View Full Version : cmdService Help
Marvelous007
2008-11-18, 00:24
Hey,
I was just experiencing some slowdowns on my computer and decided to run Spybot check. It came up with several issues that were easily fixed. But cmdService could not be removed even after the program requested to run after a restart. Here is my HJT File. Thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:18:30 PM, on 11/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\dXNlcg\command.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\DrvMon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Documents and Settings\user\Application Data\gadcom\gadcom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ncnttsdl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BIND SUPPORT SEEK FIRST] C:\Documents and Settings\All Users\Application Data\dumb pure bind support\link manager.exe
O4 - HKLM\..\Run: [media poll bib first] C:\Documents and Settings\All Users\Application Data\up creative first dumb\Date Grim Team.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kqavmauuntaw] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\dysmsnjuqslhnpv.dll"
O4 - HKLM\..\Run: [{5F-F5-5F-F3-DW}] c:\windows\system32\dwwnw64r.exe DWmmm01FF
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [Intra Bike] C:\DOCUME~1\user\APPLIC~1\slowlist\Mix Bash Coal.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\user\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ncnttsdl.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\dwwnw64r.exe
O4 - Global Startup: Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218296795078
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O20 - AppInit_DLLs: pcaqvx.dll dwhjsy.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dXNlcg\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 8927 bytes
Hi Marvelous007
Looking over your log, it seems you don't have any evidence of an anti-virus software.
Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:
1) Antivir PersonalEdition Classic (http://www.free-av.com/)- Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.homepage) - Free edition of the AVG anti-virus program for Windows.
You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.
After that, rename HijackThis.exe to Marvelous007.exe and post back a fresh HijackThis log, please :)
Marvelous007
2008-11-20, 00:26
Hey!
Well I downloaded AntiVir and installed it. It was giving me a pop up every so often saying I had TR/Vundo.fyd.21. So I ran Spybot and a Kaspersky in safe mode and thought I managed to reduce some problems. After restarting in regular mode I ran Spybot and it keeps detecting Virtumonde, even after I fix it with Spybot. I only ran the steps above because my computer became so unstable I could not even open Firefox.
Here is my HijackThis file after renaming to Marvelous007.exe. Thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:19:58 PM, on 11/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\DrvMon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BIND SUPPORT SEEK FIRST] C:\Documents and Settings\All Users\Application Data\dumb pure bind support\link manager.exe
O4 - HKLM\..\Run: [media poll bib first] C:\Documents and Settings\All Users\Application Data\up creative first dumb\Date Grim Team.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kqavmauuntaw] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\dysmsnjuqslhnpv.dll"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [Intra Bike] C:\DOCUME~1\user\APPLIC~1\slowlist\Mix Bash Coal.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\user\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - Global Startup: Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218296795078
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O20 - AppInit_DLLs: pcaqvx.dll dwhjsy.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 8582 bytes
Marvelous007
2008-11-20, 00:31
Hey I just read your post again and I realized I only renamed the shortcut to HijackThis.exe. So i went into the program file and renamed it to Marvelous007.exe and created a log. Here it is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:41 PM, on 11/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\DrvMon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Marvelous007.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {10BAFF9B-E6DB-4B9D-9D4E-EA8F3CB1ADED} - C:\WINDOWS\system32\mlJDvusR.dll
O2 - BHO: netupbanner browser enhancer - {3E093889-A8E8-B9DF-A1CF-E9AEDB4A0FE7} - C:\WINDOWS\system32\dysmsnjuqslhnpv.dll (file missing)
O2 - BHO: agadoo browser optimizer - {41e28ddb-ab53-f0fa-ae43-1675f6b802a8} - C:\WINDOWS\system32\ynhduzpdar.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63D19E9D-E380-4910-A13D-AF21E149624D} - (no file)
O2 - BHO: (no name) - {73259091-9574-4ED8-A40F-7F65AFC28634} - C:\WINDOWS\system32\mlJDvSLE.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: mysidesearch search enhancer - {89786c04-cf6f-dc6a-178c-fa881cb0675c} - C:\WINDOWS\system32\cgybkeyqhsxqe.dll (file missing)
O2 - BHO: {2831a1f0-024d-324a-9354-5afab5b58be8} - {8eb85b5b-afa5-4539-a423-d4200f1a1382} - C:\WINDOWS\system32\dwhjsy.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BIND SUPPORT SEEK FIRST] C:\Documents and Settings\All Users\Application Data\dumb pure bind support\link manager.exe
O4 - HKLM\..\Run: [media poll bib first] C:\Documents and Settings\All Users\Application Data\up creative first dumb\Date Grim Team.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kqavmauuntaw] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\dysmsnjuqslhnpv.dll"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [Intra Bike] C:\DOCUME~1\user\APPLIC~1\slowlist\Mix Bash Coal.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\user\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - Global Startup: Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218296795078
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O20 - AppInit_DLLs: pcaqvx.dll dwhjsy.dll
O20 - Winlogon Notify: mlJDvSLE - mlJDvSLE.dll (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 10035 bytes
There are multiple infections present. Let's start with this:
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
Marvelous007
2008-11-20, 19:11
Hey, I downloaded ComboFix, disabled my AntiVirus and my AntiSpyware and ran the file. It downloaded Windows Recovery Console and scanned my computer, restarted and created a log file. Here it is:
ComboFix 08-11-19.08 - user 2008-11-20 11:44:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.561 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\user\Application Data\gadcom
c:\documents and settings\user\Application Data\inst.exe
c:\documents and settings\user\Desktop\Videos.url
c:\documents and settings\user\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\user\Local Settings\Temporary Internet Files\sph264.dll
c:\documents and settings\user\Local Settings\Temporary Internet Files\spmpeg4.dll
c:\documents and settings\user\Local Settings\Temporary Internet Files\sptheo.dll
c:\documents and settings\user\Local Settings\Temporary Internet Files\StreamPlug.dll
C:\Documents
c:\windows\system32\bjfmiphv.ini
c:\windows\system32\ckijgvrs.ini
c:\windows\system32\iodlyi.dll
c:\windows\system32\m1
c:\windows\system32\mlJDvusR.dll
c:\windows\system32\MSINET.oca
c:\windows\system32\rloobrft.ini
c:\windows\system32\RsuvDJlm.ini
c:\windows\system32\RsuvDJlm.ini2
c:\windows\system32\tfrboolr.dll
c:\windows\system32\tqljfhtc.dll
c:\windows\system32\winpfz33.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.
2008-11-19 09:26 . 2008-11-19 09:26 <DIR> d-------- C:\VundoFix Backups
2008-11-19 09:18 . 2008-11-19 11:04 488 --a------ c:\windows\wininit.ini
2008-11-18 18:57 . 2008-11-18 18:58 <DIR> d-------- c:\documents and settings\Administrator
2008-11-18 13:38 . 2008-11-18 13:38 <DIR> d-------- c:\program files\Avira
2008-11-18 13:38 . 2008-11-18 13:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-11-17 14:23 . 2008-11-17 14:23 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-17 14:23 . 2008-11-17 14:23 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-17 14:23 . 2008-11-17 14:23 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-17 14:23 . 2008-11-17 14:23 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-17 14:07 . 2008-11-17 17:01 64,859 --a------ c:\windows\system32\fayqhusytjjvhqzbr.exe
2008-11-17 12:40 . 2008-11-17 12:40 <DIR> d-------- c:\program files\Trend Micro
2008-11-17 00:10 . 2008-11-17 00:10 90,915 --a------ c:\windows\system32\cgybkeyqhsxqe.dll-uninst.exe
2008-11-17 00:09 . 2008-11-18 17:48 <DIR> d-------- c:\windows\system32\sys3
2008-11-17 00:09 . 2008-11-18 17:48 <DIR> d-------- c:\windows\system32\sX3i19
2008-11-17 00:09 . 2008-11-18 17:48 <DIR> d-------- c:\windows\system32\ES
2008-11-17 00:09 . 2008-11-17 00:09 <DIR> d-------- c:\windows\system32\emi
2008-11-17 00:09 . 2008-11-17 00:09 <DIR> d-------- c:\temp\PRE45
2008-11-17 00:09 . 2008-11-17 15:01 <DIR> d-------- C:\Temp
