View Full Version : Virtumonde
ShatteredScream
2009-01-12, 21:56
My girlfriend downloaded a fake antivirus program onto my computer.
It constantly pops up with fake scans with random viruses. It informs me that I have to pay to have then removed. The program has also disabled Windows' automatic updates. I get random ad popups and it has tried to change my Firefox homepage.
I have tried running AVG 8.0 and Spybot. This has seemed to fix the ad popups and the homepage change issues. Virtumonde still shows up and Windows Security update is still locked.
Thanks in advance.
Here is my HJT logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:39 PM, on 1/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://video.sympatico.msn.com/v/en-ca/v.htm?g=b24d37a2-4d56-46a3-b293-674fabb8ce1b&f=imbot_en-ca&fg=rss
O2 - BHO: {80accf1a-b245-8c0a-0044-66f6385a8080} - {0808a583-6f66-4400-a0c8-542ba1fcca08} - C:\WINDOWS\system32\gxiyzh.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7590C4C2-60BA-42F0-9EF5-672140B7E5FF} - C:\WINDOWS\system\ilbc.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {A3B39343-5C4F-420E-9026-9E4EA11685DC} - C:\WINDOWS\system32\yayxurqR.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Ultimate Cleaner] C:\Program Files\Ultimate Cleaner\App.exe
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Sound] svdhost.exe
O4 - HKLM\..\RunServices: [Windows Sound] svdhost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: &Search - ?p=ZKfox000
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179352002265
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://shattersph34r.spaces.live.com/PhotoUpload/MsnPUpld.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll gxiyzh.dll
O20 - Winlogon Notify: ilbc - C:\WINDOWS\system\ilbc.dll (file missing)
O20 - Winlogon Notify: jkkIXPjJ - jkkIXPjJ.dll (file missing)
O20 - Winlogon Notify: winoja32 - winoja32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
--
End of file - 9430 bytes
Hi and welcome
My girlfriend downloaded a fake antivirus program onto my computer. Sure did, along with a bunch of other junk.
Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.
Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.
O2 - BHO: {80accf1a-b245-8c0a-0044-66f6385a8080} - {0808a583-6f66-4400-a0c8-542ba1fcca08} - C:\WINDOWS\system32\gxiyzh.dll (file missing)
O2 - BHO: (no name) - {7590C4C2-60BA-42F0-9EF5-672140B7E5FF} - C:\WINDOWS\system\ilbc.dll (file missing)
O2 - BHO: (no name) - {A3B39343-5C4F-420E-9026-9E4EA11685DC} - C:\WINDOWS\system32\yayxurqR.dll (file missing)
O4 - HKLM\..\Run: [Ultimate Cleaner] C:\Program Files\Ultimate Cleaner\App.exe
O4 - HKLM\..\Run: [Windows Sound] svdhost.exe
O4 - HKLM\..\RunServices: [Windows Sound] svdhost.exe
O20 - AppInit_DLLs: avgrsstx.dll gxiyzh.dll
O20 - Winlogon Notify: ilbc - C:\WINDOWS\system\ilbc.dll (file missing)
O20 - Winlogon Notify: jkkIXPjJ - jkkIXPjJ.dll (file missing)
O20 - Winlogon Notify: winoja32 - winoja32.dll (file missing)
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) or from Here (http://download.bleepingcomputer.com/andymanchesta/SDFix.exe) and save it to your Desktop
Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following
:
Restart your computer
After hearing your computer beep once during startup, but before the Windows
icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load
your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the
forum).
Finally paste the contents of the SDFix Report.txt back on the forum with a new HijackThis log
NEXT**
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
No Validation is required.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt and a new HJT log in your next reply.
In your next reply post:
SDFix report.txt
ComboFix.txt
New HJT log
You may need several replies to post the requested logs, otherwise they might get cut off.
ShatteredScream
2009-01-15, 23:05
Here is the SDfix report:
SDFix: Version 1.240
Run by Administrator on Thu 01/15/2009 at 12:21 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\admintxt.txt - Deleted
C:\WINDOWS\system32\unsvchosts.lzma - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 12:46:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:d5,a1,08,30,4f,ec,31,69,29,79,d0,c8,6a,79,3d,c6,8d,e8,ee,c3,12,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:d5,a1,08,30,4f,ec,31,69,29,79,d0,c8,6a,79,3d,c6,8d,e8,ee,c3,12,..
