Virtumonde infection also



screamineagle
2008-12-13, 04:05
This is a nasty bit of work. I have spent 4 times as long as it would've taken to reformat just trying to clean my daughter's machine because she has no backups. I bet that changes in the future! After reading the read me first post, the only thing it looks like I have done wrong so far is to turn off Windows Restore (part of a "fix" I found earlier in the week from McAfee). Sure hope you can help.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:18 PM, on 12/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\1139091886\ee\AOLSoftware.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139091886\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Nikon Monitor.lnk = ?
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: tqxaqo.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

--
End of file - 8430 bytes

Thanks,

Kevin

Shaba
2008-12-17, 12:04
Hi screamineagle

Rename HijackThis.exe to screamineagle.exe and post back a fresh HijackThis log, please :)

screamineagle
2008-12-17, 14:33
Here it is. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:27 AM, on 12/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\1139091886\ee\AOLSoftware.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139091886\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Nikon Monitor.lnk = ?
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: tqxaqo.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

--
End of file - 8404 bytes

Shaba
2008-12-17, 14:43
Unfortunately it didn't go right.

Rename HijackThis.exe to screamineagle.exe by doing the following:

Navigate here using Windows Explorer (Windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
Right-click on HijackThis.exe
Choose from the pull-down menu: "Rename"
Now rename HijackThis.exe to screamineagle.exe
When you've renamed HijackThis, open HijackThis again.
Take a fresh HijackThis log (click "Do a system scan and save a log file")
Post the fresh HijackThis log here.

screamineagle
2008-12-17, 14:51
Sorry about that. I must have just renamed the shortcut. How's this?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:31 AM, on 12/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\1139091886\ee\AOLSoftware.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\screamineagle.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: {aaca5798-3313-5a6a-e2f4-e40d706fbc62} - {26cbf607-d04e-4f2e-a6a5-31338975acaa} - C:\WINDOWS\system32\xdrgtd.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {A1B87B36-B7CA-498B-9D3C-4E1D729C6E6E} - C:\WINDOWS\system32\geBstqRH.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139091886\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Nikon Monitor.lnk = ?
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: tqxaqo.dll xdrgtd.dll
O20 - Winlogon Notify: urqPFwwt - urqPFwwt.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

--
End of file - 9062 bytes

Shaba
2008-12-17, 15:15
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

screamineagle
2008-12-17, 15:44
I'm having some trouble with the recovery console install.

Setup cannot continue because the version of Windows on your computer is newer than the version on the CD.

Warning: If you decide to delete the newer version of Windows that is currently installed on your computer, the files and settings cannot be recovered.

Still checking ....

screamineagle
2008-12-17, 16:25
Phew!!! I hope I did this right.

Thanks for all your help,

Kevin



ComboFix 08-12-16.03 - Breanna Lynn 2008-12-17 8:07:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.580 [GMT -6:00]
Running from: c:\documents and settings\Breanna Lynn\Desktop\ComboFix1.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Breanna Lynn\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Breanna Lynn\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Breanna Lynn\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\GetModule
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\djeskugk.dll
c:\windows\system32\geBstqRH.dll
c:\windows\system32\HRqtsBeg.ini
c:\windows\system32\HRqtsBeg.ini2
c:\windows\system32\ieolknxt.dll
c:\windows\system32\qiiwffid.dll
c:\windows\system32\tvqsravc.ini
c:\windows\system32\txnkloei.ini
c:\windows\system32\udxlmcbk.ini
c:\windows\system32\xdrgtd.dll
c:\windows\Tasks\ljjmaofe.job
c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
.

2008-12-12 21:18 . 2008-12-12 21:18 95 --a------ c:\windows\wininit.ini
2008-12-12 19:42 . 2008-12-12 19:42 <DIR> d-------- c:\program files\Microsoft IntelliPoint
2008-12-12 19:41 . 2008-12-12 19:41 <DIR> d-------- c:\program files\Microsoft IntelliPoint 5.2
2008-12-12 16:40 . 2008-12-12 16:40 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 16:39 . 2008-12-12 17:20 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-12 16:39 . 2008-12-12 16:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-10 16:28 . 2008-12-10 16:31 <DIR> d-------- c:\documents and settings\Eric\Application Data\U3
2008-12-08 18:00 . 2008-12-17 07:38 <DIR> d-------- C:\QUARANTINE
2008-12-08 17:54 . 2008-12-08 17:54 <DIR> d-------- c:\program files\Common Files\Cisco Systems
2008-12-08 17:54 . 2007-10-25 15:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll
2008-12-08 17:54 . 2007-10-25 15:06 280 --a------ c:\windows\system32\epoPGPsdk.dll.sig
2008-12-08 17:53 . 2007-10-16 20:50 171,272 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-08 17:53 . 2007-10-16 20:50 72,680 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-08 17:53 . 2007-10-16 20:50 64,168 --a------ c:\windows\system32\drivers\mfeapfk.sys
2008-12-08 17:53 . 2007-10-16 20:50 51,944 --a------ c:\windows\system32\drivers\mfetdik.sys
2008-12-08 17:53 . 2007-10-16 20:50 33,960 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-08 17:52 . 2008-12-08 17:54 <DIR> d-------- c:\program files\McAfee
2008-12-08 17:52 . 2008-12-08 17:52 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-08 16:47 . 2008-12-08 16:47 <DIR> d-------- c:\program files\Compapps
2008-12-08 16:47 . 2008-12-08 17:52 1,755 --a------ c:\windows\mvs0854w.mif
2008-12-08 16:46 . 2008-12-08 16:46 <DIR> d-------- c:\program files\selfheal
2008-12-07 21:58 . 2008-12-12 18:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-07 13:43 . 2008-12-08 19:47 <DIR> d-------- c:\program files\Webtools
2008-12-07 12:07 . 2008-12-07 13:33 <DIR> d-------- c:\program files\CyberDefender
2008-11-20 15:55 . 2008-11-20 15:55 <DIR> d-------- c:\program files\Microsoft Works
2008-11-20 15:51 . 2008-11-20 15:51 <DIR> d-------- c:\program files\Microsoft.NET
2008-11-20 15:46 . 2008-11-20 21:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-20 15:45 . 2008-11-20 15:45 <DIR> dr-h----- C:\MSOCache
2008-11-20 15:16 . 2008-11-20 15:54 <DIR> d-------- c:\documents and settings\Breanna Lynn\Application Data\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 00:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-13 00:50 --------- d-----w c:\program files\Atari
2008-12-13 00:47 --------- d-----w c:\program files\RegVac
2008-12-13 00:43 --------- d-----w c:\program files\Common Files\Adobe
2008-12-12 22:42 --------- d-----w c:\documents and settings\Breanna Lynn\Application Data\U3
2008-12-12 21:10 --------- d-----w c:\documents and settings\Breanna Lynn\Application Data\InstallShield
2008-12-08 23:54 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-08 12:21 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-08 03:19 --------- d-----w c:\program files\Google
2008-12-08 03:12 --------- d-----w c:\program files\Viewpoint
2008-12-08 03:12 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-08 03:11 --------- d-----w c:\program files\Trillian
2008-12-08 03:10 --------- d-----w c:\documents and settings\All Users\Application Data\zed3
2008-12-07 19:33 --------- d-----w c:\documents and settings\Breanna Lynn\Application Data\Atari
2008-12-07 19:33 --------- d-----w c:\documents and settings\Breanna Lynn\Application Data\Apple Computer
2008-12-07 19:33 --------- d-----w c:\documents and settings\Breanna Lynn\Application Data\AdobeUM
2008-12-07 05:18 --------- d-----w c:\documents and settings\Breanna Lynn\Application Data\Creative
2008-12-07 05:18 --------- d-----w c:\documents and settings\Breanna Lynn\Application Data\acccore
2008-11-30 04:57 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2008-11-24 23:21 --------- d-----w c:\documents and settings\Breanna Lynn\Application Data\Move Networks
2008-11-15 20:52 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll
2008-11-09 16:38 --------- d-----w c:\program files\Samsung
2008-11-09 16:21 --------- d-----w c:\program files\Microsoft ActiveSync
2008-10-26 03:37 --------- d-----w c:\program files\iTunes
2008-10-26 03:37 --------- d-----w c:\program files\iPod
2008-10-26 03:37 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-26 03:37 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-26 03:35 --------- d-----w c:\program files\QuickTime
2008-10-26 03:28 --------- d-----w c:\program files\Apple Software Update
2008-10-26 03:27 --------- d-----w c:\program files\Common Files\Apple
2008-10-26 03:27 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-07-01 21:16 0 ----a-w c:\documents and settings\Eric\jagex_runescape_preferences.dat
2008-05-18 13:36 18,704 ----a-w c:\documents and settings\Breanna Lynn\Application Data\GDIPFONTCACHEV1.DAT
2007-03-14 23:41 92,064 ----a-w c:\documents and settings\Breanna Lynn\mqdmmdm.sys
2007-03-14 23:41 9,232 ----a-w c:\documents and settings\Breanna Lynn\mqdmmdfl.sys
2007-03-14 23:41 79,328 ----a-w c:\documents and settings\Breanna Lynn\mqdmserd.sys
2007-03-14 23:41 66,656 ----a-w c:\documents and settings\Breanna Lynn\mqdmbus.sys
2007-03-14 23:41 6,208 ----a-w c:\documents and settings\Breanna Lynn\mqdmcmnt.sys
2007-03-14 23:41 5,936 ----a-w c:\documents and settings\Breanna Lynn\mqdmwhnt.sys
2007-03-14 23:41 4,048 ----a-w c:\documents and settings\Breanna Lynn\mqdmcr.sys
2007-03-14 23:41 25,600 ----a-w c:\documents and settings\Breanna Lynn\usbsermptxp.sys
2007-03-14 23:41 22,768 ----a-w c:\documents and settings\Breanna Lynn\usbsermpt.sys
2008-09-01 15:15 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090120080902\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-04-27 50736]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-04-11 1409024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="c:\program files\Common Files\AOL\1139091886\ee\AOLSoftware.exe" [2006-05-09 50760]
"PCSuiteTrayApplication"="c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-04-26 237568]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-09-03 185632]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-16 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\Breanna Lynn\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-05-15 479232]
PowerReg Scheduler V3.exe [2006-12-23 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-12 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=tqxaqo.dll xdrgtd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Common Files\\AOL\\1139091886\\ee\\aim6.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1139091886\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\StubInstaller.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2003-06-03 123957]
R0 YPN30F;YPN30F;c:\windows\system32\drivers\YPN30F.sys [2006-05-14 12958]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2003-06-03 46900]
S3 ypn30s;ypn30s;c:\windows\system32\DRIVERS\ypn30s.sys [2006-05-14 52398]
S3 ypn30u;Samsung YP-N30 Audio Player Control Driver;c:\windows\system32\Drivers\ypn30u.sys [2006-05-14 36579]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{26cbf607-d04e-4f2e-a6a5-31338975acaa} - c:\windows\system32\xdrgtd.dll
BHO-{924D5A6D-4BD0-4A9C-92DB-E82BCB29B0C7} - c:\windows\system32\geBstqRH.dll
HKLM-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
Notify-urqPFwwt - urqPFwwt.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Breanna Lynn\Application Data\Mozilla\Firefox\Profiles\eohemz8i.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/mail?.partner=sbc&.intl=us&.done=http%3A%2F%2Fus.mg201.mail.yahoo.com%2Fdc%2Flaunch%3F.partner%3Dsbc%26.gx%3D1%26.rand%3Dequv8k2h393jk|http://www.google.com/|http://aumha.net/viewtopic.php?f=30&t=37250|http://forums.spybot.info/forumdisplay.php?f=22
FF - plugin: c:\documents and settings\Breanna Lynn\Application Data\Mozilla\Firefox\Profiles\eohemz8i.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 08:14:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\AIM6\aolsoftware.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\progra~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-17 8:19:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-17 14:19:17

Pre-Run: 45,531,828,224 bytes free
Post-Run: 45,465,448,448 bytes free

247 --- E O F --- 2008-11-21 03:21:30


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:44 AM, on 12/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\1139091886\ee\AOLSoftware.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\screamineagle.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139091886\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Nikon Monitor.lnk = ?
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: tqxaqo.dll xdrgtd.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

--
End of file - 8620 bytes

Shaba
2008-12-17, 17:04
I'd like you to check some files for malware.

Go to VirusTotal (http://www.virustotal.com) or Jotti's (http://virusscan.jotti.org/)


c:\windows\system32\epoPGPsdk.dll
c:\windows\system32\epoPGPsdk.dll.sig
c:\windows\mvs0854w.mif

Copy/Paste the first file on the list into the white Upload a file box.
Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open, with details of what the scans found.
Save the complete results in a Notepad/Word document on your desktop.
Repeat for all files on the list.
Post back results here, please.

screamineagle
2008-12-17, 17:33
They did not appear to find anything. :bigthumb:


File epoPGPsdk.dll received on 12.17.2008 16:15:26 (CET)
Result: 0/38 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.17.3 2008.12.17 -
AntiVir 7.9.0.45 2008.12.17 -
Authentium 5.1.0.4 2008.12.17 -
Avast 4.8.1281.0 2008.12.17 -
AVG 8.0.0.199 2008.12.17 -
BitDefender 7.2 2008.12.17 -
CAT-QuickHeal 10.00 2008.12.17 -
ClamAV 0.94.1 2008.12.17 -
Comodo 771 2008.12.17 -
DrWeb 4.44.0.09170 2008.12.17 -
eSafe 7.0.17.0 2008.12.17 -
eTrust-Vet 31.6.6265 2008.12.17 -
Ewido 4.0 2008.12.17 -
F-Prot 4.4.4.56 2008.12.17 -
F-Secure 8.0.14332.0 2008.12.17 -
Fortinet 3.117.0.0 2008.12.17 -
GData 19 2008.12.17 -
Ikarus T3.1.1.45.0 2008.12.17 -
K7AntiVirus 7.10.556 2008.12.17 -
Kaspersky 7.0.0.125 2008.12.17 -
McAfee 5466 2008.12.16 -
McAfee+Artemis 5466 2008.12.16 -
Microsoft 1.4205 2008.12.17 -
NOD32 3699 2008.12.17 -
Norman 5.80.02 2008.12.16 -
Panda 9.0.0.4 2008.12.17 -
PCTools 4.4.2.0 2008.12.17 -
Prevx1 V2 2008.12.17 -
Rising 21.08.22.00 2008.12.17 -
SecureWeb-Gateway 6.7.6 2008.12.17 -
Sophos 4.37.0 2008.12.17 -
Sunbelt 3.2.1801.2 2008.12.11 -
Symantec 10 2008.12.17 -
TheHacker 6.3.1.4.190 2008.12.17 -
TrendMicro 8.700.0.1004 2008.12.17 -
VBA32 3.12.8.10 2008.12.16 -
ViRobot 2008.12.17.1523 2008.12.17 -
VirusBuster 4.5.11.0 2008.12.17 -
Additional information
File size: 1495552 bytes
MD5...: 9e1bb090d2d8dbf73d9042b4fae99a6b
SHA1..: d24097d1f3345bea213051addaca5e624546dc45
SHA256: d03e0bbc6f38ac68717943125427f1f0d0af62a19b5e8b37622008969d1c78dc
SHA512: f615b91bc43960732244b392e5c9307434e0ea37f8f5d405b44b168f999fc687
691f0b9bd6656eed2fff3bcd9f432f1a13c0f554a10183039d07e0c05990d533
ssdeep: 24576:WPIjT00CtpQ+9mpBUBXCCwgRgSbZkLiVGKfm39l9zxPMBLcrD/rFwdSuge
2zgums:WPI00cDD6Wgl9z1MBLcrD/rFwd2QsJQe
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10115cdd
timedatestamp.....: 0x4373d0af (Thu Nov 10 22:58:55 2005)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1217ed 0x121800 6.56 8fcc8d8ed2026e77ccda79f4092fa872
.rdata 0x123000 0x3cde6 0x3ce00 6.89 f9898dd51c9d2f72303d8a202fccd3ca
.data 0x160000 0xa6e8 0x6800 4.88 4926357484dc32cdc02d55a82718a9f3
.rsrc 0x16b000 0x440 0x600 2.58 ddba1f9f3bcda1e83d54db9251ec5e4d
.reloc 0x16c000 0x78ac 0x7a00 5.98 65aa2b4626a800e28c06e49929a52fb4

( 5 imports )
> RPCRT4.dll: RpcBindingReset, RpcStringBindingComposeA, RpcBindingFromStringBindingA, RpcBindingSetAuthInfoA, RpcBindingFree, NdrConformantArrayBufferSize, NdrConformantArrayMarshall, NdrSimpleStructUnmarshall, NdrClientInitializeNew, NdrGetBuffer, NdrSendReceive, NdrConvert, NdrFreeBuffer, NdrMapCommAndFaultStatus, RpcRaiseException
> KERNEL32.dll: GetFullPathNameA, SetStdHandle, GetStartupInfoA, GetStdHandle, SetHandleCount, WriteFile, lstrcpyA, CreateEventA, CloseHandle, WaitForSingleObject, ReleaseMutex, SetEvent, GetCurrentThreadId, GetWindowsDirectoryA, FreeLibrary, lstrcatA, LoadLibraryA, lstrcmpA, GetLastError, FindClose, lstrcmpiA, CreateFileA, GetVersionExA, VirtualLock, DeviceIoControl, VirtualUnlock, VirtualAlloc, VirtualFree, GetTickCount, CreateMutexA, CreateDirectoryA, GetFileAttributesA, GetSystemTime, GetCurrentDirectoryA, GetModuleHandleA, Sleep, GetCurrentProcessId, ReleaseSemaphore, GetModuleFileNameA, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, OpenProcess, FlushFileBuffers, FlushViewOfFile, MapViewOfFile, UnmapViewOfFile, BackupSeek, BackupRead, CreateFileMappingA, GetSystemInfo, CompareStringA, GetSystemDirectoryA, InterlockedExchange, SetLastError, SetEnvironmentVariableA, RaiseException, HeapSize, InitializeCriticalSection, GetOEMCP, GetACP, ReadFile, GetLocaleInfoA, VirtualProtect, VirtualQuery, UnhandledExceptionFilter, GetTimeZoneInformation, SetFileTime, LocalFileTimeToFileTime, SystemTimeToFileTime, QueryPerformanceCounter, SetFileAttributesA, GetStringTypeA, GetEnvironmentStrings, HeapAlloc, HeapReAlloc, HeapFree, GetSystemTimeAsFileTime, ExitProcess, SetFilePointer, FileTimeToSystemTime, FileTimeToLocalFileTime, GetFileInformationByHandle, PeekNamedPipe, GetFileType, GetDriveTypeA, FindFirstFileA, SetEndOfFile, RtlUnwind, ExitThread, CreateThread, TerminateProcess, GetCurrentProcess, GetTimeFormatA, GetDateFormatA, GetCommandLineA, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapDestroy, HeapCreate, LCMapStringA, FreeEnvironmentStringsA
> USER32.dll: MessageBoxA, PostThreadMessageA, RegisterWindowMessageA, PeekMessageA, MsgWaitForMultipleObjects, GetMessageA, SetTimer, CharPrevA, CharNextA, wsprintfA
> ADVAPI32.dll: OpenSCManagerA, OpenServiceA, CloseServiceHandle, QueryServiceStatus, CryptGenRandom, CryptReleaseContext, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
> SHELL32.dll: SHGetDesktopFolder, SHGetMalloc

( 675 exports )
PGPOPGPMIMEEncoding, PGPOPGPMIMEEncodingU16, PGPOPGPMIMEEncodingU8, PGPOPassThroughClearSigned, PGPOPassThroughIfUnrecognized, PGPOPassThroughKeys, PGPOPasskeyBuffer, PGPOPassphrase, PGPOPassphraseBuffer, PGPOPassphraseBufferU16, PGPOPassphraseBufferU8, PGPOPassphraseU16, PGPOPassphraseU8, PGPOPreferredAlgorithms, PGPOPreferredCompressionAlgorithms, PGPOPreferredEmailEncoding, PGPOPreferredHashAlgorithms, PGPOPreferredKeyServer, PGPOPreferredKeyServerU16, PGPOPreferredKeyServerU8, PGPORawPGPInput, PGPORecursivelyDecode, PGPORelativePath, PGPORevocationKeySet, PGPORootPath, PGPOSMIMEMatchCriterion, PGPOSMIMESigner, PGPOSendEventIfKeyFound, PGPOSendNullEvents, PGPOSessionKey, PGPOSigRegularExpression, PGPOSigRegularExpressionU16, PGPOSigRegularExpressionU8, PGPOSigTrust, PGPOSignWithKey, PGPOSignedHash, PGPOTokenNumber, PGPOVersionString, PGPOVersionStringU16, PGPOVersionStringU8, PGPOWarnBelowValidity, PGPOX509Encoding, PGPOpenKeyDBFile, PGPOpenShareFile, PGPOpenTARCacheFile, PGPOrderKeySet, PGPPassphraseIsValid, PGPPeekContextMemoryMgr, PGPPeekKeyDBContext, PGPPeekKeyDBObjContext, PGPPeekKeyDBObjKey, PGPPeekKeyDBObjKeyDB, PGPPeekKeyDBObjUserID, PGPPeekKeyDBRootKeySet, PGPPeekKeyIterContext, PGPPeekKeyListContext, PGPPeekKeySetContext, PGPPeekKeySetKeyDB, PGPPrivateKeyDecrypt, PGPPrivateKeySign, PGPPrivateKeySignRaw, PGPPublicKeyEncrypt, PGPPublicKeyVerifyRaw, PGPPublicKeyVerifySignature, PGPPurgeKeyDBCache, PGPPurgePassphraseCache, PGPRSAVSTest, PGPReallocData, PGPRemoveKeyOptions, PGPRenameFile, PGPRenameFileU16, PGPRenameFileU8, PGPResetHMAC, PGPResetHash, PGPResetSDKErrorState, PGPRevoke, PGPRevokeSig, PGPRunAllSDKSelfTests, PGPRunSDKSelfTest, PGPSaveGroupSetToFile, PGPSaveShareFile, PGPSecretReconstructData, PGPSecretShareData, PGPSetContextUserValue, PGPSetDefaultMemoryMgr, PGPSetGroupDescription, PGPSetGroupName, PGPSetGroupUserValue, PGPSetIndGroupItemUserValue, PGPSetKeyAxiomatic, PGPSetKeyDBObjUserValue, PGPSetKeyEnabled, PGPSetKeyTrust, 
PGPSetMemoryMgrCustomValue, PGPSetNotificationCallback, PGPSetPKCS11DrvFile, PGPSetPKCS11DrvFileU16, PGPSetPKCS11DrvFileU8, PGPSetPrimaryUserID, PGPSetRandSeedFile, PGPSetShareFileOwnerFingerprint, PGPSetShareFileOwnerKeyID, PGPSetShareFileUserID, PGPSetShareFileUserIDU16, PGPSetShareFileUserIDU8, PGPSetTARCacheObjDataProperty, PGPSetTARCacheObjNumericProperty, PGPSetTARCacheObjTimeProperty, PGPSortGroupItems, PGPSortGroupSet, PGPSortGroupSetStd, PGPSplitShares, PGPSwapBigNum, PGPSymmetricCipherDecrypt, PGPSymmetricCipherEncrypt, PGPSymmetricCipherRollback, PGPSyncTokenKeys, PGPTARCacheIterGetTARCacheObj, PGPTARCacheIterIndex, PGPTARCacheIterMove, PGPTARCacheIterNextTARCacheObj, PGPTARCacheIterPrevTARCacheObj, PGPTARCacheIterRewind, PGPTokenAuthIsValid, PGPTokenPassphraseIsValid, PGPUnionFilters, PGPUpdateKeyOptions, PGPValidateMemoryMgr, PGPVerifyX509CertificateChain, PGPWashSymmetricCipher, PGPWipeFile, PGPWipePatternNext, PGPWipePatternRewind, PGPWipeSymmetricCipher, PGPWipeToken, PGPX509MatchNetworkName, PGPsdkCleanup, PGPsdkInit, PGPsdkReconnect, PGPsdkSetLanguage, pgpAddKeyOptions_back, pgpAddUserID_back, pgpCacheKeyDB_back, pgpCertifyPrimaryUserID_back, pgpCertifyUserID_back, pgpCheckKeyRingSigs_back, pgpCheckSig_back, pgpContextGetEnvironment, pgpContextIsValid, pgpContextMemAlloc, pgpContextMemFree, pgpContextMemRealloc, pgpContextSetConnectRef, pgpCopyKeyToToken_back, pgpCopyKeys_back, pgpCountCachedPassphrases_back, pgpCountTokens_back, pgpCreateKeypair_back, pgpCreateShares, pgpCreateSubkeypair_back, pgpDeleteKeyDBObjOnToken_back, pgpDoChangePassphrase_back, pgpDoGenerateKey_back, pgpEventKeyServer, pgpEventKeyServerSign, pgpEventKeyServerTLS, pgpExpireKeyDBCache, pgpExpirePassphraseCache, pgpFetchKeyInfo_back, pgpFetchObjectData_back, pgpFingerprint20HashBuf, pgpFormatToken_back, pgpFreeKeyDB_back, pgpGetKeyByKeyID_back, pgpGetPasskeyBuffer_back, pgpGetRevocationsOrADKs_back, pgpGetShareData, pgpGetTokenInfo_back, pgpGlobalRandomPoolAddState_back, 
pgpGlobalRandomPoolGetInfo_back, pgpImportKeyBinary_back, pgpKeyDBAddObject_back, pgpKeyDBArray_back, pgpKeyDBFindKey20n, pgpKeyDBFlush_back, pgpKeyDBRemoveObject_back, pgpKeyDecrypt_back, pgpKeyEncrypt_back, pgpKeyMaxSizes_back, pgpKeySign_back, pgpKeyVerify_back, pgpNewKeyDB_back, pgpOpenKeyDBFile_back, pgpPassphraseCacheAddClient, pgpPassphraseCacheRemoveClient, pgpPassphraseIsValid_back, pgpPrepareToCheckKeyRingSigs_back, pgpPropagateTrust_back, pgpPurgeKeyDBCache_back, pgpPurgePassphraseCache_back, pgpRandomAddBytes_back, pgpRandomGetBytesEntropy_back, pgpRandomStir_back, pgpRevokeKey_back, pgpRevokeSig_back, pgpSaveGlobalRandomPool, pgpSecPassphraseOK_back, pgpSecProperties_back, pgpSetKeyAxiomatic_back, pgpSetKeyEnabled_back, pgpSetKeyTrust_back, pgpSetPKCS11DrvFile_back, pgpSetRandSeedFile_back, pgpSyncTokenKeys_back, pgpTokenGetKeyContainer_back, pgpTokenImportX509_back, pgpTokenPassphraseIsValid_back, pgpTokenPutKeyContainer_back, pgpUnloadTCL, pgpUpdateKeyDB_back, pgpUpdateKeyOptions_back, pgpWipeToken_back, pgpenvGetCString, pgpenvGetInt, pgpenvSetInt, pgpenvSetString

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.



File epoPGPsdk.dll.sig received on 12.17.2008 16:20:46 (CET)
Result: 0/34 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.12.17.3 2008.12.17 -
AntiVir 7.9.0.45 2008.12.17 -
Authentium 5.1.0.4 2008.12.17 -
Avast 4.8.1281.0 2008.12.17 -
AVG 8.0.0.199 2008.12.17 -
CAT-QuickHeal 10.00 2008.12.17 -
ClamAV 0.94.1 2008.12.17 -
Comodo 771 2008.12.17 -
DrWeb 4.44.0.09170 2008.12.17 -
eSafe 7.0.17.0 2008.12.17 -
eTrust-Vet 31.6.6265 2008.12.17 -
Ewido 4.0 2008.12.17 -
F-Prot 4.4.4.56 2008.12.17 -
Fortinet 3.117.0.0 2008.12.17 -
GData 19 2008.12.17 -
Ikarus T3.1.1.45.0 2008.12.17 -
K7AntiVirus 7.10.556 2008.12.17 -
Kaspersky 7.0.0.125 2008.12.17 -
McAfee 5466 2008.12.16 -
McAfee+Artemis 5466 2008.12.16 -
Microsoft 1.4205 2008.12.17 -
NOD32 3698 2008.12.17 -
Norman 5.80.02 2008.12.16 -
Panda 9.0.0.4 2008.12.17 -
PCTools 4.4.2.0 2008.12.17 -
Rising 21.08.22.00 2008.12.17 -
SecureWeb-Gateway 6.7.6 2008.12.17 -
Sophos 4.37.0 2008.12.17 -
Sunbelt 3.2.1801.2 2008.12.10 -
Symantec 10 2008.12.17 -
TheHacker 6.3.1.4.190 2008.12.17 -
TrendMicro 8.700.0.1004 2008.12.17 -
ViRobot 2008.12.17.1523 2008.12.17 -
VirusBuster 4.5.11.0 2008.12.17 -
Additional information
File size: 280 bytes
MD5...: d5b2b9bad0ef37bbbb85065d0720cbc6
SHA1..: 5cc1c7bc194db5c4493230dcdc80421b7fdcf345
SHA256: 87788d75a80d2dd80ea1dc3511d95fbb433246a2da35a668e9be684e848ac0c7
SHA512: 95ca535bd5e35728b2835f9fd4706591e904efcdd1692339f66225215757d32a
7215bd7924feeb14c1b9545b70f1981b22dea251386e93ae05be31999d8b95a4
ssdeep: 6:Clfcm4u7oY3rtUb9zpxkxm49SHPzbFlO5bM63ymy825cMQPW70Kh:5K7npUb91
y19Sbbm593yO25cu7n
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -


File mvs0854w.mif received on 12.17.2008 16:27:52 (CET)
Result: 0/38 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.12.17.3 2008.12.17 -
AntiVir 7.9.0.45 2008.12.17 -
Authentium 5.1.0.4 2008.12.17 -
Avast 4.8.1281.0 2008.12.17 -
AVG 8.0.0.199 2008.12.17 -
BitDefender 7.2 2008.12.17 -
CAT-QuickHeal 10.00 2008.12.17 -
ClamAV 0.94.1 2008.12.17 -
Comodo 771 2008.12.17 -
DrWeb 4.44.0.09170 2008.12.17 -
eSafe 7.0.17.0 2008.12.17 -
eTrust-Vet 31.6.6265 2008.12.17 -
Ewido 4.0 2008.12.17 -
F-Prot 4.4.4.56 2008.12.17 -
F-Secure 8.0.14332.0 2008.12.17 -
Fortinet 3.117.0.0 2008.12.17 -
GData 19 2008.12.17 -
Ikarus T3.1.1.45.0 2008.12.17 -
K7AntiVirus 7.10.556 2008.12.17 -
Kaspersky 7.0.0.125 2008.12.17 -
McAfee 5466 2008.12.16 -
McAfee+Artemis 5466 2008.12.16 -
Microsoft 1.4205 2008.12.17 -
NOD32 3698 2008.12.17 -
Norman 5.80.02 2008.12.16 -
Panda 9.0.0.4 2008.12.17 -
PCTools 4.4.2.0 2008.12.17 -
Prevx1 V2 2008.12.17 -
Rising 21.08.22.00 2008.12.17 -
SecureWeb-Gateway 6.7.6 2008.12.17 -
Sophos 4.37.0 2008.12.17 -
Sunbelt 3.2.1801.2 2008.12.11 -
Symantec 10 2008.12.17 -
TheHacker 6.3.1.4.190 2008.12.17 -
TrendMicro 8.700.0.1004 2008.12.17 -
VBA32 3.12.8.10 2008.12.16 -
ViRobot 2008.12.17.1523 2008.12.17 -
VirusBuster 4.5.11.0 2008.12.17 -
Additional information
File size: 1755 bytes
MD5...: 3f06b479a774ff8954bf59a6f3a16592
SHA1..: 40c1df49d6f970192ca12b29306500e06104dcbc
SHA256: 5ea8435c7c7bd1568c346008ca2572c93de156c32ef3d105611984199297cfa8
SHA512: 253e066c1ffcfb3bf2dc77fe54006f8eaff730a70745981b26d3859dba14cf95
73700860a6abe65ab82881bfa29e2f519b8eae855eb91e3137f4372c3dea7473
ssdeep: 24:W/NLPEHQgm2g85CYgm2iRN8Tfgm2X8LGgm20w8Hugm2pA8ikQ3gm2+NHdM1Xp
TWX:Chay7yTsR+ZpRQmkduZTWOz7Q
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -

screamineagle
2008-12-18, 13:19
And here are the results from Jotti's


File: epoPGPsdk.dll
Status:
OK
MD5: 9e1bb090d2d8dbf73d9042b4fae99a6b
Packers detected:
-
Scanner results
Scan taken on 18 Dec 2008 11:10:19 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


File: epoPGPsdk.dll.sig
Status:
OK
MD5: d5b2b9bad0ef37bbbb85065d0720cbc6
Packers detected:
-
Scanner results
Scan taken on 18 Dec 2008 11:14:13 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

File: mvs0854w.mif
Status:
OK
MD5: 3f06b479a774ff8954bf59a6f3a16592
Packers detected:
-
Scanner results
Scan taken on 18 Dec 2008 11:16:15 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing



Thanks ,
Kevin

Shaba
2008-12-18, 13:49
Yes, looks like so :)

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)

screamineagle
2008-12-18, 14:22
Thanks Shaba. The scan is running now. The settings button was grayed out and would not allow me to open it?

Also, one of the botched downloads of ComboFix (I tried downloading it with McAfee enabled) created an empty (0 bytes) combofix.exe icon on my desktop that I cannot delete. I get an "error deleting file" message that states it is being used by another person or program?

Thanks again for all your help


Kevin

screamineagle
2008-12-18, 14:30
I restarted Kaspersky and now have it running correctly.

Shaba
2008-12-18, 15:22
Thanks for update :)

screamineagle
2008-12-19, 00:37
Found one :sad:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 18, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, December 18, 2008 09:12:52
Records in database: 1475475
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 97232
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:19:22


File name / Threat name / Threats count
C:\Documents and Settings\Breanna Lynn\My Documents\Programs\install.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 2

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:26 PM, on 12/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Breanna Lynn\Local Settings\Temp\jkos-Breanna Lynn\binaries\ScanningProcess.exe
C:\Program Files\Trend Micro\HijackThis\screamineagle.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139091886\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Nikon Monitor.lnk = ?
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: tqxaqo.dll xdrgtd.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

--
End of file - 7706 bytes

screamineagle
2008-12-19, 04:10
It looks like Windows has this file blocked. Under Properties, Security, it said it came from another computer and it might be blocked.



File install.exe received on 12.19.2008 03:04:19 (CET)
Result: 4/38 (10.53%)

Antivirus Version Last Update Result
AhnLab-V3 2008.12.19.0 2008.12.19 -
AntiVir 7.9.0.45 2008.12.18 -
Authentium 5.1.0.4 2008.12.18 -
Avast 4.8.1281.0 2008.12.18 -
AVG 8.0.0.199 2008.12.18 -
BitDefender 7.2 2008.12.19 Application.Adware.Savenow.G
CAT-QuickHeal 10.00 2008.12.18 -
ClamAV 0.94.1 2008.12.18 -
Comodo 771 2008.12.17 -
DrWeb 4.44.0.09170 2008.12.18 -
eSafe 7.0.17.0 2008.12.18 -
eTrust-Vet 31.6.6268 2008.12.18 -
Ewido 4.0 2008.12.18 -
F-Prot 4.4.4.56 2008.12.18 -
F-Secure 8.0.14332.0 2008.12.19 WebToolbar.Win32.WhenU.a
Fortinet 3.117.0.0 2008.12.18 -
GData 19 2008.12.19 Application.Adware.Savenow.G
Ikarus T3.1.1.45.0 2008.12.19 -
K7AntiVirus 7.10.557 2008.12.18 -
Kaspersky 7.0.0.125 2008.12.19 not-a-virus:WebToolbar.Win32.WhenU.a
McAfee 5468 2008.12.18 -
McAfee+Artemis 5468 2008.12.18 -
Microsoft 1.4205 2008.12.18 -
NOD32 3704 2008.12.18 -
Norman 5.80.02 2008.12.18 -
Panda 9.0.0.4 2008.12.18 -
PCTools 4.4.2.0 2008.12.18 -
Prevx1 V2 2008.12.19 -
Rising 21.08.32.00 2008.12.18 -
SecureWeb-Gateway 6.7.6 2008.12.18 -
Sophos 4.37.0 2008.12.19 -
Sunbelt 3.2.1801.2 2008.12.11 -
Symantec 10 2008.12.18 -
TheHacker 6.3.1.4.191 2008.12.17 -
TrendMicro 8.700.0.1004 2008.12.18 -
VBA32 3.12.8.10 2008.12.18 -
ViRobot 2008.12.18.1525 2008.12.18 -
VirusBuster 4.5.11.0 2008.12.18 -
Additional information
File size: 1747789 bytes
MD5...: 4c5c3d569f9f777d7526d9ea559c3b69
SHA1..: d223d8f5eed65a5031ed3cd1a9d0a5a68d13a271
SHA256: ca1105261e753d39d480bd7120d011c6faf2ca41fa185c7c4f1100490bad4f4d
SHA512: d079c7932ed614d96ae35b94bfba3c81e4368a6c8b24c181dbb7db8c31e31636
232278852690b17a4d4c66c70944eea4628f91f7ec93f4e4c833fa9e77969e7f
ssdeep: 49152:k6dDjAelTCRsHMnI846A97U0zCo/swcKGXfVbv4p:zdDXVQAxFswcVVbc
PEiD..: Armadillo v1.71
TrID..: File type identification
Win64 Executable Generic (53.9%)
Win32 Executable MS Visual C++ (generic) (23.7%)
Windows Screen Saver (8.2%)
Win32 Executable Generic (5.3%)
Win32 Dynamic Link Library (generic) (4.7%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4017ea
timedatestamp.....: 0x43b016a9 (Mon Dec 26 16:13:29 2005)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5010 0x6000 5.96 8e247fba2722cb869afa1f8175dd1dcc
.rdata 0x7000 0xa96 0x1000 4.04 bffa4808a3ed61da87bd68e8ef2cb73b
.data 0x8000 0x3f9c 0x3000 0.72 8531493431566f7d8fdfdfec794a52fa
.rsrc 0xc000 0x1390 0x2000 2.79 f9fa4e92ad792d735505696cab08593f

( 3 imports )
> KERNEL32.dll: lstrlenA, CreateProcessA, WaitForSingleObject, lstrcpyA, DeleteFileA, GetTempFileNameA, GetCurrentDirectoryA, CreateFileA, SetLastError, ReadFile, GetFileSize, GetModuleFileNameA, GetModuleHandleA, GetStringTypeW, GetStringTypeA, WriteFile, CloseHandle, CreateDirectoryA, GetTempPathA, GetLastError, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, HeapFree, HeapAlloc, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, RtlUnwind, VirtualAlloc, HeapReAlloc, SetFilePointer, GetCPInfo, GetACP, GetOEMCP, GetProcAddress, LoadLibraryA, SetStdHandle, MultiByteToWideChar, LCMapStringA, LCMapStringW, FlushFileBuffers
> USER32.dll: MessageBoxA
> ADVAPI32.dll: RegCreateKeyA, RegSetValueExA, RegCloseKey, RegOpenKeyExA

( 0 exports )
packers (Kaspersky): PE_Patch





File: install.exe
Status:
INFECTED/MALWARE
MD5: 4c5c3d569f9f777d7526d9ea559c3b69
Packers detected:
PE_PATCH
Scanner results
Scan taken on 19 Dec 2008 02:03:20 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Application.Adware.Savenow.G
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found not-a-virus:WebToolbar.Win32.WhenU.a (6, 2, 615)
G DATA
Found Application.Adware.Savenow.G
Ikarus
Found not-a-virus:AdTool.Win32.WhenU.a
Kaspersky Anti-Virus
Found not-a-virus:WebToolbar.Win32.WhenU.a
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Shaba
2008-12-19, 11:37
Yes, that is a WhenU adware program installer.

Feel free to delete it.

Open HijackThis, click do a system scan only and checkmark these:

O20 - AppInit_DLLs: tqxaqo.dll xdrgtd.dll

Close all windows including browser and press fix checked.

Reboot.

Post back a fresh HijackThis log and tell me if you have any problems left.
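
A small triage helper, added here as an example and not part of Shaba's post or of HijackThis itself: it parses the R/F/N/O finding lines of a HijackThis log, lists the DLLs registered under O20 AppInit_DLLs (Windows loads those into every process that links user32.dll, so an entry nobody can account for deserves scrutiny), and diffs two logs so the before/after effect of a fix can be confirmed. The two sample logs are constructed from lines posted in this thread.

```python
import re
from typing import List, NamedTuple, Tuple


class Entry(NamedTuple):
    """One HijackThis finding: its section code (R1, O2, O4, O20, O23, ...) and the rest of the line."""
    section: str
    body: str


# Findings look like "O20 - AppInit_DLLs: a.dll b.dll"; process-list lines, headers
# and the trailer ("End of file - ...") do not match this shape and are skipped.
_LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.+?)\s*$")


def parse_hjt(text: str) -> List[Entry]:
    """Return the findings of a HijackThis log in file order."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def appinit_dlls(entries: List[Entry]) -> List[str]:
    """DLL names registered in AppInit_DLLs (O20 lines). Windows loads these into every
    process that links user32.dll, so an unexplained entry is a strong persistence signal."""
    dlls: List[str] = []
    for e in entries:
        if e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            dlls.extend(e.body[len("AppInit_DLLs:"):].split())
    return dlls


def diff_logs(before: List[Entry], after: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """(removed, added): findings that vanished or appeared between two logs, in log order."""
    old, new = set(before), set(after)
    removed = [e for e in before if e not in new]
    added = [e for e in after if e not in old]
    return removed, added


# Constructed sample logs, trimmed to a handful of lines taken from this thread.
SAMPLE_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O20 - AppInit_DLLs: tqxaqo.dll xdrgtd.dll
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
--
End of file - 7985 bytes
"""

SAMPLE_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
--
End of file - 8556 bytes
"""


if __name__ == "__main__":
    before, after = parse_hjt(SAMPLE_BEFORE), parse_hjt(SAMPLE_AFTER)
    print("AppInit_DLLs before fix:", appinit_dlls(before) or "none")
    print("AppInit_DLLs after fix: ", appinit_dlls(after) or "none")
    removed, added = diff_logs(before, after)
    for e in removed:
        print("- removed:", e.section, e.body)
    for e in added:
        print("+ added:  ", e.section, e.body)
```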

screamineagle
2008-12-19, 13:52
Here is the log. The machine seems to be running better than it has in a long time. The only question I have is how do I delete the faulty combofix.exe icon on the desktop?

Many Thanks,

Kevin



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:08 AM, on 12/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1139091886\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\screamineagle.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139091886\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Nikon Monitor.lnk = ?
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

--
End of file - 7985 bytes

Shaba
2008-12-19, 18:55
Let me know if you can delete it in safe mode.

screamineagle
2008-12-20, 00:42
Nope. Get the same error that it is in use????

Shaba
2008-12-20, 12:18
Then please tell me the full file path and name to check.

You can get that if you right-click that icon and choose properties.

screamineagle
2008-12-20, 19:31
C:\Documents and Settings\Breanna Lynn\Desktop

"C:\Documents and Settings\Breanna Lynn\Desktop\ComboFix.exe"

Shaba
2008-12-20, 19:36
Please download the OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe).

Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



:files
C:\Documents and Settings\Breanna Lynn\Desktop\ComboFix.exe

:commands
[EmptyTemp]
[reboot]


Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

screamineagle
2008-12-20, 20:06
You're a genius! The icon is gone but I lost the text file from OT. Sorry.

Here is the latest HijackThis log.

The machine is running great. I cannot thank you enough.

Kevin


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:05 AM, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Program Files\Common Files\AOL\1139091886\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\screamineagle.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139091886\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Nikon Monitor.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

--
End of file - 8556 bytes

Shaba
2008-12-20, 20:43
Great :)

Still some issues?

screamineagle
2008-12-21, 16:11
I think we're good here.

Thank you.

Kevin

Shaba
2008-12-21, 16:27
Glad to hear :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/download_firewall.html) (Uncheck during installation "Install COMODO Antivirus (Recommended)", "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) PC Tools (http://www.pctools.com/firewall/download/)
4) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Now let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with the instructions from the tutorial above.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software and keep your other programs up-to-date - Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. A tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1644)

Malwarebytes' Anti-Malware Scanning Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1645)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)

Happy surfing and stay clean! :bigthumb:

Shaba
2008-12-23, 12:29
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.