2008-11-17 00:09 . 2008-11-17 00:09 79,094 --a------ c:\windows\system32\dxxntgbdovynrgzcx.exe
2008-10-27 13:08 . 2008-10-27 13:08 <DIR> d-------- c:\program files\Codebox
2008-10-27 13:08 . 2008-10-27 13:10 <DIR> d-------- c:\documents and settings\user\Application Data\Bitmeter2
2008-10-27 13:08 . 2008-11-20 11:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Bitmeter2
2008-10-21 00:11 . 2008-10-21 00:11 <DIR> d-------- c:\program files\CDisplay
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 16:35 --------- d-----w c:\program files\mIRC
2008-11-20 01:59 --------- d-----w c:\documents and settings\user\Application Data\Hamachi
2008-11-20 01:59 --------- d-----w c:\documents and settings\user\Application Data\dvdcss
2008-11-20 00:49 --------- d-----w c:\program files\Warcraft III
2008-11-18 20:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-17 21:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-17 19:03 --------- d-s---w c:\program files\Xfire
2008-11-17 19:03 --------- d-----w c:\program files\HollywoodPoker
2008-11-17 19:03 --------- d-----w c:\documents and settings\user\Application Data\Xfire
2008-11-17 18:59 --------- d-----w c:\program files\Java
2008-11-04 21:58 --------- d-----w c:\program files\PokerStars
2008-11-04 21:41 --------- d-----w c:\documents and settings\user\Application Data\uTorrent
2008-10-22 07:56 --------- d-----w c:\program files\DivX
2008-10-04 15:40 --------- d-----w c:\program files\iTunes
2008-10-04 15:40 --------- d-----w c:\program files\iPod
2008-10-04 15:40 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-27 23:14 --------- d-----w c:\documents and settings\user\Application Data\U3
2008-09-24 15:49 --------- d-----w c:\documents and settings\user\Application Data\ByteOMeter
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2007-08-16 14:54 47,360 ----a-w c:\documents and settings\user\Application Data\pcouffin.sys
2007-04-08 23:34 18,224 ----a-w c:\documents and settings\user\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DrvMon.exe"="c:\windows\System32\DrvMon.exe" [2004-11-29 53248]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-11-17 171464]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-03 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2008-10-11 1462272]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pcaqvx.dll dwhjsy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= c:\windows\System32\ir32_32.dll
"vidc.iv32"= c:\windows\System32\ir32_32.dll
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"VIDC.XFR1"= xfcodec.dll
"vidc.ir41"= c:\windows\System32\ir41_32.ax
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 02:56 1667584 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\user\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
S3 cmudau32;C-Media USB UDA Sound Interface;c:\windows\system32\drivers\cmudaxu.sys [2007-11-09 1414528]
S3 mamotou;mamotou;c:\windows\system32\DRIVERS\mamotou.sys [2007-02-17 49399]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 xbreader;ActionReplay XBox Driver (xbreader.sys);c:\windows\system32\Drivers\xbreader.sys [2007-08-30 19677]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4eedc15-8036-11dd-8233-0007e98f97d6}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2008-11-20 c:\windows\Tasks\ADD2B54A918D2892.job
- c:\docume~1\user\applic~1\slowlist\64 sect hide.exe []
2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -
BHO-{10BAFF9B-E6DB-4B9D-9D4E-EA8F3CB1ADED} - c:\windows\system32\mlJDvusR.dll
BHO-{3E093889-A8E8-B9DF-A1CF-E9AEDB4A0FE7} - c:\windows\system32\dysmsnjuqslhnpv.dll
BHO-{41e28ddb-ab53-f0fa-ae43-1675f6b802a8} - c:\windows\system32\ynhduzpdar.dll
BHO-{63D19E9D-E380-4910-A13D-AF21E149624D} - (no file)
BHO-{73259091-9574-4ED8-A40F-7F65AFC28634} - (no file)
BHO-{89786c04-cf6f-dc6a-178c-fa881cb0675c} - c:\windows\system32\cgybkeyqhsxqe.dll
BHO-{8eb85b5b-afa5-4539-a423-d4200f1a1382} - c:\windows\system32\dwhjsy.dll
HKCU-Run-Intra Bike - c:\docume~1\user\APPLIC~1\slowlist\Mix Bash Coal.exe
HKCU-Run-Veoh - c:\program files\Veoh Networks\Veoh\VeohClient.exe
HKLM-Run-BIND SUPPORT SEEK FIRST - c:\documents and settings\All Users\Application Data\dumb pure bind support\link manager.exe
HKLM-Run-media poll bib first - c:\documents and settings\All Users\Application Data\up creative first dumb\Date Grim Team.exe
HKLM-Run-kqavmauuntaw - c:\windows\system32\dysmsnjuqslhnpv.dll
HKLM-Run-CmUsbSound - cmcnfgu.cpl
Notify-mlJDvSLE - mlJDvSLE.dll
MSConfigStartUp-InternetCalls - c:\program files\InternetCalls.com\InternetCalls\InternetCalls.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\l2x2yqkk.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.ca/ig?hl=en
FF -: plugin - c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPStreamPlug.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 11:52:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-20 12:04:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-20 17:03:56
Pre-Run: 3,095,019,520 bytes free
Post-Run: 3,040,419,840 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
224 --- E O F --- 2007-08-02 23:56:03
I then ran HijackThis (renamed to Marvelous007.exe). Here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:18 PM, on 11/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\DrvMon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\Marvelous007.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218296795078
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O20 - AppInit_DLLs: pcaqvx.dll dwhjsy.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 8842 bytes
Thanks.
We will continue with this:
Disable resident protections (Antivirus...); you'll re-enable them after the scan
DownloadLop S&D here (http://eric.71.mespages.googlepages.com/LopSD.exe)
Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (C:\lopR.txt)
Marvelous007
2008-11-21, 05:19
I disabled AntiVirus and AntiSpyware and ran the search. Here is the log:
--------------------\\ Lop S&D 4.2.4-9c XP/Vista
Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2
X86-based PC ( Multiprocessor Free : Intel(R) Pentium(R) 4 CPU 2.60GHz )
BIOS : Default System BIOS
USER : user ( Administrator )
BOOT : Normal boot
Antivirus : Avira AntiVir PersonalEdition 8.0.1.30 (Not Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:38 Go (Free:0 Go)
D:\ (CD or DVD) - UDF - Total:6 Go (Free:0 Go)
F:\ (CD or DVD)
"C:\Lop SD" ( MAJ : 01-11-2008|16:30 )
Option : [1] ( Thu 11/20/2008|22:15 )
--------------------\\ Listing folders in APPLIC~1
[11/18/2008|08:25] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Adobe
[11/18/2008|08:25] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Macromedia
[11/18/2008|08:26] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
[11/18/2008|07:56] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Mozilla
[11/18/2008|08:26] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Sun
[10/04/2008|10:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[08/16/2007|09:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> 1Click DVD Copy
[08/09/2008|11:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[03/29/2008|03:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple
[08/09/2008|11:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[11/18/2008|01:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Avira
[11/20/2008|10:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Bitmeter2
[05/07/2008|12:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> CanonBJ
[01/10/2007|02:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Creative
[08/10/2008|10:00] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> InstallShield
[04/07/2008|10:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Kaspersky Lab
[03/13/2007|08:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[06/26/2008|11:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NexonUS
[02/12/2007|10:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NVIDIA
[02/22/2007|10:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> nView_Profiles
[08/11/2008|03:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Roxio
[08/10/2008|10:00] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Sonic
[11/17/2008|04:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
[10/28/2007|10:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TEMP
[08/24/2007|12:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Trymedia
[08/09/2008|10:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[01/10/2007|12:00] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft
[11/17/2008|08:47] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Macromedia
[01/10/2007|12:00] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft
[11/17/2008|02:03] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Mozilla
[08/10/2008|10:07] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Roxio
[01/10/2007|12:00] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft
[04/02/2008|12:09] C:\DOCUME~1\user\APPLIC~1\<DIR> Activision