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"="C:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe:*:Enabled:Rio Music Manager"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Documents and Settings\\Compaq_Administrator\\My Documents\\My Setup Files\\UTorrent\\utorrent.exe"="C:\\Documents and Settings\\Compaq_Administrator\\My Documents\\My Setup Files\\UTorrent\\utorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\WINDOWS\\ehome\\ehshell.exe"="C:\\WINDOWS\\ehome\\ehshell.exe:LocalSubNet:Enabled:Media Center"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 31 Jul 2006 211 A.SHR --- "C:\BOOT.BAK"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Wed 3 Jan 2007 1,712,068 A.SH. --- "C:\WINDOWS\system\cbli.bak2"
Wed 20 Dec 2006 1,220,453 A.SH. --- "C:\WINDOWS\system\cbli.bak1"
Thu 21 Sep 2006 759,218 ..SH. --- "C:\WINDOWS\system32\bcbeg.tmp"
Sun 13 May 2007 1,185,589 ..SH. --- "C:\WINDOWS\system32\lqkqivxp.tmp"
Fri 18 Aug 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 13 Nov 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.key.bak"
Fri 13 Jun 2008 63,147,230 A..H. --- "C:\Pr0n\c\DDG_Videos-Kyla Cole[www.PCTorrent.com\30006_dsl.zip"
Fri 27 Feb 2004 233,472 A..H. --- "C:\Program Files\Image-Line\FL Studio 7\REX Shared Library.dll"
Fri 18 Aug 2006 4,348 A..H. --- "C:\Documents and Settings\Compaq_Administrator\My Documents\My Music\License Backup\drmv1key.bak"
Wed 20 Sep 2006 20 A..H. --- "C:\Documents and Settings\Compaq_Administrator\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 31 Jul 2006 312 A.SH. --- "C:\Documents and Settings\Compaq_Administrator\My Documents\My Music\License Backup\drmv2key.bak"
Fri 16 Feb 2007 152,799,818 A..H. --- "C:\Documents and Settings\Compaq_Administrator\My Documents\Downloads\Virtual.Hottie.2.PC-Game.XXX-TT\VH2.XXX-TT\vh202.exe"
Fri 16 Feb 2007 143,360 A..H. --- "C:\Documents and Settings\Compaq_Administrator\My Documents\Downloads\Virtual.Hottie.2.PC-Game.XXX-TT\VH2.XXX-TT\Channels\vh202.DLL"
Finished!
ShatteredScream
2009-01-15, 23:06
Here is the Combofix log:
ComboFix 09-01-13.04 - Compaq_Administrator 2009-01-15 13:00:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.521 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Compaq_Administrator\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Common Files\{3C3CC~1
c:\windows\BM5f0ff510.txt
c:\windows\BM5f0ff510.xml
c:\windows\IE4 Error Log.txt
c:\windows\system32\ddelrvsj.ini
c:\windows\system32\drivers\npf.sys
c:\windows\system32\eguojilb.ini
c:\windows\system32\icuglkaw.ini
c:\windows\system32\lqkqivxp.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\packet.dll
c:\windows\system32\rbkkidnf.ini
c:\windows\system32\U3L35MEA.exe.a_a
c:\windows\system32\UpMedia
c:\windows\system32\wpcap.dll
c:\windows\Tasks\lfczsnay.job
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_NPF
((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.
