View Full Version : Virtuemonde probs here too
rpohlman
2008-12-29, 00:16
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:42 PM, on 12/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\tintinyproxyy\tinyproxy.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\PanelICON.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Wistron\AVManager\AVManager.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Paltalk Messenger\palstart.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\RioMSC.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrPanelICON] C:\Program Files\Launch Manager\PanelICON.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [AVManager] "C:\Program Files\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [SpybotDeletingA9544] command /c del "c:\resycled\boot.com"
O4 - HKLM\..\RunOnce: [SpybotDeletingC691] cmd /c del "c:\resycled\boot.com"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3049] command /c del "c:\resycled\boot.com"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1201] cmd /c del "c:\resycled\boot.com"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c18.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O20 - AppInit_DLLs: txjgpc.dll zbvzdh.dll gbucjv.dll lkrdpm.dll gfrtbm.dll dyyyrt.dll xunnef.dll klmqdc.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Ati HotKey Poller (Ati HotKey Poller) - Unknown owner - C:\Program Files\tintinyproxyy\tinyproxy.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
Hi
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
rpohlman
2009-01-01, 22:49
ComboFix 08-12-31.01 - Owner 2009-01-01 14:09:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.294 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Mozilla Firefox\components\iamfamous.dll
c:\program files\tintinyproxyy\tinyproxy.exe
C:\resycled
c:\winnt\system32\aibyqhen.dll
c:\winnt\system32\anfiovmw.dll
c:\winnt\system32\aqheqhxf.dll
c:\winnt\system32\BIRXGjjl.ini
c:\winnt\system32\BIRXGjjl.ini2
c:\winnt\system32\cbXrpNHB.dll
c:\winnt\system32\ctjcjslq.dll
c:\winnt\system32\drivers\msqpdxcaiclfwr.sys
c:\winnt\system32\drivers\msqpdxihigvxce.sys
c:\winnt\system32\drivers\msqpdxoboxuwba.sys
c:\winnt\system32\drivers\msqpdxpppshaij.sys
c:\winnt\system32\drivers\msqpdxsunpugxo.sys
c:\winnt\system32\drivers\msqpdxugsffyyn.sys
c:\winnt\system32\dyyyrt.dll
c:\winnt\system32\eystueby.dll
c:\winnt\system32\fukjared.dll
c:\winnt\system32\gbucjv.dll
c:\winnt\system32\gfrtbm.dll
c:\winnt\system32\hcsrmcvp.dll
c:\winnt\system32\htvvgwtc.dll
c:\winnt\system32\iqikpw.dll
c:\winnt\system32\klmqdc.dll
c:\winnt\system32\kqheqw.dll
c:\winnt\system32\ljjGXRIB.dll
c:\winnt\system32\lkrdpm.dll
c:\winnt\system32\luqigiao.dll
c:\winnt\system32\mcrh.tmp
c:\winnt\system32\msqpdxrrndpqjn.dll
c:\winnt\system32\msxml71.dll
c:\winnt\system32\opbswlgq.ini
c:\winnt\system32\opnkKCtr.dll
c:\winnt\system32\ovwysvlp.dll
c:\winnt\system32\pduiamst.dll
c:\winnt\system32\pvxeiyef.dll
c:\winnt\system32\qglwsbpo.dll
c:\winnt\system32\srdpdqvd.dll
c:\winnt\system32\srpnvcgn.dll
c:\winnt\system32\sxnfei.dll
c:\winnt\system32\sygnlaec.dll
c:\winnt\system32\twhrfskt.dll
c:\winnt\system32\txjgpc.dll
c:\winnt\system32\uapepsnu.dll
c:\winnt\system32\vqtkntgr.dll
c:\winnt\system32\vwfgogql.dll
c:\winnt\system32\wfvrnh.dll
c:\winnt\system32\xlogybnh.dll
c:\winnt\system32\xunnef.dll
c:\winnt\system32\yajqhfau.dll
c:\winnt\system32\ygrgufwg.dll
c:\winnt\system32\yjxlgigc.dll
c:\winnt\system32\zbvzdh.dll
c:\winnt\Tasks\htrujhey.job
c:\winnt\wiaserviv.log
D:\Autorun.inf
D:\resycled
d:\resycled\boot.com
----- BITS: Possible infected sites -----
hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_MSQPDXSERV.SYS
-------\Legacy_ATI_HOTKEY_POLLER_(ATI_HOTKEY_POLLER)_
-------\Service_Ati HotKey Poller (Ati HotKey Poller)
((((((((((((((((((((((((( Files Created from 2008-12-01 to 2009-01-01 )))))))))))))))))))))))))))))))
.
2008-12-25 16:40 . 2009-01-01 14:18 <DIR> d-------- c:\program files\tintinyproxyy
2008-12-25 11:43 . 2004-08-04 01:56 24,576 --a------ c:\winnt\system32\stu2.exe
2008-12-18 16:43 . 2008-12-18 16:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-17 15:52 . 2008-12-17 15:52 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-17 15:52 . 2008-12-17 15:52 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-17 15:52 . 2008-12-17 15:52 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-16 16:18 . 2008-12-16 16:18 <DIR> d-------- c:\documents and settings\Owner\Application Data\Twain
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 03:54 --------- d-----w c:\program files\Common Files\Adobe
2008-12-30 03:54 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2008-12-28 17:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-28 17:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-28 14:23 --------- d-----w c:\program files\Yahoo!
2008-12-18 22:43 --------- d-----w c:\program files\Lavasoft
2008-12-18 22:42 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-30 16:32 --------- d-----w c:\program files\Smartparts
2004-07-20 05:11 88 -c--a-w c:\program files\ClearSearchcsie_usb_rules.dat
2004-07-20 05:11 8 -c--a-w c:\program files\ClearSearchcsie_dictionary.dat
2004-07-20 05:11 43,872 -c--a-w c:\program files\ClearSearchcsie_usb_patterns.dat
2004-07-20 05:11 419 -c--a-w c:\program files\ClearSearchcsie_checks.dat
2004-07-20 05:11 3,296 -c--a-w c:\program files\ClearSearchcsie_usb_campaigns.dat
2004-07-20 05:11 2,976 -c--a-w c:\program files\ClearSearchcsie_tsb_patterns.dat
2004-07-20 05:11 2,560 -c--a-w c:\program files\ClearSearchcsie_tsb_edomains.dat
2004-07-20 05:11 136 -c--a-w c:\program files\ClearSearchcsie_tsb_campaigns.dat
2004-07-20 05:11 104 -c--a-w c:\program files\ClearSearchcsie_tsb_rules.dat
.
------- Sigcheck -------
2003-03-31 05:00 22016 e931e0a2b8bf0019db902e98d03662cb c:\winnt\$NtServicePackUninstall$\userinit.exe
2004-08-04 01:56 24576 39b1ffb03c2296323832acbae50d2aff c:\winnt\ServicePackFiles\i386\userinit.exe
2008-04-13 18:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\winnt\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2008-12-25 11:43 8704 93849ab2d7b9c8c81f20a99d16c8ab36 c:\winnt\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Ink Monitor"="c:\program files\Gateway Utilities\GWInkMonitor.exe" [2003-06-24 303180]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-07-01 71280]
"NAV CfgWiz"="c:\program files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-15 124096]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-04-24 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-04-24 610304]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-04-28 184320]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2003-05-12 32768]
"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2003-09-24 40960]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrPanelICON"="c:\program files\Launch Manager\PanelICON.exe" [2003-09-24 36864]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2003-09-12 65536]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-07-07 100056]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-09 282624]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-12-12 118784]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\winnt\system32\Ati2mdxx.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 c:\winnt\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 c:\winnt\AGRSMMSG.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
PalStart.lnk - c:\program files\Paltalk Messenger\palstart.exe [2007-05-25 45568]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\winnt\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalStart.lnk
backup=c:\winnt\pss\PalStart.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\winnt\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-06-14 15:24 278528 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-12-12 17:55 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2003-12-12 17:55 118784 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 03:50 155648 c:\winnt\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-08-09 08:12 282624 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-04-21 14:51 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a--c--- 2008-03-27 00:35 36352 c:\program files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zilla Popup Killer]
--a--c--- 2000-05-09 15:04 536576 c:\program files\Zilla Popup Killer\ZillaPop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
R1 Hotkey;Hotkey;c:\winnt\system32\drivers\Hotkey.sys [2003-10-07 9867]
R2 BBFat.VxD;BlueBird DSP API;c:\winnt\system32\Drivers\BBFat.sys [2002-08-19 7808]
S1 mailKmd;mailKmd; []
S1 Wbutton;Wbutton;c:\winnt\system32\drivers\Wbutton.sys []
.