[12/06/2007|09:01] C:\DOCUME~1\user\APPLIC~1\<DIR> Adobe
[01/21/2007|02:00] C:\DOCUME~1\user\APPLIC~1\<DIR> Apple Computer
[03/22/2007|08:17] C:\DOCUME~1\user\APPLIC~1\<DIR> Azureus
[10/27/2008|01:10] C:\DOCUME~1\user\APPLIC~1\<DIR> Bitmeter2
[09/24/2008|10:49] C:\DOCUME~1\user\APPLIC~1\<DIR> ByteOMeter
[03/01/2007|02:23] C:\DOCUME~1\user\APPLIC~1\<DIR> CyberLink
[11/20/2008|01:49] C:\DOCUME~1\user\APPLIC~1\<DIR> dvdcss
[08/31/2007|09:42] C:\DOCUME~1\user\APPLIC~1\<DIR> FlashFXP
[05/06/2007|09:08] C:\DOCUME~1\user\APPLIC~1\<DIR> gtk-2.0
[11/20/2008|07:21] C:\DOCUME~1\user\APPLIC~1\<DIR> Hamachi
[08/15/2007|09:27] C:\DOCUME~1\user\APPLIC~1\<DIR> Help
[01/10/2007|12:09] C:\DOCUME~1\user\APPLIC~1\<DIR> Identities
[09/04/2007|10:38] C:\DOCUME~1\user\APPLIC~1\<DIR> ImgBurn
[04/05/2007|09:48] C:\DOCUME~1\user\APPLIC~1\<DIR> InternetCalls
[02/13/2007|03:45] C:\DOCUME~1\user\APPLIC~1\<DIR> Leadertech
[05/11/2008|08:11] C:\DOCUME~1\user\APPLIC~1\<DIR> LimeWire
[01/21/2007|01:44] C:\DOCUME~1\user\APPLIC~1\<DIR> Macromedia
[08/09/2008|11:30] C:\DOCUME~1\user\APPLIC~1\<DIR> Microsoft
[06/17/2008|05:32] C:\DOCUME~1\user\APPLIC~1\<DIR> Mozilla
[02/28/2007|10:28] C:\DOCUME~1\user\APPLIC~1\<DIR> Real
[08/10/2008|10:05] C:\DOCUME~1\user\APPLIC~1\<DIR> Research In Motion
[08/10/2008|10:07] C:\DOCUME~1\user\APPLIC~1\<DIR> Roxio
[08/02/2007|11:17] C:\DOCUME~1\user\APPLIC~1\<DIR> slowlist
[11/24/2007|01:57] C:\DOCUME~1\user\APPLIC~1\<DIR> Smartsims
[10/28/2007|10:13] C:\DOCUME~1\user\APPLIC~1\<DIR> SpinTop
[03/21/2007|06:46] C:\DOCUME~1\user\APPLIC~1\<DIR> Sun
[12/11/2007|12:25] C:\DOCUME~1\user\APPLIC~1\<DIR> SystemRequirementsLab
[06/08/2008|12:44] C:\DOCUME~1\user\APPLIC~1\<DIR> teamspeak2
[09/27/2008|06:14] C:\DOCUME~1\user\APPLIC~1\<DIR> U3
[11/04/2008|04:41] C:\DOCUME~1\user\APPLIC~1\<DIR> uTorrent
[07/27/2007|11:34] C:\DOCUME~1\user\APPLIC~1\<DIR> Ventrilo
[05/21/2007|12:08] C:\DOCUME~1\user\APPLIC~1\<DIR> vlc
[08/16/2007|09:54] C:\DOCUME~1\user\APPLIC~1\<DIR> Vso
[11/17/2008|02:03] C:\DOCUME~1\user\APPLIC~1\<DIR> Xfire
--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks
[11/15/2008 11:35 AM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[11/20/2008 10:00 PM][--ah-----] C:\WINDOWS\tasks\ADD2B54A918D2892.job
[11/20/2008 11:50 AM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[09/03/2002 02:48 PM][-r-h-----] C:\WINDOWS\tasks\desktop.ini
( ADD2B54A918D2892.job )=( c:\docume~1\user\applic~1\slowlist\64secthide.exe )
--------------------\\ Listing Folders in C:\Program Files
[05/21/2007|12:11] C:\Program Files\<DIR> 3wPlayer
[08/09/2008|11:32] C:\Program Files\<DIR> Adobe
[08/16/2007|09:33] C:\Program Files\<DIR> Ahead
[07/11/2007|11:20] C:\Program Files\<DIR> Alcohol Soft
[09/11/2008|10:16] C:\Program Files\<DIR> Apple Software Update
[11/18/2008|01:38] C:\Program Files\<DIR> Avira
[09/11/2008|09:49] C:\Program Files\<DIR> Bonjour
[10/21/2008|12:11] C:\Program Files\<DIR> CDisplay
[07/30/2008|11:49] C:\Program Files\<DIR> Cedelia
[11/09/2007|12:06] C:\Program Files\<DIR> C-Media USB Sound
[10/27/2008|01:08] C:\Program Files\<DIR> Codebox
[11/20/2008|11:46] C:\Program Files\<DIR> Common Files
[01/10/2007|11:57] C:\Program Files\<DIR> ComPlus Applications
[01/10/2007|02:15] C:\Program Files\<DIR> Creative
[01/10/2007|02:18] C:\Program Files\<DIR> CyberLink
[11/21/2007|12:39] C:\Program Files\<DIR> DAEMON Tools
[08/30/2007|04:18] C:\Program Files\<DIR> Datel
[09/03/2008|10:45] C:\Program Files\<DIR> Debugging Tools for Windows (x86)
[04/02/2008|09:15] C:\Program Files\<DIR> Dell
[03/29/2008|03:38] C:\Program Files\<DIR> Deusty
[10/22/2008|02:56] C:\Program Files\<DIR> DivX
[03/25/2008|03:38] C:\Program Files\<DIR> EA GAMES
[12/13/2007|08:57] C:\Program Files\<DIR> EA SPORTS
[11/17/2008|02:23] C:\Program Files\<DIR> File Scanner Library (Spybot - Search & Destroy)
[08/31/2007|11:52] C:\Program Files\<DIR> FlashFXP
[05/06/2007|08:38] C:\Program Files\<DIR> GIMP-2.0
[11/20/2008|12:17] C:\Program Files\<DIR> Gravity
[01/28/2008|07:16] C:\Program Files\<DIR> Hamachi
[11/17/2008|02:03] C:\Program Files\<DIR> HollywoodPoker
[09/04/2007|10:35] C:\Program Files\<DIR> ImgBurn
[10/14/2007|01:01] C:\Program Files\<DIR> Infogrames
[11/20/2008|12:17] C:\Program Files\<DIR> InstallShield Installation Information
[01/10/2007|02:01] C:\Program Files\<DIR> Intel
[08/10/2008|02:48] C:\Program Files\<DIR> Internet Explorer
[10/04/2008|10:40] C:\Program Files\<DIR> iPod
[10/04/2008|10:40] C:\Program Files\<DIR> iTunes
[11/17/2008|01:59] C:\Program Files\<DIR> Java
[03/16/2007|08:31] C:\Program Files\<DIR> LimeWire
[03/11/2007|06:11] C:\Program Files\<DIR> Logitech
[08/10/2008|02:48] C:\Program Files\<DIR> Messenger
[01/22/2007|09:39] C:\Program Files\<DIR> Microsoft ActiveSync
[01/10/2007|12:00] C:\Program Files\<DIR> microsoft frontpage
[01/22/2007|09:38] C:\Program Files\<DIR> Microsoft Office
[09/01/2008|11:46] C:\Program Files\<DIR> Microsoft Silverlight
[11/20/2008|11:35] C:\Program Files\<DIR> mIRC
[11/17/2008|02:23] C:\Program Files\<DIR> Misc. Support Library (Spybot - Search & Destroy)
[08/11/2007|07:08] C:\Program Files\<DIR> Mobile Action
[08/10/2008|02:48] C:\Program Files\<DIR> Movie Maker
[11/20/2008|05:21] C:\Program Files\<DIR> Mozilla Firefox
[01/10/2007|11:56] C:\Program Files\<DIR> MSN
[01/10/2007|11:56] C:\Program Files\<DIR> MSN Gaming Zone
[08/09/2008|11:31] C:\Program Files\<DIR> MSN Messenger
[08/10/2008|02:48] C:\Program Files\<DIR> NetMeeting
[01/10/2007|11:59] C:\Program Files\<DIR> Online Services
[08/10/2008|02:48] C:\Program Files\<DIR> Outlook Express
[11/04/2008|04:58] C:\Program Files\<DIR> PokerStars
[09/16/2007|06:39] C:\Program Files\<DIR> Project64 1.6
[09/11/2008|09:48] C:\Program Files\<DIR> QuickTime
[02/03/2007|05:38] C:\Program Files\<DIR> Real
[11/04/2007|09:24] C:\Program Files\<DIR> RealVNC
[08/11/2008|03:27] C:\Program Files\<DIR> Research In Motion
[05/20/2008|07:46] C:\Program Files\<DIR> RocketDock
[08/11/2008|03:31] C:\Program Files\<DIR> Roxio
[09/11/2008|09:52] C:\Program Files\<DIR> Safari
[11/17/2008|02:23] C:\Program Files\<DIR> SDHelper (Spybot - Search & Destroy)
[10/04/2007|12:24] C:\Program Files\<DIR> SmartSims
[09/07/2008|04:15] C:\Program Files\<DIR> SopCast
[07/21/2008|02:41] C:\Program Files\<DIR> SpeedFan
[11/18/2008|03:04] C:\Program Files\<DIR> Spybot - Search & Destroy
[07/31/2008|01:27] C:\Program Files\<DIR> Steam
[01/21/2007|07:20] C:\Program Files\<DIR> Teamspeak2_RC2
[11/17/2008|02:23] C:\Program Files\<DIR> TeaTimer (Spybot - Search & Destroy)
[11/17/2008|12:40] C:\Program Files\<DIR> Trend Micro
[01/10/2007|12:09] C:\Program Files\<DIR> Uninstall Information
[03/06/2008|03:17] C:\Program Files\<DIR> Ventrilo
[05/21/2007|12:07] C:\Program Files\<DIR> VideoLAN
[11/20/2008|06:34] C:\Program Files\<DIR> Warcraft III
[05/06/2008|10:48] C:\Program Files\<DIR> WC3Banlist
[08/10/2008|02:48] C:\Program Files\<DIR> Windows Media Player
[08/10/2008|02:48] C:\Program Files\<DIR> Windows NT
[01/22/2007|07:21] C:\Program Files\<DIR> WindowsUpdate
[12/27/2007|12:53] C:\Program Files\<DIR> WinPcap
[08/15/2007|09:27] C:\Program Files\<DIR> WinRAR
[08/30/2007|07:05] C:\Program Files\<DIR> XBCD
[01/10/2007|12:00] C:\Program Files\<DIR> xerox
[11/17/2008|02:03] C:\Program Files\<DIR> Xfire
--------------------\\ Listing Folders in C:\Program Files\Common Files
[08/09/2008|11:33] C:\Program Files\Common Files\<DIR> Adobe
[08/16/2007|09:33] C:\Program Files\Common Files\<DIR> Ahead
[08/09/2008|11:35] C:\Program Files\Common Files\<DIR> Apple
[07/19/2008|04:59] C:\Program Files\Common Files\<DIR> Blizzard Entertainment
[01/22/2007|09:38] C:\Program Files\Common Files\<DIR> Designer
[05/06/2007|08:37] C:\Program Files\Common Files\<DIR> GTK
[05/30/2008|10:11] C:\Program Files\Common Files\<DIR> INCA Shared
[08/10/2008|09:57] C:\Program Files\Common Files\<DIR> InstallShield
[03/16/2007|08:26] C:\Program Files\Common Files\<DIR> Java
[04/21/2007|09:19] C:\Program Files\Common Files\<DIR> L&H
[07/01/2008|08:30] C:\Program Files\Common Files\<DIR> Microsoft Shared
[08/11/2007|07:05] C:\Program Files\Common Files\<DIR> Motorola Shared
[01/10/2007|11:58] C:\Program Files\Common Files\<DIR> MSSoap
[01/10/2007|06:36] C:\Program Files\Common Files\<DIR> ODBC
[02/03/2007|05:38] C:\Program Files\Common Files\<DIR> Real
[03/11/2007|06:12] C:\Program Files\Common Files\<DIR> Remote Control Software Shared
[08/11/2008|03:28] C:\Program Files\Common Files\<DIR> Research In Motion
[08/11/2008|03:32] C:\Program Files\Common Files\<DIR> Roxio Shared
[01/10/2007|11:58] C:\Program Files\Common Files\<DIR> Services
[08/11/2008|03:30] C:\Program Files\Common Files\<DIR> Sonic Shared
[01/10/2007|06:36] C:\Program Files\Common Files\<DIR> SpeechEngines
[08/10/2008|02:47] C:\Program Files\Common Files\<DIR> System
[03/06/2008|03:15] C:\Program Files\Common Files\<DIR> Wise Installation Wizard
[02/03/2007|05:38] C:\Program Files\Common Files\<DIR> xing shared
--------------------\\ Process
( 37 Processes )
... OK !
--------------------\\ Searching with S_Lop
No Lop folder found !