2009-01-15 12:15 . 2009-01-15 12:16 <DIR> d-------- c:\windows\ERUNT
2009-01-15 12:05 . 2009-01-15 12:50 <DIR> d-------- C:\SDFix
2009-01-15 09:58 . 2005-08-14 15:56 <DIR> d-------- c:\documents and settings\MCX1\WINDOWS
2009-01-15 09:58 . 2006-07-29 10:27 <DIR> d-------- c:\documents and settings\MCX1\Application Data\Talkback
2009-01-15 09:58 . 2005-08-14 16:13 <DIR> d-------- c:\documents and settings\MCX1\Application Data\Symantec
2009-01-15 09:58 . 2005-08-14 15:59 <DIR> d-------- c:\documents and settings\MCX1\Application Data\SampleView
2009-01-15 09:58 . 2005-08-14 15:57 <DIR> d-------- c:\documents and settings\MCX1\Application Data\Intuit
2009-01-15 09:58 . 2005-08-14 15:55 <DIR> d-------- c:\documents and settings\MCX1\Application Data\Apple Computer
2009-01-15 09:58 . 2009-01-15 09:58 <DIR> d-------- c:\documents and settings\MCX1
2009-01-15 09:36 . 2009-01-15 09:36 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-01-12 19:08 . 2005-06-28 16:43 46,592 --------- c:\windows\system32\drivers\irbus.sys
2009-01-12 19:08 . 2005-06-28 16:43 19,200 --------- c:\windows\system32\drivers\hidir.sys
2009-01-12 12:01 . 2009-01-12 12:01 <DIR> d-------- c:\program files\Trend Micro
2008-12-22 23:35 . 2008-12-22 23:35 <DIR> d-------- c:\documents and settings\Compaq_Administrator\Application Data\dvdcss
2008-12-15 15:13 . 2003-03-16 00:15 90,112 --a------ c:\windows\unvise32.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 18:35 --------- d-----w c:\documents and settings\Compaq_Administrator\Application Data\uTorrent
2009-01-15 16:21 --------- d-----w c:\program files\Winamp Remote
2009-01-15 01:08 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-12 18:05 --------- d-----w c:\program files\LimeWire
2009-01-12 18:04 --------- d-----w c:\program files\GibbageDemo
2009-01-12 18:04 --------- d-----w c:\program files\Full Tilt Poker
2009-01-12 18:03 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-15 22:02 --------- d-----w c:\program files\DreamCatcher
2008-12-14 19:49 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-14 18:48 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-13 07:09 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-12-09 19:59 --------- d-----w c:\program files\Java
2008-12-06 02:03 3,532 ----a-w C:\drmHeader.bin
2008-12-05 11:27 --------- d-----w c:\program files\FireStarter
2008-12-05 11:25 --------- d-----w c:\program files\Steam
2008-12-05 11:23 --------- d-----w c:\program files\Psychotoxic
2008-12-04 05:00 --------- d-----w c:\documents and settings\NetworkService\Application Data\AVGTOOLBAR
2008-12-02 19:38 --------- d-----w c:\documents and settings\Compaq_Administrator\Application Data\AVGTOOLBAR
2008-11-28 21:06 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-28 21:02 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-11-28 21:02 --------- d-----w c:\program files\AVG
2008-11-28 21:02 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-26 00:44 --------- d-----w c:\program files\Virtual Hottie 2
2008-05-21 23:22 2,190 ----a-w c:\documents and settings\Compaq_Administrator\Application Data\wklnhst.dat
2007-12-01 09:05 374 ----a-w c:\documents and settings\Compaq_Administrator\Application Data\internaldb6334.dat
2007-12-01 08:41 555 ----a-w c:\documents and settings\Compaq_Administrator\Application Data\internaldb8467.dat
2007-12-01 08:41 18,432 ----a-w c:\documents and settings\Compaq_Administrator\Application Data\internaldb41.dat
2006-12-20 19:03 1,220,453 --sha-w c:\windows\system\cbli.bak1
2007-01-04 00:06 1,712,068 --sha-w c:\windows\system\cbli.bak2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"PDUiP6600DMon"="c:\program files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [2005-05-25 69632]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-13 409600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-23 185896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-04 307200]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-28 1261336]
c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-16 113664]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-16 113664]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VP31"= vp31vfw.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\My Setup Files\\UTorrent\\utorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-28 97928]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-28 231704]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [2006-07-31 79616]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2006-10-13 50048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder
2009-01-03 c:\windows\Tasks\At1.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At10.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-15 c:\windows\Tasks\At11.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-15 c:\windows\Tasks\At12.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-15 c:\windows\Tasks\At13.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At14.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At15.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At16.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-13 c:\windows\Tasks\At17.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At18.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At19.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-03 c:\windows\Tasks\At2.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-15 c:\windows\Tasks\At20.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-15 c:\windows\Tasks\At21.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-13 c:\windows\Tasks\At22.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At23.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At24.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-03 c:\windows\Tasks\At25.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-03 c:\windows\Tasks\At26.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At27.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At28.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At29.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At3.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At30.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At31.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At32.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At33.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At34.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-15 c:\windows\Tasks\At35.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-15 c:\windows\Tasks\At36.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-15 c:\windows\Tasks\At37.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At38.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At39.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At4.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At40.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-13 c:\windows\Tasks\At41.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At42.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At43.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-15 c:\windows\Tasks\At44.