Contents of the 'Scheduled Tasks' folder
2008-12-20 c:\winnt\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-12-04 17:22]
2009-01-01 c:\winnt\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 11:24]
.
- - - - ORPHANS REMOVED - - - -
BHO-{051FA81D-E844-45AD-91AA-A4D30B445F8B} - (no file)
BHO-{0709DD58-03F0-4375-A080-726BC790961B} - (no file)
BHO-{42562a34-79bb-4e61-a980-05951de917ef} - c:\winnt\system32\klmqdc.dll
BHO-{644DFA61-DB3B-4019-8CCC-D51B130243BE} - (no file)
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\winnt\system32\opnkKCtr.dll
BHO-{6EE3C368-3654-4FC6-91F6-4125AFA57CB9} - (no file)
BHO-{87D72EF7-00A1-4ECB-B4A5-8B6945CB8718} - c:\winnt\system32\ljjGXRIB.dll
BHO-{8AFE0117-7E14-4410-B1E4-3EFAF026F12C} - (no file)
BHO-{9DFEA25D-9ECF-4188-BE5A-02B050AE55A6} - (no file)
BHO-{A36FC388-44E5-4A4C-9ECD-1F378208B808} - (no file)
BHO-{ABFB5FE6-2E8D-4FC7-B58C-B9F2DCABCC6C} - (no file)
BHO-{AE66149D-CE88-49E9-B4B8-F7B514D97C2C} - (no file)
BHO-{BFF1718F-089B-4805-85DA-79B24B1B81CC} - (no file)
BHO-{D5FDD9DA-F314-4705-98C2-BB09CBAC88A4} - (no file)
BHO-{E8CD221A-D099-451B-AB75-658AED1DD6CF} - (no file)
BHO-{F114BA1B-DD7B-47D7-B7AB-A71E005038FA} - (no file)
BHO-{F4947583-0C36-4347-87D7-D268184570E7} - (no file)
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\winnt\system32\opnkKCtr.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.msn.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.net/
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Search - ?p=ZU
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: {{4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\Paltalk Messenger\Paltalk.exe
c:\winnt\Downloaded Program Files\MediaGatewayX.dll - O16 -: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}
hxxp://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c18.cab
O16 -: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
c:\winnt\Downloaded Program Files\counter.inf
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\jbodhqj5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 9090
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrch.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 14:27:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬ r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Owner=S-1-5-21-367768924-3279092438-3500024551-1003
"*"=dword:00000004
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬ r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_USERS\S-1-5-21-367768924-3279092438-3500024551-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬ r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-367768924-3279092438-3500024551-1003
@Allowed: (Full) (S-1-5-21-367768924-3279092438-3500024551-1003)
@Allowed: (Full) (S-1-5-21-367768924-3279092438-3500024551-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
"*"=dword:00000004
[HKEY_USERS\S-1-5-21-367768924-3279092438-3500024551-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬ r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬ r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Owner=S-1-5-21-367768924-3279092438-3500024551-1003
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬ r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\€*NULL*À8>*NULL*]
@Security="Inherited"
"DisplayName"="??"
"DeviceDesc"="??"
"ProviderName"="???\13?\1f?\13??"
"MFG"="????"
"ReinstallString"="c:\\WINNT\\System32\\ReinstallBackups\\???\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"x:\\roni\\m505\\drivers\\new\\9525229\\9525229g1\\7.91 - logo\\driver\\2kxp_inf\\cx_09924.inf\00"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\winnt\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Norton AntiVirus\NAVAPSVC.EXE
c:\winnt\system32\RioMSC.exe
c:\winnt\system32\wdfmgr.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\Security Center\symwsc.exe
c:\winnt\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-01-01 14:39:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-01 20:38:04
Pre-Run: 22,811,394,048 bytes free
Post-Run: 22,867,341,312 bytes free
326 --- E O F --- 2008-12-13 01:09:46
here is hjt
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:47:54 PM, on 1/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\RioMSC.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\PanelICON.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Paltalk Messenger\palstart.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrPanelICON] C:\Program Files\Launch Manager\PanelICON.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c18.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 9357 bytes
Hi
You gonna need to update your Norton. If license is expired then either renew it or uninstall and get one of these great free options:
Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html)
Avast! (http://www.avast.com/eng/download-avast-home.html)
Start hjt, do a system scan, check (if found):
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/We...bridge-c18.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
Close browsers and fix checked.
Open notepad and copy/paste the text in the quotebox below into it:
Driver::
mailKmd
File::
c:\counter.cab
Folder::
c:\program files\tintinyproxyy
c:\documents and settings\Owner\Application Data\Twain
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Uninstall old Adobe Reader versions and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader!
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 11 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
rpohlman
2009-01-02, 17:53
ComboFix 09-01-01.02 - Owner 2009-01-02 8:52:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.275 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\counter.cab
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner\Application Data\Twain
c:\program files\Mozilla Firefox\components\iamfamous.dll
c:\program files\tintinyproxyy
C:\resycled
c:\resycled\boot.com
c:\winnt\system32\678R1T14.exe.a_a
c:\winnt\system32\drivers\msqpdxhgosqjym.sys
c:\winnt\system32\msqpdxowloariq.dll
c:\winnt\system32\msxml71.dll
D:\Autorun.inf
D:\resycled
d:\resycled\boot.com
----- BITS: Possible infected sites -----
hxxp://turboplayer.net
hxxp://b9n.org
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_MSQPDXSERV.SYS
-------\Service_mailKmd
((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.
2009-01-02 09:01 . 2009-01-02 09:01 <DIR> d-------- c:\program files\tintinyproxyy
2009-01-02 08:51 . 2009-01-02 08:51 73,728 --a------ c:\winnt\system32\678R1T14.exe
2008-12-25 11:43 . 2004-08-04 01:56 24,576 --a------ c:\winnt\system32\stu2.exe
2008-12-18 16:43 . 2008-12-18 16:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-17 15:52 . 2008-12-17 15:52 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-17 15:52 . 2008-12-17 15:52 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-17 15:52 . 2008-12-17 15:52 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 03:54 --------- d-----w c:\program files\Common Files\Adobe
2008-12-30 03:54 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2008-12-28 17:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-28 17:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-28 14:23 --------- d-----w c:\program files\Yahoo!
2008-12-18 22:43 --------- d-----w c:\program files\Lavasoft
2008-12-18 22:42 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-30 16:32 --------- d-----w c:\program files\Smartparts
2004-07-20 05:11 88 -c--a-w c:\program files\ClearSearchcsie_usb_rules.dat
2004-07-20 05:11 8 -c--a-w c:\program files\ClearSearchcsie_dictionary.dat
2004-07-20 05:11 43,872 -c--a-w c:\program files\ClearSearchcsie_usb_patterns.dat
2004-07-20 05:11 419 -c--a-w c:\program files\ClearSearchcsie_checks.dat
2004-07-20 05:11 3,296 -c--a-w c:\program files\ClearSearchcsie_usb_campaigns.dat
2004-07-20 05:11 2,976 -c--a-w c:\program files\ClearSearchcsie_tsb_patterns.dat
2004-07-20 05:11 2,560 -c--a-w c:\program files\ClearSearchcsie_tsb_edomains.dat
2004-07-20 05:11 136 -c--a-w c:\program files\ClearSearchcsie_tsb_campaigns.dat
2004-07-20 05:11 104 -c--a-w c:\program files\ClearSearchcsie_tsb_rules.dat
.