--------------------\\ Searching for Lop Files - Folders
C:\DOCUME~1\user\APPLIC~1\slowlist
C:\Program Files\3wPlayer
C:\DOCUME~1\user\Cookies\user@adopt.euroclick[1].txt
C:\DOCUME~1\user\Cookies\user@partypoker[2].txt
C:\WINDOWS\Tasks\ADD2B54A918D2892.job
--------------------\\ Searching within the Registry
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
..... OK !
--------------------\\ Checking the Hosts file
Hosts file CLEAN
--------------------\\ Searching for hidden files with Catchme
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 22:16:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 2
--------------------\\ Searching for other infections
--------------------\\ Cracks & Keygens ..
C:\DOCUME~1\user\Desktop\Warcraft_3_1.21a_no-cd_cracks_and_online_play.3714028.TPB.torrent
C:\DOCUME~1\user\Recent\Warcraft_3_1.21a_no-cd_cracks_and_online_play.3714028.TPB.torrent.lnk
[F:1][D:1]-> C:\DOCUME~1\user\LOCALS~1\Temp
[F:86][D:0]-> C:\DOCUME~1\user\Cookies
[F:97][D:4]-> C:\DOCUME~1\user\LOCALS~1\TEMPOR~1\content.IE5
1 - "C:\Lop SD\LopR_1.txt" - Thu 11/20/2008|22:18 - Option : [1]
--------------------\\ Scan completed at 22:18:29
Restart Lop S&D
This time choose Option 3 (Fix - Hosts)
Don't close the window during suppression!
Post the log which is created: (C:\lopR.txt)
Marvelous007
2008-11-22, 01:07
Here is the log file:
--------------------\\ Lop S&D 4.2.4-9c XP/Vista
Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2
X86-based PC ( Multiprocessor Free : Intel(R) Pentium(R) 4 CPU 2.60GHz )
BIOS : Default System BIOS
USER : user ( Administrator )
BOOT : Normal boot
Antivirus : Avira AntiVir PersonalEdition 8.0.1.30 (Not Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:38 Go (Free:0 Go)
D:\ (CD or DVD) - UDF - Total:6 Go (Free:0 Go)
F:\ (CD or DVD)
"C:\Lop SD" ( MAJ : 01-11-2008|16:30 )
Option : [3] ( Fri 11/21/2008|18:02 )
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ FIX
Deleted! - C:\DOCUME~1\user\Cookies\user@adopt.euroclick[1].txt
Deleted! - C:\DOCUME~1\user\Cookies\user@partypoker[2].txt
Deleted! - C:\WINDOWS\Tasks\ADD2B54A918D2892.job
Deleted! - C:\DOCUME~1\user\APPLIC~1\slowlist
Deleted! - C:\Program Files\3wPlayer
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
--------------------\\ Listing folders in APPLIC~1
[11/18/2008|08:25] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Adobe
[11/18/2008|08:25] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Macromedia
[11/18/2008|08:26] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
[11/18/2008|07:56] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Mozilla
[11/18/2008|08:26] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Sun
[10/04/2008|10:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[08/16/2007|09:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> 1Click DVD Copy
[08/09/2008|11:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[03/29/2008|03:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple
[08/09/2008|11:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[11/18/2008|01:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Avira
[11/21/2008|06:01] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Bitmeter2
[05/07/2008|12:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> CanonBJ
[01/10/2007|02:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Creative
[08/10/2008|10:00] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> InstallShield
[04/07/2008|10:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Kaspersky Lab
[03/13/2007|08:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[06/26/2008|11:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NexonUS
[02/12/2007|10:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NVIDIA
[02/22/2007|10:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> nView_Profiles
[08/11/2008|03:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Roxio
[08/10/2008|10:00] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Sonic
[11/17/2008|04:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
[10/28/2007|10:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TEMP
[08/24/2007|12:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Trymedia
[08/09/2008|10:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[01/10/2007|12:00] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft
[11/17/2008|08:47] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Macromedia
[01/10/2007|12:00] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft
[11/17/2008|02:03] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Mozilla
[08/10/2008|10:07] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Roxio
[01/10/2007|12:00] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft
[04/02/2008|12:09] C:\DOCUME~1\user\APPLIC~1\<DIR> Activision
[12/06/2007|09:01] C:\DOCUME~1\user\APPLIC~1\<DIR> Adobe
[01/21/2007|02:00] C:\DOCUME~1\user\APPLIC~1\<DIR> Apple Computer
[03/22/2007|08:17] C:\DOCUME~1\user\APPLIC~1\<DIR> Azureus
[10/27/2008|01:10] C:\DOCUME~1\user\APPLIC~1\<DIR> Bitmeter2
[09/24/2008|10:49] C:\DOCUME~1\user\APPLIC~1\<DIR> ByteOMeter
[03/01/2007|02:23] C:\DOCUME~1\user\APPLIC~1\<DIR> CyberLink
[11/20/2008|01:49] C:\DOCUME~1\user\APPLIC~1\<DIR> dvdcss
[08/31/2007|09:42] C:\DOCUME~1\user\APPLIC~1\<DIR> FlashFXP
[05/06/2007|09:08] C:\DOCUME~1\user\APPLIC~1\<DIR> gtk-2.0
[11/21/2008|02:20] C:\DOCUME~1\user\APPLIC~1\<DIR> Hamachi
[08/15/2007|09:27] C:\DOCUME~1\user\APPLIC~1\<DIR> Help
[01/10/2007|12:09] C:\DOCUME~1\user\APPLIC~1\<DIR> Identities
[09/04/2007|10:38] C:\DOCUME~1\user\APPLIC~1\<DIR> ImgBurn
[04/05/2007|09:48] C:\DOCUME~1\user\APPLIC~1\<DIR> InternetCalls
[02/13/2007|03:45] C:\DOCUME~1\user\APPLIC~1\<DIR> Leadertech
[05/11/2008|08:11] C:\DOCUME~1\user\APPLIC~1\<DIR> LimeWire
[01/21/2007|01:44] C:\DOCUME~1\user\APPLIC~1\<DIR> Macromedia
[08/09/2008|11:30] C:\DOCUME~1\user\APPLIC~1\<DIR> Microsoft
[06/17/2008|05:32] C:\DOCUME~1\user\APPLIC~1\<DIR> Mozilla
[02/28/2007|10:28] C:\DOCUME~1\user\APPLIC~1\<DIR> Real
[08/10/2008|10:05] C:\DOCUME~1\user\APPLIC~1\<DIR> Research In Motion
[08/10/2008|10:07] C:\DOCUME~1\user\APPLIC~1\<DIR> Roxio
[11/24/2007|01:57] C:\DOCUME~1\user\APPLIC~1\<DIR> Smartsims
[10/28/2007|10:13] C:\DOCUME~1\user\APPLIC~1\<DIR> SpinTop
[03/21/2007|06:46] C:\DOCUME~1\user\APPLIC~1\<DIR> Sun
[12/11/2007|12:25] C:\DOCUME~1\user\APPLIC~1\<DIR> SystemRequirementsLab
[06/08/2008|12:44] C:\DOCUME~1\user\APPLIC~1\<DIR> teamspeak2
[09/27/2008|06:14] C:\DOCUME~1\user\APPLIC~1\<DIR> U3
[11/04/2008|04:41] C:\DOCUME~1\user\APPLIC~1\<DIR> uTorrent
[07/27/2007|11:34] C:\DOCUME~1\user\APPLIC~1\<DIR> Ventrilo
[05/21/2007|12:08] C:\DOCUME~1\user\APPLIC~1\<DIR> vlc
[08/16/2007|09:54] C:\DOCUME~1\user\APPLIC~1\<DIR> Vso
[11/17/2008|02:03] C:\DOCUME~1\user\APPLIC~1\<DIR> Xfire
--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks
[11/15/2008 11:35 AM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[11/20/2008 11:50 AM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[09/03/2002 02:48 PM][-r-h-----] C:\WINDOWS\tasks\desktop.ini
--------------------\\ Listing Folders in C:\Program Files
[08/09/2008|11:32] C:\Program Files\<DIR> Adobe
[08/16/2007|09:33] C:\Program Files\<DIR> Ahead
[07/11/2007|11:20] C:\Program Files\<DIR> Alcohol Soft
[09/11/2008|10:16] C:\Program Files\<DIR> Apple Software Update
[11/18/2008|01:38] C:\Program Files\<DIR> Avira
[09/11/2008|09:49] C:\Program Files\<DIR> Bonjour
[10/21/2008|12:11] C:\Program Files\<DIR> CDisplay
[07/30/2008|11:49] C:\Program Files\<DIR> Cedelia
[11/09/2007|12:06] C:\Program Files\<DIR> C-Media USB Sound
[10/27/2008|01:08] C:\Program Files\<DIR> Codebox
[11/20/2008|11:46] C:\Program Files\<DIR> Common Files
[01/10/2007|11:57] C:\Program Files\<DIR> ComPlus Applications
[01/10/2007|02:15] C:\Program Files\<DIR> Creative
[01/10/2007|02:18] C:\Program Files\<DIR> CyberLink
[11/21/2007|12:39] C:\Program Files\<DIR> DAEMON Tools
[08/30/2007|04:18] C:\Program Files\<DIR> Datel
[09/03/2008|10:45] C:\Program Files\<DIR> Debugging Tools for Windows (x86)
[04/02/2008|09:15] C:\Program Files\<DIR> Dell
[03/29/2008|03:38] C:\Program Files\<DIR> Deusty