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-15 c:\windows\Tasks\At45.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-13 c:\windows\Tasks\At46.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At47.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At48.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-03 c:\windows\Tasks\At49.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At5.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-03 c:\windows\Tasks\At50.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At51.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At52.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At53.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At54.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At55.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At56.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At57.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At58.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-15 c:\windows\Tasks\At59.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At6.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-15 c:\windows\Tasks\At60.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-15 c:\windows\Tasks\At61.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At62.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At63.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At64.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-13 c:\windows\Tasks\At65.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At66.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At67.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-15 c:\windows\Tasks\At68.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-15 c:\windows\Tasks\At69.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At7.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-13 c:\windows\Tasks\At70.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At71.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-14 c:\windows\Tasks\At72.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At8.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-02 c:\windows\Tasks\At9.job
- c:\windows\system32\U3L35MEA.exe []
2009-01-15 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-Steam - (no file)
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-PCDrProfiler - (no file)
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
IE: &Search - ?p=ZKfox000
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\sknqgd0h.default\
FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-divxb&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-divxb&p=
FF - component: c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\sknqgd0h.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampPlayer.dll
FF - component: c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\sknqgd0h.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 13:08:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\RMSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\ehome\McrdSvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Winamp Remote\bin\Orb.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-01-15 13:14:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-15 20:13:54
Pre-Run: 1,076,068,352 bytes free
Post-Run: 1,642,168,320 bytes free
350 --- E O F --- 2008-07-30 09:04:16
ShatteredScream
2009-01-15, 23:07
And finally a new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:48 PM, on 1/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://video.sympatico.msn.com/v/en-ca/v.htm?g=b24d37a2-4d56-46a3-b293-674fabb8ce1b&f=imbot_en-ca&fg=rss
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: &Search - ?p=ZKfox000
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179352002265
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://shattersph34r.spaces.live.com/PhotoUpload/MsnPUpld.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
--
End of file - 8345 bytes
Welcome back
Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.
Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
Click on this link Here (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below:
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
File::
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
C:\WINDOWS\system\cbli.bak2
C:\WINDOWS\system\cbli.bak1
C:\WINDOWS\system32\bcbeg.tmp
C:\WINDOWS\system32\lqkqivxp.tmp
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Please download ATF Cleaner by Atribune From Here (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) and save it to your Desktop.
Follow the instructions for the browser you use.
Read the instructions about the cookies. Delete what you do not need.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache
The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use the Firefox or Opera browsers, you can use this program
as a quick way to tidy those up as well.
When you have finished, click on the Exit button in the Main menu.
========================
NEXT**
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.
*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.
Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400
Other available links
Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) or from here
http://www.kaspersky.com/virusscanner
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition
files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run. (At times it may appear to stall)
* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
* Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Once the scan is complete, click on View scan report To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select:
Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in
your reply.
Animated tutorial
http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif
(Note.. for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419
In your next reply post:
ComboFix.txt
Kaspersky log
New HJT log taken after the above scans have run
You may need several replies to post the requested logs, otherwise they might get cut off.
Also, please give mean update on how the computer is at the moment.
ShatteredScream
2009-01-16, 11:12
Just a quick update on the status of my computer, the fake antivirus isn't showing up with the popups anymore, the browser redirects have quit, and most importantly Windows Automatic Update is working properly now!
Thank you!
Down to business, here is Combofix.txt:
ComboFix 09-01-13.04 - Compaq_Administrator 2009-01-15 17:40:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.509 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\Wes' Malware Tools\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
c:\windows\system\cbli.bak1
c:\windows\system\cbli.bak2
c:\windows\system32\bcbeg.tmp
c:\windows\system32\lqkqivxp.tmp
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system\cbli.bak1
c:\windows\system\cbli.bak2
c:\windows\system32\bcbeg.tmp
c:\windows\system32\lqkqivxp.tmp
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.