((((((((((((((((((((((((((((( snapshot@2009-01-01_14.36.14.94 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-16 10:37:05 3,059,712 ------w c:\winnt\system32\dllcache\mshtml.dll
+ 2008-12-12 17:33:23 3,060,224 ------w c:\winnt\system32\dllcache\mshtml.dll
- 2008-10-16 10:37:05 3,059,712 ----a-w c:\winnt\system32\mshtml.dll
+ 2008-12-12 17:33:23 3,060,224 ----a-w c:\winnt\system32\mshtml.dll
- 2007-07-27 15:41:40 16,760 ----a-w c:\winnt\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\winnt\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Ink Monitor"="c:\program files\Gateway Utilities\GWInkMonitor.exe" [2003-06-24 303180]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-07-01 71280]
"NAV CfgWiz"="c:\program files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-15 124096]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-04-24 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-04-24 610304]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-04-28 184320]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2003-05-12 32768]
"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2003-09-24 40960]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrPanelICON"="c:\program files\Launch Manager\PanelICON.exe" [2003-09-24 36864]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2003-09-12 65536]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-07-07 100056]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-09 282624]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-12-12 118784]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\winnt\system32\Ati2mdxx.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 c:\winnt\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 c:\winnt\AGRSMMSG.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
PalStart.lnk - c:\program files\Paltalk Messenger\palstart.exe [2007-05-25 45568]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\winnt\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalStart.lnk
backup=c:\winnt\pss\PalStart.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-06-14 15:24 278528 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-12-12 17:55 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2003-12-12 17:55 118784 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 03:50 155648 c:\winnt\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-08-09 08:12 282624 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-04-21 14:51 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a--c--- 2008-03-27 00:35 36352 c:\program files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zilla Popup Killer]
--a--c--- 2000-05-09 15:04 536576 c:\program files\Zilla Popup Killer\ZillaPop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\tintinyproxyy\\tinyproxy.exe"=
R1 Hotkey;Hotkey;c:\winnt\system32\drivers\Hotkey.sys [2003-10-07 9867]
R2 BBFat.VxD;BlueBird DSP API;c:\winnt\system32\Drivers\BBFat.sys [2002-08-19 7808]
R2 HID Input Service (HidServ) ;HID Input Service (HidServ) ;c:\program files\tintinyproxyy\tinyproxy.exe [2009-01-02 8960]
S1 Wbutton;Wbutton;c:\winnt\system32\drivers\Wbutton.sys []
*Newly Created Service* - HID_INPUT_SERVICE_(HIDSERV)_
.
Contents of the 'Scheduled Tasks' folder
2008-12-20 c:\winnt\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-12-04 17:22]
2009-01-02 c:\winnt\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 11:24]
.
- - - - ORPHANS REMOVED - - - -
BHO-{500BCA15-57A7-4eaf-8143-8C619470B13D} - c:\winnt\system32\msxml71.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.msn.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.net/
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Search - ?p=ZU
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: {{4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\Paltalk Messenger\Paltalk.exe
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\jbodhqj5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 9090
FF - prefs.js: network.proxy.type - 4
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrch.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 09:01:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\winnt\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Norton AntiVirus\NAVAPSVC.EXE
c:\winnt\system32\RioMSC.exe
c:\winnt\system32\wdfmgr.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\Security Center\symwsc.exe
c:\winnt\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-01-02 9:10:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-02 15:09:48
ComboFix2.txt 2009-01-01 20:39:02
Pre-Run: 22,717,366,272 bytes free
Post-Run: 22,716,608,512 bytes free
222 --- E O F --- 2009-01-02 04:43:43
rpohlman
2009-01-02, 18:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:36 AM, on 1/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\RioMSC.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\PanelICON.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Paltalk Messenger\palstart.exe
C:\Program Files\tintinyproxyy\tinyproxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrPanelICON] C:\Program Files\Launch Manager\PanelICON.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HID Input Service (HidServ) - Unknown owner - C:\Program Files\tintinyproxyy\tinyproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 9335 bytes
rpohlman
2009-01-02, 18:06
had issues with kapersky, but it is scanning now... will give report when finished
rpohlman
2009-01-03, 00:19
kapersky was unable to run, i scanned with Antvir, here is the report:
Avira AntiVir Personal
Report file date: Friday, January 02, 2009 15:18
Scanning for 1038808 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: RICH
Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 15:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.0.56 411136 Bytes 11/9/2008 23:57:13
ANTIVIR2.VDF : 7.1.0.89 221184 Bytes 11/16/2008 23:16:47
ANTIVIR3.VDF : 7.1.0.97 45056 Bytes 11/17/2008 23:38:59
Engineversion : 8.2.0.31
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 17:05:56
AESCRIPT.DLL : 8.1.1.15 332156 Bytes 11/11/2008 21:00:07
AESCN.DLL : 8.1.1.5 123251 Bytes 11/7/2008 22:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 20:58:38
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/11/2008 16:41:39
AEOFFICE.DLL : 8.1.0.30 196986 Bytes 11/7/2008 22:06:41
AEHEUR.DLL : 8.1.0.71 1487222 Bytes 11/7/2008 22:06:41
AEHELP.DLL : 8.1.1.3 119157 Bytes 11/7/2008 22:06:41
AEGEN.DLL : 8.1.1.0 319859 Bytes 11/7/2008 22:06:41
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 17:05:56
AECORE.DLL : 8.1.4.1 172405 Bytes 11/7/2008 22:06:41
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 17:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 19:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 20:34:37
Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: Friday, January 02, 2009 15:18
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'WLLoginProxy.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process '678R1T14.exe' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'hpqste08.exe' - '1' Module(s) have been scanned
Scan process '~tmpd.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'palstart.exe' - '1' Module(s) have been scanned
Scan process '~tmpb.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
Scan process 'a.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe'
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'mm_tray.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'WButton.exe' - '1' Module(s) have been scanned
Scan process 'PanelICON.exe' - '1' Module(s) have been scanned
Scan process 'HotkeyApp.exe' - '1' Module(s) have been scanned
Scan process 'LaunchAp.exe' - '1' Module(s) have been scanned
Scan process 'ltmoh.exe' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'GWInkMonitor.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RioMSC.exe' - '1' Module(s) have been scanned
Scan process 'tinyproxy.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\tintinyproxyy\tinyproxy.exe'
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'a.exe' has been terminated
Process 'tinyproxy.exe' has been terminated
C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49c38503.qua'!
C:\Program Files\tintinyproxyy\tinyproxy.exe
[DETECTION] Is the TR/Crypt.PEPM.Gen Trojan
[NOTE] The file was moved to '49cc8541.qua'!
56 processes with 54 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Starting to scan the registry.
The registry was scanned ( '1471' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '49c7858b.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp2.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '49c7858e.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4BOVAZG1\portal[2].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49d085c5.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4BOVAZG1\result[10].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49d185c0.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4BOVAZG1\result[11].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49d185c3.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4BOVAZG1\result[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49d185c9.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4BOVAZG1\result[2].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '48a551aa.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4BOVAZG1\result[3].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49d185cb.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4BOVAZG1\result[4].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '48a551ac.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4BOVAZG1\result[5].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49d185ca.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4BOVAZG1\result[6].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '48a551ab.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4BOVAZG1\result[7].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49d185cc.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4BOVAZG1\result[9].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '48a551ad.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\67A58HMF\go[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49b985d7.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\67A58HMF\result[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49d185ce.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\67A58HMF\result[2].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49d185cf.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\67A58HMF\result[3].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '48a551b0.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJQBKPGP\promote[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49cd85e0.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJQBKPGP\result[10].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49d185d3.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJQBKPGP\result[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49d185d4.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJQBKPGP\result[3].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '48a551b5.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJQBKPGP\result[4].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49d185d6.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJQBKPGP\result[5].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '48a551b7.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJQBKPGP\result[6].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49d185d8.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJQBKPGP\result[7].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49d185d5.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJQBKPGP\result[8].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '48a551b6.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJQBKPGP\result[9].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49d185d7.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJQBKPGP\smartsearch[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49bf85de.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SLE7SXAN\myport[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49ce85ed.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SLE7SXAN\promote[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49cd85e6.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SLE7SXAN\promote[2].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '48b95187.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SLE7SXAN\promote[3].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49cd85e8.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SLE7SXAN\promote[4].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49cd85e7.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SLE7SXAN\promote[5].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '48b95188.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SLE7SXAN\result[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49d185da.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SLE7SXAN\result[3].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '49d185db.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SLE7SXAN\result[4].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '48a551bc.qua'!