[10/22/2008|02:56] C:\Program Files\<DIR> DivX
[03/25/2008|03:38] C:\Program Files\<DIR> EA GAMES
[12/13/2007|08:57] C:\Program Files\<DIR> EA SPORTS
[11/17/2008|02:23] C:\Program Files\<DIR> File Scanner Library (Spybot - Search & Destroy)
[08/31/2007|11:52] C:\Program Files\<DIR> FlashFXP
[05/06/2007|08:38] C:\Program Files\<DIR> GIMP-2.0
[11/20/2008|12:17] C:\Program Files\<DIR> Gravity
[01/28/2008|07:16] C:\Program Files\<DIR> Hamachi
[11/17/2008|02:03] C:\Program Files\<DIR> HollywoodPoker
[09/04/2007|10:35] C:\Program Files\<DIR> ImgBurn
[10/14/2007|01:01] C:\Program Files\<DIR> Infogrames
[11/20/2008|12:17] C:\Program Files\<DIR> InstallShield Installation Information
[01/10/2007|02:01] C:\Program Files\<DIR> Intel
[08/10/2008|02:48] C:\Program Files\<DIR> Internet Explorer
[10/04/2008|10:40] C:\Program Files\<DIR> iPod
[10/04/2008|10:40] C:\Program Files\<DIR> iTunes
[11/17/2008|01:59] C:\Program Files\<DIR> Java
[03/16/2007|08:31] C:\Program Files\<DIR> LimeWire
[03/11/2007|06:11] C:\Program Files\<DIR> Logitech
[08/10/2008|02:48] C:\Program Files\<DIR> Messenger
[01/22/2007|09:39] C:\Program Files\<DIR> Microsoft ActiveSync
[01/10/2007|12:00] C:\Program Files\<DIR> microsoft frontpage
[01/22/2007|09:38] C:\Program Files\<DIR> Microsoft Office
[09/01/2008|11:46] C:\Program Files\<DIR> Microsoft Silverlight
[11/20/2008|11:35] C:\Program Files\<DIR> mIRC
[11/17/2008|02:23] C:\Program Files\<DIR> Misc. Support Library (Spybot - Search & Destroy)
[08/11/2007|07:08] C:\Program Files\<DIR> Mobile Action
[08/10/2008|02:48] C:\Program Files\<DIR> Movie Maker
[11/21/2008|05:59] C:\Program Files\<DIR> Mozilla Firefox
[01/10/2007|11:56] C:\Program Files\<DIR> MSN
[01/10/2007|11:56] C:\Program Files\<DIR> MSN Gaming Zone
[08/09/2008|11:31] C:\Program Files\<DIR> MSN Messenger
[08/10/2008|02:48] C:\Program Files\<DIR> NetMeeting
[01/10/2007|11:59] C:\Program Files\<DIR> Online Services
[08/10/2008|02:48] C:\Program Files\<DIR> Outlook Express
[11/04/2008|04:58] C:\Program Files\<DIR> PokerStars
[09/16/2007|06:39] C:\Program Files\<DIR> Project64 1.6
[09/11/2008|09:48] C:\Program Files\<DIR> QuickTime
[02/03/2007|05:38] C:\Program Files\<DIR> Real
[11/04/2007|09:24] C:\Program Files\<DIR> RealVNC
[08/11/2008|03:27] C:\Program Files\<DIR> Research In Motion
[05/20/2008|07:46] C:\Program Files\<DIR> RocketDock
[08/11/2008|03:31] C:\Program Files\<DIR> Roxio
[09/11/2008|09:52] C:\Program Files\<DIR> Safari
[11/17/2008|02:23] C:\Program Files\<DIR> SDHelper (Spybot - Search & Destroy)
[10/04/2007|12:24] C:\Program Files\<DIR> SmartSims
[09/07/2008|04:15] C:\Program Files\<DIR> SopCast
[07/21/2008|02:41] C:\Program Files\<DIR> SpeedFan
[11/18/2008|03:04] C:\Program Files\<DIR> Spybot - Search & Destroy
[07/31/2008|01:27] C:\Program Files\<DIR> Steam
[01/21/2007|07:20] C:\Program Files\<DIR> Teamspeak2_RC2
[11/17/2008|02:23] C:\Program Files\<DIR> TeaTimer (Spybot - Search & Destroy)
[11/17/2008|12:40] C:\Program Files\<DIR> Trend Micro
[01/10/2007|12:09] C:\Program Files\<DIR> Uninstall Information
[03/06/2008|03:17] C:\Program Files\<DIR> Ventrilo
[05/21/2007|12:07] C:\Program Files\<DIR> VideoLAN
[11/21/2008|05:34] C:\Program Files\<DIR> Warcraft III
[05/06/2008|10:48] C:\Program Files\<DIR> WC3Banlist
[08/10/2008|02:48] C:\Program Files\<DIR> Windows Media Player
[08/10/2008|02:48] C:\Program Files\<DIR> Windows NT
[01/22/2007|07:21] C:\Program Files\<DIR> WindowsUpdate
[12/27/2007|12:53] C:\Program Files\<DIR> WinPcap
[08/15/2007|09:27] C:\Program Files\<DIR> WinRAR
[08/30/2007|07:05] C:\Program Files\<DIR> XBCD
[01/10/2007|12:00] C:\Program Files\<DIR> xerox
[11/17/2008|02:03] C:\Program Files\<DIR> Xfire
--------------------\\ Listing Folders in C:\Program Files\Common Files
[08/09/2008|11:33] C:\Program Files\Common Files\<DIR> Adobe
[08/16/2007|09:33] C:\Program Files\Common Files\<DIR> Ahead
[08/09/2008|11:35] C:\Program Files\Common Files\<DIR> Apple
[07/19/2008|04:59] C:\Program Files\Common Files\<DIR> Blizzard Entertainment
[01/22/2007|09:38] C:\Program Files\Common Files\<DIR> Designer
[05/06/2007|08:37] C:\Program Files\Common Files\<DIR> GTK
[05/30/2008|10:11] C:\Program Files\Common Files\<DIR> INCA Shared
[08/10/2008|09:57] C:\Program Files\Common Files\<DIR> InstallShield
[03/16/2007|08:26] C:\Program Files\Common Files\<DIR> Java
[04/21/2007|09:19] C:\Program Files\Common Files\<DIR> L&H
[07/01/2008|08:30] C:\Program Files\Common Files\<DIR> Microsoft Shared
[08/11/2007|07:05] C:\Program Files\Common Files\<DIR> Motorola Shared
[01/10/2007|11:58] C:\Program Files\Common Files\<DIR> MSSoap
[01/10/2007|06:36] C:\Program Files\Common Files\<DIR> ODBC
[02/03/2007|05:38] C:\Program Files\Common Files\<DIR> Real
[03/11/2007|06:12] C:\Program Files\Common Files\<DIR> Remote Control Software Shared
[08/11/2008|03:28] C:\Program Files\Common Files\<DIR> Research In Motion
[08/11/2008|03:32] C:\Program Files\Common Files\<DIR> Roxio Shared
[01/10/2007|11:58] C:\Program Files\Common Files\<DIR> Services
[08/11/2008|03:30] C:\Program Files\Common Files\<DIR> Sonic Shared
[01/10/2007|06:36] C:\Program Files\Common Files\<DIR> SpeechEngines
[08/10/2008|02:47] C:\Program Files\Common Files\<DIR> System
[03/06/2008|03:15] C:\Program Files\Common Files\<DIR> Wise Installation Wizard
[02/03/2007|05:38] C:\Program Files\Common Files\<DIR> xing shared
--------------------\\ Process
( 34 Processes )
... OK !
--------------------\\ Searching with S_Lop
No Lop folder found !
--------------------\\ Searching for Lop Files - Folders
No Lop folder found !
--------------------\\ Searching within the Registry
..... OK !
--------------------\\ Checking the Hosts file
Hosts file CLEAN
--------------------\\ Searching for hidden files with Catchme
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-21 18:03:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 2
--------------------\\ Searching for other infections
--------------------\\ Cracks & Keygens ..
C:\DOCUME~1\user\Desktop\Warcraft_3_1.21a_no-cd_cracks_and_online_play.3714028.TPB.torrent
C:\DOCUME~1\user\Recent\Warcraft_3_1.21a_no-cd_cracks_and_online_play.3714028.TPB.torrent.lnk
[F:84][D:0]-> C:\DOCUME~1\user\Cookies
[F:100][D:4]-> C:\DOCUME~1\user\LOCALS~1\TEMPOR~1\content.IE5
1 - "C:\Lop SD\LopR_1.txt" - Thu 11/20/2008|22:18 - Option : [1]
2 - "C:\Lop SD\LopR_2.txt" - Fri 11/21/2008|18:04 - Option : [3]
--------------------\\ Scan completed at 18:04:30
Before I ran this I got a couple alerts from AntiVir saying vundo was detected. Just thought u should know. Thanks.
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
You will now be presented with a screen similar to the one below:
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
Marvelous007
2008-11-22, 18:33
Here is the list:
ActionReplay Xbox
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player
Advertisement Service
Ahead Nero Burning ROM
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Battlefield 2(TM)
BitMeter
BlackBerry Desktop Software 4.5
BlackBerry Desktop Software 4.5
Bonjour
Canon i320
CDisplay 1.8
C-Media USB Sound
Debugging Tools for Windows (x86)
Dell ResourceCD
DivX Web Player
EA SPORTS online 2008
FlashFXP v3
GTK+ 2.10.6-1 runtime environment
Hamachi 1.0.2.5
HijackThis 2.0.2
HollywoodPoker.com (remove only)
ImgBurn (Remove Only)
Intel(R) PRO Network Adapters and Drivers
iTunes
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
Java(TM) 6 Update 2
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Kaspersky Online Scanner
LimeWire PRO 4.9.41
Logitech Harmony Remote Software 7
Microsoft .NET Framework 2.0
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
MikesBikes-Intro
mIRC
MobileMe Control Panel
Mojo
Motorola Driver Installation
Motorola PEBL U6-RAZR V3 USB - Handset Manager V9.5
Mozilla Firefox (3.0.4)
MSXML 6.0 Parser
MySidesearch Search Assistant Bfinding
NVIDIA Drivers
OpenSSL 0.9.8g
PokerStars
PowerDVD
Project64 1.6
QuickTime
RagnarokOnline
RealPlayer
RocketDock 1.3.5
RON Tool Netupbanner
Roxio Media Manager
Safari
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB920683)
SopCast 2.0.2
Sound Blaster Live!
