Loaded with them
JohnnyJon
2008-11-25, 01:14
Before I post the HJT log, I should relate the history of what I've done so far.
1 - Used the updated version of Spybot; it found Smitfraud-C, Virtumonde and a few trojans. It cleaned some of the malware off the CPU, but not all of it.
2 - I then proceeded to download a few other programs to try to get rid of them: FileASSASSIN and then HJT. I didn't use FileASSASSIN because I saw it asks you to find specific files and actually deletes them if you select that option, which would not be helpful.
3 - I did succeed in installing HJT on my C: drive, and did successfully run an analysis and create a log, but didn't use it or post it anywhere yet.
4 - I then proceeded by downloading SmitfraudFix, restarted my computer in Safe Mode, ripped it because it would not open when I double-clicked it to try and install it, and successfully used SmitfraudFix (the 2nd option of the program) to try and clean it.
5 - Without being sure if it worked, I reopened my CPU in normal mode. It worked, but very, very, very slowly; most of my registry was changed back to its original format. The only positive aspect is that the message I got originally when I opened folders (i.e. "Attention "my name", your computer may be at risk... download Antivirus 2009") didn't appear that time when I reopened my CPU. Problem is, I know this malware or virus copies itself onto other files, which means that since my CPU is very slow and always busy, it's probably still there.
I'm afraid to use my computer too often (I'm on my laptop right now) without solving this problem. I have a lot of important files (especially hard-to-find music) on my C drive, and realize this might cause the loss of everything on the computer, whether I solve it or not. It is very slow and crashes often, and I don't want those music files to be infected.
Have I gone too far with the procedures I've taken? Has it been more harmful than helpful?
Is it possible, even after using SmitfraudFix and Spybot, that this malware still exists on the system?
If the answers all point to yes, I will save the log of the HJT analysis on a USB key (if it's not infected), and then proceed by transferring it to this board. Thank you very much in advance for the help.
Here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:54:08, on 2008-11-25
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\HPAware.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AOL Companion\companion.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://http://proxy.umontreal.ca:443/
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SpiralFrog] C:\Program Files\SpiralFrog\Spiralfrog.exe
O4 - HKLM\..\Run: [Applications Driver] svohost.exe
O4 - HKLM\..\Run: [bofameneki] Rundll32.exe "C:\WINDOWS\system32\wilawibe.dll",s
O4 - HKLM\..\Run: [e8788d2e] rundll32.exe "C:\WINDOWS\system32\cuiidlrc.dll",b
O4 - HKLM\..\Run: [HP Update Assistant] C:\WINDOWS\system32\HPAware.exe
O4 - HKLM\..\RunServices: [Applications Driver] svohost.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [bofameneki] Rundll32.exe "C:\WINDOWS\system32\wilawibe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [bofameneki] Rundll32.exe "C:\WINDOWS\system32\wilawibe.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Assistant Internet.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://johnnyjonpuc.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll,C:\WINDOWS\system32\bokiluve.dll hoyvxj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 11413 bytes
I'd like to know, for information, which process shows the infection. Thanks in advance :).
Also, there's a warning message when I try to open certain programs; it says that "realplay.exe cannot read a certain memory, linked to a .dll file", so I think it causes most programs to not be able to run, or not run correctly (tried to run Spybot, it didn't run; tried to run Windows Media Player, it started loading the program, but then it froze and I had to manually shut down the computer by killing the power switch, not even the turn on/turn off button). Don't know if it's something that I should attend to separately from the current problem.
Hello JohnnyJon
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your personal data before starting any clean up procedure.
Please reply to this thread only by using the Submit Reply and do not start any New Threads
This is what you're up against:
http://www.bleepingcomputer.com/startups/svohost.exe-7534.html
Do this first...Important
Disable the TeaTimer, leave it disabled until we're done or it will prevent fixes from taking
Run Spybot-S&D in Advanced Mode.
If it is not already set to this, go to the Mode menu and select "Advanced Mode".
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect
Do not proceed until the TeaTimer is disabled
MessengerPlus3 <-- Uninstall this via Add/Remove Programs; you can reinstall it correctly when we're done if you wish.
Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Applications Driver] svohost.exe
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\wilawibe.dll",s
O4 - HKLM\..\Run: [e8788d2e] rundll32.exe "C:\WINDOWS\system32\cuiidlrc.dll",b
O4 - HKUS\S-1-5-19\..\Run: [bofameneki] Rundll32.exe "C:\WINDOWS\system32\wilawibe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [bofameneki] Rundll32.exe "C:\WINDOWS\system32\wilawibe.dll",s (User 'NETWORK SERVICE')
O4 - HKLM\..\RunServices: [Applications Driver] svohost.exe
O20 - AppInit_DLLs: MsgPlusLoader.dll,C:\WINDOWS\system32\bokiluve.dll hoyvxj.dll
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.
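The entries the helper singles out above share a few tells that can be checked mechanically rather than by eye: a Run value that names a bare file instead of a full path (svohost.exe, one letter away from svchost.exe), a rundll32 command whose DLL is invoked through a single-letter export instead of a named one like _RunDLLEntry@16, a value sitting in the Windows 9x-era RunServices key or in the LOCAL SERVICE / NETWORK SERVICE hives, a value name that is eight hex digits, and anything at all in AppInit_DLLs. As an added example (my own code, not part of this thread or of HijackThis), the Python script below parses O4 and O20 lines with those rules. The rules and their wording are my assumptions, not a product's detection logic; the sample lines are copied from the log posted above.

```python
"""Triage HijackThis O4 (autostart) and O20 (AppInit_DLLs) lines.

Added illustration, not part of the thread or of HijackThis. The rules
are heuristics assumed for this example: a clean result is not proof
of a clean machine, only a shortlist for a human to look at.
"""
import re
from dataclasses import dataclass, field

# Windows core binaries whose names malware imitates (svohost.exe vs svchost.exe).
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "explorer.exe", "spoolsv.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): "
                   r"(?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*?)"
                   r"(?: \(User '(?P<user>[^']*)'\))?$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<entry>\S+)', re.I)
DLL_RE = re.compile(r'[^\s",]+\.dll', re.I)

# Constructed sample: lines copied from the first HJT log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Applications Driver] svohost.exe
O4 - HKLM\..\Run: [bofameneki] Rundll32.exe "C:\WINDOWS\system32\wilawibe.dll",s
O4 - HKLM\..\Run: [e8788d2e] rundll32.exe "C:\WINDOWS\system32\cuiidlrc.dll",b
O4 - HKLM\..\RunServices: [Applications Driver] svohost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [bofameneki] Rundll32.exe "C:\WINDOWS\system32\wilawibe.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: MsgPlusLoader.dll,C:\WINDOWS\system32\bokiluve.dll hoyvxj.dll
"""


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def edit_distance(a, b):
    """Levenshtein distance; one edit from a core binary name is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def launched_program(cmd):
    """The program a Run value starts: a quoted path, or the text up to the first space."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_o4(m):
    key, name, cmd, user = m["key"], m["name"] or "", m["cmd"].strip(), m["user"]
    reasons = []
    exe = launched_program(cmd)
    if exe and "\\" not in exe and exe.lower() not in ("rundll32", "rundll32.exe"):
        reasons.append("bare filename with no path: resolved through the search path, "
                       "so whatever copy sits in system32 is what actually runs")
        for core in CORE_BINARIES:
            if exe.lower() != core and edit_distance(exe.lower(), core) <= 1:
                reasons.append(f"lookalike: one edit away from Windows binary {core}")
    if key.lower() == "runservices":
        reasons.append("RunServices: a Windows 9x-era key that software written for XP "
                       "has no reason to use")
    if user in ("LOCAL SERVICE", "NETWORK SERVICE"):
        reasons.append(f"Run value in the {user} hive: service accounts have no desktop "
                       "session, so this is persistence written into every user hive")
    rd = RUNDLL_RE.match(cmd)
    if rd and len(rd["entry"]) == 1:
        reasons.append(f"rundll32 calls single-letter export '{rd['entry']}' of {rd['dll']}; "
                       "vendor entries use named exports such as _RunDLLEntry@16")
    if re.fullmatch(r"[0-9a-f]{8}", name):
        reasons.append(f"value name [{name}] is eight hex digits, a generated rather than a product name")
    return reasons


def triage_o20(m):
    reasons = ["AppInit_DLLs: every DLL listed is loaded into each process that uses user32.dll"]
    for dll in DLL_RE.findall(m["dlls"]):
        if "\\" not in dll:
            reasons.append(f"{dll} has no path and is resolved through the DLL search order")
        elif "\\system32\\" in dll.lower():
            reasons.append(f"{dll} sits in system32; verify its publisher before trusting it")
    return reasons


def triage(log_text):
    """Return a Finding for each O4/O20 line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reasons = triage_o4(m)
        else:
            m = O20_RE.match(line)
            if not m:
                continue
            reasons = triage_o20(m)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Run it and the six lines the helper marked for "Fix Checked" are the six it reports, while the vendor entries (SoundMAXPnP, the Java updater, the Dell printer's named rundll32 export, ctfmon.exe) pass. The rules are deliberately narrow: they would not catch a random eight-letter DLL name on their own, because vendor values such as igfxtray look the same to a regex, so a quiet log still needs a human who knows what belongs on the machine.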
JohnnyJon
2008-11-25, 23:24
thanks for the response
Quick question: what if I am unable to run Spybot? I've been double-clicking, right-clicking and selecting Open and Run As; nothing. Started in Safe Mode and can't run it :sad:. It says sometimes, when I try to open it, that there's a problem with realplay.exe.
JohnnyJon
2008-11-25, 23:32
The only realplay.exe reference I've found on my computer is in my Windows/Prefetch folder.
I'm not really concerned about that right now; my main concern, and it should be yours too, is to clean this nasty infection off your computer.
Please follow the instructions in my previous post
JohnnyJon
2008-11-26, 07:44
You are right. How can I run Spybot in normal or Safe Mode? I tried again; it doesn't want to hear anything :sad:
Hello,
Do you see anything in my instructions about running Spybot??????? Somehow we are not on the same page. I don't think you realize how infected this computer is and the type of infection that you have. It's important that you read my post and follow those instructions as soon as possible.
JohnnyJon
2008-11-26, 20:15
Hi again
Yes, I can read your post, and this is the first thing you told me to do:
Do this first...Important
Disable the TeaTimer, leave it disabled until we're done or it will prevent fixes from taking
* Run Spybot-S&D in Advanced Mode. (Which is what I'm saying. I know you guys have to be quick to respond, but the computer I am using refuses to open Spybot. It cannot open it, it can't run Spybot; I tried, but it can't. The Spybot program does not want to open: I see the hourglass icon, but then it goes off, and Spybot S&D doesn't open.)
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.<--You need to do this for it to take effect
I barely could produce a HijackThis log (the program closed right after), but Spybot S&D doesn't open, and I have tried every day till now. Is there a way to be able to open Spybot S&D? I am currently on my laptop and not on my desktop; it's my desktop that is infected.
Go to Add/Remove Programs in the Control Panel and uninstall it; we can reinstall it later if you want to. Then proceed with the rest of the fix.
JohnnyJon,
The way you posted it, it looked like you were trying to run a Spybot scan. Well, we are both on the same page now.
Just go ahead and uninstall Spybot; if it won't let you, then just proceed with the fix and let's not worry about it.
If Malwarebytes gives you some problems running it, install the program, check for updates and then boot to Safemode to run it.
To Enter Safemode
Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
So, remove those entries with HJT and then go ahead and run Malwarebytes. Malwarebytes will take a good chunk of the infection out, there will be more to do I am sure.
JohnnyJon
2008-11-26, 22:50
I did succeed in uninstalling Spybot. I then proceeded with HijackThis, checked the boxes after doing a System Scan Only, and clicked on "Fix Checked". I then proceeded by trying to install mbam-setup.exe, but AGAIN the install setup does not want to start: I see the hourglass icon again for 4 seconds, and then it disappears; nothing happens. Waited 5-6 minutes, still nothing opened.
I checked if it was among the running processes, and it was, but no action was detected.
I did, however, produce another HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:16:56, on 2008-11-26
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\HPAware.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Documents and Settings\Jonathan\Desktop\mbam-setup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://http://proxy.umontreal.ca:443/
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [HP Update Assistant] C:\WINDOWS\system32\HPAware.exe
O4 - HKLM\..\Run: [bofameneki] Rundll32.exe "C:\WINDOWS\system32\wilawibe.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [bofameneki] Rundll32.exe "C:\WINDOWS\system32\wilawibe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [bofameneki] Rundll32.exe "C:\WINDOWS\system32\wilawibe.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Assistant Internet.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://johnnyjonpuc.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\bokiluve.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 10680 bytes
Hi,
Did you try running Malwarebytes in Safemode?? If not, try it please.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include C:\ComboFix.txt in your next reply along with a new HijackThis log.
*If there is no internet connection when ComboFix has completely finished, restart your computer to restore the connection.
JohnnyJon
2008-11-27, 18:16
I had decided last night to end this, so I stayed up till 6 am (Eastern time zone) and I am already up; I left the CPU running. I succeeded in starting the MBAM setup and installing it, and also ComboFix, by renaming them both.
Here are copies of the freshly produced logs:
ComboFix:
ComboFix 08-11-26.05 - Jonathan 2008-11-27 3:11:58.1 - NTFSx86
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\IE4 Error Log.txt
c:\windows\k.txt
c:\windows\SysNotifier.exe
c:\windows\system32\~.exe
c:\windows\system32\av.dat
c:\windows\system32\bokiluve.dll
c:\windows\system32\crldiiuc.ini
c:\windows\system32\cuiidlrc.dll
c:\windows\system32\ddcCUkkk.dll
c:\windows\system32\dopkfs.dll
c:\windows\system32\doqyjn.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\TDSSpxst.sys
c:\windows\system32\geBqNDSj.dll
c:\windows\system32\getfn32.dll
c:\windows\system32\hoyvxj.dll
c:\windows\system32\hrnpauyh.dll
c:\windows\system32\hyuapnrh.ini
c:\windows\system32\jylttrpn.dll
c:\windows\system32\kbtglm.dll
c:\windows\system32\kkkUCcdd.ini
c:\windows\system32\kkkUCcdd.ini2
c:\windows\system32\mcrh.tmp
c:\windows\system32\mlJYopqP.dll
c:\windows\system32\mpqss.bak1
c:\windows\system32\mpqss.bak2
c:\windows\system32\mpqss.ini
c:\windows\system32\nbvlonbb.dll
c:\windows\system32\odkkakek.dll
c:\windows\system32\ovastfsf.dll
c:\windows\system32\packet.dll
c:\windows\system32\pxeeqaul.ini
c:\windows\system32\relakiva.dll
c:\windows\system32\rnvffg.dll
c:\windows\system32\smwin32.dll
c:\windows\system32\TDSSarxx.dll
c:\windows\system32\TDSSdxcp.dll
c:\windows\system32\TDSSkkao.log
c:\windows\system32\TDSSmtve.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnvuo.dll
c:\windows\system32\TDSSoitt.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSvoqm.dll
c:\windows\system32\TDSSxhyf.log
c:\windows\system32\tkxstipi.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\ycdbjroc.dll
c:\windows\Tasks\wudtxogp.job
----- BITS: Possible infected sites -----
hxxp://www.spiralfrog.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Service_NPF
((((((((((((((((((((((((( Files Created from 2008-10-27 to 2008-11-27 )))))))))))))))))))))))))))))))
.
2008-11-27 02:47 . 2008-11-27 02:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-27 02:47 . 2008-11-27 02:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-27 02:47 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-27 02:47 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-27 02:32 . 2008-11-27 02:32 <DIR> d-------- c:\documents and settings\Administrator
2008-11-27 01:44 . 2008-11-27 01:44 299,008 --a------ c:\windows\system32\dllcache\winlz.dll
2008-11-26 13:57 . 2008-11-26 13:57 2,351,283 --a------ C:\mbam-setup.rar
2008-11-23 20:02 . 2008-11-23 20:56 <DIR> d-------- C:\SmitfraudFix
2008-11-23 20:02 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-23 20:02 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-23 20:02 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-23 20:02 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-23 20:02 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-23 20:02 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-23 20:02 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-23 20:02 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-23 20:02 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-23 20:02 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-23 19:46 . 2008-11-23 19:47 1,581,247 --a------ C:\SmitfraudFix.exe
2008-11-23 19:24 . 2008-11-23 19:25 1,734 --a------ C:\HJTInstaller.lnk
2008-11-23 19:23 . 2008-11-23 19:23 <DIR> d-------- c:\program files\Trend Micro
2008-11-23 19:04 . 2008-11-23 19:06 2,372,472 --a------ C:\mbam-setup.exe.exe
2008-11-23 18:56 . 2008-11-23 18:56 812,344 --a------ C:\HijackThis.exe
2008-11-23 17:48 . 2008-11-23 17:48 <DIR> d-------- c:\program files\FileASSASSIN
2008-11-22 21:58 . 2008-11-22 21:58 955 --a------ C:\Spybot - Search & Destroy (for blind users).lnk
2008-11-22 21:50 . 2008-11-22 21:55 14,968,808 --a------ C:\spybotsd160.exe
2008-11-22 21:49 . 2008-11-22 21:49 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-22 21:49 . 2008-11-22 21:49 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-22 21:49 . 2008-11-22 21:49 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-22 21:49 . 2008-11-22 21:49 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-22 19:05 . 2008-11-22 19:05 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-11-22 19:05 . 2008-11-14 11:58 23,096 --a------ c:\windows\system32\drivers\SndTAudio.sys
2008-11-22 19:05 . 2008-11-14 11:58 3,768 --a------ c:\windows\system32\drivers\SndTVideo.sys
2008-11-22 18:17 . 2008-11-23 19:01 <DIR> d-------- c:\program files\Power MP3 WMA Converter
2008-11-22 18:16 . 2008-11-22 18:16 <DIR> d-------- c:\program files\Common Files\Ahead
2008-11-22 18:16 . 2008-11-22 18:16 <DIR> d-------- c:\program files\Ahead
2008-11-22 18:16 . 2004-03-22 16:59 1,798,144 --------- c:\windows\UnWMPBurn.exe
2008-11-22 18:16 . 2004-03-23 13:43 33,951 --------- c:\windows\UnWMPBurn.cfg
2008-11-22 02:44 . 2008-11-22 02:44 <DIR> d-------- c:\windows\system32\Logs
2008-11-22 02:44 . 2008-11-22 03:03 <DIR> d-------- c:\documents and settings\Jonathan\Application Data\tunebite
2008-11-22 00:32 . 2008-11-22 00:32 <DIR> d-------- c:\program files\RapidSolution
2008-11-22 00:32 . 2008-11-22 01:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\RapidSolution
2008-11-21 23:58 . 2008-11-21 23:58 2 --a------ c:\windows\system32\RICHTX.DEP
2008-11-21 23:57 . 2008-11-22 00:02 <DIR> d-------- c:\program files\MP3 WAV Converter
2008-11-12 00:30 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 00:29 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-10 16:19 . 2008-11-25 16:14 <DIR> d-------- c:\program files\SpiralFrog
2008-10-29 15:17 . 2007-02-16 10:31 227,328 --a------ c:\program files\mpTrim.exe
2008-10-29 15:11 . 2007-04-27 13:41 64,512 --a------ c:\program files\mp3val.exe
2008-10-29 15:03 . 2008-10-29 15:03 <DIR> d-------- c:\program files\Aspect one
2008-10-29 15:02 . 2005-08-12 21:23 981,284 --a------ c:\program files\MP3RTSetup.exe
2008-10-29 15:00 . 2007-04-27 13:43 62,464 --a------ c:\program files\mp3val-frontend.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-27 08:28 200,704 ----a-w c:\windows\SysNotifier.exe
2008-11-26 19:20 38,906 ----a-w c:\documents and settings\Jonathan\Application Data\wklnhst.dat
2008-11-26 18:46 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-26 18:46 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-23 03:10 --------- d-----w c:\documents and settings\All Users\Application Data\Soulseek
2008-11-23 02:37 --------- d-----w c:\program files\Windows Live Toolbar
2008-11-23 02:27 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-23 02:27 --------- d-----w c:\program files\eBay
2008-11-23 00:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-23 00:01 --------- d-----w c:\documents and settings\All Users\Application Data\WholeSecurity
2008-11-22 22:38 --------- d-----w c:\program files\LimeWire
2008-11-22 08:26 --------- d-----w c:\documents and settings\Jonathan\Application Data\Azureus
2008-11-15 06:14 --------- d-----w c:\program files\Dl_cats
2008-10-29 20:13 85 ----a-w c:\program files\mp3val-frontend.ini
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 23:34 --------- d-----w c:\program files\AviSynth 2.5
2008-10-21 23:33 --------- d-----w c:\program files\eRightSoft
2008-10-21 23:25 --------- d-----w c:\program files\lame3.98.2
2008-10-18 02:17 --------- d-----w c:\program files\Apple Software Update
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-27 08:24 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-02-20 05:29 76,112 ----a-w c:\documents and settings\Jonathan\Application Data\GDIPFONTCACHEV1.DAT
2007-05-24 16:25 57 ----a-w c:\program files\What's new.txt
2007-04-27 18:34 201 ----a-w c:\program files\changelog.frontend.txt
2007-04-27 18:28 9,945 ----a-w c:\program files\manual.html
2007-04-27 18:27 1,126 ----a-w c:\program files\changelog.core.txt
2006-05-03 09:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r c:\windows\system32\msfDX.dll
2008-03-16 12:30 216,064 --sha-r c:\windows\system32\nbDX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB}]
2008-11-27 01:44 299008 --a------ c:\windows\system32\dllcache\winlz.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2007-11-13 3411968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]
"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 163840]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816]
"Motive SmartBridge"="c:\progra~1\NETASS~1\SMARTB~1\MotiveSB.exe" [2004-10-22 393216]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 1005096]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 53248]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-10-09 180269]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 81920]
"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CAMTRAY.EXE" [2004-07-30 245760]
"CTRegRun"="c:\windows\CTRegRun.EXE" [1999-10-10 41984]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"HP Update Assistant"="c:\windows\system32\HPAware.exe" [2008-05-06 187412]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
c:\documents and settings\Jonathan\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2006-06-09 155648]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2005-09-01 156784]
AOL Companion.lnk - c:\program files\AOL Companion\companion.exe [2005-09-01 250992]
Assistant Internet.lnk - c:\program files\NetAssistant\bin\matcli.exe [2005-09-23 217088]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlz]
2008-11-27 01:44 299008 c:\windows\system32\dllcache\winlz.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\NetAssistant\\SmartBridge\\MotiveSB.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\WINDOWS\\system32\\fxssvc.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\McTskshd.exe"=
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2008-11-22 23096]
S3 SndTVideo;SndTVideo;c:\windows\system32\DRIVERS\SndTVideo.sys [2008-11-22 3768]
S3 SQTECH907B;EZCam(PID_907B_00);c:\windows\system32\Drivers\Capt907B.sys [2006-05-10 49963]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{921a073a-7695-11dc-ab1f-00038a000015}]
\Shell\AutoRun\command - E:\Installer.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5668a08-4313-11dd-ad5a-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2008-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-11-27 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (JOHNNY_JON-Jonathan).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2005-07-08 17:18]
2008-11-27 c:\windows\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 14:54]
.
- - - - ORPHANS REMOVED - - - -
BHO-{085B7C17-AA40-4E5F-9050-F66E81609E27} - c:\windows\system32\ddcCUkkk.dll
BHO-{5485ac49-5205-4658-866f-c250218936cc} - c:\windows\system32\relakiva.dll
BHO-{5909D70A-46D2-4CBE-91A6-6E63224990DB} - (no file)
BHO-{77D3C578-229D-4640-99FE-C12E5588FD6F} - (no file)
BHO-{8495DD20-CB51-46BE-9B63-CB2F76E45C96} - c:\windows\system32\dzhoil.dll
BHO-{8fb7436d-9322-4c7d-adc8-b638f4dfc8f6} - c:\windows\system32\kbtglm.dll
BHO-{E9681C1C-C1DF-4970-97BB-86C3E716AFA3} - c:\windows\system32\geBqNDSj.dll
HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-bofameneki - c:\windows\system32\wilawibe.dll
HKLM-Run-StandardInstall - (no file)
ShellExecuteHooks-{E9681C1C-C1DF-4970-97BB-86C3E716AFA3} - c:\windows\system32\geBqNDSj.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\x3dcxjeu.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:fr:official
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-27 03:28:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\dllcache\winlz.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee.com\VSO\McVSEscn.exe
c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\VSO\McShield.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\program files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\msiexec.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
.
**************************************************************************
.
Completion time: 2008-11-27 3:39:36 - machine was rebooted [Jonathan]
ComboFix-quarantined-files.txt 2008-11-27 08:39:27
Pre-Run: 13,451,456,512 bytes free
Post-Run: 13,415,940,096 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
335 --- E O F --- 2008-11-12 07:24:02
Latest HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50, on 2008-11-27
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\HPAware.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://http://proxy.umontreal.ca:443/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Update Assistant] C:\WINDOWS\system32\HPAware.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Assistant Internet.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 10294 bytes
Other logs I put that might not be relevant to analysis:
Qoobox Quarantined files
2008-11-22 01:12:20 A------- 59,904 C:\Qoobox\Quarantine\C\WINDOWS\system32\mlJYopqP.dll.vir
2008-11-22 01:12:23 A------- 300 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\wudtxogp.job.vir
2008-11-22 01:17:23 A------- 307,200 C:\Qoobox\Quarantine\C\WINDOWS\system32\ddcCUkkk.dll.vir
2008-11-22 01:17:30 A------- 599,389 C:\Qoobox\Quarantine\C\WINDOWS\system32\kkkUCcdd.ini.vir
2008-11-22 01:19:00 A------- 120,832 C:\Qoobox\Quarantine\C\WINDOWS\system32\nbvlonbb.dll.vir
2008-11-22 01:19:02 A------- 120,832 C:\Qoobox\Quarantine\C\WINDOWS\system32\doqyjn.dll.vir
2008-11-22 01:34:48 A------- 88,704 C:\Qoobox\Quarantine\C\WINDOWS\system32\packet.dll.vir
2008-11-22 01:34:48 A------- 240,240 C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir
2008-11-22 01:34:49 A------- 42,512 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\npf.sys.vir
2008-11-22 18:40:29 A------- 62,464 C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir
2008-11-22 22:09:49 A------- 120,832 C:\Qoobox\Quarantine\C\WINDOWS\system32\ycdbjroc.dll.vir
2008-11-22 22:09:53 A------- 120,832 C:\Qoobox\Quarantine\C\WINDOWS\system32\dopkfs.dll.vir
2008-11-22 22:11:32 A------- 75,776 C:\Qoobox\Quarantine\C\WINDOWS\system32\tkxstipi.dll.vir
2008-11-23 02:34:52 A------- 599,389 C:\Qoobox\Quarantine\C\WINDOWS\system32\kkkUCcdd.ini2.vir
2008-11-23 03:10:46 A------- 2,935 C:\Qoobox\Quarantine\C\WINDOWS\k.txt.vir
2008-11-23 17:24:07 A------- 60,416 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpxst.sys.vir
2008-11-23 17:24:18 A------- 35,840 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoitt.dll.vir
2008-11-23 17:24:48 A------- 527 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSmtve.dat.vir
2008-11-23 17:24:52 A------- 29,696 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSarxx.dll.vir
2008-11-23 17:24:54 A------- 31,232 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSvoqm.dll.vir
2008-11-23 17:24:56 A------- 73,728 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnvuo.dll.vir
2008-11-23 17:25:02 A------- 2,271 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSdxcp.dll.vir
2008-11-23 17:25:02 A------- 89,614 C:\Qoobox\Quarantine\C\WINDOWS\system32\av.dat.vir
2008-11-23 17:27:00 A------- 75,264 C:\Qoobox\Quarantine\C\WINDOWS\system32\cuiidlrc.dll.vir
2008-11-23 17:27:06 A------- 120 C:\Qoobox\Quarantine\C\WINDOWS\system32\crldiiuc.ini.vir
2008-11-23 17:29:55 A------- 120,320 C:\Qoobox\Quarantine\C\WINDOWS\system32\ovastfsf.dll.vir
2008-11-23 17:29:57 A------- 120,320 C:\Qoobox\Quarantine\C\WINDOWS\system32\hoyvxj.dll.vir
2008-11-23 17:30:10 A------- 14,848 C:\Qoobox\Quarantine\C\WINDOWS\system32\getfn32.dll.vir
2008-11-23 17:30:13 A------- 63,488 C:\Qoobox\Quarantine\C\WINDOWS\system32\smwin32.dll.vir
2008-11-23 17:30:24 A------- 4,446 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSkkao.log.vir
2008-11-27 01:43:52 A------- 120 C:\Qoobox\Quarantine\C\WINDOWS\system32\pxeeqaul.ini.vir
2008-11-27 01:46:48 A------- 120,832 C:\Qoobox\Quarantine\C\WINDOWS\system32\odkkakek.dll.vir
2008-11-27 01:46:49 A------- 120,832 C:\Qoobox\Quarantine\C\WINDOWS\system32\rnvffg.dll.vir
2008-11-27 01:55:46 A------- 120,832 C:\Qoobox\Quarantine\C\WINDOWS\system32\jylttrpn.dll.vir
2008-11-27 01:55:47 A------- 120,832 C:\Qoobox\Quarantine\C\WINDOWS\system32\kbtglm.dll.vir
2008-11-27 01:55:48 A------- 75,776 C:\Qoobox\Quarantine\C\WINDOWS\system32\hrnpauyh.dll.vir
2008-11-27 01:55:49 A------- 120 C:\Qoobox\Quarantine\C\WINDOWS\system32\hyuapnrh.ini.vir
2008-11-27 02:45:47 A------- 162 C:\Qoobox\Quarantine\catchme.log
2008-11-27 03:05:40 A------- 1,123 C:\Qoobox\Quarantine\Registry_backups\Service_TDSSSERV.SYS.reg.dat
2008-11-27 03:17:27 A------- 7,813 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-11-27 03:19:00 A------- 2,036 C:\Qoobox\Quarantine\Registry_backups\Service_NPF.reg.dat
2008-11-27 03:28:25 A------- 200,704 C:\Qoobox\Quarantine\C\WINDOWS\SysNotifier.exe.vir
2008-11-27 03:37:47 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-11-27 03:37:47 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-11-27 03:37:47 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-11-27 03:37:50 A------- 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{085B7C17-AA40-4E5F-9050-F66E81609E27}.reg.dat
2008-11-27 03:37:52 A------- 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{5485ac49-5205-4658-866f-c250218936cc}.reg.dat
2008-11-27 03:37:55 A------- 157 C:\Qoobox\Quarantine\Registry_backups\BHO-{5909D70A-46D2-4CBE-91A6-6E63224990DB}.reg.dat
2008-11-27 03:37:55 A------- 157 C:\Qoobox\Quarantine\Registry_backups\BHO-{77D3C578-229D-4640-99FE-C12E5588FD6F}.reg.dat
2008-11-27 03:37:56 A------- 785 C:\Qoobox\Quarantine\Registry_backups\BHO-{8495DD20-CB51-46BE-9B63-CB2F76E45C96}.reg.dat
2008-11-27 03:37:58 A------- 416 C:\Qoobox\Quarantine\Registry_backups\BHO-{8fb7436d-9322-4c7d-adc8-b638f4dfc8f6}.reg.dat
2008-11-27 03:37:59 A------- 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{E9681C1C-C1DF-4970-97BB-86C3E716AFA3}.reg.dat
2008-11-27 03:38:04 A------- 245 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}.reg.dat
2008-11-27 03:38:10 A------- 151 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-bofameneki.reg.dat
2008-11-27 03:38:10 A------- 160 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NBKeyScan.reg.dat
2008-11-27 03:38:11 A------- 102 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-StandardInstall.reg.dat
2008-11-27 03:38:29 A------- 363 C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{E9681C1C-C1DF-4970-97BB-86C3E716AFA3}.reg.dat
Add-Remove Programs Log:
ABBYY FineReader 5.0 Sprint Plus
Acoustica Effects Pack
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
AOL (Choose which version to remove)
AOL Connectivity Services
AOL You've Got Pictures Screensaver
Apple Mobile Device Support
Apple Software Update
Archiveur WinRAR
ArcSoft PhotoImpression 5
Assistant Internet
Audacity 1.2.6
AutoUpdate
Azureus
Barre d'outils Outlook de Windows Live (Windows Live Toolbar)
Bloqueur de fenêtres pop-up (Windows Live Toolbar)
Creative WebCam Center
Creative WebCam Instant Driver (1.01.02.0729)
Dell Driver Reset Tool
Dell Photo AIO Printer 922
Dell Picture Studio v3.0
Dell Support Center
Dell System Restore
DellSupport
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
Extension de Windows Live Toolbar (Windows Live Toolbar)
EZCam
FileASSASSIN
Google Video Player
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Installer Yahoo! Messenger
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iPod for Windows 2005-09-23
iPod for Windows 2006-01-10
iPod for Windows 2006-03-23
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro 8
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
Java(TM) 6 Update 5
Last.fm 1.5.1.30182
Learn2 Player (Uninstall Only)
LimeWire 4.18.8
Live 6.0.1
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Manuel d'utilisation de Creative WebCam Instant (Français)
McAfee Personal Firewall Plus
McAfee SecurityCenter
McAfee VirusScan
Menus intelligents (Windows Live Toolbar)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Encarta Encyclopedia Standard 2005
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Internet Explorer Administration Kit 5
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Office XP Resource Kit
Microsoft Picture It! Library 10
Microsoft Picture It! Premium 10
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Streets and Trips 2005
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2002
Microsoft Works
Microsoft Works 2005 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Mozilla Firefox (3.0.4)
MP3 Repair Tool v1.5.2
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch® Jukebox
muvee autoProducer 6.1
Nero Fast CD-Burning Plug-in
neroxml
OneCare Advisor (Windows Live Toolbar)
OpenMG Limited Patch 4.1-05-13-31-01
OpenMG Secure Module 4.1.00
PowerDVD 5.5
QuickTime
RealPlayer
Roxio PhotoSuite 5
Safari
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Shareaza version 2.2.5.0
Shockwave
SHOUTcast Source DSP 1.9.0 (remove only)
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SonicStage 3.0
Sony Picture Utility
Sony USB Driver
SoulSeek 157 NS 13
SoulSeek Client 156c
SUPER © Version 2008.bld.33 (Sep 2, 2008)
UltraMixer 2.2.1
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VCRedistSetup
VeohTV BETA
VideoLAN VLC media player 0.8.4a
Viewpoint Media Player
Virtual DJ - Atomix Productions
WebCyberCoach 3.2 Dell
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Live Favorites pour Windows Live Toolbar
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
Works Upgrade
The computer actually seems like it's running normally. It feels like I've exorcised it, and hopefully it will stay out of harm's way and there aren't any leftovers. I don't know how many hours I've spent on this.
You did very well, but there is still a bit more to do.
Remove these with HJT
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://http://proxy.umontreal.ca:443/
O4 - HKLM\..\Run: [HP Update Assistant] C:\WINDOWS\system32\HPAware.exe
Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::
File::
C:\windows\system32\dllcache\winlz.dll
C:\WINDOWS\system32\HPAware.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB}]
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
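As an added example, not code from the thread, the helper, HijackThis or ComboFix: a small Python triager for the HijackThis line formats seen above. It applies a few of the checks a helper does by eye (a proxy AutoConfigURL with a nonsense `file://http://` scheme, a BHO with no name or no file, a Run entry starting an unexpected binary straight out of %SystemRoot% or system32, a service with a missing file, TDSS-style name or unknown owner) and renders the confirmed hits in the File:: / Registry:: layout the post asks for. The sample lines are constructed in the shapes of the thread's logs (one CLSID and the proxy URL are taken from the thread); the allowlist, the heuristics and the use of regedit's `"value"=-` deletion syntax inside Registry:: are this example's own assumptions, and anything it flags as "review" still needs a human decision before it goes into ComboFix.

```python
"""Added example for this thread, not the forum's, HijackThis' or ComboFix's
own code: triage HijackThis R1/O2/O4/O23 lines and render the hits as a
ComboFix CFScript (File:: and Registry:: sections)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shapes used by the thread's logs (not a real log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://http://proxy.umontreal.ca:443/
O2 - BHO: (no name) - {1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [HP Update Assistant] C:\WINDOWS\system32\HPAware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: TDSSserv (TDSSserv) - Unknown owner - C:\WINDOWS\system32\drivers\TDSSpxst.sys
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKUS": "HKEY_USERS"}
# Binaries that legitimately autostart straight out of system32 on this kind of box (assumption).
SYSTEM32_RUN_ALLOWLIST = {"ctfmon.exe", "igfxtray.exe", "hkcmd.exe", "igfxpers.exe"}
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

RE_R1 = re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<display>.*) \((?P<name>[^()]+)\) - (?P<company>.*?) - (?P<path>.*)$")
RE_WINDIR = re.compile(r"^[a-z]:\\windows(\\system32)?\\[^\\]+$")  # file directly in %SystemRoot% or system32


@dataclass
class Finding:
    line: str
    reason: str
    severity: str                               # "fix" goes into the script, "review" is for a human
    files: list = field(default_factory=list)   # File:: entries
    registry: tuple = ()                        # one Registry:: block in regedit syntax


def expand_hive(short: str) -> str:
    # HKCU\Software\... -> HKEY_CURRENT_USER\Software\...
    head, _, rest = short.partition("\\")
    return HIVES.get(head, head) + ("\\" + rest if rest else "")


def exe_from_command(cmd: str) -> str:
    # First executable path in a Run command line, quoted or not; arguments are dropped.
    m = re.match(r'"?(?P<exe>[^"]*?\.exe)"?', cmd, re.IGNORECASE)
    return m["exe"] if m else cmd.split()[0]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list:
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := RE_R1.match(line):
            if m["value"] != "AutoConfigURL":
                continue
            # A PAC URL can redirect every browser request; a scheme like file://http:// is never legitimate.
            malformed = not re.match(r"^(https?|file)://(?!https?://)", m["data"], re.IGNORECASE)
            findings.append(Finding(line, "proxy auto-config URL set" + (" with a malformed scheme" if malformed else ""),
                                    "fix" if malformed else "review",
                                    registry=(f"[{expand_hive(m['key'])}]", '"AutoConfigURL"=-') if malformed else ()))
        elif m := RE_O2.match(line):
            if m["name"] == "(no name)" or m["path"] == "(no file)":
                findings.append(Finding(line, "BHO with no name or a missing file", "fix",
                                        files=[m["path"]] if m["path"] != "(no file)" else [],
                                        registry=(f"[-{BHO_KEY}\\{m['clsid']}]",)))
        elif m := RE_O4.match(line):
            exe = exe_from_command(m["cmd"])
            if RE_WINDIR.match(exe.lower()) and basename(exe) not in SYSTEM32_RUN_ALLOWLIST:
                run_key = f"{expand_hive(m['hive'])}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\{m['key']}"
                findings.append(Finding(line, "Run entry starts an unexpected binary from the Windows directory", "fix",
                                        files=[exe], registry=(f"[{run_key}]", f'"{m["name"]}"=-')))
        elif m := RE_O23.match(line):
            missing, tdss = m["path"] == "(no file)", basename(m["path"]).startswith("tdss")
            if missing or tdss or m["company"] == "Unknown owner":
                findings.append(Finding(line, "service with a missing file, TDSS-style name or unknown owner",
                                        "fix" if (missing or tdss) else "review",
                                        files=[] if missing else [m["path"]],
                                        registry=(f"[-{SERVICES_KEY}\\{m['name']}]",)))
    return findings


def render_cfscript(findings: list) -> str:
    # CFScript text in the layout the post asks for: File:: first, then Registry::, no leading blank line.
    files, blocks = [], []
    for f in findings:
        if f.severity != "fix":
            continue
        files.extend(p for p in f.files if p not in files)
        if f.registry and f.registry not in blocks:
            blocks.append(f.registry)
    lines = ["File::", *files, "Registry::"]
    for block in blocks:
        lines.extend(block)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print(render_cfscript(hits))
```

Run it as a script to see the findings and the generated CFScript for the constructed sample; point `triage()` at the text of a real HijackThis log to use it on one. Note that a "review" finding (a well-formed PAC URL, a service that merely lacks a company string) is deliberately kept out of the rendered script: the heuristics are coarse and a legitimate corporate proxy or an unsigned vendor service would otherwise be deleted.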
JohnnyJon
2008-11-28, 23:47
I did the last changes, here are the results.
HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:43:07, on 2008-11-28
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.umontreal.ca:443/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Assistant Internet.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 10734 bytes
ComboFix Log:
ComboFix 08-11-26.05 - Jonathan 2008-11-28 16:25:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.184 [GMT -5:00]
Running from: c:\documents and settings\Jonathan\Desktop\ComboFix.exe.exe
Command switches used :: c:\documents and settings\Jonathan\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
FILE ::
c:\windows\system32\dllcache\winlz.dll
c:\windows\system32\HPAware.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\HPAware.exe
.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.
2008-11-27 03:42 . 2008-11-27 03:42 <DIR> d-------- c:\documents and settings\Jonathan\Application Data\Malwarebytes
2008-11-27 02:47 . 2008-11-27 02:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-27 02:47 . 2008-11-27 02:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-27 02:47 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-27 02:47 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-27 02:32 . 2008-11-27 02:32 <DIR> d-------- c:\documents and settings\Administrator
2008-11-23 20:02 . 2008-11-23 20:56 <DIR> d-------- C:\SmitfraudFix
2008-11-23 20:02 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-23 20:02 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-23 20:02 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-23 20:02 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-23 20:02 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-23 20:02 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-23 20:02 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-23 20:02 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-23 20:02 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-23 20:02 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-23 19:46 . 2008-11-23 19:47 1,581,247 --a------ C:\SmitfraudFix.exe
2008-11-23 19:24 . 2008-11-23 19:25 1,734 --a------ C:\HJTInstaller.lnk
2008-11-23 19:23 . 2008-11-23 19:23 <DIR> d-------- c:\program files\Trend Micro
2008-11-23 18:56 . 2008-11-23 18:56 812,344 --a------ C:\HijackThis.exe
2008-11-23 17:48 . 2008-11-23 17:48 <DIR> d-------- c:\program files\FileASSASSIN
2008-11-22 21:58 . 2008-11-22 21:58 955 --a------ C:\Spybot - Search & Destroy (for blind users).lnk
2008-11-22 21:49 . 2008-11-22 21:49 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-22 21:49 . 2008-11-22 21:49 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-22 21:49 . 2008-11-22 21:49 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-22 21:49 . 2008-11-22 21:49 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-22 19:05 . 2008-11-22 19:05 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-11-22 19:05 . 2008-11-14 11:58 23,096 --a------ c:\windows\system32\drivers\SndTAudio.sys
2008-11-22 19:05 . 2008-11-14 11:58 3,768 --a------ c:\windows\system32\drivers\SndTVideo.sys
2008-11-22 18:17 . 2008-11-23 19:01 <DIR> d-------- c:\program files\Power MP3 WMA Converter
2008-11-22 18:16 . 2008-11-22 18:16 <DIR> d-------- c:\program files\Common Files\Ahead
2008-11-22 18:16 . 2008-11-22 18:16 <DIR> d-------- c:\program files\Ahead
2008-11-22 18:16 . 2004-03-22 16:59 1,798,144 --------- c:\windows\UnWMPBurn.exe
2008-11-22 18:16 . 2004-03-23 13:43 33,951 --------- c:\windows\UnWMPBurn.cfg
2008-11-22 02:44 . 2008-11-22 02:44 <DIR> d-------- c:\windows\system32\Logs
2008-11-22 00:32 . 2008-11-22 00:32 <DIR> d-------- c:\program files\RapidSolution
2008-11-22 00:32 . 2008-11-22 01:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\RapidSolution
2008-11-21 23:58 . 2008-11-21 23:58 2 --a------ c:\windows\system32\RICHTX.DEP
2008-11-21 23:57 . 2008-11-22 00:02 <DIR> d-------- c:\program files\MP3 WAV Converter
2008-11-12 00:30 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 00:29 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-10 16:19 . 2008-11-25 16:14 <DIR> d-------- c:\program files\SpiralFrog
2008-10-29 15:17 . 2007-02-16 10:31 227,328 --a------ c:\program files\mpTrim.exe
2008-10-29 15:11 . 2007-04-27 13:41 64,512 --a------ c:\program files\mp3val.exe
2008-10-29 15:03 . 2008-10-29 15:03 <DIR> d-------- c:\program files\Aspect one
2008-10-29 15:02 . 2005-08-12 21:23 981,284 --a------ c:\program files\MP3RTSetup.exe
2008-10-29 15:00 . 2007-04-27 13:43 62,464 --a------ c:\program files\mp3val-frontend.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 21:14 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-28 20:43 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-27 19:12 --------- d-----w c:\documents and settings\All Users\Application Data\Soulseek
2008-11-26 19:20 38,906 ----a-w c:\documents and settings\Jonathan\Application Data\wklnhst.dat
2008-11-23 02:37 --------- d-----w c:\program files\Windows Live Toolbar
2008-11-23 02:27 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-23 02:27 --------- d-----w c:\program files\eBay
2008-11-23 00:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-23 00:01 --------- d-----w c:\documents and settings\All Users\Application Data\WholeSecurity
2008-11-22 22:38 --------- d-----w c:\program files\LimeWire
2008-11-22 08:26 --------- d-----w c:\documents and settings\Jonathan\Application Data\Azureus
2008-11-15 06:14 --------- d-----w c:\program files\Dl_cats
2008-10-29 20:13 85 ----a-w c:\program files\mp3val-frontend.ini
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 23:34 --------- d-----w c:\program files\AviSynth 2.5
2008-10-21 23:33 --------- d-----w c:\program files\eRightSoft
2008-10-21 23:25 --------- d-----w c:\program files\lame3.98.2
2008-10-18 02:17 --------- d-----w c:\program files\Apple Software Update
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-02-20 05:29 76,112 ----a-w c:\documents and settings\Jonathan\Application Data\GDIPFONTCACHEV1.DAT
2007-05-24 16:25 57 ----a-w c:\program files\What's new.txt
2007-04-27 18:34 201 ----a-w c:\program files\changelog.frontend.txt
2007-04-27 18:28 9,945 ----a-w c:\program files\manual.html
2007-04-27 18:27 1,126 ----a-w c:\program files\changelog.core.txt
2006-05-03 09:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r c:\windows\system32\msfDX.dll
2008-03-16 12:30 216,064 --sha-r c:\windows\system32\nbDX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2007-11-13 3411968]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]
"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 163840]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816]
"Motive SmartBridge"="c:\progra~1\NETASS~1\SMARTB~1\MotiveSB.exe" [2004-10-22 393216]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 1005096]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 53248]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-10-09 180269]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 81920]
"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CAMTRAY.EXE" [2004-07-30 245760]
"CTRegRun"="c:\windows\CTRegRun.EXE" [1999-10-10 41984]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
c:\documents and settings\Jonathan\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2006-06-09 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\NetAssistant\\SmartBridge\\MotiveSB.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\WINDOWS\\system32\\fxssvc.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\McTskshd.exe"=
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2008-11-22 23096]
S3 SndTVideo;SndTVideo;c:\windows\system32\DRIVERS\SndTVideo.sys [2008-11-22 3768]
S3 SQTECH907B;EZCam(PID_907B_00);c:\windows\system32\Drivers\Capt907B.sys [2006-05-10 49963]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{921a073a-7695-11dc-ab1f-00038a000015}]
\Shell\AutoRun\command - E:\Installer.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5668a08-4313-11dd-ad5a-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2008-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-11-28 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (JOHNNY_JON-Jonathan).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2005-07-08 17:18]
2008-11-28 c:\windows\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 14:54]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 16:30:57
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-28 16:34:32
ComboFix-quarantined-files.txt 2008-11-28 21:33:20
ComboFix2.txt 2008-11-27 08:39:43
Pre-Run: 13,157,015,552 bytes free
Post-Run: 13,145,182,208 bytes free
218 --- E O F --- 2008-11-12 07:24:02
Looking good :bigthumb:
You had or still have these two programs installed.
Soulseek
LimeWire
P2P (File Sharing Programs) have become the latest avenue of attack by malware writers. Read this please. I would strongly urge you to stay away from any programs like these.
We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.
Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.
We do not ask you to do this without reason.
P2P (File Sharing) programs form a direct conduit onto your computer; their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.
Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.
Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems site (http://java.sun.com/javase/downloads/index.jsp) and install the update.
Java SE Runtime Environment (JRE) 6 Update 10 <-- This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to do the offline installation and save the setup file in case I may need it in the future.
How are things running now???
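As an added example (not part of this thread, and not ComboFix's or the forum's own tooling), a small parser for the REGEDIT4-style "Reg Loading Points" section shown in the log above, which lists the entries a helper would confirm first: Security Center alerting switched off, and AutoRun commands remembered for removable drives under MountPoints2. The sample input is a constructed excerpt built from entries that appear in the log above; the flagged values may have been set legitimately by the installed security product or the user, so the output is a checklist, not a verdict.

```python
import re

# Constructed excerpt of a ComboFix "Reg Loading Points" section, using the
# line format of the log above (these entries are copied from that log).
SAMPLE_LOG = """\
REGEDIT4
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="c:\\windows\\system32\\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{921a073a-7695-11dc-ab1f-00038a000015}]
\\Shell\\AutoRun\\command - E:\\Installer.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_loading_points(text):
    """Group REGEDIT4-style lines under their [key] header.
    Returns {key: [(name, data), ...]}; bare lines such as the MountPoints2
    AutoRun command are stored with name None."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            sections[current] = []
        elif current is not None and line and line != "REGEDIT4":
            value = VALUE_RE.match(line)
            sections[current].append(
                (value.group(1), value.group(2)) if value else (None, line))
    return sections


def review(text):
    """List entries worth confirming: Security Center alerting turned off
    (the installed AV or the user may have done it, but malware routinely
    does too) and AutoRun commands recorded for removable drives."""
    findings = []
    for key, entries in parse_reg_loading_points(text).items():
        lk = key.lower()
        for name, data in entries:
            if "security center" in lk and name and data.endswith("00000001") \
                    and name.lower().endswith(("disablenotify", "disablemonitoring")):
                findings.append(f"Security Center alert disabled: {key}\\{name}")
            elif "mountpoints2" in lk and name is None and "autorun" in data.lower():
                findings.append(f"Removable-drive AutoRun command: {data}")
    return findings
```

Running `review(SAMPLE_LOG)` yields the three Security Center entries and the E:\Installer.exe AutoRun command, while the benign ctfmon.exe Run entry is left alone.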