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\0\3928a900-60880386
[0] Archive type: ZIP
--> BaaaaBaa.class
[DETECTION] Is the TR/Java.Downloader.Gen Trojan
--> VaaaaaaaBaa.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.FA Java virus
--> Dvnny.class
[DETECTION] Contains recognition pattern of the JAVA/Exploit.By.A.2 Java virus
--> Baaaaa.class
[DETECTION] Contains recognition pattern of the JAVA/Exploit.By.A.1 Java virus
--> Dex.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.GC Java virus
--> Dix.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.GD Java virus
--> Dux.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.GE Java virus
[NOTE] The file was moved to '499085df.qua'!
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\0\3928a900-61e83669
[0] Archive type: ZIP
--> BaaaaBaa.class
[DETECTION] Is the TR/Java.Downloader.Gen Trojan
--> VaaaaaaaBaa.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.FA Java virus
--> Dvnny.class
[DETECTION] Contains recognition pattern of the JAVA/Exploit.By.A.2 Java virus
--> Baaaaa.class
[DETECTION] Contains recognition pattern of the JAVA/Exploit.By.A.1 Java virus
--> Dex.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.GC Java virus
--> Dix.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.GD Java virus
--> Dux.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.GE Java virus
[NOTE] The file was moved to '499085e0.qua'!
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\28\2b07381c-210b3400
[0] Archive type: ZIP
--> BaaaaBaa.class
[DETECTION] Is the TR/Java.Downloader.Gen Trojan
--> VaaaaaaaBaa.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.FA Java virus
--> Dvnny.class
[DETECTION] Contains recognition pattern of the JAVA/Exploit.By.A.2 Java virus
--> Baaaaa.class
[DETECTION] Contains recognition pattern of the JAVA/Exploit.By.A.1 Java virus
--> Dex.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.GC Java virus
--> Dix.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.GD Java virus
--> Dux.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.GE Java virus
[NOTE] The file was moved to '498e8639.qua'!
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\28\2b07381c-46f128fa
[0] Archive type: ZIP
--> BaaaaBaa.class
[DETECTION] Is the TR/Java.Downloader.Gen Trojan
--> VaaaaaaaBaa.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.FA Java virus
--> Dvnny.class
[DETECTION] Contains recognition pattern of the JAVA/Exploit.By.A.2 Java virus
--> Baaaaa.class
[DETECTION] Contains recognition pattern of the JAVA/Exploit.By.A.1 Java virus
--> Dex.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.GC Java virus
--> Dix.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.GD Java virus
--> Dux.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.GE Java virus
[NOTE] The file was moved to '498e863a.qua'!
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\62\70a93cfe-5528735d
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A exploit
[NOTE] The file was moved to '49bf8647.qua'!
C:\Documents and Settings\Owner\Local Settings\temp\b.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49c386ac.qua'!
C:\Documents and Settings\Owner\Local Settings\temp\tmp80.tmp
[DETECTION] Is the TR/Patched.CL Trojan
[NOTE] The file was moved to '49ce86ec.qua'!
C:\Program Files\ProSiteFinder\zdt0tjhh.DLL
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Ruledor.I back-door program
[NOTE] The file was moved to '49d28bca.qua'!
C:\Qoobox\Quarantine\C\Program Files\tintinyproxyy\tinyproxy.exe.vir
[DETECTION] Is the TR/Crypt.PEPM.Gen Trojan
[NOTE] The file was moved to '49cc8c97.qua'!
C:\Qoobox\Quarantine\C\WINNT\system32\msxml71.dll.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49d68ca4.qua'!
C:\WINNT\inf\alchem.inf
[DETECTION] Is the TR/Dldr.Alchemic.B Trojan
[NOTE] The file was moved to '49c18e97.qua'!
Begin scan in 'D:\' <DATA>
End of the scan: Friday, January 02, 2009 16:09
Used time: 50:21 Minute(s)
The scan has been done completely.
11236 Scanning directories
263552 Files were scanned
46 viruses and/or unwanted programs were found
30 Files were classified as suspicious:
0 files were deleted
0 files were repaired
50 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
263474 Files not concerned
6712 Archives were scanned
2 Warnings
50 Notes
Hi
Antivir report looks ok (infections were treated). Please run ComboFix again and post its log & a fresh hjt log back here.
rpohlman
2009-01-03, 14:18
got KASPERSKY to work
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, January 3, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 02, 2009 22:55:44
Records in database: 1550312
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Files scanned: 87834
Threat name: 13
Infected objects: 17
Suspicious objects: 1
Duration of the scan: 02:14:03
File name / Threat name / Threats count
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\archive.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\Mozilla Firefox\plugins\NPMySrch.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
C:\Program Files\ProSiteFinder\ffcc6by5.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ah 1
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\components\iamfamous.dll.vir Infected: Trojan.Win32.Agent.avjo 1
C:\Qoobox\Quarantine\C\WINNT\system32\aibyqhen.dll.vir Infected: Trojan.Win32.Monder.adys 1
C:\Qoobox\Quarantine\C\WINNT\system32\cbXrpNHB.dll.vir Infected: Trojan-Downloader.Win32.Agent.aubk 1
C:\Qoobox\Quarantine\C\WINNT\system32\eystueby.dll.vir Infected: Trojan.Win32.Agent.bahn 1
C:\Qoobox\Quarantine\C\WINNT\system32\msqpdxowloariq.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.ivf 1
C:\Qoobox\Quarantine\C\WINNT\system32\msqpdxrrggcigp.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.ivf 1
C:\Qoobox\Quarantine\C\WINNT\system32\msqpdxrrndpqjn.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.ivf 1
C:\Qoobox\Quarantine\C\WINNT\system32\opnkKCtr.dll.vir Infected: Trojan-Downloader.Win32.Injecter.bel 1
C:\Qoobox\Quarantine\C\WINNT\system32\pduiamst.dll.vir Infected: Trojan.Win32.Monder.acop 1
C:\Qoobox\Quarantine\C\WINNT\system32\pvxeiyef.dll.vir Infected: Trojan.Win32.Monder.aghz 1
C:\Qoobox\Quarantine\C\WINNT\system32\srpnvcgn.dll.vir Infected: Trojan.Win32.Monder.adyt 1
C:\Qoobox\Quarantine\C\WINNT\system32\txjgpc.dll.vir Infected: Trojan.Win32.Monder.adyt 1
C:\System Volume Information\_restore{8002FAC4-987A-423F-A02F-FD2F3B3F135B}\RP493\A0209800.dll Infected: not-a-virus:AdWare.Win32.Agent.ivf 1
C:\System Volume Information\_restore{8002FAC4-987A-423F-A02F-FD2F3B3F135B}\RP493\A0209815.dll Infected: Trojan.Win32.Agent.avjo 1
C:\WINNT\system32\userinit.exe Infected: Trojan-Downloader.Win32.Agent.auff 1
The selected area was scanned.