2009-01-15 13:58 . 2009-01-15 14:07 <DIR> d-------- c:\windows\LastGood
2009-01-15 12:15 . 2009-01-15 12:16 <DIR> d-------- c:\windows\ERUNT
2009-01-15 12:05 . 2009-01-15 17:35 <DIR> d-------- C:\SDFix
2009-01-15 09:58 . 2005-08-14 15:56 <DIR> d-------- c:\documents and settings\MCX1\WINDOWS
2009-01-15 09:58 . 2006-07-29 10:27 <DIR> d-------- c:\documents and settings\MCX1\Application Data\Talkback
2009-01-15 09:58 . 2005-08-14 16:13 <DIR> d-------- c:\documents and settings\MCX1\Application Data\Symantec
2009-01-15 09:58 . 2005-08-14 15:59 <DIR> d-------- c:\documents and settings\MCX1\Application Data\SampleView
2009-01-15 09:58 . 2005-08-14 15:57 <DIR> d-------- c:\documents and settings\MCX1\Application Data\Intuit
2009-01-15 09:58 . 2005-08-14 15:55 <DIR> d-------- c:\documents and settings\MCX1\Application Data\Apple Computer
2009-01-15 09:58 . 2009-01-15 09:58 <DIR> d-------- c:\documents and settings\MCX1
2009-01-15 09:36 . 2009-01-15 09:36 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-01-12 19:08 . 2005-06-28 16:43 46,592 --------- c:\windows\system32\drivers\irbus.sys
2009-01-12 19:08 . 2005-06-28 16:43 19,200 --------- c:\windows\system32\drivers\hidir.sys
2009-01-12 12:01 . 2009-01-12 12:01 <DIR> d-------- c:\program files\Trend Micro
2008-12-22 23:35 . 2008-12-22 23:35 <DIR> d-------- c:\documents and settings\Compaq_Administrator\Application Data\dvdcss
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 18:35 --------- d-----w c:\documents and settings\Compaq_Administrator\Application Data\uTorrent
2009-01-15 16:21 --------- d-----w c:\program files\Winamp Remote
2009-01-15 01:08 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-13 02:21 61,440 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2009-01-13 02:21 45,056 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2009-01-13 02:21 44,032 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2009-01-13 02:21 40,960 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2009-01-13 02:21 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2009-01-13 02:21 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2009-01-13 02:21 287,310 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection.dll
2009-01-13 02:21 163,840 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2009-01-12 18:05 --------- d-----w c:\program files\LimeWire
2009-01-12 18:04 --------- d-----w c:\program files\GibbageDemo
2009-01-12 18:04 --------- d-----w c:\program files\Full Tilt Poker
2009-01-12 18:03 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-15 22:02 --------- d-----w c:\program files\DreamCatcher
2008-12-14 19:49 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-14 18:48 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-13 07:09 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-12-09 20:00 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-09 19:59 --------- d-----w c:\program files\Java
2008-12-06 02:03 3,532 ----a-w C:\drmHeader.bin
2008-12-05 11:27 --------- d-----w c:\program files\FireStarter
2008-12-05 11:25 --------- d-----w c:\program files\Steam
2008-12-05 11:23 --------- d-----w c:\program files\Psychotoxic
2008-12-04 05:00 --------- d-----w c:\documents and settings\NetworkService\Application Data\AVGTOOLBAR
2008-12-02 19:38 --------- d-----w c:\documents and settings\Compaq_Administrator\Application Data\AVGTOOLBAR
2008-11-28 21:06 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-28 21:02 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-11-28 21:02 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-11-28 21:02 --------- d-----w c:\program files\AVG
2008-11-28 21:02 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-26 00:44 --------- d-----w c:\program files\Virtual Hottie 2
2008-11-22 22:17 2,855 ----a-w c:\windows\PIF\Setup.PIF
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 21:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 21:12 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 21:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 21:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-05-21 23:22 2,190 ----a-w c:\documents and settings\Compaq_Administrator\Application Data\wklnhst.dat
2007-12-01 09:05 374 ----a-w c:\documents and settings\Compaq_Administrator\Application Data\internaldb6334.dat
2007-12-01 08:41 555 ----a-w c:\documents and settings\Compaq_Administrator\Application Data\internaldb8467.dat
2007-12-01 08:41 18,432 ----a-w c:\documents and settings\Compaq_Administrator\Application Data\internaldb41.dat
.