SpeechRedist
SpeedFan (remove only)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
StreamPlug Player
TeamSpeak 2 RC2
The GIMP 2.2.13
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Ventrilo Client
VeohTV BETA
VideoLAN VLC media player 0.8.6b
VNC Free Edition 4.1.2
WC3Banlist
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
WinPcap 3.1
WinRAR archiver
WoWscape Server Browser
XBCD 1.07
Xfire (remove only)
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
LimeWire PRO 4.9.41
I'd like you to read the this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Uninstall also these:
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1
Please run a new uninstall list scan when finished and post the log back here.
Marvelous007
2008-11-23, 13:24
Here is the new uninstall log:
ActionReplay Xbox
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player
Advertisement Service
Ahead Nero Burning ROM
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Battlefield 2(TM)
BitMeter
BlackBerry Desktop Software 4.5
BlackBerry Desktop Software 4.5
Bonjour
Canon i320
CDisplay 1.8
C-Media USB Sound
Debugging Tools for Windows (x86)
Dell ResourceCD
DivX Web Player
EA SPORTS online 2008
FlashFXP v3
GTK+ 2.10.6-1 runtime environment
Hamachi 1.0.2.5
HijackThis 2.0.2
HollywoodPoker.com (remove only)
ImgBurn (Remove Only)
Intel(R) PRO Network Adapters and Drivers
iTunes
Java(TM) 6 Update 7
Kaspersky Online Scanner
Logitech Harmony Remote Software 7
Microsoft .NET Framework 2.0
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
MikesBikes-Intro
mIRC
MobileMe Control Panel
Mojo
Motorola Driver Installation
Motorola PEBL U6-RAZR V3 USB - Handset Manager V9.5
Mozilla Firefox (3.0.4)
MSXML 6.0 Parser
MySidesearch Search Assistant Bfinding
NVIDIA Drivers
OpenSSL 0.9.8g
PokerStars
PowerDVD
Project64 1.6
QuickTime
RagnarokOnline
RealPlayer
RocketDock 1.3.5
RON Tool Netupbanner
Roxio Media Manager
Safari
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB920683)
SopCast 2.0.2
Sound Blaster Live!
SpeechRedist
SpeedFan (remove only)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
StreamPlug Player
TeamSpeak 2 RC2
The GIMP 2.2.13
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Ventrilo Client
VeohTV BETA
VideoLAN VLC media player 0.8.6b
VNC Free Edition 4.1.2
WC3Banlist
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
WinPcap 3.1
WinRAR archiver
WoWscape Server Browser
XBCD 1.07
Xfire (remove only)
Uninstall also these:
Advertisement Service
MySidesearch Search Assistant Bfinding
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
Open notepad and copy/paste the text in the codebox below into it:
File::
c:\windows\system32\fayqhusytjjvhqzbr.exe
c:\windows\system32\cgybkeyqhsxqe.dll-uninst.exe
c:\windows\system32\dxxntgbdovynrgzcx.exe
Folder::
c:\windows\system32\sys3
c:\windows\system32\sX3i19
c:\windows\system32\ES
c:\windows\system32\emi
c:\temp\PRE45
c:\documents and settings\user\Application Data\uTorrent
c:\documents and settings\user\Application Data\LimeWire
C:\Program Files\LimeWire
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Marvelous007
2008-11-24, 17:49
I disabled Tea timer and AntiVirus then rebooted, then created the CFScript file and dragged it over ComboFix. It scanned and produced a log file without requiring restart. I also created a new HijackThis log then reenabled my local protections. Here are the logs:
ComboFix 08-11-19.08 - user 2008-11-24 10:36:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.666 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\system32\cgybkeyqhsxqe.dll-uninst.exe
c:\windows\system32\dxxntgbdovynrgzcx.exe
c:\windows\system32\fayqhusytjjvhqzbr.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\user\Application Data\LimeWire
c:\documents and settings\user\Application Data\LimeWire\.NetworkShare\LimeWireWin4.16.6.exe
c:\documents and settings\user\Application Data\LimeWire\49splashpro.png
c:\documents and settings\user\Application Data\LimeWire\createtimes.cache
c:\documents and settings\user\Application Data\LimeWire\fileurns.bak
c:\documents and settings\user\Application Data\LimeWire\fileurns.cache
c:\documents and settings\user\Application Data\LimeWire\filters.props
c:\documents and settings\user\Application Data\LimeWire\gnutella.net
c:\documents and settings\user\Application Data\LimeWire\installation.props
c:\documents and settings\user\Application Data\LimeWire\library.dat
c:\documents and settings\user\Application Data\LimeWire\limewire.props
c:\documents and settings\user\Application Data\LimeWire\pub1.key
c:\documents and settings\user\Application Data\LimeWire\public.key
c:\documents and settings\user\Application Data\LimeWire\questions.props
c:\documents and settings\user\Application Data\LimeWire\simpp.xml
c:\documents and settings\user\Application Data\LimeWire\spam.dat
c:\documents and settings\user\Application Data\LimeWire\tables.props
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme.lwtp
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\01_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\02_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\03_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\04_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\05_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\chat.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\dir_closed.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\dir_open.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\forward_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\forward_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\kill.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\kill_on.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\lime.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\logo.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\notsearching.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\pause_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\pause_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\play_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\play_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\question.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\rewind_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\rewind_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\searching.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\splash.png
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\stop_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\stop_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\theme.txt
c:\documents and settings\user\Application Data\LimeWire\themes\black_theme\warning.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme.lwtp
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\01_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\02_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\03_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\04_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\05_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\chat.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\dir_closed.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\dir_open.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\forward_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\forward_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\kill.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\logo.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\notsearching.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\pause_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\pause_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\play_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\play_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\question.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\rewind_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\rewind_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\search.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\searching.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\splash.png
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\stop_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\stop_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\theme.txt
c:\documents and settings\user\Application Data\LimeWire\themes\classic_theme\warning.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme.lwtp
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\01_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\02_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\03_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\04_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\05_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\chat.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\dir_closed.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\dir_open.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\forward_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\forward_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\kill.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\kill_on.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\lime.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\logo.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\notsearching.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\pause_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\pause_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\play_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\play_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\question.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\rewind_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\rewind_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\searching.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\splash.png
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\stop_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\stop_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\theme.txt
c:\documents and settings\user\Application Data\LimeWire\themes\limewire_theme\warning.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme.lwtp
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\01_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\02_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\03_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\04_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\05_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\chat.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\dir_closed.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\dir_open.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\forward_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\forward_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\kill.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\kill_on.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\lime.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\logo.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\notsearching.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\pause_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\pause_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\play_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\play_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\question.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\rewind_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\rewind_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\searching.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\splash.png