Hi
Please run ComboFix again and post back its report and a fresh hjt log first. I'll then give further instructions covering those Kaspersky findings too :)
rpohlman
2009-01-03, 23:23
ComboFix 09-01-02.01 - Owner 2009-01-03 14:59:08.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.177 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner\Application Data\GetModule
c:\documents and settings\Owner\Application Data\GetModule\dicik.gz
c:\documents and settings\Owner\Application Data\GetModule\kwdik.gz
c:\documents and settings\Owner\Application Data\GetModule\ofadik.gz
c:\program files\GetModule
c:\program files\GetPack
c:\program files\GetPack\dictame.gz
c:\program files\GetPack\GetPack26.exe
c:\program files\GetPack\trgtame.gz
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\winnt\system32\~.exe
c:\winnt\system32\CKmUBcdd.ini
c:\winnt\system32\CKmUBcdd.ini2
c:\winnt\system32\ddcBUmKC.dll
c:\winnt\system32\gcixtnoy.dll
c:\winnt\system32\lakxmtvh.dll
c:\winnt\system32\mcrh.tmp
c:\winnt\system32\rcwyew.dll
c:\winnt\system32\ssqRLETK.dll
c:\winnt\system32\yfnepx.dll
c:\winnt\system32\yjnpnxmc.dll
c:\winnt\system32\yontxicg.ini
c:\winnt\wiaserviv.log
----- BITS: Possible infected sites -----
hxxp://b9n.org
.
((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.
2009-01-03 05:49 . 2009-01-03 05:49 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\AdobeUM
2009-01-02 17:15 . 2001-08-17 22:36 8,704 --a------ c:\winnt\system32\kbdjpn.dll
2009-01-02 17:15 . 2001-08-17 22:36 8,704 --a------ c:\winnt\system32\dllcache\kbdjpn.dll
2009-01-02 17:15 . 2001-08-17 22:36 8,192 --a------ c:\winnt\system32\kbdkor.dll
2009-01-02 17:15 . 2001-08-17 22:36 8,192 --a------ c:\winnt\system32\dllcache\kbdkor.dll
2009-01-02 17:15 . 2001-08-17 14:55 6,144 --a------ c:\winnt\system32\kbd106.dll
2009-01-02 17:15 . 2001-08-17 14:55 6,144 --a------ c:\winnt\system32\kbd101c.dll
2009-01-02 17:15 . 2001-08-17 14:55 6,144 --a------ c:\winnt\system32\kbd101b.dll
2009-01-02 17:15 . 2001-08-17 14:55 6,144 --a------ c:\winnt\system32\dllcache\kbd106.dll
2009-01-02 17:15 . 2001-08-17 14:55 6,144 --a------ c:\winnt\system32\dllcache\kbd101c.dll
2009-01-02 17:15 . 2001-08-17 14:55 6,144 --a------ c:\winnt\system32\dllcache\kbd101b.dll
2009-01-02 17:15 . 2001-08-17 14:55 5,632 --a------ c:\winnt\system32\kbd103.dll
2009-01-02 17:15 . 2001-08-17 14:55 5,632 --a------ c:\winnt\system32\dllcache\kbd103.dll
2009-01-02 16:32 . 2009-01-02 16:33 1,085,440 --a------ c:\winnt\system32\rn.tmp
2009-01-02 15:01 . 2009-01-02 15:01 <DIR> d-------- c:\program files\Avira
2009-01-02 15:01 . 2009-01-02 15:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-02 09:19 . 2009-01-02 09:36 <DIR> d-------- c:\documents and settings\Owner\.SunDownloadManager
2009-01-02 09:01 . 2009-01-02 15:19 <DIR> d-------- c:\program files\tintinyproxyy
2009-01-02 08:51 . 2009-01-02 13:32 73,728 --a------ c:\winnt\system32\678R1T14.exe
2008-12-25 11:43 . 2004-08-04 01:56 24,576 --a------ c:\winnt\system32\stu2.exe
2008-12-18 16:43 . 2008-12-18 16:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-17 15:52 . 2008-12-17 15:52 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-17 15:52 . 2008-12-17 15:52 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-17 15:52 . 2008-12-17 15:52 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 21:47 --------- d-----w c:\program files\ProSiteFinder
2009-01-02 20:58 --------- d-----w c:\program files\Symantec
2009-01-02 20:58 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-02 20:49 --------- d-----w c:\program files\Norton AntiVirus
2009-01-02 20:49 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-02 15:30 --------- d-----w c:\program files\Java
2008-12-30 03:54 --------- d-----w c:\program files\Common Files\Adobe
2008-12-30 03:54 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2008-12-28 17:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-28 17:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-28 14:23 --------- d-----w c:\program files\Yahoo!
2008-12-18 22:43 --------- d-----w c:\program files\Lavasoft
2008-12-18 22:42 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-30 16:32 --------- d-----w c:\program files\Smartparts
2004-07-20 05:11 88 -c--a-w c:\program files\ClearSearchcsie_usb_rules.dat
2004-07-20 05:11 8 -c--a-w c:\program files\ClearSearchcsie_dictionary.dat
2004-07-20 05:11 43,872 -c--a-w c:\program files\ClearSearchcsie_usb_patterns.dat
2004-07-20 05:11 419 -c--a-w c:\program files\ClearSearchcsie_checks.dat
2004-07-20 05:11 3,296 -c--a-w c:\program files\ClearSearchcsie_usb_campaigns.dat
2004-07-20 05:11 2,976 -c--a-w c:\program files\ClearSearchcsie_tsb_patterns.dat
2004-07-20 05:11 2,560 -c--a-w c:\program files\ClearSearchcsie_tsb_edomains.dat
2004-07-20 05:11 136 -c--a-w c:\program files\ClearSearchcsie_tsb_campaigns.dat
2004-07-20 05:11 104 -c--a-w c:\program files\ClearSearchcsie_tsb_rules.dat
.
((((((((((((((((((((((((((((( snapshot@2009-01-01_14.36.14.94 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-16 10:37:05 3,059,712 ------w c:\winnt\system32\dllcache\mshtml.dll
+ 2008-12-12 17:33:23 3,060,224 ------w c:\winnt\system32\dllcache\mshtml.dll
+ 2004-08-04 07:56:57 24,576 ----a-w c:\winnt\system32\dllcache\userinit.exe
+ 2008-05-09 18:15:51 45,376 ----a-w c:\winnt\system32\drivers\avgntdd.sys
+ 2008-01-21 23:11:28 22,336 ----a-w c:\winnt\system32\drivers\avgntmgr.sys
+ 2008-10-30 16:21:03 75,072 ----a-w c:\winnt\system32\drivers\avipbb.sys
+ 2007-03-01 15:34:22 28,352 ----a-w c:\winnt\system32\drivers\ssmdrv.sys
- 2008-10-16 10:37:05 3,059,712 ----a-w c:\winnt\system32\mshtml.dll
+ 2008-12-12 17:33:23 3,060,224 ----a-w c:\winnt\system32\mshtml.dll
- 2007-07-27 15:41:40 16,760 ----a-w c:\winnt\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\winnt\system32\spmsg.dll
- 2008-12-25 17:43:16 8,704 ----a-w c:\winnt\system32\userinit.exe
+ 2004-08-04 07:56:57 24,576 ----a-w c:\winnt\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Ink Monitor"="c:\program files\Gateway Utilities\GWInkMonitor.exe" [2003-06-24 303180]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-04-24 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-04-24 610304]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-04-28 184320]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2003-05-12 32768]
"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2003-09-24 40960]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrPanelICON"="c:\program files\Launch Manager\PanelICON.exe" [2003-09-24 36864]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2003-09-12 65536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-09 282624]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-12-12 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\winnt\system32\Ati2mdxx.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 c:\winnt\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 c:\winnt\AGRSMMSG.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
PalStart.lnk - c:\program files\Paltalk Messenger\palstart.exe [2007-05-25 45568]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=yfnepx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\winnt\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalStart.lnk
backup=c:\winnt\pss\PalStart.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-06-14 15:24 278528 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-12-12 17:55 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2003-12-12 17:55 118784 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 03:50 155648 c:\winnt\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-08-09 08:12 282624 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-04-21 14:51 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a--c--- 2008-03-27 00:35 36352 c:\program files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zilla Popup Killer]
--a--c--- 2000-05-09 15:04 536576 c:\program files\Zilla Popup Killer\ZillaPop.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
R1 Hotkey;Hotkey;c:\winnt\system32\drivers\HOTKEY.sys [2003-10-07 9867]
R4 BBFat.VxD;BlueBird DSP API;c:\winnt\system32\drivers\BBFat.sys [2002-08-19 7808]
S1 Wbutton;Wbutton;c:\winnt\system32\drivers\Wbutton.sys --> c:\winnt\system32\drivers\Wbutton.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2009-01-03 c:\winnt\Tasks\At1.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-02 c:\winnt\Tasks\At10.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-02 c:\winnt\Tasks\At11.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-02 c:\winnt\Tasks\At12.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-02 c:\winnt\Tasks\At13.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At14.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At15.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-02 c:\winnt\Tasks\At16.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-02 c:\winnt\Tasks\At17.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At18.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At19.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At2.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At20.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At21.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At22.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At23.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At24.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At25.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At26.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At27.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At28.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At29.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At3.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At30.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At31.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-02 c:\winnt\Tasks\At32.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-02 c:\winnt\Tasks\At33.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-02 c:\winnt\Tasks\At34.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-02 c:\winnt\Tasks\At35.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-02 c:\winnt\Tasks\At36.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-02 c:\winnt\Tasks\At37.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At38.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At39.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At4.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-02 c:\winnt\Tasks\At40.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-02 c:\winnt\Tasks\At41.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-02 c:\winnt\Tasks\At42.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At43.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At44.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At45.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At46.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At47.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At48.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At5.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At6.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\At7.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-02 c:\winnt\Tasks\At8.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-02 c:\winnt\Tasks\At9.job
- c:\winnt\system32\678R1T14.exe [2009-01-02 13:32]
2009-01-03 c:\winnt\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 11:24]
.