((((((((((((((((((((((((((((( snapshot@2009-01-15_13.12.41.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-31 02:19:20 92,504 ----a-w c:\windows\LastGood\system32\cdm.dll
+ 2007-07-31 01:19:10 271,224 ----a-w c:\windows\LastGood\system32\mucltui.dll
+ 2007-07-31 01:19:04 207,736 ----a-w c:\windows\LastGood\system32\muweb.dll
+ 2007-07-31 02:19:36 549,720 ----a-w c:\windows\LastGood\system32\wuapi.dll
+ 2007-07-31 02:19:16 53,080 ----a-w c:\windows\LastGood\system32\wuauclt.exe
+ 2007-07-31 02:19:42 1,712,984 ----a-w c:\windows\LastGood\system32\wuaueng.dll
+ 2007-07-31 02:19:32 325,976 ----a-w c:\windows\LastGood\system32\wucltui.dll
+ 2007-07-31 02:18:40 33,624 ----a-w c:\windows\LastGood\system32\wups.dll
+ 2007-07-31 02:19:12 43,352 ----a-w c:\windows\LastGood\system32\wups2.dll
+ 2007-07-31 02:19:28 203,096 ----a-w c:\windows\LastGood\system32\wuweb.dll
- 2008-05-29 23:35:11 17,486,968 ----a-w c:\windows\system32\MRT.exe
+ 2008-06-25 16:15:46 17,972,344 ----a-w c:\windows\system32\MRT.exe
+ 2008-10-16 21:12:20 561,688 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.2.6001.788\wuapi.dll
+ 2008-10-16 21:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 21:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"PDUiP6600DMon"="c:\program files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [2005-05-25 69632]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-13 409600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-23 185896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-04 307200]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-28 1261336]
c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-16 113664]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-16 113664]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VP31"= vp31vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\My Setup Files\\UTorrent\\utorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-28 97928]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-28 231704]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [2006-07-31 79616]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2006-10-13 50048]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - WUAUSERV
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder
2009-01-16 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -
BHO-{0808a583-6f66-4400-a0c8-542ba1fcca08} - (no file)
BHO-{7590C4C2-60BA-42F0-9EF5-672140B7E5FF} - (no file)
BHO-{A3B39343-5C4F-420E-9026-9E4EA11685DC} - (no file)
Notify-ilbc - (no file)
Notify-jkkIXPjJ - (no file)
Notify-winoja32 - (no file)
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
IE: &Search - ?p=ZKfox000
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\sknqgd0h.default\
FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-divxb&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-divxb&p=
FF - component: c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\sknqgd0h.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampPlayer.dll
FF - component: c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\sknqgd0h.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 17:44:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-15 17:46:49
ComboFix-quarantined-files.txt 2009-01-16 00:46:00
ComboFix2.txt 2009-01-15 20:14:11
Pre-Run: 1,326,088,192 bytes free
Post-Run: 1,310,191,616 bytes free
368 --- E O F --- 2009-01-15 21:02:58
ShatteredScream
2009-01-16, 11:15
And the Kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 16, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 16, 2009 02:06:27
Records in database: 1628582
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
L:\
Scan statistics:
Files scanned: 141276
Threat name: 4
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 05:39:27
File name / Threat name / Threats count
C:\Documents and Settings\Compaq_Administrator\My Documents\Downloads\Music\Tim McGraw - Greatest Hits\Tim Mcgraw - Greatest Hits - 05 - Just To See You Smile.mp3 Infected: Trojan-Downloader.WMA.GetCodec.i 1
C:\Documents and Settings\Compaq_Administrator\My Documents\My Music\05 Track 5.wma Infected: Trojan-Downloader.WMA.Wimad.o 1
C:\Documents and Settings\Compaq_Administrator\My Documents\{40B2FD92-F761-4E4D-8C02-8BBBE3411998}\My Pictures\Events -08\WebfettiSetup2.3.50.19.ZKfox000.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.cw 1
