapkbdzwxbbo] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\vprfbtmwxabgda.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [Gool] "C:\Documents and Settings\Lisa Yiu\Application Data\Gool\Gool.exe"
O4 - HKCU\..\Run: [Xgclk] C:\WINDOWS\system32\F?nts\r?gsvr32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0612502E-29F8-11D6-BC3C-00C0F0167E34} (CRS Inc. Data Object) - http://tarmls.crsdata.com/CRSDataObject/CRSNInfo.cab
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://photo.walgreens.com/WalgreensOutlookImport.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - https://www.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://tarmls.crsdata.com/realestate/maps/downloads/mgaxctrlv65.cab
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file:///C:/DOCUME~1/LISAYI~1/LOCALS~1/Temp/IXP000.TMP/setup.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {DB1B4C3B-8690-43B2-9045-91EDA7A12580} (eWebEditProLibCtl4.eWEPLoader) - http://v25.salesaspects.com/ewebeditpro4/ewebeditpro4.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firstamres.com/mapviewer/mapviewer.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
--
End of file - 8961 bytes
I'll be anxiously awaiting further instructions.
Thank you for your help!
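The entries the helper picks out in the next reply (the BHO in system32, the regsvr32 Run entry, the executable under Application Data, the "F?nts" path) are the kind of thing a practitioner learns to spot by eye. The script below, added here as an illustration and not code from this thread, from HijackThis or from ComboFix, applies four rules of thumb to the O2 and O4 lines of the log above and reports which entries trip them. The rule names and thresholds are my own assumptions: a flag means "look closer", not "infected". The sample lines are copied from the log posted above.

```python
"""Triage helper for HijackThis O2 (BHO) and O4 (autostart) lines.

Added example (assumed heuristics, not HijackThis or ComboFix code).
Each flag is a reason to investigate an entry, not proof it is malicious.
"""
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: mysidesearch search enhancer - {bc56ad52-2c78-5f8d-d97e-cc7762a5322a} - C:\WINDOWS\system32\vwytzykprnnesd.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [mapkbdzwxbbo] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\vprfbtmwxabgda.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gool] "C:\Documents and Settings\Lisa Yiu\Application Data\Gool\Gool.exe"
O4 - HKCU\..\Run: [Xgclk] C:\WINDOWS\system32\F?nts\r?gsvr32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O2 - BHO: <name> - {CLSID} - <dll path>
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$')
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')


@dataclass
class Entry:
    kind: str                 # "BHO" or "Run"
    name: str                 # BHO display name or Run value name
    command: str              # DLL path (BHO) or full command line (Run)
    flags: list = field(default_factory=list)


def _first_path(cmd):
    """Executable part of a command line: the quoted string, else the first token.

    Unquoted paths containing spaces are cut at the first space; good enough
    for the heuristics below, which only look at the directory prefix.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def _dll_argument(cmd):
    """Argument handed to regsvr32: the quoted string if any, else the last token."""
    m = re.search(r'"([^"]+)"', cmd)
    return m.group(1) if m else cmd.split()[-1]


def check_entry(e):
    """Apply the rules of thumb (assumptions, not a signature set) to one entry."""
    path = e.command if e.kind == "BHO" else _first_path(e.command)
    low = path.lower()
    # '?' is not a legal character in a Windows file name, so the tool could not
    # print the real name; look-alike characters in system paths are a classic trick.
    if '?' in path:
        e.flags.append("ILLEGAL_CHAR")
    # Autostarts living in a user profile rather than an install directory.
    if '\\documents and settings\\' in low or '\\docume~1\\' in low:
        e.flags.append("USER_PROFILE")
    # Browser helper objects dropped straight into system32 instead of a vendor folder.
    if e.kind == "BHO" and '\\system32\\' in low:
        e.flags.append("BHO_IN_SYSTEM32")
    # regsvr32 re-registering a DLL by explicit path at every logon; installers
    # normally register once at install time.
    if e.kind == "Run":
        exe = low.rsplit('\\', 1)[-1]
        if exe in ("regsvr32", "regsvr32.exe") and '\\' in _dll_argument(e.command):
            e.flags.append("REGSVR32_PATH")
    return e


def parse(log_text):
    """Parse O2 and O4 lines; other HijackThis sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("BHO", m["name"], m["path"]))
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("Run", m["name"], m["cmd"]))
    return entries


def triage(log_text):
    """Return {entry name: [flags]} for every entry that tripped at least one rule."""
    flagged = {}
    for e in parse(log_text):
        check_entry(e)
        if e.flags:
            flagged[e.name] = e.flags
    return flagged


if __name__ == "__main__":
    for name, flags in triage(SAMPLE_LOG).items():
        print(f"{name:32} {', '.join(flags)}")
```

On the sample above the four flagged names are exactly the four entries the helper's CFScript removes, while MsmqIntCert (regsvr32 with a bare DLL name, a stock Windows entry), NvCplDaemon and ctfmon.exe pass. Rules like these reduce a long log to a short review list; deciding what to remove still needs the file itself, its signer and a reputation lookup.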
Baabiouz
2008-10-30, 07:41
Hi :)
Step #1
Please click on Start > Control Panel > Add/Remove Programs (http://www.bleepingcomputer.com/forums/topic42133.html) and uninstall the following programs (if present):
OINAnalytics
Webtools
PasswordDirector
Step #2
Please click your Start button, then click on Run and type in the following without the quotes: "notepad". Then copy (Ctrl C) and paste (Ctrl V) the following text into the codebox:
File::
C:\WINDOWS\system32\ZoneAlarmIconUS.ico
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\vwytzykprnnesd.dll-uninst.exe
C:\WINDOWS\system32\vprfbtmwxabgda.dll
C:\avremove.csv
C:\WINDOWS\system32\rcntptdl.exe
C:\WINDOWS\system32\g38.exe
C:\WINDOWS\system32\hikjlmupwmdpxdhyq.exe
C:\WINDOWS\system32\vwytzykprnnesd.dll
Folder::
C:\WINDOWS\ufur
C:\Program Files\Common Files\ufur
C:\Program Files\OINAnalytics
C:\Documents and Settings\Lisa Yiu\Application Data\Gool
C:\Program Files\Webtools
C:\Program Files\Mjcore
C:\ESXPXML
C:\WINDOWS\TGlzYSBZaXU
C:\WINDOWS\system32\wi
C:\WINDOWS\system32\PX
C:\WINDOWS\system32\m3v
C:\WINDOWS\system32\fs3
C:\WINDOWS\system32\EV02
C:\WINDOWS\system32\ec2
C:\Documents and Settings\Lisa Yiu\Application Data\Gool
C:\Program Files\PasswordDirector
C:\WINDOWS\system32\F?nts
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4597005E-4565-C7D8-719C-5F8F0F68D0A2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc56ad52-2c78-5f8d-d97e-cc7762a5322a}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xgclk"=-
"Gool"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pwdir"=-
"mapkbdzwxbbo"=-
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript.txt into ComboFix.exe.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
Step #3
Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here (http://www.besttechie.net/tools/mbam-setup.exe) and save to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log back into your next reply.
Note:
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Step #4
Please post the ComboFix log, the MBAM results and a fresh HijackThis log back here :)
fixmeplease
2008-10-30, 19:45
My laptop lost power :oops: at the end of running ComboFix, but it seemed to pick up where it left off when I turned it back on. Let me know if I need to repeat anything because of that.
ComboFix log:
ComboFix 08-10-29.07 - Lisa Yiu 2008-10-30 9:02:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.600 [GMT -7:00]
Running from: C:\Documents and Settings\Lisa Yiu\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lisa Yiu\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\avremove.csv
C:\WINDOWS\system32\g38.exe
C:\WINDOWS\system32\hikjlmupwmdpxdhyq.exe
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\rcntptdl.exe
C:\WINDOWS\system32\vprfbtmwxabgda.dll
C:\WINDOWS\system32\vwytzykprnnesd.dll
C:\WINDOWS\system32\vwytzykprnnesd.dll-uninst.exe
C:\WINDOWS\system32\ZoneAlarmIconUS.ico
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\avremove.csv
C:\Documents and Settings\Lisa Yiu\Application Data\Gool
C:\Documents and Settings\Lisa Yiu\Application Data\Gool\Gool.exe
C:\Documents and Settings\Lisa Yiu\Temporary Internet Files\bestwiner.stt
C:\ESXPXML
C:\ESXPXML\cac.pem
C:\ESXPXML\cidsync.upd
C:\ESXPXML\instmsiw.exe
C:\ESXPXML\master.upd
C:\ESXPXML\mrinit.conf
C:\ESXPXML\product.spi
C:\ESXPXML\root.upd
C:\ESXPXML\sau\1028.mst
C:\ESXPXML\sau\1031.mst
C:\ESXPXML\sau\1033.mst
C:\ESXPXML\sau\1034.mst
C:\ESXPXML\sau\1036.mst
C:\ESXPXML\sau\1040.mst
C:\ESXPXML\sau\1041.mst
C:\ESXPXML\sau\2052.mst
C:\ESXPXML\sau\3076.mst
C:\ESXPXML\sau\cidsync.upd
C:\ESXPXML\sau\commonappdata\sophos\autoupdate\defaultconfig\iconn.cfg
C:\ESXPXML\sau\commonappdata\sophos\autoupdate\defaultconfig\idata.cfg
C:\ESXPXML\sau\commonappdata\sophos\autoupdate\defaultconfig\ilog.cfg
C:\ESXPXML\sau\commonappdata\sophos\autoupdate\defaultconfig\imon.cfg
C:\ESXPXML\sau\commonappdata\sophos\autoupdate\defaultconfig\isched.cfg
C:\ESXPXML\sau\commonappdata\sophos\autoupdate\defaultconfig\iupd.cfg
C:\ESXPXML\sau\manifest.dat
C:\ESXPXML\sau\program files\sophos\autoupdate\almon.exe
C:\ESXPXML\sau\program files\sophos\autoupdate\almon.exe.manifest
C:\ESXPXML\sau\program files\sophos\autoupdate\alsvc.exe
C:\ESXPXML\sau\program files\sophos\autoupdate\alupdate.exe
C:\ESXPXML\sau\program files\sophos\autoupdate\auadapter.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\boost_date_time-vc71-mt-1_32.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\channelupdater.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\cidsync.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\config.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\crypto.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\de\alhelp.chm
C:\ESXPXML\sau\program files\sophos\autoupdate\de\almonres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\de\iconfres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\de\ilogres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\de\ischdres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\de\sharedres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\eecustomactions.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\en\alhelp.chm
C:\ESXPXML\sau\program files\sophos\autoupdate\en\almonres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\en\iconfres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\en\ilogres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\en\ischdres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\en\sharedres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\es\alhelp.chm
C:\ESXPXML\sau\program files\sophos\autoupdate\es\almonres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\es\iconfres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\es\ilogres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\es\ischdres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\es\sharedres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\fr\alhelp.chm
C:\ESXPXML\sau\program files\sophos\autoupdate\fr\almonres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\fr\iconfres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\fr\ilogres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\fr\ischdres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\fr\sharedres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\iconfig.ppi
C:\ESXPXML\sau\program files\sophos\autoupdate\ilog.ppi
C:\ESXPXML\sau\program files\sophos\autoupdate\inetconn.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\instlmgr.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\isched.ppi
C:\ESXPXML\sau\program files\sophos\autoupdate\ispsheet.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\it\alhelp.chm
C:\ESXPXML\sau\program files\sophos\autoupdate\it\almonres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\it\iconfres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\it\ilogres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\it\ischdres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\it\sharedres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\ja\alhelp.chm
C:\ESXPXML\sau\program files\sophos\autoupdate\ja\almonres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\ja\iconfres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\ja\ilogres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\ja\ischdres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\ja\sharedres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\libcurl.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\libeay32.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\license_agreements.txt
C:\ESXPXML\sau\program files\sophos\autoupdate\logger.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\mfc71.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\msvcp71.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\msvcr71.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\ps.crl
C:\ESXPXML\sau\program files\sophos\autoupdate\ps_rootca.crt
C:\ESXPXML\sau\program files\sophos\autoupdate\retailer.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\sauconfigdll.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\scf.dat
C:\ESXPXML\sau\program files\sophos\autoupdate\swlocale.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\xmlcpp.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\xmlparse.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\xmltok.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\zh_cn\alhelp.chm
C:\ESXPXML\sau\program files\sophos\autoupdate\zh_cn\almonres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\zh_cn\iconfres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\zh_cn\ilogres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\zh_cn\ischdres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\zh_cn\sharedres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\zh_tw\alhelp.chm
C:\ESXPXML\sau\program files\sophos\autoupdate\zh_tw\almonres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\zh_tw\iconfres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\zh_tw\ilogres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\zh_tw\ischdres.dll
C:\ESXPXML\sau\program files\sophos\autoupdate\zh_tw\sharedres.dll
C:\ESXPXML\sau\sauconf.xml
C:\ESXPXML\sau\setup.dll
C:\ESXPXML\sau\sophos autoupdate.msi
C:\ESXPXML\sau\toplevelcatalogue.dat
C:\ESXPXML\savxp\access-a.ide
C:\ESXPXML\savxp\agen-fam.ide
C:\ESXPXML\savxp\agen-ghf.ide
C:\ESXPXML\savxp\agen-ghm.ide
C:\ESXPXML\savxp\agen-ghn.ide
C:\ESXPXML\savxp\agen-ght.ide
C:\ESXPXML\savxp\agen-gia.ide
C:\ESXPXML\savxp\agen-gil.ide
C:\ESXPXML\savxp\agen-giq.ide
C:\ESXPXML\savxp\agen-gis.ide
C:\ESXPXML\savxp\agen-giu.ide
C:\ESXPXML\savxp\agen-giv.ide
C:\ESXPXML\savxp\agen-giy.ide
C:\ESXPXML\savxp\agen-gjg.ide
C:\ESXPXML\savxp\agen-gjl.ide
C:\ESXPXML\savxp\agen-gjq.ide
C:\ESXPXML\savxp\agen-gjr.ide
C:\ESXPXML\savxp\agen-gju.ide
C:\ESXPXML\savxp\agen-gkh.ide
C:\ESXPXML\savxp\agen-gki.ide
C:\ESXPXML\savxp\agen-gkk.ide
C:\ESXPXML\savxp\agen-gkl.ide
C:\ESXPXML\savxp\agen-glf.ide
C:\ESXPXML\savxp\ambler-a.ide
C:\ESXPXML\savxp\appc01.vdb
C:\ESXPXML\savxp\atax-a.ide
C:\ESXPXML\savxp\autor-ad.ide
C:\ESXPXML\savxp\autor-ae.ide
C:\ESXPXML\savxp\autor-ag.ide
C:\ESXPXML\savxp\autoru-s.ide
C:\ESXPXML\savxp\autoru-t.ide
C:\ESXPXML\savxp\autoru-x.ide
C:\ESXPXML\savxp\autoru-y.ide
C:\ESXPXML\savxp\bagle-ti.ide
C:\ESXPXML\savxp\bancb-qr.ide
C:\ESXPXML\savxp\banco-ak.ide
C:\ESXPXML\savxp\bank-ejw.ide
C:\ESXPXML\savxp\bank-ekh.ide
C:\ESXPXML\savxp\bankd-dc.ide
C:\ESXPXML\savxp\banlo-et.ide
C:\ESXPXML\savxp\banlo-eu.ide
C:\ESXPXML\savxp\bbdos-a.ide
C:\ESXPXML\savxp\bckd-qkk.ide
C:\ESXPXML\savxp\bckd-qku.ide
C:\ESXPXML\savxp\bdoo-aiy.ide
C:\ESXPXML\savxp\bdoo-ajb.ide
C:\ESXPXML\savxp\binder-a.ide
C:\ESXPXML\savxp\blehs-a.ide
C:\ESXPXML\savxp\buzzit-b.ide
C:\ESXPXML\savxp\cargar-a.ide
C:\ESXPXML\savxp\cashgr-t.ide
C:\ESXPXML\savxp\cekar-e.ide
C:\ESXPXML\savxp\cidsync.upd
C:\ESXPXML\savxp\cimuz-cs.ide
C:\ESXPXML\savxp\common\cisco systems\ciscotrustagent\plugins\install\savpostureplugin.dll
C:\ESXPXML\savxp\common\cisco systems\ciscotrustagent\plugins\install\savpostureplugin.inf
C:\ESXPXML\savxp\commonappdata\sophos\sophos anti-virus\config\bootstrap.xml
C:\ESXPXML\savxp\commonappdata\sophos\sophos anti-virus\config\factory.xml
C:\ESXPXML\savxp\commonappdata\sophos\sophos anti-virus\config\machine.xml
C:\ESXPXML\savxp\commonappdata\sophos\sophos anti-virus\config\quarantine.xml
C:\ESXPXML\savxp\commonappdata\sophos\sophos anti-virus\config\saviconfigfile.xml
C:\ESXPXML\savxp\commonappdata\sophos\sophos anti-virus\config\storebootstrap.xml
C:\ESXPXML\savxp\configuresav.exe
C:\ESXPXML\savxp\conho-al.ide
C:\ESXPXML\savxp\delf-ezc.ide
C:\ESXPXML\savxp\delf-ezi.ide
C:\ESXPXML\savxp\dloa-bfz.ide
C:\ESXPXML\savxp\dloa-bgi.ide
C:\ESXPXML\savxp\dloa-bgo.ide
C:\ESXPXML\savxp\dloa-bgr.ide
C:\ESXPXML\savxp\dloa-bgs.ide
C:\ESXPXML\savxp\dload-ab.ide
C:\ESXPXML\savxp\dload-ae.ide
C:\ESXPXML\savxp\dload-af.ide
C:\ESXPXML\savxp\dload-ag.ide
C:\ESXPXML\savxp\dload-ai.ide
C:\ESXPXML\savxp\dload-am.ide
C:\ESXPXML\savxp\dorf-aj.ide
C:\ESXPXML\savxp\dorf-ak.ide
C:\ESXPXML\savxp\dorf-am.ide
C:\ESXPXML\savxp\dorf-an.ide
C:\ESXPXML\savxp\dorf-ao.ide
C:\ESXPXML\savxp\droopy-a.ide
C:\ESXPXML\savxp\drop-d.ide
C:\ESXPXML\savxp\drop-e.ide
C:\ESXPXML\savxp\dropp-sr.ide
C:\ESXPXML\savxp\dropp-sz.ide
C:\ESXPXML\savxp\drpr-gen.ide
C:\ESXPXML\savxp\dwnl-gzh.ide
C:\ESXPXML\savxp\dwnl-gzs.ide
C:\ESXPXML\savxp\etap-a.ide
C:\ESXPXML\savxp\feebs-bz.ide
C:\ESXPXML\savxp\feebs-ca.ide
C:\ESXPXML\savxp\flux-eg.ide
C:\ESXPXML\savxp\framer-b.ide
C:\ESXPXML\savxp\goopo-a.ide
C:\ESXPXML\savxp\hipsconfig-1-0-4.dat
C:\ESXPXML\savxp\hipsrules-1-0-4.bdl
C:\ESXPXML\savxp\hookbi-a.ide
C:\ESXPXML\savxp\hoxi-b.ide
C:\ESXPXML\savxp\hoxi-d.ide
C:\ESXPXML\savxp\hupig-sv.ide
C:\ESXPXML\savxp\hupig-sx.ide
C:\ESXPXML\savxp\idas-a.ide
C:\ESXPXML\savxp\ircbo-zm.ide
C:\ESXPXML\savxp\jalous-a.ide
C:\ESXPXML\savxp\jetdro-a.ide
C:\ESXPXML\savxp\kenfa-a.ide
C:\ESXPXML\savxp\killa-ed.ide
C:\ESXPXML\savxp\killdi-l.ide
C:\ESXPXML\savxp\killfi-i.ide
C:\ESXPXML\savxp\ldpin-rg.ide
C:\ESXPXML\savxp\linea-cu.ide
C:\ESXPXML\savxp\linea-cv.ide
C:\ESXPXML\savxp\linea-cw.ide
C:\ESXPXML\savxp\looke-eb.ide
C:\ESXPXML\savxp\mabeza-b.ide
C:\ESXPXML\savxp\mailb-ci.ide
C:\ESXPXML\savxp\manifest.dat
C:\ESXPXML\savxp\mutrk-a.ide
C:\ESXPXML\savxp\mypi-fam.ide
C:\ESXPXML\savxp\nmism-a.ide
C:\ESXPXML\savxp\ntrtdr-a.ide
C:\ESXPXML\savxp\nugach-i.ide
C:\ESXPXML\savxp\nutpea-a.ide
C:\ESXPXML\savxp\onlin-ag.ide
C:\ESXPXML\savxp\osdp.dll
C:\ESXPXML\savxp\patch-c.ide
C:\ESXPXML\savxp\phish-b.ide
C:\ESXPXML\savxp\poison-n.ide
C:\ESXPXML\savxp\ppntdr-a.ide
C:\ESXPXML\savxp\proage-a.ide
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\categories.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\authorisedlists.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\backgroundscanclient.exe
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\backgroundscanning.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\bhomanagement.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\componentmanager.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\configuration.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\desktopmessaging.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\driveprocessor.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\eeconsumer.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\filterprocessors.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\fsdecomposer.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\icadapter.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\icmanagement.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\icprocessors.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\legacyconsumers.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\localisation.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\logging.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\persistance.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\savadapter.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\savmain.exe
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\savprogress.exe
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\savshellext.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\scaneditexports.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\scaneditfacade.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\scanmanagement.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\security.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\sipsmanagement.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\sophtaineradapter.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\systeminformation.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\threatdetection.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\threatmanagement.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\translators.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\module retargetable folder\virusdetection.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\msvcp71.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\msvcr71.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\sav32cli.exe
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savadminservice.exe
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savcleanupservice.exe
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savhelpchs.chm
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savhelpcht.chm
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savhelpdeu.chm
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savhelpeng.chm
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savhelpesp.chm
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savhelpfra.chm
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savhelpit.chm
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savhelpjap.chm
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savmscm.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savneutralres.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savres.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savreschs.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savrescht.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savresdeu.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savreseng.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savresesp.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savresfra.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savresit.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savresjap.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savservice.exe
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savshellextia64.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\savshellextx64.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\scf.dat
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\sophos anti-virus (de).url
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\sophos anti-virus (es).url
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\sophos anti-virus (fr).url
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\sophos anti-virus (it).url
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\sophos anti-virus (ja).url
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\sophos anti-virus (zh_cn).url
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\sophos anti-virus (zh_tw).url
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\sophos anti-virus.url
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\sophosbho.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\sophosbhoia64.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\sophosbhores.dll
C:\ESXPXML\savxp\program files\sophos\sophos anti-virus\sophosbhox64.dll
C:\ESXPXML\savxp\proxy-ib.ide
C:\ESXPXML\savxp\psyme-fx.ide
C:\ESXPXML\savxp\psyme-gb.ide
C:\ESXPXML\savxp\psyme-gc.ide
C:\ESXPXML\savxp\psyme-gm.ide
C:\ESXPXML\savxp\pushu-e.ide
C:\ESXPXML\savxp\pushu-f.ide
C:\ESXPXML\savxp\pws-apl.ide
C:\ESXPXML\savxp\pws-apw.ide
C:\ESXPXML\savxp\ranck-fs.ide
C:\ESXPXML\savxp\rbot-gvk.ide
C:\ESXPXML\savxp\rbot-gvl.ide
C:\ESXPXML\savxp\rbot-gvm.ide
C:\ESXPXML\savxp\rbot-gvo.ide
C:\ESXPXML\savxp\rbot-gvr.ide
C:\ESXPXML\savxp\remmah-b.ide
C:\ESXPXML\savxp\revkey-a.ide
C:\ESXPXML\savxp\savi.dll
C:\ESXPXML\savxp\savsync.upd
C:\ESXPXML\savxp\sdbo-djc.ide
C:\ESXPXML\savxp\sdbo-dje.ide
C:\ESXPXML\savxp\setup.dll
C:\ESXPXML\savxp\silly-bp.ide
C:\ESXPXML\savxp\silly-bq.ide
C:\ESXPXML\savxp\silly-tl.ide
C:\ESXPXML\savxp\silly-tt.ide
C:\ESXPXML\savxp\sillyp-a.ide
C:\ESXPXML\savxp\smit-a.ide
C:\ESXPXML\savxp\sohan-ap.ide
C:\ESXPXML\savxp\sophos anti-virus.msi
C:\ESXPXML\savxp\sophos_detoured.dll
C:\ESXPXML\savxp\spy-ad.ide
C:\ESXPXML\savxp\spybo-of.ide
C:\ESXPXML\savxp\startp-w.ide
C:\ESXPXML\savxp\strat-tl.ide
C:\ESXPXML\savxp\sus01.vdb
C:\ESXPXML\savxp\svf.xml
C:\ESXPXML\savxp\sxs\msxml4.cat
C:\ESXPXML\savxp\sxs\msxml4.dll
C:\ESXPXML\savxp\sxs\msxml4.manifest
C:\ESXPXML\savxp\sxs\msxml4r.cat
C:\ESXPXML\savxp\sxs\msxml4r.dll
C:\ESXPXML\savxp\sxs\msxml4r.manifest
C:\ESXPXML\savxp\system\msxml4.dll
C:\ESXPXML\savxp\system\msxml4a.dll
C:\ESXPXML\savxp\system\msxml4r.dll
C:\ESXPXML\savxp\tagbot-a.ide
C:\ESXPXML\savxp\tanto-g.ide
C:\ESXPXML\savxp\tibs-tv.ide
C:\ESXPXML\savxp\tibspk-b.ide
C:\ESXPXML\savxp\tileb-kr.ide
C:\ESXPXML\savxp\torpi-by.ide
C:\ESXPXML\savxp\trats-a.ide
C:\ESXPXML\savxp\trinit-c.ide
C:\ESXPXML\savxp\vb-dyd.ide
C:\ESXPXML\savxp\vb-dye.ide
C:\ESXPXML\savxp\vb-dyf.ide
C:\ESXPXML\savxp\vbdrop-e.ide
C:\ESXPXML\savxp\vdl.dat
C:\ESXPXML\savxp\vdl01.vdb
C:\ESXPXML\savxp\vdl02.vdb
C:\ESXPXML\savxp\vdl03.vdb
C:\ESXPXML\savxp\vdl04.vdb
C:\ESXPXML\savxp\vdl05.vdb
C:\ESXPXML\savxp\vdl06.vdb
C:\ESXPXML\savxp\vdl07.vdb
C:\ESXPXML\savxp\vdl08.vdb
C:\ESXPXML\savxp\vdl09.vdb
C:\ESXPXML\savxp\vdl10.vdb
C:\ESXPXML\savxp\vdl11.vdb
C:\ESXPXML\savxp\vdl12.vdb
C:\ESXPXML\savxp\vdl13.vdb
C:\ESXPXML\savxp\vdl14.vdb
C:\ESXPXML\savxp\vdl15.vdb
C:\ESXPXML\savxp\vdl16.vdb
C:\ESXPXML\savxp\vdl17.vdb
C:\ESXPXML\savxp\vdl18.vdb
C:\ESXPXML\savxp\vdl19.vdb
C:\ESXPXML\savxp\vdl20.vdb
C:\ESXPXML\savxp\vdl21.vdb
C:\ESXPXML\savxp\vdl22.vdb
C:\ESXPXML\savxp\vdl23.vdb
C:\ESXPXML\savxp\vdl24.vdb
C:\ESXPXML\savxp\vdl25.vdb
C:\ESXPXML\savxp\vdl26.vdb
C:\ESXPXML\savxp\vdl27.vdb
C:\ESXPXML\savxp\vdl28.vdb
C:\ESXPXML\savxp\vdl29.vdb
C:\ESXPXML\savxp\vdl30.vdb
C:\ESXPXML\savxp\vdl31.vdb
C:\ESXPXML\savxp\vdl32.vdb
C:\ESXPXML\savxp\vdl33.vdb
C:\ESXPXML\savxp\vdl34.vdb
C:\ESXPXML\savxp\vdl35.vdb
C:\ESXPXML\savxp\vdl36.vdb
C:\ESXPXML\savxp\vdl37.vdb
C:\ESXPXML\savxp\veex.dll
C:\ESXPXML\savxp\virtin-a.ide
C:\ESXPXML\savxp\virtin-b.ide
C:\ESXPXML\savxp\votera-a.ide
C:\ESXPXML\savxp\vvf.xml
C:\ESXPXML\savxp\weird-l.ide
C:\ESXPXML\savxp\wiepaz-a.ide
C:\ESXPXML\savxp\win2k\savonaccesscontrol.sys
C:\ESXPXML\savxp\win2k\savonaccessdriv.inf
C:\ESXPXML\savxp\win2k\savonaccessfilter.sys
C:\ESXPXML\savxp\win2k\sophosboottasks.exe
C:\ESXPXML\savxp\winlh_amd64\native.exe
C:\ESXPXML\savxp\winlh_amd64\sav.cat
C:\ESXPXML\savxp\winlh_amd64\savonaccess.sys
C:\ESXPXML\savxp\winlh_amd64\savonaccessdriv.inf
C:\ESXPXML\savxp\winlh_amd64\sophosboottasks.exe
C:\ESXPXML\savxp\winlh_i386\sav.cat
C:\ESXPXML\savxp\winlh_i386\savonaccess.sys
C:\ESXPXML\savxp\winlh_i386\savonaccessdriv.inf
C:\ESXPXML\savxp\winlh_i386\sophosboottasks.exe
C:\ESXPXML\savxp\winlh_ia64\native.exe
C:\ESXPXML\savxp\winlh_ia64\sav.cat
C:\ESXPXML\savxp\winlh_ia64\savonaccess.sys
C:\ESXPXML\savxp\winlh_ia64\savonaccessdriv.inf
C:\ESXPXML\savxp\winlh_ia64\sophosboottasks.exe
C:\ESXPXML\savxp\winxp_amd64\native.exe
C:\ESXPXML\savxp\winxp_amd64\savonaccesscontrol.sys
C:\ESXPXML\savxp\winxp_amd64\savonaccessdriv.inf
C:\ESXPXML\savxp\winxp_amd64\savonaccessfilter.sys
C:\ESXPXML\savxp\winxp_amd64\sophosboottasks.exe
C:\ESXPXML\savxp\winxp_i386\sav.cat
C:\ESXPXML\savxp\winxp_i386\savonaccesscontrol.sys
C:\ESXPXML\savxp\winxp_i386\savonaccessdriv.inf
C:\ESXPXML\savxp\winxp_i386\savonaccessfilter.sys
C:\ESXPXML\savxp\winxp_i386\sophosboottasks.exe
C:\ESXPXML\savxp\winxp_ia64\native.exe
C:\ESXPXML\savxp\winxp_ia64\savonaccesscontrol.sys
C:\ESXPXML\savxp\winxp_ia64\savonaccessdriv.inf
C:\ESXPXML\savxp\winxp_ia64\savonaccessfilter.sys
C:\ESXPXML\savxp\winxp_ia64\sophosboottasks.exe
C:\ESXPXML\savxp\xorer-a.ide
C:\ESXPXML\savxp\ymworm-a.ide
C:\ESXPXML\savxp\zbot-b.ide
C:\ESXPXML\savxp\zlob-agj.ide
C:\ESXPXML\savxp\zlob-ago.ide
C:\ESXPXML\savxp\zlob-fam.ide
C:\ESXPXML\sdf.xml
C:\ESXPXML\setup.exe
C:\ESXPXML\setupchs.dll
C:\ESXPXML\setupcht.dll
C:\ESXPXML\setupdeu.dll
C:\ESXPXML\setupenu.dll
C:\ESXPXML\setupesp.dll
C:\ESXPXML\setupfra.dll
C:\ESXPXML\setupita.dll
C:\ESXPXML\setupjpn.dll
C:\ESXPXML\svf.xml
C:\ESXPXML\vvf.xml
C:\Program Files\Common Files\ufur
C:\Program Files\Common Files\ufur\ufura.lck
C:\Program Files\Common Files\ufur\ufurd\class-barrel
C:\Program Files\Common Files\ufur\ufurd\vocabulary
C:\Program Files\Common Files\ufur\ufurl.lck
C:\Program Files\Common Files\ufur\ufurm.lck
C:\Program Files\Mjcore
C:\Program Files\Mjcore\Mjcore.dll
C:\Program Files\PasswordDirector
C:\Program Files\PasswordDirector\clvlk2.dll
C:\Program Files\PasswordDirector\lartl.dll
C:\Program Files\PasswordDirector\PasswordDirector.exe
C:\Program Files\PasswordDirector\pwdir.dll
C:\Program Files\PasswordDirector\scrkbd.dll
C:\Program Files\PasswordDirector\sf.dll
C:\Program Files\PasswordDirector\vdicapi.dll
C:\Program Files\Webtools
C:\Program Files\Webtools\webtools.dll
C:\WINDOWS\system32\ec2
C:\WINDOWS\system32\EV02
C:\WINDOWS\system32\EV02\EV022328.exe
C:\WINDOWS\system32\fs3
C:\WINDOWS\system32\fs3\CL65CON2.exe
C:\WINDOWS\system32\g38.exe
C:\WINDOWS\system32\hikjlmupwmdpxdhyq.exe
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\m3v
C:\WINDOWS\system32\PX
C:\WINDOWS\system32\PX\TP6567IV.exe
C:\WINDOWS\system32\rcntptdl.exe
C:\WINDOWS\system32\vprfbtmwxabgda.dll
C:\WINDOWS\system32\vwytzykprnnesd.dll-uninst.exe
C:\WINDOWS\system32\vwytzykprnnesd.dll
C:\WINDOWS\system32\wi
C:\WINDOWS\system32\ZoneAlarmIconUS.ico
C:\WINDOWS\TGlzYSBZaXU
C:\WINDOWS\ufur
C:\WINDOWS\ufur\ufur.dat
C:\WINDOWS\ufur\wu
.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-30 )))))))))))))))))))))))))))))))
.
2008-10-30 08:55 . <DIR> C:\WINDOWS\LastGood.Tmp
2008-10-29 11:41 . 2008-10-29 11:49 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-10-29 08:07 . 2008-10-29 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-28 20:54 . 2008-10-28 20:55 <DIR> d-------- C:\Program Files\CCleaner
2008-10-28 20:49 . 2008-10-28 20:49 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-10-28 20:49 . 2008-10-28 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sophos
2008-10-28 20:49 . 2008-10-29 14:25 17,920 --a------ C:\WINDOWS\system32\sophosboottasks.exe
2008-10-28 20:03 . 2008-10-28 20:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-28 19:04 . 2008-10-29 14:25 <DIR> d-------- C:\Program Files\Sophos
2008-10-28 19:04 . 2008-10-29 14:26 101,120 --a------ C:\WINDOWS\system32\drivers\savonaccesscontrol.sys
2008-10-28 19:04 . 2008-10-29 14:26 33,408 --a------ C:\WINDOWS\system32\drivers\savonaccessfilter.sys
2008-10-28 15:40 . 2008-10-28 16:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-28 15:40 . 2008-10-28 17:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-28 13:25 . 2008-10-28 13:25 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
2008-10-27 03:48 . 2008-10-27 03:48 <DIR> d-------- C:\Program Files\Sun
2008-10-26 02:52 . 2008-10-26 02:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-10-26 02:13 . 2008-10-26 02:13 <DIR> d-------- C:\Documents and Settings\Lisa Yiu\Application Data\Sonic
2008-10-07 11:39 . 2008-10-07 11:39 0 --a------ C:\.autoreg
2008-10-07 10:57 . 2008-10-07 11:13 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-10-07 10:53 . 2008-10-30 08:57 <DIR> d--hs---- C:\WINDOWS\Installer
2008-09-11 12:34 . 2008-05-01 07:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 12:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-10-27 11:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-27 11:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-10-27 11:43 --------- d-----w C:\Program Files\Citrix
2008-10-27 11:42 --------- d-----w C:\Program Files\WildTangent
2008-10-27 11:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-27 10:48 --------- d-----w C:\Program Files\Java
2008-10-26 11:29 --------- d-----w C:\Program Files\SmartDraw 2008
2008-10-15 16:57 332,800 ----a-w C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-07 18:45 --------- d-----w C:\Program Files\Google
2008-10-07 18:42 --------- d-----w C:\Program Files\eBay
2008-10-07 18:42 --------- d-----w C:\Documents and Settings\Lisa Yiu\Application Data\eBay
2008-10-07 18:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\eBay
2008-10-07 18:33 --------- d-----w C:\Program Files\Webroot
2008-10-07 18:32 --------- d-----w C:\Documents and Settings\Lisa Yiu\Application Data\Webroot
2008-10-07 18:05 --------- d-----w C:\Program Files\Disney Interactive
2008-10-03 17:41 6,066,176 ----a-w C:\WINDOWS\system32\dllcache\ieframe.dll
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-09-11 19:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\WholeSecurity
2008-09-06 06:30 241,704 ----a-w C:\WINDOWS\system32\dllcache\wgaLogon.dll
2008-09-06 06:29 917,032 ----a-w C:\WINDOWS\system32\dllcache\WgaTray.exe
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\dllcache\srv.sys
2008-08-27 08:24 3,593,216 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-08-14 09:57 2,185,984 ----a-w C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-08-14 09:55 2,142,720 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:55 2,142,720 ----a-w C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-08-14 09:51 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-08-14 09:18 2,062,976 ----a-w C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-08-14 09:18 2,020,864 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-14 09:18 2,020,864 ----a-w C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-01 15:53 166 ----a-w C:\Documents and Settings\Lisa Yiu\Application Data\wklnhst.dat
2007-05-08 20:10 56,912 ----a-w C:\Documents and Settings\Lisa Yiu\g2mdlhlpx.exe
2007-04-17 23:30 630,784 ----a-w C:\Documents and Settings\Lisa Yiu\GoToAssist_chat2way__317_en.exe
.
((((((((((((((((((((((((((((( snapshot@2008-10-29_11.40.39.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-29 02:04:40 65,536 ----a-r C:\WINDOWS\Installer\{15C418EB-7675-42be-B2B3-281952DA014D}\ARPPRODUCTICON.exe
+ 2008-10-29 21:25:55 65,536 ----a-r C:\WINDOWS\Installer\{15C418EB-7675-42be-B2B3-281952DA014D}\ARPPRODUCTICON.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-05-16 213936]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 224248]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-26 7561216]
"MsmqIntCert"="mqrt.dll" [2007-07-06 C:\WINDOWS\system32\mqrt.dll]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2007-08-02 245760]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
R1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2008-10-29 101120]
R1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys [2008-10-29 33408]
S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys [ ]
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys [ ]
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w600mdm.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
2008-09-11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-mapkbdzwxbbo - C:\WINDOWS\system32\vprfbtmwxabgda.dll
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-30 09:09:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-10-30 9:13:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-30 16:13:07
ComboFix2.txt 2008-10-29 18:41:05
Pre-Run: 37,099,253,760 bytes free
Post-Run: 37,113,417,728 bytes free
692 --- E O F --- 2008-10-27 10:50:00
Here is the Malware log:
Malwarebytes' Anti-Malware 1.30
Database version: 1340
Windows 5.1.2600 Service Pack 2
10/30/2008 10:38:34 AM
mbam-log-2008-10-30 (10-38-34).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 142135
Time elapsed: 50 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 58
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\Lisa Yiu\Application Data\Facegame\Facegame.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Lisa Yiu\Application Data\Gool\Gool.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Lisa Yiu\Application Data\ICROSO~1\winlogon.exe.vir (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Webtools\webtools.dll.vir (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bjsnge.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bjwjbp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ddo.dll.vir (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ekgoewks.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hwqlhwcs.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nkdfimsu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vlizww.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wxilikqs.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yayyXOHw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ysmiicyq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\asyncmacc.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\EV02\EV022328.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fs3\CL65CON2.exe.vir (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\PX\TP6567IV.exe.vir (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP624\A0078047.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP625\A0078172.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP625\A0078175.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP625\A0078176.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP625\A0078185.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP625\A0078188.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP625\A0078203.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP625\A0078204.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP625\A0078184.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP625\A0078267.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP627\A0080023.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP627\A0080024.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP627\A0080025.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP627\A0080026.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP627\A0080027.dll (Adware.TargetServer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP627\A0080028.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP627\A0080029.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP627\A0080030.dll (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP627\A0080031.exe (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP627\A0080035.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP630\A0080204.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP630\A0080208.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP630\A0080209.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP630\A0080222.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP630\A0080223.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP630\A0080225.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP630\A0080226.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP630\A0080228.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP630\A0080229.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP630\A0080232.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP630\A0080234.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP630\A0080236.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP630\A0080237.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP630\A0080238.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP631\A0081037.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP631\A0081290.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP631\A0081291.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP631\A0081292.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP631\A0081296.exe (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Yiu\Desktop\Internet Security Suite.url (Rogue.Link) -> Quarantined and deleted successfully.
Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:33 AM, on 10/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Fixmeplease.exe.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0612502E-29F8-11D6-BC3C-00C0F0167E34} (CRS Inc. Data Object) - http://tarmls.crsdata.com/CRSDataObject/CRSNInfo.cab
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://photo.walgreens.com/WalgreensOutlookImport.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - https://www.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://tarmls.crsdata.com/realestate/maps/downloads/mgaxctrlv65.cab
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file:///C:/DOCUME~1/LISAYI~1/LOCALS~1/Temp/IXP000.TMP/setup.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {DB1B4C3B-8690-43B2-9045-91EDA7A12580} (eWebEditProLibCtl4.eWEPLoader) - http://v25.salesaspects.com/ewebeditpro4/ewebeditpro4.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firstamres.com/mapviewer/mapviewer.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
--
End of file - 8205 bytes
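Triage of the ComboFix "Reg Loading Points" section above, as an added example that is not part of this thread, of ComboFix or of any of the tools it mentions: a small Python parser over the REGEDIT4-style lines quoted from the log, which flags the Security Center switches the log shows set to 1 (on XP SP2, `AntiVirusDisableNotify` silences the Security Center's antivirus warning and `Monitoring\<Product>\DisableMonitoring` stops the Security Center tracking that product's status, which is why a machine can look "protected" while its AV is broken) and lists the firewall exception paths so each can be checked against what the owner actually installed. The key names and sample lines are copied from the log; the known-good allow-list is an assumption chosen for the example.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: "Reg Loading Points" lines copied from the ComboFix log
# in the thread, trimmed to the entries this triage looks at.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
# Value name is a quoted string with backslash escapes; data is whatever follows '='.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

SECURITY_CENTER_PREFIX = "hkey_local_machine\\software\\microsoft\\security center"


def parse_reg_fragment(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REGEDIT4-style lines into {key_path: {value_name: raw_data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1).replace("\\\\", "\\")  # undo REGEDIT4 backslash escaping
            keys[current][name] = m.group(2).strip()
    return keys


def dword_value(data: str) -> Optional[int]:
    """Decode 'dword:00000001' style data; None for anything else."""
    m = re.match(r"dword:([0-9a-fA-F]{8})", data)
    return int(m.group(1), 16) if m else None


def find_security_center_tampering(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(key, value_name) pairs where a Security Center disable switch is set to 1."""
    hits: List[Tuple[str, str]] = []
    for key, values in keys.items():
        if not key.lower().startswith(SECURITY_CENTER_PREFIX):
            continue
        for name, data in values.items():
            if name.lower().endswith(("disablenotify", "disablemonitoring")) and dword_value(data) == 1:
                hits.append((key, name))
    return hits


def firewall_exceptions(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Every program path listed under the XP firewall AuthorizedApplications\\List key."""
    paths: List[str] = []
    for key, values in keys.items():
        if "authorizedapplications\\list" in key.lower():
            paths.extend(values.keys())
    return paths


def unexpected_firewall_exceptions(keys: Dict[str, Dict[str, str]], known_good: Set[str]) -> List[str]:
    """Exception paths not on the operator's allow-list (compared case-insensitively)."""
    allowed = {p.lower() for p in known_good}
    return [p for p in firewall_exceptions(keys) if p.lower() not in allowed]


if __name__ == "__main__":
    parsed = parse_reg_fragment(SAMPLE_LOG)
    # Assumed allow-list for the example: Windows' own Remote Assistance and MSMQ entries.
    known = {"%windir%\\system32\\sessmgr.exe", "C:\\WINDOWS\\system32\\mqsvc.exe"}
    for key, name in find_security_center_tampering(parsed):
        print(f"SECURITY CENTER DISABLED: [{key}] {name}")
    for path in unexpected_firewall_exceptions(parsed, known):
        print(f"FIREWALL EXCEPTION TO REVIEW: {path}")
```

Resetting the `DisableMonitoring` / `AntiVirusDisableNotify` values to 0 restores the warnings, but the point of running this over a log is to notice that something set them in the first place; the firewall list is worth the same scrutiny because an entry there survives the removal of whatever added it.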
Baabiouz
2008-10-31, 08:14
Great job. HijackThis log looks ok.
Please download ATF-cleaner (http://www.atribune.org/ccount/click.php?id=1) and save it to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
___________________
Please do a scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and selecting 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.
___________________
Combofix removed this folder:
C:\ESXPXML
And now it looks like it contained some Sophos files... (Not sure whether they were legit or not.) So it would be good if you uninstall your Sophos and install it again. (Then we make sure that you have all the files.)
Please post a fresh HijackThis log and Kaspersky's results :)
Do you have any problems?
fixmeplease
2008-11-03, 23:19
I uninstalled & reinstalled Sophos; however, something is still blocking it from updating & running like normal.
Here's the Kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, November 3, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, November 03, 2008 17:00:38
Records in database: 1369018
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 99444
Threat name: 9
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 02:13:43
File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Lisa Yiu\Application Data\SpeedRunner\SpeedRunner.exe.vir Infected: Trojan-Downloader.Win32.Agent.alda 1
C:\Qoobox\Quarantine\C\Documents and Settings\Lisa Yiu\Application Data\SpeedRunner\SRUninstall.exe.vir Infected: Trojan-Downloader.Win32.Agent.aldb 1
C:\Qoobox\Quarantine\C\Documents and Settings\Lisa Yiu\lsass.exe.vir Infected: Trojan-Spy.Win32.VB.agh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\efcBttsT.dll.vir Infected: Trojan.Win32.Monderb.vut 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\FNTS~1\rеgsvr32.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.jw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\g38.exe.vir Infected: Trojan-Clicker.Win32.Agent.bvz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gside.exe.vir Infected: Trojan-Downloader.Win32.Zlob.ymu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ljJDTnoo.dll.vir Infected: Trojan.Win32.Monderb.vut 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rcntptdl.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ca 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rpwnw64p.exe.vir Infected: Trojan-Downloader.Win32.Agent.afzg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vwytzykprnnesd.dll.vir Infected: Trojan-Downloader.Win32.Zlob.ymu 1
C:\Start.exe Infected: Trojan-Spy.Win32.VB.agh 1
D:\Start.exe Infected: Trojan-Spy.Win32.VB.agh 1
The selected area was scanned.
*D drive is my thumbdrive; it infects with start.exe each time it gets plugged into this computer; Sophos on my other computer catches & quarantines it each time.
Here's the HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:51 PM, on 11/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Fixmeplease.exe.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0612502E-29F8-11D6-BC3C-00C0F0167E34} (CRS Inc. Data Object) - http://tarmls.crsdata.com/CRSDataObject/CRSNInfo.cab
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://photo.walgreens.com/WalgreensOutlookImport.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - https://www.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://tarmls.crsdata.com/realestate/maps/downloads/mgaxctrlv65.cab
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file:///C:/DOCUME~1/LISAYI~1/LOCALS~1/Temp/IXP000.TMP/setup.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {DB1B4C3B-8690-43B2-9045-91EDA7A12580} (eWebEditProLibCtl4.eWEPLoader) - http://v25.salesaspects.com/ewebeditpro4/ewebeditpro4.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firstamres.com/mapviewer/mapviewer.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
--
End of file - 7726 bytes
Baabiouz
2008-11-04, 16:31
Hi
Plug your thumbdrive in and then don't let Sophos remove the file.
Then View Hidden Files & Folders
To view Hidden Files & Folders do the following:
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option
Click Yes to confirm
Click OK
Navigate and remove these files:
C:\Start.exe
D:\Start.exe
And remove this folder:
C:\Qoobox
____________________
Do you use Webroot Internet Security?
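The removal steps above (show hidden files, delete the two Start.exe copies, remove C:\Qoobox) and the reinfecting thumbdrive can be handled from a script as well. The PowerShell below is an added example, not code from Baabiouz or the thread: the three paths are the ones named in the post, while the function names, the -Remove switch and the removable-drive check are my own additions. C:\Qoobox is ComboFix's quarantine folder, which is why the Kaspersky report lists the .vir copies inside it. Run it without -Remove first so it only reports what is present and which Hidden/System attributes keep Explorer from showing it.

```powershell
# Added example, not from the thread. Paths are the ones Baabiouz listed;
# function names, the -Remove switch and the removable-drive check are assumptions.
# Run without -Remove first: it then only reports what it finds.
param([switch]$Remove)

# Files and folder named in the post. C:\Qoobox is ComboFix's quarantine folder.
$targets = 'C:\Start.exe', 'D:\Start.exe', 'C:\Qoobox'

function Show-Target {
    param([string]$Path)
    # -Force makes Get-Item return Hidden and System items, which Explorer hides
    # until "Show hidden files and folders" is enabled as described in the post.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { Write-Host "not present: $Path"; return $null }
    $kind = if ($item.PSIsContainer) { 'folder' } else { "$($item.Length) bytes" }
    Write-Host "found: $Path [$kind] attributes=$($item.Attributes)"
    return $item
}

function Remove-Target {
    param([System.IO.FileSystemInfo]$Item)
    # -Force lets Remove-Item delete hidden, system and read-only items;
    # -Recurse is needed for the quarantine folder.
    Remove-Item -LiteralPath $Item.FullName -Recurse -Force
    Write-Host "removed: $($Item.FullName)"
}

function Find-RootExecutables {
    # The post says the thumbdrive picks up Start.exe every time it is plugged in.
    # List executables and autorun.inf (not mentioned in the thread, but the file
    # Windows XP reads from a drive root when media is inserted) at the root of
    # every removable drive, so a reinfected stick is visible before anything runs.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $root = $_.DeviceID + '\'
        Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and
                           $_.Name -match '\.(exe|com|scr|pif|bat|cmd)$|^autorun\.inf$' } |
            ForEach-Object { Write-Host "removable root item: $($_.FullName) attributes=$($_.Attributes)" }
    }
}

foreach ($path in $targets) {
    $item = Show-Target $path
    if ($item -and $Remove) { Remove-Target $item }
}
Find-RootExecutables
```

Plug the thumbdrive in before running so the D:\Start.exe check and the removable-drive listing see it; as in the post, Sophos on the other machine would otherwise quarantine the file before it can be inspected here.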
This topic has been archived due to inactivity.
As it has been five days or more since your last post, this topic has been archived and will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread.
Applies only to the original poster, anyone else with similar problems please start a new topic.
Thank you Baabiouz. :)