- - - - ORPHANS REMOVED - - - -
BHO-{20758BB7-CB3E-4789-8C3C-A5C8AA75D465} - c:\winnt\system32\ddcBUmKC.dll
BHO-{ccf06fa3-b771-4f28-a137-7273dd2283d0} - c:\winnt\system32\yfnepx.dll
HKCU-Run-GetModule32 - c:\program files\GetModule\GetModule32.exe
HKCU-Run-GetPack26 - c:\program files\GetPack\GetPack26.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.msn.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.net/
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Search - ?p=ZU
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\jbodhqj5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 9090
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrch.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 15:12:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\winnt\system32\ati2evxx.exe
c:\winnt\system32\RioMSC.exe
c:\winnt\system32\wdfmgr.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\winnt\system32\wscntfy.exe
c:\program files\Java\jre1.6.0_01\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-01-03 15:20:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-03 21:19:48
ComboFix2.txt 2009-01-02 22:55:50
ComboFix3.txt 2009-01-02 15:10:53
ComboFix4.txt 2009-01-01 20:39:02
Pre-Run: 23,605,760,000 bytes free
Post-Run: 23,824,654,336 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
354 --- E O F --- 2009-01-02 04:43:43
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:01 PM, on 1/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINNT\system32\RioMSC.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\PanelICON.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Paltalk Messenger\palstart.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrPanelICON] C:\Program Files\Launch Manager\PanelICON.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O20 - AppInit_DLLs: yfnepx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 7828 bytes
Hi
Upload following files to http://www.virustotal.com and post back the scanning results:
c:\winnt\system32\rn.tmp
c:\winnt\system32\stu2.exe
Creating & executing batch file
-------------------------------
Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop. (If you are still unsure on how to do this there is a little tutorial with pictures here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Bat_File))
@echo off
del c:\winnt\Tasks\At*.job
Double-click on fixes.bat file to execute it.
Start hjt, do a system scan, check (if found):
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
Close browsers and fix checked.
Uninstall old Adobe Reader and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm).
Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\winnt\system32\678R1T14.exe
Folder::
c:\program files\tintinyproxyy
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 11 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
rpohlman
2009-01-05, 03:41
Unsure if u can read this, but Prevx1 - V2 has Malicious Software. this is the rn.tmp.
Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.04 -
AhnLab-V3 2008.12.31.0 2009.01.04 -
AntiVir 7.9.0.45 2009.01.04 -
Authentium 5.1.0.4 2009.01.04 -
Avast 4.8.1281.0 2009.01.04 -
AVG 8.0.0.199 2009.01.04 -
BitDefender 7.2 2009.01.05 -
CAT-QuickHeal 10.00 2009.01.03 -
ClamAV 0.94.1 2009.01.04 -
Comodo 874 2009.01.04 -
DrWeb 4.44.0.09170 2009.01.04 -
eTrust-Vet 31.6.6289 2009.01.02 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.04 -
F-Secure 8.0.14470.0 2009.01.05 -
Fortinet 3.117.0.0 2009.01.04 -
GData 19 2009.01.05 -
Ikarus T3.1.1.45.0 2009.01.03 -
K7AntiVirus 7.10.575 2009.01.03 -
Kaspersky 7.0.0.125 2009.01.05 -
McAfee 5484 2009.01.04 -
McAfee+Artemis 5484 2009.01.04 -
Microsoft 1.4205 2009.01.05 -
NOD32 3735 2009.01.04 -
Norman 5.80.02 2009.01.02 -
Panda 9.0.0.4 2009.01.04 -
PCTools 4.4.2.0 2009.01.04 -
Prevx1 V2 2009.01.05 Malicious Software
Rising 21.10.62.00 2009.01.04 -
SecureWeb-Gateway 6.7.6 2009.01.04 -
Sophos 4.37.0 2009.01.04 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.05 -
TheHacker 6.3.1.4.205 2009.01.05 -
TrendMicro 8.700.0.1004 2009.01.04 -
VBA32 3.12.8.10 2009.01.04 -
ViRobot 2009.1.3.1541 2009.01.03 -
VirusBuster 4.5.11.0 2009.01.04 -
Additional information
File size: 1085440 bytes
MD5...: f28933534e0af3cfd4f58b9e4e70df5a
SHA1..: 737e0d5db2df7072a3c4f413f8035443d347cf49
SHA256: 40d0b4a794aa610234850453fd340b5e798c98817d08c1a4576adf3cf34c8d2c
SHA512: 9b83780df57a4c07fcfc96a6812e3e48923fcc8a9977a6de8333ba3c77f9d18f<br>3520f8fdd2893ee9ce4556b28135602184d2c7b2fea0575df424bb68c445c84c<br>
ssdeep: 24576:nVPiDLbRzXNLY59dZRpsWXzUksYr++0Zwm530jpIuW:nhifpXaBZRpsWjZ<br>sYf0ZjKSp<br>
PEiD..: Armadillo v1.71
TrID..: File type identification<br>Win32 Executable Generic (42.3%)<br>Win32 Dynamic Link Library (generic) (37.6%)<br>Generic Win/DOS Executable (9.9%)<br>DOS Executable Generic (9.9%)<br>VXD Driver (0.1%)
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x4012c5<br>timedatestamp.....: 0x495ae8a3 (Wed Dec 31 03:36:03 2008)<br>machinetype.......: 0x14c (I386)<br><br>( 7 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x46694 0x1a600 8.00 dd62f39a2f1100dcca29d75c92408e33<br>.data 0x48000 0x9aa0 0x4800 7.99 3a5167cc7b04bd3f7e206ef7f322b4e9<br>.rdata 0x52000 0x132de8 0xd4a00 8.00 643598b6452aae0b3b205a1e83ac0e3d<br>.bss 0x185000 0x6730 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<br>.idata 0x18c000 0xfd4 0x800 7.26 b176f79c3c2d69724eeb752284e5b757<br>.rsrc 0x18d000 0x3cb0 0x3e00 3.46 811f5e8a28d9038cc0873c18b49a700e<br>.adata 0x191000 0x1ca40 0x10e00 8.00 81aabb4cadf19978f5cd6d4626c951e3<br><br>( 4 imports ) <br>> kernel32.dll: GetModuleHandleA, HeapFree, GetProcAddress, RtlUnwind, HeapAlloc, LoadLibraryA<br>> user32.dll: wsprintfA, CharLowerBuffA, SetWindowLongA, CreateWindowExA<br>> advapi32.dll: RegSetValueA, RegCloseKey, RegDeleteValueA, RegCreateKeyA<br>> ole32.dll: CoCreateInstance, CoInitialize, CoGetClassObject<br><br>( 0 exports ) <br>
ThreatExpert info: <a href='http://www.threatexpert.com/report.aspx?md5=f28933534e0af3cfd4f58b9e4e70df5a' target='_blank'>http://www.threatexpert.com/report.aspx?md5=f28933534e0af3cfd4f58b9e4e70df5a</a>
Prevx info: <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=E845BE1200808F38900510CC84083000E9E94767' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=E845BE1200808F38900510CC84083000E9E94767</a>
rpohlman
2009-01-05, 03:46
stu2. was clean
rpohlman
2009-01-05, 04:10
ComboFix 09-01-02.01 - Owner 2009-01-04 19:56:49.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.205 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
c:\winnt\system32\678R1T14.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\tintinyproxyy
c:\winnt\system32\678R1T14.exe
.