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\stop_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\stop_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\theme.txt
c:\documents and settings\user\Application Data\LimeWire\themes\limewirePro_theme\warning.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme.lwtp
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\01_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\02_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\03_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\04_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\05_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\chat.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\forward_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\forward_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\kill.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\kill_on.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\logo.png
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\notsearching.png
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\pause_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\pause_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\play_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\play_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\question.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\rewind_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\rewind_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\searching.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\splash.png
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\stop_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\stop_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\theme.txt
c:\documents and settings\user\Application Data\LimeWire\themes\other_theme\warning.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\logo.png
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\notsearching.png
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\searching.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\splash.png
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\user\Application Data\LimeWire\ttree.cache
c:\documents and settings\user\Application Data\LimeWire\update.xml
c:\documents and settings\user\Application Data\LimeWire\version.key
c:\documents and settings\user\Application Data\LimeWire\version.xml
c:\documents and settings\user\Application Data\LimeWire\xml\data\audio.sxml
c:\documents and settings\user\Application Data\LimeWire\xml\data\delete_me
c:\documents and settings\user\Application Data\LimeWire\xml\data\video.sxml
c:\documents and settings\user\Application Data\LimeWire\xml\misc\application.gif
c:\documents and settings\user\Application Data\LimeWire\xml\misc\audio.gif
c:\documents and settings\user\Application Data\LimeWire\xml\misc\document.gif
c:\documents and settings\user\Application Data\LimeWire\xml\misc\image.gif
c:\documents and settings\user\Application Data\LimeWire\xml\misc\video.gif
c:\documents and settings\user\Application Data\LimeWire\xml\schemas\application.xsd
c:\documents and settings\user\Application Data\LimeWire\xml\schemas\audio.xsd
c:\documents and settings\user\Application Data\LimeWire\xml\schemas\document.xsd
c:\documents and settings\user\Application Data\LimeWire\xml\schemas\image.xsd
c:\documents and settings\user\Application Data\LimeWire\xml\schemas\video.xsd
c:\documents and settings\user\Application Data\uTorrent
c:\documents and settings\user\Application Data\uTorrent\Agent.Cody.Banks.2003.Swesub.DVDRip.Xvid-monica112.torrent
c:\documents and settings\user\Application Data\uTorrent\Batman - The Killing Joke.cbr.torrent
c:\documents and settings\user\Application Data\uTorrent\Batman Begins - Soundtrack [2005].rar.torrent
c:\documents and settings\user\Application Data\uTorrent\batman_the_killing_joke_deluxe_edition_marsh07.rar.torrent
c:\documents and settings\user\Application Data\uTorrent\Blade Runner The final cut KLAXXON.torrent
c:\documents and settings\user\Application Data\uTorrent\Boiler.Room.2000.iNT.DVDRip.XViD-EXT.torrent
c:\documents and settings\user\Application Data\uTorrent\Dead Poets Society.avi.torrent
c:\documents and settings\user\Application Data\uTorrent\dht.dat
c:\documents and settings\user\Application Data\uTorrent\dht.dat.old
c:\documents and settings\user\Application Data\uTorrent\Ennio Morricone.torrent
c:\documents and settings\user\Application Data\uTorrent\Entourage S03E19 HDTV XviD-LOL.torrent
c:\documents and settings\user\Application Data\uTorrent\GReYs aNaToMy (S04).torrent
c:\documents and settings\user\Application Data\uTorrent\Harry.Potter.And.The.Order.Of.The.Phoenix[2007]DvDrip[Eng]-aXXo.torrent
c:\documents and settings\user\Application Data\uTorrent\How_I_Met_Your_Mother.S03E18.Rebound_Bro.HDTV_XviD-FoV.[MFD].avi.torrent
c:\documents and settings\user\Application Data\uTorrent\LOST - Complete Season 3 (x264-AAC-mkv).torrent
c:\documents and settings\user\Application Data\uTorrent\Lost 4x06 The Other Woman PROPER HDTV XviD-FoV [btarena.org].avi.torrent
c:\documents and settings\user\Application Data\uTorrent\Lost.S04E01.HDTV.XviD-XOR.avi.torrent
c:\documents and settings\user\Application Data\uTorrent\Lost.S04E02.HDTV.XviD-2HD.avi.torrent
c:\documents and settings\user\Application Data\uTorrent\Lost.S04E03.HDTV.XviD-XOR.avi.torrent
c:\documents and settings\user\Application Data\uTorrent\Lost.S04E04.REPACK.HDTV.XviD-0TV.torrent
c:\documents and settings\user\Application Data\uTorrent\Lost.S04E05.HDTV[Www.Yestorrent.Com].torrent
c:\documents and settings\user\Application Data\uTorrent\Lost.S04E06.HDTV.XviD-2HD [btarena.org].avi.torrent
c:\documents and settings\user\Application Data\uTorrent\Lost.S04E06.The.Other.Woman.PROPER.HDTV.XviD-FoV.[www.torrentfive.com].torrent
c:\documents and settings\user\Application Data\uTorrent\Lost.S04E13-E14.HDTV.XviD-2HD.avi.torrent
c:\documents and settings\user\Application Data\uTorrent\Lost_Season02_Episodes_01-24.1.torrent
c:\documents and settings\user\Application Data\uTorrent\Lost_Season02_Episodes_01-24.2.torrent
c:\documents and settings\user\Application Data\uTorrent\Lost_Season02_Episodes_01-24.torrent
c:\documents and settings\user\Application Data\uTorrent\Marvel.Ultimate.Alliance.[XBOX][ProjectX][BlackDivX.org].torrent
c:\documents and settings\user\Application Data\uTorrent\Marvel.Ultimate.Alliance.PROPER-RELOADED.1.torrent
c:\documents and settings\user\Application Data\uTorrent\Marvel.Ultimate.Alliance.PROPER-RELOADED.torrent
c:\documents and settings\user\Application Data\uTorrent\Microsoft Office 2007 Complete Version + CD Key.torrent
c:\documents and settings\user\Application Data\uTorrent\Microsoft Office Enterprise 2007 (VOXIGEN@mininova.org).torrent
c:\documents and settings\user\Application Data\uTorrent\MILF Hunter - Ryan(FULL).asf.torrent
c:\documents and settings\user\Application Data\uTorrent\Moby.rar.torrent
c:\documents and settings\user\Application Data\uTorrent\MS.Office.2007.Enterprise.Complete.XP.Vista-HeartBug.torrent
c:\documents and settings\user\Application Data\uTorrent\NBA_Live_08-HATRED.torrent
c:\documents and settings\user\Application Data\uTorrent\No.Country.For.Old.Men.2007.DvDRip.Eng-FxM.torrent
c:\documents and settings\user\Application Data\uTorrent\Reggae Gold 2007.www.lokotorrents.com.torrent
c:\documents and settings\user\Application Data\uTorrent\resume.dat
c:\documents and settings\user\Application Data\uTorrent\resume.dat.old
c:\documents and settings\user\Application Data\uTorrent\rss.dat
c:\documents and settings\user\Application Data\uTorrent\rss.dat.old
c:\documents and settings\user\Application Data\uTorrent\Season 2.1.torrent
c:\documents and settings\user\Application Data\uTorrent\Season 2.torrent
c:\documents and settings\user\Application Data\uTorrent\settings.dat
c:\documents and settings\user\Application Data\uTorrent\settings.dat.old
c:\documents and settings\user\Application Data\uTorrent\Smallville.S07E09.PROPER.HDTV.XviD-XOR.avi.torrent
c:\documents and settings\user\Application Data\uTorrent\smallville.s07e10.real.proper.hdtv.xvid-notv.[VTV].avi.torrent
c:\documents and settings\user\Application Data\uTorrent\Smallville.S07E11.REPACK.PROPER.HDTV.XviD-2HD.avi.torrent
c:\documents and settings\user\Application Data\uTorrent\Smallville.S07E12.PROPER.HDTV.XviD-XOR.torrent
c:\documents and settings\user\Application Data\uTorrent\Smallville.S07E13.HDTV.XviD-NoTV.avi.torrent
c:\documents and settings\user\Application Data\uTorrent\Smallville.S07E14.HDTV.XviD-NoTV.avi.torrent
c:\documents and settings\user\Application Data\uTorrent\Smallville.S07E15.HDTV.XviD-XOR.avi.torrent
c:\documents and settings\user\Application Data\uTorrent\Softmod.Installer.Deluxe.v5.0.Xbox-Hq.torrent
c:\documents and settings\user\Application Data\uTorrent\Softmod.Installer.Deluxe.v5.01.Xbox-Hq.torrent
c:\documents and settings\user\Application Data\uTorrent\Soul_Calibur_II_USA_XBOX-ProjectX.torrent
c:\documents and settings\user\Application Data\uTorrent\System.Shock.2.PC.Game.[FROSTY].iso.torrent
c:\documents and settings\user\Application Data\uTorrent\The Big Bang Theory - Season 1.torrent
c:\documents and settings\user\Application Data\uTorrent\The Notorious B.I.G. Discography.torrent
c:\documents and settings\user\Application Data\uTorrent\The Office Season 3 US.torrent
c:\documents and settings\user\Application Data\uTorrent\The.Namesake.2006.PROPER.DVDRip.XviD-AFO.torrent
c:\documents and settings\user\Application Data\uTorrent\The_Game_-_L.A.X._[Explicit_Retail_08]-FOZZYDABEAR.torrent
c:\documents and settings\user\Application Data\uTorrent\There.Will.Be.Blood.REPACK.DVDSCR.XViD-mVs.torrent
c:\documents and settings\user\Application Data\uTorrent\Top Gear - [12x01] - 2008.11.02 [RiVER].avi.torrent
c:\documents and settings\user\Application Data\uTorrent\Top Gear - [12x02] - 2008.11.09 [AFFiNiTY].avi.torrent
c:\documents and settings\user\Application Data\uTorrent\Top Gear - [12x03] - 2008.11.16 [RiVER].avi.torrent
c:\documents and settings\user\Application Data\uTorrent\UT2004.zip.torrent
c:\documents and settings\user\Application Data\uTorrent\utorrent.lng
c:\documents and settings\user\Application Data\uTorrent\Warcraft III Reign of Chaos, The Frozen Throne + Update Patch War3TFT_121b_English +CD Key.torrent
c:\documents and settings\user\Application Data\uTorrent\Watchmen - complete.rar.torrent
c:\documents and settings\user\Application Data\uTorrent\Wedding Daze[2008]DvDrip[Eng]-FXG.torrent
c:\documents and settings\user\Application Data\uTorrent\XBOX Krayzie Ndure SOFTMOD Pack.torrent
c:\documents and settings\user\Application Data\uTorrent\Y - The Last Man.torrent
c:\program files\LimeWire
c:\program files\LimeWire\log.txt
c:\temp\PRE45
c:\temp\PRE45\pG8.log
c:\windows\system32\dxxntgbdovynrgzcx.exe
c:\windows\system32\emi
c:\windows\system32\ES
c:\windows\system32\fayqhusytjjvhqzbr.exe
c:\windows\system32\sX3i19
c:\windows\system32\sys3
.
((((((((((((((((((((((((( Files Created from 2008-10-24 to 2008-11-24 )))))))))))))))))))))))))))))))
.
