Help to remove virtumonde



pcman
2009-01-04, 13:23
Hello,

Please help me to remove Virtumonde.
I tried using Spybot Search & Destroy but I did not
have success with it alone.

Thank you

Here is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:28 PM, on 1/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {023355B5-8010-438F-B85D-B53CB89D9CC5} - (no file)
O2 - BHO: (no name) - {044C328C-0F4F-4C46-A981-F848C82E5824} - (no file)
O2 - BHO: (no name) - {0AE25593-C6C4-4572-A2D2-51A79B781FE9} - (no file)
O2 - BHO: (no name) - {1776AE03-2E7B-4CDD-84EE-12E1F9BCD692} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1C871E9E-29CA-4D18-B095-1BA1BF695155} - (no file)
O2 - BHO: (no name) - {20C1146F-1473-4359-90B2-9E1E2FD27CFE} - (no file)
O2 - BHO: (no name) - {21ACBC45-996C-45A8-9739-4E4929845234} - (no file)
O2 - BHO: (no name) - {259D9EB4-F992-4ECF-96A1-D4534A73F646} - (no file)
O2 - BHO: (no name) - {29A9043C-6209-42DC-B3CC-9BE6141287FB} - (no file)
O2 - BHO: (no name) - {30A3FB8B-420B-44D6-A5DD-44F0968E532B} - (no file)
O2 - BHO: (no name) - {4E3F6556-7C95-4048-8E94-2BCE6B7CFAA2} - (no file)
O2 - BHO: (no name) - {5011EB47-C262-482C-8ABC-DE927AB0422E} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56A54763-10C7-4559-8C90-0771DBCECFFD} - (no file)
O2 - BHO: (no name) - {57C16270-0830-4B4E-B2E6-96BA94D4598F} - (no file)
O2 - BHO: (no name) - {680fa8c0-fee2-4659-88ba-3f8f1b7a336d} - C:\WINDOWS\system32\vobuturi.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\fccaBQGx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {761A1BB3-CEB5-4EFC-8BF7-1224A696DBB5} - (no file)
O2 - BHO: (no name) - {7CCDFE30-5242-4B78-ABFE-1E417EB2392D} - (no file)
O2 - BHO: (no name) - {7E1C4084-F179-4C19-88AC-CC6C6FF46D0B} - (no file)
O2 - BHO: (no name) - {81D88FE2-3401-4F39-8371-F3FD7EA4B11D} - (no file)
O2 - BHO: (no name) - {8FC08C72-B28E-4E20-B3A0-2FBCBD584055} - (no file)
O2 - BHO: (no name) - {96681604-D119-4AC7-B6B8-375ED03B89C2} - C:\WINDOWS\system32\ddcYpnLe.dll
O2 - BHO: (no name) - {9B24C16F-EEE1-4DCB-9807-F4D8FF4F77BA} - (no file)
O2 - BHO: (no name) - {A8CB2E88-FEA9-457D-9B76-A1DD74CF944D} - (no file)
O2 - BHO: (no name) - {B151D869-0196-4169-A2A4-17F3F90CB6F3} - (no file)
O2 - BHO: (no name) - {B433AE95-7C5B-4461-8E4D-C0B4EE7B959E} - (no file)
O2 - BHO: (no name) - {C7B8F961-0481-4948-9781-F43FADE5B14F} - (no file)
O2 - BHO: (no name) - {CBF09826-AA74-4069-9895-C9EB36C3BA59} - (no file)
O2 - BHO: (no name) - {D238271A-6D98-4C3D-BA19-DEBE98BB63E8} - (no file)
O2 - BHO: (no name) - {D537DD43-DCE0-453D-9A29-03099D714895} - (no file)
O2 - BHO: (no name) - {D58B4483-94E4-47BA-9BF8-8D74AE381818} - (no file)
O2 - BHO: (no name) - {D951AB60-FBAE-432E-A307-F072C66A0E49} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {DDCB5C1A-F447-451E-AD60-C083D692888D} - (no file)
O2 - BHO: (no name) - {E257CC17-01CD-494B-BB39-A3CE7A665430} - C:\DOCUME~1\Cosmin\LOCALS~1\Temp\vtUnlLCv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {EBA21B27-193F-4DD4-A4B7-28BE8C5604B2} - (no file)
O2 - BHO: (no name) - {EE629F8F-CC4E-437A-A6CA-0EC783329B0B} - (no file)
O2 - BHO: (no name) - {F3B0B213-B7E7-4802-BB24-5C68F73336C2} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [tegegohato] Rundll32.exe "C:\WINDOWS\system32\hajigira.dll",s
O4 - HKLM\..\Run: [cc793c48] rundll32.exe "C:\WINDOWS\system32\ylkvcrdj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [tegegohato] Rundll32.exe "C:\WINDOWS\system32\hajigira.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [tegegohato] Rundll32.exe "C:\WINDOWS\system32\hajigira.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227445898478
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\jegulufo.dll
O20 - Winlogon Notify: fccaBQGx - C:\WINDOWS\SYSTEM32\fccaBQGx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 8930 bytes

pskelley
2009-01-07, 22:25
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

I apologize for the wait, volunteers are swamped at all forums with infected computers. If you have resolved your issues, please post to let me know so I can close this topic.

You are not even running an antivirus program on the computer? It's a waste of your time and mine to clean a computer if you are not going to try to keep it secure! If you need a free program, here are three to choose from. Install only one, update it and scan the complete system, removing what it finds. Then post a new HJT log. Make sure you read and follow all instructions in "Before you Post".

http://free.grisoft.com/ww.download-avg-anti-virus-free-edition
How to Install Free version AVG 8.0 without LinkScanner feature
http://russelltexas.com/tutorials/avg8install.htm

http://www.avast.com/eng/avast_4_home.html

http://www.free-av.com/

Thanks

pcman
2009-01-08, 19:50
Thank you for your reply and for your time.
I installed avast antivirus, scanned and removed everything it found.

Here is the new hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:26 PM, on 1/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CardDetector\ICON225\CardDetector.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {023355B5-8010-438F-B85D-B53CB89D9CC5} - (no file)
O2 - BHO: (no name) - {044C328C-0F4F-4C46-A981-F848C82E5824} - (no file)
O2 - BHO: (no name) - {0AE25593-C6C4-4572-A2D2-51A79B781FE9} - (no file)
O2 - BHO: (no name) - {0AE61FBA-5D71-456C-BFA1-A68A7EC9C60E} - C:\DOCUME~1\Cosmin\LOCALS~1\Temp\vtUnlLCv.dll
O2 - BHO: (no name) - {1776AE03-2E7B-4CDD-84EE-12E1F9BCD692} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1C871E9E-29CA-4D18-B095-1BA1BF695155} - (no file)
O2 - BHO: (no name) - {20C1146F-1473-4359-90B2-9E1E2FD27CFE} - (no file)
O2 - BHO: (no name) - {21ACBC45-996C-45A8-9739-4E4929845234} - (no file)
O2 - BHO: (no name) - {259D9EB4-F992-4ECF-96A1-D4534A73F646} - (no file)
O2 - BHO: (no name) - {29A9043C-6209-42DC-B3CC-9BE6141287FB} - (no file)
O2 - BHO: (no name) - {30A3FB8B-420B-44D6-A5DD-44F0968E532B} - (no file)
O2 - BHO: (no name) - {4E3F6556-7C95-4048-8E94-2BCE6B7CFAA2} - (no file)
O2 - BHO: (no name) - {5011EB47-C262-482C-8ABC-DE927AB0422E} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56A54763-10C7-4559-8C90-0771DBCECFFD} - (no file)
O2 - BHO: (no name) - {57C16270-0830-4B4E-B2E6-96BA94D4598F} - (no file)
O2 - BHO: (no name) - {680fa8c0-fee2-4659-88ba-3f8f1b7a336d} - C:\WINDOWS\system32\fojawuka.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\fccaBQGx.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {761A1BB3-CEB5-4EFC-8BF7-1224A696DBB5} - (no file)
O2 - BHO: (no name) - {7CCDFE30-5242-4B78-ABFE-1E417EB2392D} - (no file)
O2 - BHO: (no name) - {7E1C4084-F179-4C19-88AC-CC6C6FF46D0B} - (no file)
O2 - BHO: (no name) - {81D88FE2-3401-4F39-8371-F3FD7EA4B11D} - (no file)
O2 - BHO: (no name) - {8FC08C72-B28E-4E20-B3A0-2FBCBD584055} - (no file)
O2 - BHO: (no name) - {9B24C16F-EEE1-4DCB-9807-F4D8FF4F77BA} - (no file)
O2 - BHO: (no name) - {A3BB8642-931A-4D63-8A6D-9346F3F2B1F6} - C:\WINDOWS\system32\ddcYpnLe.dll (file missing)
O2 - BHO: (no name) - {A8CB2E88-FEA9-457D-9B76-A1DD74CF944D} - (no file)
O2 - BHO: (no name) - {B151D869-0196-4169-A2A4-17F3F90CB6F3} - (no file)
O2 - BHO: (no name) - {B433AE95-7C5B-4461-8E4D-C0B4EE7B959E} - (no file)
O2 - BHO: (no name) - {C7B8F961-0481-4948-9781-F43FADE5B14F} - (no file)
O2 - BHO: (no name) - {CBF09826-AA74-4069-9895-C9EB36C3BA59} - (no file)
O2 - BHO: (no name) - {D238271A-6D98-4C3D-BA19-DEBE98BB63E8} - (no file)
O2 - BHO: (no name) - {D537DD43-DCE0-453D-9A29-03099D714895} - (no file)
O2 - BHO: (no name) - {D58B4483-94E4-47BA-9BF8-8D74AE381818} - (no file)
O2 - BHO: (no name) - {D951AB60-FBAE-432E-A307-F072C66A0E49} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {DDCB5C1A-F447-451E-AD60-C083D692888D} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {EBA21B27-193F-4DD4-A4B7-28BE8C5604B2} - (no file)
O2 - BHO: (no name) - {EE629F8F-CC4E-437A-A6CA-0EC783329B0B} - (no file)
O2 - BHO: (no name) - {F3B0B213-B7E7-4802-BB24-5C68F73336C2} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CardDetectorICON225] C:\Program Files\CardDetector\ICON225\CardDetector.exe
O4 - HKLM\..\Run: [BEWINTERNET-ROSessionManager] C:\Program Files\OrangeBS\BEWInternetRO\SessionManager\SessionManager.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [cc793c48] rundll32.exe "C:\WINDOWS\system32\jusirodo.dll",b
O4 - HKLM\..\Run: [tegegohato] Rundll32.exe "C:\WINDOWS\system32\hikepohe.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [tegegohato] Rundll32.exe "C:\WINDOWS\system32\hikepohe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [tegegohato] Rundll32.exe "C:\WINDOWS\system32\hikepohe.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227445898478
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\nazoduhi.dll
O20 - Winlogon Notify: fccaBQGx - fccaBQGx.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom SA - C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 10219 bytes
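As an added illustration of how a helper reads these logs (this is editor-written example code, not code from the thread or from HijackThis), the script below parses HijackThis v2 entries and flags the persistence patterns still visible in the second log: a BHO loaded from a Temp directory, unnamed BHOs backed by a real DLL, rundll32 Run entries that call a one-letter DLL export, and the AppInit_DLLs and Winlogon Notify entries. The sample lines are copied from the log above plus a few benign entries for contrast; the heuristics are assumptions of the editor, not HijackThis's own rules.

```python
"""Triage HijackThis v2 log lines for Virtumonde/Vundo-style persistence.

Added example, not code from the thread or from HijackThis. The heuristics
are the editor's own assumptions, drawn from the entries visible in the logs
above; SAMPLE_LOG copies lines from the second log plus benign ones.
"""
import re
from dataclasses import dataclass

# Every HijackThis entry has the shape "<section> - <body>".
HJT_ENTRY = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.+)$")
# rundll32 loading a DLL and calling a one-letter export (",s" / ",b"): the
# loader shape of the O4 entries in the log, unlike the legitimate
# "bthprops.cpl,,BluetoothAuthenticationAgent" entry.
RUNDLL_ONE_LETTER = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]+\.dll"?,[a-z]\s*(?:\(|$)', re.I)
# A Run value named like eight hex digits (e.g. [cc793c48]).
HEX_RUN_NAME = re.compile(r"\[[0-9a-f]{8}\] ")
# Bare DLL file name at the end of a path or quoted argument.
DLL_NAME = re.compile(r'([^\\\s"]+\.dll)', re.I)

# Constructed sample: lines copied from the second log above, plus benign entries.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0AE61FBA-5D71-456C-BFA1-A68A7EC9C60E} - C:\DOCUME~1\Cosmin\LOCALS~1\Temp\vtUnlLCv.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {680fa8c0-fee2-4659-88ba-3f8f1b7a336d} - C:\WINDOWS\system32\fojawuka.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\fccaBQGx.dll (file missing)
O2 - BHO: (no name) - {B433AE95-7C5B-4461-8E4D-C0B4EE7B959E} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [cc793c48] rundll32.exe "C:\WINDOWS\system32\jusirodo.dll",b
O4 - HKLM\..\Run: [tegegohato] Rundll32.exe "C:\WINDOWS\system32\hikepohe.dll",s
O4 - HKUS\S-1-5-19\..\Run: [tegegohato] Rundll32.exe "C:\WINDOWS\system32\hikepohe.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\nazoduhi.dll
O20 - Winlogon Notify: fccaBQGx - fccaBQGx.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    entry: str


def _bho_parts(body):
    """Split 'BHO: <name> - {CLSID} - <path or (no file)>' into its three fields."""
    parts = body[len("BHO: "):].split(" - ", 2)
    return parts if len(parts) == 3 else None


def triage(log_text):
    """Return the entries worth a helper's attention, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O2" and body.startswith("BHO: "):
            parsed = _bho_parts(body)
            if parsed is None:
                continue
            name, _clsid, path = parsed
            if path == "(no file)" or path.endswith("(file missing)"):
                continue  # orphaned CLSID: registry leftover, not a live loader
            if "\\temp\\" in path.lower():
                findings.append(Finding(sec, "BHO loaded from a Temp directory", raw))
            elif name == "(no name)":
                findings.append(Finding(sec, "unnamed BHO backed by a real DLL", raw))
        elif sec == "O4":
            if RUNDLL_ONE_LETTER.search(body):
                findings.append(Finding(sec, "rundll32 Run entry calling a one-letter DLL export", raw))
            elif HEX_RUN_NAME.search(body):
                findings.append(Finding(sec, "Run value with a random hex name", raw))
        elif sec == "O20":
            if body.startswith("AppInit_DLLs:"):
                findings.append(Finding(sec, "AppInit_DLLs loads this DLL into every user-mode process", raw))
            elif body.startswith("Winlogon Notify:"):
                findings.append(Finding(sec, "non-standard Winlogon Notify package", raw))
    return findings


def suspicious_dlls(findings):
    """Unique DLL file names referenced by the findings: the list to quarantine or submit."""
    names = {m.group(1) for f in findings for m in DLL_NAME.finditer(f.entry)}
    return sorted(names, key=str.lower)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:4} {f.reason}\n     {f.entry}")
    print("DLLs to quarantine/submit:", ", ".join(suspicious_dlls(found)))
```

Orphaned "(no file)" and "(file missing)" BHO entries are deliberately skipped: they are registry leftovers for a helper to clean, not active loaders, which is why the avast scan left so many of them behind.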

pskelley
2009-01-08, 19:57
1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks

pcman
2009-01-08, 20:37
Done. The required logs follow:

ComboFix 09-01-08.01 - Admin 2009-01-08 21:11:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1622 [GMT 2:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090108-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\agetegat.ini
c:\windows\system32\ddcdeefE.dll
c:\windows\system32\eLnpYcdd.ini
c:\windows\system32\eLnpYcdd.ini2
c:\windows\system32\etujutir.ini
c:\windows\system32\fojawuka.dll
c:\windows\system32\fuhubuga.dll
c:\windows\system32\hikepohe.dll
c:\windows\system32\jdrcvkly.ini
c:\windows\system32\jusirodo.dll
c:\windows\system32\jusivefa.dll
c:\windows\system32\kjdndobd.dll
c:\windows\system32\memovovo.dll
c:\windows\system32\nazoduhi.dll
c:\windows\system32\odorisuj.ini
c:\windows\system32\tagetega.dll
c:\windows\system32\wemipipo.dll
c:\windows\system32\ylkvcrdj.dll
D:\resycled
d:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2009-01-08 19:47 . 2009-01-08 19:47 <DIR> d-------- c:\program files\Alwil Software
2009-01-08 19:45 . 2009-01-08 19:45 29,775,112 --a------ C:\setupeng.exe
2009-01-07 21:33 . 2008-11-22 16:48 17,034,222 --a------ c:\temp\QuickPwn22-1.exe
2009-01-06 21:40 . 2009-01-06 21:40 <DIR> d-------- c:\program files\OrangeBS
2009-01-06 21:40 . 2007-10-11 14:32 94,208 --a------ c:\windows\system32\w32n50.dll
2009-01-06 21:40 . 2007-10-11 14:32 34,688 --a------ c:\windows\system32\pcampr5.sys
2009-01-06 21:40 . 2007-10-11 14:32 32,128 --a------ c:\windows\system32\pcandis5.sys
2009-01-06 21:36 . 2009-01-06 21:36 <DIR> d-------- c:\program files\Common Files\France Telecom
2009-01-06 21:35 . 2007-11-14 00:29 95,744 -ra------ c:\windows\system32\drivers\Gt51Ip.sys
2009-01-06 21:35 . 2007-11-14 00:29 51,968 -ra------ c:\windows\system32\drivers\gt72ubus.sys
2009-01-06 21:35 . 2007-11-14 00:29 8,064 -ra------ c:\windows\system32\drivers\gtptser.sys
2009-01-06 21:34 . 2009-01-06 21:34 <DIR> d-------- c:\program files\CardDetector
2009-01-06 21:33 . 2009-01-06 21:33 <DIR> d-------- c:\documents and settings\Admin\Application Data\Notepad++
2009-01-06 21:31 . 2009-01-06 21:31 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\PC Suite
2009-01-04 14:09 . 2009-01-04 14:09 <DIR> d-------- c:\program files\Trend Micro
2009-01-04 14:00 . 2009-01-04 14:00 153 --a------ c:\windows\wininit.ini
2009-01-03 19:52 . 2009-01-03 19:52 1,648,264 --ahs---- c:\windows\system32\dklyqiax.tmp
2008-12-27 23:57 . 2009-01-04 13:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\yukufepo
2008-12-27 23:57 . 2008-12-27 23:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\tavimega
2008-12-27 23:57 . 2009-01-04 13:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\hiduhozo
2008-12-27 23:57 . 2008-12-27 23:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\gajeviki
2008-12-27 23:57 . 2008-12-27 23:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\davafuhu
2008-12-27 23:41 . 2008-12-28 02:07 600 --a------ c:\windows\PUTTY.RND
2008-12-27 23:10 . 2008-12-27 23:11 4 --a------ C:\google5df285f6b6c5b7ea.html
2008-12-27 17:43 . 2008-12-27 17:43 <DIR> d-------- c:\program files\MySQL GUI Tools 5.0
2008-12-27 17:43 . 2008-12-27 17:59 <DIR> d-------- c:\documents and settings\Administrator\Application Data\MySQL
2008-12-27 17:19 . 2008-12-27 17:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\OpenOffice.org
2008-12-27 16:54 . 2008-12-27 16:54 <DIR> d-------- c:\program files\mysql-connector-java-5.1.7
2008-12-27 11:57 . 2008-12-27 23:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\ravezula
2008-12-27 11:57 . 2008-12-27 23:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\palozora
2008-12-27 11:57 . 2008-12-27 11:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\hamohive
2008-12-27 11:57 . 2008-12-27 23:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\firugoti
2008-12-27 11:57 . 2008-12-27 11:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\begajetu
2008-12-26 23:56 . 2008-12-26 23:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\jazukimo
2008-12-26 11:56 . 2008-12-27 11:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\sirifiwi
2008-12-26 11:56 . 2008-12-27 11:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\rojisabo
2008-12-26 11:56 . 2008-12-26 11:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\pulovuwi
2008-12-26 11:56 . 2008-12-26 11:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\losamine
2008-12-26 11:56 . 2008-12-26 11:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\dugiwise
2008-12-25 23:05 . 2008-12-26 11:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\bogiviza
2008-12-25 15:20 . 2008-12-25 15:20 <DIR> d-------- c:\program files\GSpot
2008-12-25 11:05 . 2008-12-26 11:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\yosimanu
2008-12-25 11:05 . 2008-12-26 11:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\polelure
2008-12-25 11:05 . 2008-12-25 11:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\kegovahe
2008-12-25 11:05 . 2008-12-25 11:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\jikonidi
2008-12-25 11:05 . 2008-12-25 11:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\fumupofo
2008-12-22 23:15 . 2008-12-23 05:38 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-22 23:15 . 2008-12-23 01:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-22 21:05 . 2008-12-22 21:05 <DIR> d-------- c:\documents and settings\Admin\Application Data\OpenOffice.org
2008-12-22 19:41 . 2008-12-22 19:41 98,304 --a------ c:\windows\system32\CmdLineExt.dll
2008-12-22 19:39 . 2009-01-07 21:33 <DIR> d-------- C:\temp
2008-12-22 19:39 . 2006-04-19 20:35 45,568 --a------ c:\temp\asr.exe
2008-12-22 19:36 . 2008-12-22 19:36 <DIR> d-------- c:\windows\USB Vibration
2008-12-22 19:36 . 2008-12-22 19:36 <DIR> d-------- c:\program files\USB Vibration
2008-12-22 19:36 . 2008-04-21 14:06 75,776 --a------ c:\windows\system32\USBMAX.cpl
2008-12-22 19:36 . 2008-05-19 10:38 41,024 --a------ c:\windows\system32\drivers\Hid3331.sys
2008-12-22 19:36 . 2008-05-19 10:41 8,100 --a------ c:\windows\system32\drivers\hid3331.cat
2008-12-22 19:30 . 2008-12-22 19:30 <DIR> d-------- c:\program files\THQ
2008-12-22 19:28 . 2008-12-22 19:28 <DIR> d-------- c:\documents and settings\Admin\Application Data\DAEMON Tools Pro
2008-12-22 19:28 . 2008-12-22 19:28 <DIR> d-------- c:\documents and settings\Admin\Application Data\DAEMON Tools
2008-12-22 19:27 . 2008-12-22 19:27 <DIR> d-------- c:\program files\DAEMON Tools Lite
2008-12-22 19:27 . 2008-12-22 19:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2008-12-22 19:24 . 2008-12-22 19:24 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2008-12-22 19:23 . 2008-12-22 19:29 <DIR> d-------- c:\documents and settings\Admin\Application Data\DAEMON Tools Lite
2008-12-22 19:10 . 2008-04-13 20:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-12-22 19:10 . 2008-04-13 20:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-12-22 11:05 . 2008-12-22 11:12 116 --a------ c:\windows\NeroDigital.ini
2008-12-22 10:59 . 2008-12-22 10:59 <DIR> d-------- c:\program files\ratDVD
2008-12-22 10:01 . 2008-04-14 02:12 151,552 --a------ c:\windows\system32\irftp.exe
2008-12-22 10:01 . 2008-04-14 02:12 151,552 --a--c--- c:\windows\system32\dllcache\irftp.exe
2008-12-22 10:01 . 2008-04-14 02:11 28,160 --a------ c:\windows\system32\irmon.dll
2008-12-22 10:01 . 2008-04-14 02:11 28,160 --a--c--- c:\windows\system32\dllcache\irmon.dll
2008-12-22 10:01 . 2008-04-14 02:12 8,192 --a------ c:\windows\system32\wshirda.dll
2008-12-22 10:01 . 2008-04-14 02:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2008-12-22 10:00 . 2008-12-22 10:03 <DIR> d-------- c:\documents and settings\Cosmin\Application Data\PC Suite
2008-12-22 10:00 . 2008-12-22 10:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2008-12-22 10:00 . 2008-12-22 10:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Nokia
2008-12-22 09:55 . 2008-12-22 09:55 <DIR> d-------- c:\program files\Common Files\PCSuite
2008-12-22 09:55 . 2008-12-22 09:55 <DIR> d-------- c:\program files\Common Files\Nokia
2008-12-22 09:54 . 2008-12-22 09:54 <DIR> d-------- c:\program files\PC Connectivity Solution
2008-12-22 09:54 . 2008-12-22 09:55 <DIR> d-------- c:\program files\Nokia
2008-12-22 09:54 . 2008-12-22 09:54 <DIR> d-------- c:\program files\DIFX
2008-12-22 09:54 . 2008-09-15 07:56 91,136 --a------ c:\windows\system32\nmwcdcls.dll
2008-12-22 09:54 . 2008-08-26 09:26 18,816 --a------ c:\windows\system32\drivers\pccsmcfd.sys
2008-12-22 09:53 . 2008-12-22 09:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Installations
2008-12-21 16:44 . 2008-12-21 16:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\eMule
2008-12-20 21:52 . 2008-12-20 21:54 <DIR> d-------- c:\program files\Total Video Converter
2008-12-20 21:52 . 2000-05-22 22:58 608,448 --a------ c:\windows\system32\comctl32.ocx
2008-12-20 20:17 . 2008-12-20 20:18 <DIR> d-------- c:\program files\FFmpeg-svn-16043
2008-12-20 11:25 . 2008-12-25 16:29 <DIR> d-------- c:\documents and settings\Cosmin\Application Data\Apple Computer
2008-12-20 11:25 . 2008-04-13 20:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-20 11:25 . 2008-04-13 20:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-20 11:25 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-20 11:24 . 2008-04-14 02:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-19 22:16 . 2008-12-19 22:25 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-12-19 22:15 . 2008-12-19 22:15 <DIR> d-------- c:\program files\iTunes
2008-12-19 22:15 . 2008-12-19 22:15 <DIR> d-------- c:\program files\iPod
2008-12-19 22:15 . 2008-12-19 22:15 <DIR> d-------- c:\program files\Bonjour
2008-12-19 22:15 . 2008-12-19 22:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-19 22:15 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-19 22:15 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-19 22:14 . 2008-12-22 09:56 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-12-19 22:14 . 2008-12-19 22:15 <DIR> d-------- c:\program files\QuickTime
2008-12-19 22:14 . 2008-12-19 22:14 <DIR> d-------- c:\program files\Apple Software Update
2008-12-19 22:14 . 2008-12-19 22:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-19 22:14 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2008-12-19 22:13 . 2008-12-19 22:15 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-19 22:13 . 2008-12-19 22:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-16 01:49 . 2008-12-16 01:49 <DIR> d-------- c:\program files\Notepad++
2008-12-16 01:49 . 2008-12-16 01:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Notepad++
2008-12-16 01:48 . 2008-12-16 01:50 <DIR> d-------- c:\documents and settings\Cosmin\Application Data\Notepad++
2008-12-14 01:29 . 2008-12-14 01:29 <DIR> d-------- c:\program files\MPlayer-1.0rc2-gui
2008-12-13 12:40 . 2008-12-13 12:41 <DIR> d-------- c:\program files\WinMerge
2008-12-13 12:40 . 2008-07-04 10:23 1,047,552 --a------ c:\windows\system32\mfc71u.dll
2008-12-13 12:40 . 2008-07-04 10:23 499,712 --a------ c:\windows\system32\msvcp71.dll
2008-12-13 12:40 . 2008-07-04 10:23 348,160 --a------ c:\windows\system32\msvcr71.dll
2008-12-13 11:32 . 2008-12-13 11:32 <DIR> d-------- c:\documents and settings\Cosmin\Application Data\Subversion
2008-12-09 08:12 . 2008-12-09 08:12 <DIR> d-------- c:\documents and settings\Admin\Application Data\Thunderbird

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 19:34 --------- d-----w c:\documents and settings\Cosmin\Application Data\uTorrent
2009-01-05 17:51 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-26 18:38 --------- d-----w c:\documents and settings\Cosmin\Application Data\Skype
2008-12-26 18:34 --------- d-----w c:\documents and settings\Cosmin\Application Data\skypePM
2008-12-22 17:36 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-22 17:36 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-22 07:07 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2008-12-02 20:05 --------- d-----w c:\program files\Heavy Weapon Deluxe
2008-12-01 19:38 --------- d-----w c:\program files\totalcmd
2008-12-01 18:27 --------- d-----w c:\program files\Google
2008-11-29 21:24 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2008-11-29 21:23 56 ---ha-w c:\documents and settings\All Users\Application Data\ezsidmv.dat
2008-11-29 21:17 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-11-29 19:14 --------- d-----w c:\documents and settings\Cosmin\Application Data\OpenOffice.org
2008-11-28 21:36 --------- d-----w c:\program files\OpenOffice.org 3
2008-11-25 20:22 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-11-25 20:20 --------- d-----w c:\program files\Common Files\Adobe
2008-11-24 20:30 --------- d-----w c:\program files\Common Files\Ahead
2008-11-24 20:30 --------- d-----w c:\program files\Ahead
2008-11-24 20:00 --------- d-----w c:\program files\Java
2008-11-23 20:31 --------- d-----w c:\program files\PuTTY
2008-11-23 20:22 --------- d-----w c:\program files\uTorrent
2008-11-23 18:24 --------- d-----w c:\program files\IrfanView
2008-11-23 14:35 --------- d-----w c:\program files\Windows Desktop Search
2008-11-23 14:31 --------- d-----w c:\program files\muBlinder
2008-11-23 14:31 --------- d-----w c:\documents and settings\Cosmin\Application Data\Windows Search
2008-11-23 14:26 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-23 14:24 --------- d-----w c:\documents and settings\Cosmin\Application Data\Thunderbird
2008-11-23 13:00 20,747 ----a-w c:\windows\system32\drivers\AegisP.sys
2008-11-23 13:00 --------- d-----w c:\program files\Linksys Wireless-G PCI Wireless Network Monitor
2008-11-23 12:53 --------- d-----w c:\program files\Broadcom
2008-11-23 12:31 --------- d-----w c:\program files\microsoft frontpage
2008-09-25 09:00 63,735 --sha-w c:\windows\system32\zowirewa.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-10 216520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-24 136600]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"CardDetectorICON225"="c:\program files\CardDetector\ICON225\CardDetector.exe" [2007-11-14 278528]
"BEWINTERNET-ROSessionManager"="c:\program files\OrangeBS\BEWInternetRO\SessionManager\SessionManager.exe" [2007-11-05 102400]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\nazoduhi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Cosmin\\Local Settings\\Application Data\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\WINDOWS\\system32\\igfxsrvc.exe"=
"c:\\Program Files\\DAEMON Tools Lite\\daemon.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\Program Files\\PC Connectivity Solution\\ServiceLayer.exe"=
"c:\\Program Files\\OrangeBS\\BEWInternetRO\\Connectivity\\ConnectivityManager.exe"=
"c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WMP54Gv4.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-08 111184]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-08 20560]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2009-01-06 95744]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2009-01-06 51968]
S3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [2009-01-06 8064]
S3 h643331;h643331;c:\windows\system32\drivers\h643331.sys --> c:\windows\system32\drivers\h643331.sys [?]
S3 hid3331;hid3331;c:\windows\system32\drivers\Hid3331.sys [2008-12-22 41024]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40d97f82-dc28-11dd-9372-001d7e055b13}]
\Shell\AutoRun\command - I:\AutoRunCardDetector.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1229272821-839522115-1003.job
- c:\documents and settings\Cosmin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-23 15:23]

2009-01-08 c:\windows\Tasks\hdyazuzl.job
- c:\windows\system32\rundll32.exe [2008-04-14 02:12]

2009-01-08 c:\windows\Tasks\leugwanw.job
- c:\windows\system32\rundll32.exe [2008-04-14 02:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{023355B5-8010-438F-B85D-B53CB89D9CC5} - (no file)
BHO-{044C328C-0F4F-4C46-A981-F848C82E5824} - (no file)
BHO-{0AE25593-C6C4-4572-A2D2-51A79B781FE9} - (no file)
BHO-{1776AE03-2E7B-4CDD-84EE-12E1F9BCD692} - (no file)
BHO-{1C871E9E-29CA-4D18-B095-1BA1BF695155} - (no file)
BHO-{20C1146F-1473-4359-90B2-9E1E2FD27CFE} - (no file)
BHO-{21ACBC45-996C-45A8-9739-4E4929845234} - (no file)
BHO-{259D9EB4-F992-4ECF-96A1-D4534A73F646} - (no file)
BHO-{29A9043C-6209-42DC-B3CC-9BE6141287FB} - (no file)
BHO-{30A3FB8B-420B-44D6-A5DD-44F0968E532B} - (no file)
BHO-{4E3F6556-7C95-4048-8E94-2BCE6B7CFAA2} - (no file)
BHO-{5011EB47-C262-482C-8ABC-DE927AB0422E} - (no file)
BHO-{56A54763-10C7-4559-8C90-0771DBCECFFD} - (no file)
BHO-{57C16270-0830-4B4E-B2E6-96BA94D4598F} - (no file)
BHO-{680fa8c0-fee2-4659-88ba-3f8f1b7a336d} - c:\windows\system32\fojawuka.dll
BHO-{761A1BB3-CEB5-4EFC-8BF7-1224A696DBB5} - (no file)
BHO-{7CCDFE30-5242-4B78-ABFE-1E417EB2392D} - (no file)
BHO-{7E1C4084-F179-4C19-88AC-CC6C6FF46D0B} - (no file)
BHO-{81D88FE2-3401-4F39-8371-F3FD7EA4B11D} - (no file)
BHO-{8FC08C72-B28E-4E20-B3A0-2FBCBD584055} - (no file)
BHO-{9B24C16F-EEE1-4DCB-9807-F4D8FF4F77BA} - (no file)
BHO-{A3BB8642-931A-4D63-8A6D-9346F3F2B1F6} - c:\windows\system32\ddcYpnLe.dll
BHO-{A8CB2E88-FEA9-457D-9B76-A1DD74CF944D} - (no file)
BHO-{B151D869-0196-4169-A2A4-17F3F90CB6F3} - (no file)
BHO-{B433AE95-7C5B-4461-8E4D-C0B4EE7B959E} - (no file)
BHO-{C7B8F961-0481-4948-9781-F43FADE5B14F} - (no file)
BHO-{CBF09826-AA74-4069-9895-C9EB36C3BA59} - (no file)
BHO-{D238271A-6D98-4C3D-BA19-DEBE98BB63E8} - (no file)
BHO-{D537DD43-DCE0-453D-9A29-03099D714895} - (no file)
BHO-{D58B4483-94E4-47BA-9BF8-8D74AE381818} - (no file)
BHO-{D951AB60-FBAE-432E-A307-F072C66A0E49} - (no file)
BHO-{DDCB5C1A-F447-451E-AD60-C083D692888D} - (no file)
BHO-{EBA21B27-193F-4DD4-A4B7-28BE8C5604B2} - (no file)
BHO-{EE629F8F-CC4E-437A-A6CA-0EC783329B0B} - (no file)
BHO-{F3B0B213-B7E7-4802-BB24-5C68F73336C2} - (no file)
Notify-fccaBQGx - fccaBQGx.dll


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 21:16:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-08 21:20:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-08 19:20:19

Pre-Run: 28,451,856,384 bytes free
Post-Run: 28,796,899,328 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

329 --- E O F --- 2008-12-17 20:55:26

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:10 PM, on 1/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CardDetector\ICON225\CardDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CardDetectorICON225] C:\Program Files\CardDetector\ICON225\CardDetector.exe
O4 - HKLM\..\Run: [BEWINTERNET-ROSessionManager] C:\Program Files\OrangeBS\BEWInternetRO\SessionManager\SessionManager.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227445898478
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom SA - C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 6697 bytes

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Apple Mobile Device Support
Apple Software Update
avast! Antivirus
Bonjour
Broadcom NetXtreme Ethernet Controller
Card Detector for Option Icon 225
Cars
Dezinstalare Business Everywhere
Google Talk (remove only)
Heavy Weapon Deluxe
HijackThis 2.0.2
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Intel(R) Extreme Graphics 2 Driver
IrfanView (remove only)
iTunes
Java(TM) 6 Update 10
Linksys Wireless-G PCI Adapter
LS-USBMX 1/2/3 Steering Wheel W/Vibration
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
MSVC80_x86
Nero 6 Ultra Edition
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
Notepad++
OpenOffice.org 3.0
PC Connectivity Solution
PuTTY version 0.60
QuickTime
ratDVD 0.78.1444
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Skype™ 3.8
Spybot - Search & Destroy
Total Commander (Remove or Repair)
Total Video Converter 3.12 080330
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Windows Driver Package - Nokia Modem (10/27/2008 3.9)
Windows Driver Package - Nokia Modem (10/27/2008 7.01.0.1)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Internet Explorer 7
Windows XP Service Pack 3
WinMerge 2.10.2.0
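
The ComboFix output in this post shows the loading points that Virtumonde/Vundo-style infections abuse: an extra LSA Notification Package (nazoduhi.dll), a Winlogon Notify hook (fccaBQGx.dll), two random-named .job tasks that launch a bare rundll32.exe, a hidden+system DLL in system32 (zowirewa.dll), orphan BHO entries still pointing at DLLs, and Security Center update notifications switched off. The script below is an added example written for this page (editor's code, not ComboFix, Spybot or anything posted in the thread) that triages a ComboFix-style log for exactly those indicators. The sample text it scans is constructed from a few lines in the shape of the log above, the rule names and the scecli/rassfm allowlist are this example's own assumptions, and every hit is a lead for a helper to verify against the full log, not a verdict.

```python
"""Triage a ComboFix-style log for Virtumonde/Vundo-style loading points.

Added example for this thread; it is not ComboFix, Spybot or forum code.
Usage: python vundo_triage.py [ComboFix.txt]   (no argument: scans SAMPLE_LOG)
"""
import re
import sys
from typing import Dict, List

# Constructed sample: a handful of lines in the shape of the ComboFix log above.
SAMPLE_LOG = r"""
2008-09-25 09:00 63,735 --sha-w c:\windows\system32\zowirewa.dll
2008-11-23 13:00 20,747 ----a-w c:\windows\system32\drivers\AegisP.sys
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\nazoduhi.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-01-08 c:\windows\Tasks\hdyazuzl.job
- c:\windows\system32\rundll32.exe [2008-04-14 02:12]
BHO-{680fa8c0-fee2-4659-88ba-3f8f1b7a336d} - c:\windows\system32\fojawuka.dll
BHO-{A3BB8642-931A-4D63-8A6D-9346F3F2B1F6} - c:\windows\system32\ddcYpnLe.dll
BHO-{023355B5-8010-438F-B85D-B53CB89D9CC5} - (no file)
Notify-fccaBQGx - fccaBQGx.dll
"""

# Packages Windows XP itself registers under LSA\Notification Packages.
# Assumption of this example: anything else is a third party loading into lsass.exe.
LSA_ALLOWLIST = {"scecli", "rassfm"}

FIND3M = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+([\d,]+|-+)\s+(\S{7})\s+(.+)$")
JOB = re.compile(r"^\d{4}-\d{2}-\d{2}\s+c:\\windows\\tasks\\([^\\]+)\.job$", re.IGNORECASE)
SYSTEM32_DLL = re.compile(r"c:\\windows\\system32\\([^\\\s]+\.dll)$", re.IGNORECASE)
BHO = re.compile(r"^BHO-\{[0-9A-Fa-f-]+\}\s+-\s+(.+)$")
NOTIFY = re.compile(r"^Notify-\S+\s+-\s+(\S+)$")


def _finding(rule: str, artifact: str, line: str) -> Dict[str, str]:
    return {"rule": rule, "artifact": artifact, "line": line}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious loading point, in log order."""
    findings: List[Dict[str, str]] = []
    pending_job = None  # name of a .job whose "- target [date]" line comes next
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # Scheduled task whose target is bare rundll32.exe: the DLL it loads is
        # hidden in the .job arguments, the pattern the thread's log shows twice.
        if pending_job is not None:
            if "rundll32.exe" in line.lower():
                findings.append(_finding("rundll32_scheduled_task", pending_job, line))
            pending_job = None
            continue
        m = JOB.match(line)
        if m:
            pending_job = m.group(1)
            continue

        # Extra LSA Notification Package: runs inside lsass.exe on every password change.
        if line.startswith("Notification Packages"):
            for token in line.split()[3:]:
                name = token.rsplit("\\", 1)[-1].lower()
                name = name[:-4] if name.endswith(".dll") else name
                if name not in LSA_ALLOWLIST:
                    findings.append(_finding("lsa_notification_package", token, line))
            continue

        # Security Center told to stop nagging about updates (malware or the user did this).
        if line.lower().startswith('"updatesdisablenotify"=dword:') and line.endswith("1"):
            findings.append(_finding("update_notifications_disabled", "", line))
            continue

        # Find3M entry with hidden+system attributes on a DLL in system32.
        m = FIND3M.match(line)
        if m:
            attrs, path = m.group(2), m.group(3)
            d = SYSTEM32_DLL.search(path)
            if d and "h" in attrs and "s" in attrs:
                findings.append(_finding("hidden_system_dll", d.group(1), line))
            continue

        # Orphan BHO that still resolves to a file, and any Winlogon Notify hook DLL.
        m = BHO.match(line)
        if m and m.group(1).lower() != "(no file)":
            findings.append(_finding("bho_dll_present", m.group(1), line))
            continue
        m = NOTIFY.match(line)
        if m:
            findings.append(_finding("winlogon_notify", m.group(1), line))
    return findings


def dll_artifacts(findings: List[Dict[str, str]]) -> List[str]:
    """Unique DLL file names named by the findings: the list to quarantine or submit."""
    names = {f["artifact"].rsplit("\\", 1)[-1] for f in findings
             if f["artifact"].lower().endswith(".dll")}
    return sorted(names, key=str.lower)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    results = triage(text)
    for f in results:
        print(f"{f['rule']:30} {f['artifact']:40} {f['line']}")
    print("DLLs to collect:", ", ".join(dll_artifacts(results)))
```

Run it against the saved ComboFix.txt rather than the sample to get the real list; the "(no file)" BHO orphans are deliberately ignored because ComboFix has already removed the registry entries, whereas a BHO, Notify hook or LSA package that still names a DLL on disk is what the next cleanup step has to deal with.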

pskelley
2009-01-08, 20:45
Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now?

Thanks


Hackers are using out-of-date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update, if you are interested:
http://secunia.com/vulnerability_scanning/personal/
While PSI runs in the System Tray for real-time notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Java(TM) 6 Update 10 <<< needs an update; also uninstall the old version:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

pskelley
2009-01-16, 23:25
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.