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.
2009-01-04 19:49 . 2009-01-04 19:49 <DIR> d-------- c:\program files\NOS
2009-01-04 19:49 . 2009-01-04 19:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-03 05:49 . 2009-01-03 05:49 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\AdobeUM
2009-01-02 17:15 . 2001-08-17 22:36 8,704 --a------ c:\winnt\system32\kbdjpn.dll
2009-01-02 17:15 . 2001-08-17 22:36 8,704 --a------ c:\winnt\system32\dllcache\kbdjpn.dll
2009-01-02 17:15 . 2001-08-17 22:36 8,192 --a------ c:\winnt\system32\kbdkor.dll
2009-01-02 17:15 . 2001-08-17 22:36 8,192 --a------ c:\winnt\system32\dllcache\kbdkor.dll
2009-01-02 17:15 . 2001-08-17 14:55 6,144 --a------ c:\winnt\system32\kbd106.dll
2009-01-02 17:15 . 2001-08-17 14:55 6,144 --a------ c:\winnt\system32\kbd101c.dll
2009-01-02 17:15 . 2001-08-17 14:55 6,144 --a------ c:\winnt\system32\kbd101b.dll
2009-01-02 17:15 . 2001-08-17 14:55 6,144 --a------ c:\winnt\system32\dllcache\kbd106.dll
2009-01-02 17:15 . 2001-08-17 14:55 6,144 --a------ c:\winnt\system32\dllcache\kbd101c.dll
2009-01-02 17:15 . 2001-08-17 14:55 6,144 --a------ c:\winnt\system32\dllcache\kbd101b.dll
2009-01-02 17:15 . 2001-08-17 14:55 5,632 --a------ c:\winnt\system32\kbd103.dll
2009-01-02 17:15 . 2001-08-17 14:55 5,632 --a------ c:\winnt\system32\dllcache\kbd103.dll
2009-01-02 16:32 . 2009-01-02 16:33 1,085,440 --a------ c:\winnt\system32\rn.tmp
2009-01-02 15:01 . 2009-01-02 15:01 <DIR> d-------- c:\program files\Avira
2009-01-02 15:01 . 2009-01-02 15:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-02 09:19 . 2009-01-02 09:36 <DIR> d-------- c:\documents and settings\Owner\.SunDownloadManager
2008-12-25 11:43 . 2004-08-04 01:56 24,576 --a------ c:\winnt\system32\stu2.exe
2008-12-18 16:43 . 2008-12-18 16:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-17 15:52 . 2008-12-17 15:52 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-17 15:52 . 2008-12-17 15:52 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-17 15:52 . 2008-12-17 15:52 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 21:47 --------- d-----w c:\program files\ProSiteFinder
2009-01-02 20:58 --------- d-----w c:\program files\Symantec
2009-01-02 20:58 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-02 20:49 --------- d-----w c:\program files\Norton AntiVirus
2009-01-02 20:49 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-02 15:30 --------- d-----w c:\program files\Java
2008-12-30 03:54 --------- d-----w c:\program files\Common Files\Adobe
2008-12-30 03:54 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2008-12-28 17:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-28 17:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-28 14:23 --------- d-----w c:\program files\Yahoo!
2008-12-18 22:43 --------- d-----w c:\program files\Lavasoft
2008-12-18 22:42 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-12 17:33 3,060,224 ------w c:\winnt\system32\dllcache\mshtml.dll
2008-11-30 16:32 --------- d-----w c:\program files\Smartparts
2008-10-24 11:10 453,632 ------w c:\winnt\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\winnt\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\winnt\system32\dllcache\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\winnt\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\winnt\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\winnt\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\winnt\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\winnt\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\winnt\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\winnt\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\winnt\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\winnt\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\winnt\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\winnt\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\winnt\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\winnt\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\winnt\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\winnt\system32\dllcache\wups.dll
2008-10-15 09:45 18,432 ------w c:\winnt\system32\dllcache\iedw.exe
2004-07-20 05:11 88 -c--a-w c:\program files\ClearSearchcsie_usb_rules.dat
2004-07-20 05:11 8 -c--a-w c:\program files\ClearSearchcsie_dictionary.dat
2004-07-20 05:11 43,872 -c--a-w c:\program files\ClearSearchcsie_usb_patterns.dat
2004-07-20 05:11 419 -c--a-w c:\program files\ClearSearchcsie_checks.dat
2004-07-20 05:11 3,296 -c--a-w c:\program files\ClearSearchcsie_usb_campaigns.dat
2004-07-20 05:11 2,976 -c--a-w c:\program files\ClearSearchcsie_tsb_patterns.dat
2004-07-20 05:11 2,560 -c--a-w c:\program files\ClearSearchcsie_tsb_edomains.dat
2004-07-20 05:11 136 -c--a-w c:\program files\ClearSearchcsie_tsb_campaigns.dat
2004-07-20 05:11 104 -c--a-w c:\program files\ClearSearchcsie_tsb_rules.dat
.
((((((((((((((((((((((((((((( snapshot@2009-01-01_14.36.14.94 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 07:56:57 24,576 ----a-w c:\winnt\system32\dllcache\userinit.exe
+ 2008-05-09 18:15:51 45,376 ----a-w c:\winnt\system32\drivers\avgntdd.sys
+ 2008-01-21 23:11:28 22,336 ----a-w c:\winnt\system32\drivers\avgntmgr.sys
+ 2008-10-30 16:21:03 75,072 ----a-w c:\winnt\system32\drivers\avipbb.sys
+ 2007-03-01 15:34:22 28,352 ----a-w c:\winnt\system32\drivers\ssmdrv.sys
- 2008-10-16 10:37:05 3,059,712 ----a-w c:\winnt\system32\mshtml.dll
+ 2008-12-12 17:33:23 3,060,224 ----a-w c:\winnt\system32\mshtml.dll
- 2007-07-27 15:41:40 16,760 ----a-w c:\winnt\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\winnt\system32\spmsg.dll
- 2008-12-25 17:43:16 8,704 ----a-w c:\winnt\system32\userinit.exe
+ 2004-08-04 07:56:57 24,576 ----a-w c:\winnt\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Ink Monitor"="c:\program files\Gateway Utilities\GWInkMonitor.exe" [2003-06-24 303180]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-04-24 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-04-24 610304]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-04-28 184320]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2003-05-12 32768]
"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2003-09-24 40960]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrPanelICON"="c:\program files\Launch Manager\PanelICON.exe" [2003-09-24 36864]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2003-09-12 65536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-09 282624]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-12-12 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\winnt\system32\Ati2mdxx.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 c:\winnt\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 c:\winnt\AGRSMMSG.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
PalStart.lnk - c:\program files\Paltalk Messenger\palstart.exe [2007-05-25 45568]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\winnt\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalStart.lnk
backup=c:\winnt\pss\PalStart.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-06-14 15:24 278528 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-12-12 17:55 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2003-12-12 17:55 118784 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 03:50 155648 c:\winnt\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-08-09 08:12 282624 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-04-21 14:51 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a--c--- 2008-03-27 00:35 36352 c:\program files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zilla Popup Killer]
--a--c--- 2000-05-09 15:04 536576 c:\program files\Zilla Popup Killer\ZillaPop.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
R1 Hotkey;Hotkey;c:\winnt\system32\drivers\HOTKEY.sys [2003-10-07 9867]
R4 BBFat.VxD;BlueBird DSP API;c:\winnt\system32\drivers\BBFat.sys [2002-08-19 7808]
S1 Wbutton;Wbutton;c:\winnt\system32\drivers\Wbutton.sys --> c:\winnt\system32\drivers\Wbutton.sys [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-04 33752]
*Newly Created Service* - GETPLUS(R)_HELPER
.