2008-11-20 22:15 . 2008-11-21 18:04 <DIR> d-------- C:\Lop SD
2008-11-20 12:17 . 2008-11-20 12:17 <DIR> d-------- c:\program files\Gravity
2008-11-19 09:26 . 2008-11-19 09:26 <DIR> d-------- C:\VundoFix Backups
2008-11-19 09:18 . 2008-11-19 11:04 488 --a------ c:\windows\wininit.ini
2008-11-18 18:57 . 2008-11-18 18:58 <DIR> d-------- c:\documents and settings\Administrator
2008-11-18 13:38 . 2008-11-18 13:38 <DIR> d-------- c:\program files\Avira
2008-11-18 13:38 . 2008-11-18 13:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-11-17 14:23 . 2008-11-17 14:23 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-17 14:23 . 2008-11-17 14:23 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-17 14:23 . 2008-11-17 14:23 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-17 14:23 . 2008-11-17 14:23 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-17 12:40 . 2008-11-17 12:40 <DIR> d-------- c:\program files\Trend Micro
2008-11-17 00:09 . 2008-11-24 10:37 <DIR> d-------- C:\Temp
2008-10-27 13:08 . 2008-10-27 13:08 <DIR> d-------- c:\program files\Codebox
2008-10-27 13:08 . 2008-10-27 13:10 <DIR> d-------- c:\documents and settings\user\Application Data\Bitmeter2
2008-10-27 13:08 . 2008-11-24 10:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Bitmeter2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-24 04:31 --------- d-----w c:\documents and settings\user\Application Data\dvdcss
2008-11-24 04:24 --------- d-----w c:\program files\Warcraft III
2008-11-23 02:11 --------- d-----w c:\documents and settings\user\Application Data\Hamachi
2008-11-23 02:10 --------- d-----w c:\program files\Java
2008-11-20 17:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-20 16:35 --------- d-----w c:\program files\mIRC
2008-11-18 20:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-17 21:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-17 19:03 --------- d-s---w c:\program files\Xfire
2008-11-17 19:03 --------- d-----w c:\program files\HollywoodPoker
2008-11-17 19:03 --------- d-----w c:\documents and settings\user\Application Data\Xfire
2008-11-04 21:58 --------- d-----w c:\program files\PokerStars
2008-10-22 07:56 --------- d-----w c:\program files\DivX
2008-10-21 05:11 --------- d-----w c:\program files\CDisplay
2008-10-04 15:40 --------- d-----w c:\program files\iTunes
2008-10-04 15:40 --------- d-----w c:\program files\iPod
2008-10-04 15:40 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-27 23:14 --------- d-----w c:\documents and settings\user\Application Data\U3
2008-09-24 15:49 --------- d-----w c:\documents and settings\user\Application Data\ByteOMeter
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2007-08-16 14:54 47,360 ----a-w c:\documents and settings\user\Application Data\pcouffin.sys
2007-04-08 23:34 18,224 ----a-w c:\documents and settings\user\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DrvMon.exe"="c:\windows\System32\DrvMon.exe" [2004-11-29 53248]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-11-17 171464]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-03 185896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2008-10-11 1462272]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pcaqvx.dll dwhjsy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= c:\windows\System32\ir32_32.dll
"vidc.iv32"= c:\windows\System32\ir32_32.dll
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"VIDC.XFR1"= xfcodec.dll
"vidc.ir41"= c:\windows\System32\ir41_32.ax
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 02:56 1667584 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\user\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
S3 cmudau32;C-Media USB UDA Sound Interface;c:\windows\system32\drivers\cmudaxu.sys [2007-11-09 1414528]
S3 mamotou;mamotou;c:\windows\system32\DRIVERS\mamotou.sys [2007-02-17 49399]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 xbreader;ActionReplay XBox Driver (xbreader.sys);c:\windows\system32\Drivers\xbreader.sys [2007-08-30 19677]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4eedc15-8036-11dd-8233-0007e98f97d6}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-24 10:39:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-11-24 10:43:15
ComboFix-quarantined-files.txt 2008-11-24 15:42:13
ComboFix2.txt 2008-11-20 17:04:01
Pre-Run: 1,548,902,400 bytes free
Post-Run: 1,581,948,928 bytes free
426 --- E O F --- 2007-08-02 23:56:03
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:36 AM, on 11/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\DrvMon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Marvelous007.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218296795078
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O20 - AppInit_DLLs: pcaqvx.dll dwhjsy.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 8570 bytes
Thanks.
Another round is needed:
Open notepad and copy/paste the text in the codebox below into it:
File::
c:\Documents and Settings\user\Desktop\utorrent.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\user\\Desktop\\utorrent.exe"=-
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Marvelous007
2008-11-24, 21:43
Here is the ComboFix Log:
ComboFix 08-11-19.08 - user 2008-11-24 14:29:18.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.629 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\documents and settings\user\Desktop\utorrent.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\user\Desktop\utorrent.exe
.
((((((((((((((((((((((((( Files Created from 2008-10-24 to 2008-11-24 )))))))))))))))))))))))))))))))
.
2008-11-24 10:50 . 2008-11-24 11:01 <DIR> d-------- c:\documents and settings\user\Application Data\uTorrent
2008-11-20 22:15 . 2008-11-21 18:04 <DIR> d-------- C:\Lop SD
2008-11-20 12:17 . 2008-11-20 12:17 <DIR> d-------- c:\program files\Gravity
2008-11-19 09:26 . 2008-11-19 09:26 <DIR> d-------- C:\VundoFix Backups
2008-11-19 09:18 . 2008-11-19 11:04 488 --a------ c:\windows\wininit.ini
2008-11-18 18:57 . 2008-11-18 18:58 <DIR> d-------- c:\documents and settings\Administrator
2008-11-18 13:38 . 2008-11-18 13:38 <DIR> d-------- c:\program files\Avira
2008-11-18 13:38 . 2008-11-18 13:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-11-17 14:23 . 2008-11-17 14:23 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-17 14:23 . 2008-11-17 14:23 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-17 14:23 . 2008-11-17 14:23 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-17 14:23 . 2008-11-17 14:23 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-17 12:40 . 2008-11-17 12:40 <DIR> d-------- c:\program files\Trend Micro
2008-11-17 00:09 . 2008-11-24 10:37 <DIR> d-------- C:\Temp
2008-10-27 13:08 . 2008-10-27 13:08 <DIR> d-------- c:\program files\Codebox
2008-10-27 13:08 . 2008-10-27 13:10 <DIR> d-------- c:\documents and settings\user\Application Data\Bitmeter2
2008-10-27 13:08 . 2008-11-24 14:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Bitmeter2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-24 18:23 --------- d-----w c:\program files\Warcraft III
2008-11-24 04:31 --------- d-----w c:\documents and settings\user\Application Data\dvdcss
2008-11-23 02:11 --------- d-----w c:\documents and settings\user\Application Data\Hamachi
2008-11-23 02:10 --------- d-----w c:\program files\Java
2008-11-20 17:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-20 16:35 --------- d-----w c:\program files\mIRC
2008-11-18 20:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-17 21:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-17 19:03 --------- d-s---w c:\program files\Xfire
2008-11-17 19:03 --------- d-----w c:\program files\HollywoodPoker
2008-11-17 19:03 --------- d-----w c:\documents and settings\user\Application Data\Xfire
2008-11-04 21:58 --------- d-----w c:\program files\PokerStars
2008-10-22 07:56 --------- d-----w c:\program files\DivX
2008-10-21 05:11 --------- d-----w c:\program files\CDisplay
2008-10-04 15:40 --------- d-----w c:\program files\iTunes
2008-10-04 15:40 --------- d-----w c:\program files\iPod
2008-10-04 15:40 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-27 23:14 --------- d-----w c:\documents and settings\user\Application Data\U3
2008-09-24 15:49 --------- d-----w c:\documents and settings\user\Application Data\ByteOMeter
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2007-08-16 14:54 47,360 ----a-w c:\documents and settings\user\Application Data\pcouffin.sys
2007-04-08 23:34 18,224 ----a-w c:\documents and settings\user\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DrvMon.exe"="c:\windows\System32\DrvMon.exe" [2004-11-29 53248]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-11-17 171464]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-03 185896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2008-10-11 1462272]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= c:\windows\System32\ir32_32.dll
"vidc.iv32"= c:\windows\System32\ir32_32.dll
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"VIDC.XFR1"= xfcodec.dll
"vidc.ir41"= c:\windows\System32\ir41_32.ax
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 02:56 1667584 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 cmudau32;C-Media USB UDA Sound Interface;c:\windows\system32\drivers\cmudaxu.sys [2007-11-09 1414528]
S3 mamotou;mamotou;c:\windows\system32\DRIVERS\mamotou.sys [2007-02-17 49399]
S3 xbreader;ActionReplay XBox Driver (xbreader.sys);c:\windows\system32\Drivers\xbreader.sys [2007-08-30 19677]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4eedc15-8036-11dd-8233-0007e98f97d6}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-24 14:32:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-11-24 14:35:38
ComboFix-quarantined-files.txt 2008-11-24 19:34:34
ComboFix2.txt 2008-11-24 15:43:17
ComboFix3.txt 2008-11-20 17:04:01
Pre-Run: 1,538,293,760 bytes free
Post-Run: 1,520,709,632 bytes free
139 --- E O F --- 2007-08-02 23:56:03
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:50 PM, on 11/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\DrvMon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Marvelous007.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218296795078
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 8526 bytes
Delete this folder:
c:\documents and settings\user\Application Data\uTorrent
Empty Recycle Bin.
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)
Marvelous007
2008-11-25, 19:55
Here is the Kaspersky Log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, November 25, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, November 24, 2008 19:40:58
Records in database: 1409941
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 62693
Threat name: 2
Infected objects: 17
Suspicious objects: 0
Duration of the scan: 01:54:00
File name / Threat name / Threats count
C:\Program Files\RealVNC\VNC4\WinVNC4.exe/C:\Program Files\RealVNC\VNC4\WinVNC4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Documents and Settings\user\Desktop\Software Upstairs\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
C:\Documents and Settings\user\Desktop\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
C:\Media\Software\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
C:\Media\Software\vnc-4_1_2-x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
The selected area was scanned.
HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:49 PM, on 11/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\DrvMon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\HijackThis\Marvelous007.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218296795078
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 8530 bytes
Thanks.
Logs look fine.
Kaspersky findings are no threats.
Still problems?
Marvelous007
2008-11-25, 22:29
Nope everything looks fine and i'm having no problems. I'm just wondering how you learned to inspect these logs(specifically HJT)?
I was trained here (http://www.malwareremoval.com/university.php) and now teach others in that school :)
Still some issues or are you ready for final instructions?
Marvelous007
2008-11-26, 10:01
Nothing is wrong! Everything is back to normal and I just want to thank you very much! :D You have been extremely helpful.
Great :)
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Looking over your log, it seems you don't have any evidence of a third party firewall.
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:
1) Comodo (http://www.personalfirewall.comodo.com/download_firewall.html) (Uncheck during installation "Install COMODO Antivirus (Recommended)"!, "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) PC Tools (http://www.pctools.com/firewall/download/)
4) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
Now lets uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
Next we remove all used tools.
You can delete LOP S&D.
Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.
Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:
Malwarebytes' Anti-Malware Setup Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1644)
Malwarebytes' Anti-Malware Scanning Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1645)
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)
Happy surfing and stay clean! :bigthumb:
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.