Contents of the 'Scheduled Tasks' folder
2009-01-05 c:\winnt\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 11:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.msn.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.net/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Search - ?p=ZU
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\jbodhqj5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 9090
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrch.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 20:01:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2009-01-04 20:05:02
ComboFix-quarantined-files.txt 2009-01-05 02:03:45
ComboFix2.txt 2009-01-03 21:20:06
ComboFix3.txt 2009-01-02 22:55:50
ComboFix4.txt 2009-01-02 15:10:53
ComboFix5.txt 2009-01-05 01:55:50
Pre-Run: 23,709,433,856 bytes free
Post-Run: 23,720,935,424 bytes free
225 --- E O F --- 2009-01-02 04:43:43
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:49 PM, on 1/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\RioMSC.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\PanelICON.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Paltalk Messenger\palstart.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrPanelICON] C:\Program Files\Launch Manager\PanelICON.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 7955 bytes
rpohlman
2009-01-05, 07:10
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, January 4, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, January 05, 2009 01:18:46
Records in database: 1560717
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Files scanned: 77356
Threat name: 8
Infected objects: 11
Suspicious objects: 1
Duration of the scan: 01:59:52
File name / Threat name / Threats count
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\archive.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\Mozilla Firefox\plugins\NPMySrch.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
C:\Program Files\ProSiteFinder\ffcc6by5.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ah 1
C:\Qoobox\Quarantine\C\Program Files\GetPack\GetPack26.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.hzg 1
C:\Qoobox\Quarantine\C\WINNT\system32\eystueby.dll.vir Infected: Trojan.Win32.Agent.bahn 1
C:\Qoobox\Quarantine\C\WINNT\system32\msqpdxowloariq.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.ivf 1
C:\Qoobox\Quarantine\C\WINNT\system32\msqpdxrrggcigp.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.ivf 1
C:\Qoobox\Quarantine\C\WINNT\system32\msqpdxrrndpqjn.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.ivf 1
C:\Qoobox\Quarantine\C\WINNT\system32\pvxeiyef.dll.vir Infected: Trojan.Win32.Monder.aghz 1
C:\System Volume Information\_restore{8002FAC4-987A-423F-A02F-FD2F3B3F135B}\RP493\A0209800.dll Infected: not-a-virus:AdWare.Win32.Agent.ivf 1
C:\System Volume Information\_restore{8002FAC4-987A-423F-A02F-FD2F3B3F135B}\RP494\A0209911.exe Infected: Trojan-Downloader.Win32.Agent.auff 1
C:\System Volume Information\_restore{8002FAC4-987A-423F-A02F-FD2F3B3F135B}\RP495\A0209957.exe Infected: not-a-virus:AdWare.Win32.Agent.hzg 1
The selected area was scanned.
Hi
Yes, results are readable enough :)
Seems like you didn't uninstall vulnerable Java versions and install the latest one. And same with Adobe Reader.
Uninstall old Adobe Reader versions and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader!
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 11 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Go thru email messages in C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\archive.pst post archive and delete suspicious looking messages. Bad items in system restore will be cleaned later.
We need to execute an OTMoveIt3 script
Please download OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe) and save it to your desktop.
Double click theOTMoveIt3 icon on your desktop.
Paste the following code under the Paste Fix Here area. Do not include the word
Code
.
:Files
c:\winnt\system32\rn.tmp
C:\Program Files\Mozilla Firefox\plugins\NPMySrch.dll
C:\Program Files\ProSiteFinder\ffcc6by5.DLL
C:\Qoobox\Quarantine\C\Program Files\GetPack\GetPack26.exe.vir
C:\Qoobox\Quarantine\C\WINNT\system32\eystueby.dll.vir
C:\Qoobox\Quarantine\C\WINNT\system32\msqpdxowloariq.dll.vir
C:\Qoobox\Quarantine\C\WINNT\system32\msqpdxrrggcigp.dll.vir
C:\Qoobox\Quarantine\C\WINNT\system32\msqpdxrrndpqjn.dll.vir
C:\Qoobox\Quarantine\C\WINNT\system32\pvxeiyef.dll.vir
Push the large MoveIt button.
OTMI3 may ask to reboot the machine. Please do so if asked.
Copy/Paste the contents under the Results line here in your next reply with a fresh hjt log. How's the system running?
If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
rpohlman
2009-01-06, 00:06
========== FILES ==========
c:\winnt\system32\rn.tmp moved successfully.
DllUnregisterServer procedure not found in C:\Program Files\Mozilla Firefox\plugins\NPMySrch.dll
C:\Program Files\Mozilla Firefox\plugins\NPMySrch.dll NOT unregistered.
C:\Program Files\Mozilla Firefox\plugins\NPMySrch.dll moved successfully.
DllUnregisterServer procedure not found in C:\Program Files\ProSiteFinder\ffcc6by5.DLL
C:\Program Files\ProSiteFinder\ffcc6by5.DLL NOT unregistered.
C:\Program Files\ProSiteFinder\ffcc6by5.DLL moved successfully.
C:\Qoobox\Quarantine\C\Program Files\GetPack\GetPack26.exe.vir moved successfully.
C:\Qoobox\Quarantine\C\WINNT\system32\eystueby.dll.vir moved successfully.
C:\Qoobox\Quarantine\C\WINNT\system32\msqpdxowloariq.dll.vir moved successfully.
C:\Qoobox\Quarantine\C\WINNT\system32\msqpdxrrggcigp.dll.vir moved successfully.
C:\Qoobox\Quarantine\C\WINNT\system32\msqpdxrrndpqjn.dll.vir moved successfully.
C:\Qoobox\Quarantine\C\WINNT\system32\pvxeiyef.dll.vir moved successfully.
OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01052009_160015
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:34 PM, on 1/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\RioMSC.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\PanelICON.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Paltalk Messenger\palstart.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\OTMoveIt3.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrPanelICON] C:\Program Files\Launch Manager\PanelICON.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 8346 bytes
I have been getting some popups and then once in a while i will hear a video playing in the background but a website doesn't display. Happened yesterday before i did the round of fixes before this one. I was sure i had the java and adobe fixed before, but must not of. Hope we are getting closer to solving this.
Hi
Do you still get those popups and other symptoms you described there?
rpohlman
2009-01-06, 11:33
No, they haven't. Ran Spybot and had Smithfraud-c. Fixed selected probs and scanned twice(spybot) in 8 hrs, and it was still clean.
Good. Then I think we're ready for final phase :)
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis
Now lets uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
Next we remove all used tools.
Double-click OTMoveIt3.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
Download SpywareBlaster
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
kill bits
in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)
hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and install firewall ONLY!).
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.