D:\I386\Apps\APP05550\src\HPSummer2005.exe Infected: not-a-virus:AdWare.Win32.MyWay.j 1
The selected area was scanned.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
And finally the new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:22 AM, on 1/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://video.sympatico.msn.com/v/en-ca/v.htm?g=b24d37a2-4d56-46a3-b293-674fabb8ce1b&f=imbot_en-ca&fg=rss
O2 - BHO: (no name) - {0808a583-6f66-4400-a0c8-542ba1fcca08} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7590C4C2-60BA-42F0-9EF5-672140B7E5FF} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {A3B39343-5C4F-420E-9026-9E4EA11685DC} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunServices: [Windows Sound] svdhost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: &Search - ?p=ZKfox000
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232053093953
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://shattersph34r.spaces.live.com/PhotoUpload/MsnPUpld.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: ilbc - C:\WINDOWS\
O20 - Winlogon Notify: jkkIXPjJ - C:\WINDOWS\
O20 - Winlogon Notify: winoja32 - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
--
End of file - 8648 bytes
Just a quick update on the status of my computer, the fake antivirus isn't showing up with the popups anymore, the browser redirects have quit, and most importantly Windows Automatic Update is working properly now!
Yes!
Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.
P2P software/programs are a major contributor to infections. I see you have Limewire and uTorrent. Not passing judgment on file-sharing, However will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page (http://p2p.malwareremoval.com/) will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
References for the risk of these programs can also be found
Here (http://www.microsoft.com/windows/ie/community/columns/protection.mspx ) and Here (http://www.internetworldstats.com/articles/art053.htm )
I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system.
Delete SDFix
C:\SDFix\backups <--this folder
I see a Symantec/Norton folder, is this from an incomplete uninstall?
HPSummer2005.exe.........Its nothing to be concerned with.
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
# Open Spybot Search & Destroy.
# In the Mode menu click "Advanced mode" if not already selected.
# Choose "Yes" at the Warning prompt.
# Expand the "Tools" menu.
# Click "Resident".
# Uncheck the "Resident "TeaTimer" (Protection of overall system settings)
active." box.
# In the File menu click "Exit" to exit Spybot Search & Destroy.
* See this link for a tutorial http://russelltexas.com/malware/teatimer.htm
Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.
O2 - BHO: (no name) - {0808a583-6f66-4400-a0c8-542ba1fcca08} - (no file)
O2 - BHO: (no name) - {7590C4C2-60BA-42F0-9EF5-672140B7E5FF} - (no file)
O2 - BHO: (no name) - {A3B39343-5C4F-420E-9026-9E4EA11685DC} - (no file)
O4 - HKLM\..\RunServices: [Windows Sound] svdhost.exe
O20 - Winlogon Notify: ilbc - C:\WINDOWS\
O20 - Winlogon Notify: jkkIXPjJ - C:\WINDOWS\
O20 - Winlogon Notify: winoja32 - C:\WINDOWS\
Now we need to delete the infected items found by Kaspersky.
If any should resist deletion drop into safe mode and try again.
Go to My Computer->Tools->Folder Options->View tab:
Under the Hidden files and folders heading:
Select - Show hidden files and folders.
Uncheck- Hide protected operating system files (recommended) option.
Also, make sure there is no checkmark beside Hide file extensions for known file types.
Click OK. (Remember to Hide files and folders once done)
Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold
C:\Documents and Settings\Compaq_Administrator\My Documents\Downloads\Music\Tim McGraw - Greatest Hits\Tim Mcgraw - Greatest Hits - 05 - Just To See You Smile.mp3 <--delete this
C:\Documents and Settings\Compaq_Administrator\My Documents\My Music\05 Track 5.wma<--delete
C:\Documents and Settings\Compaq_Administrator\My Documents\{40B2FD92-F761-4E4D-8C02-8BBBE3411998}\My Pictures\Events -08\WebfettiSetup2.3.50.19.ZKfox000.exe <--delete
Now empty your recycle bin.
Reboot your computer <--Important.
Please post back once more and let me know what issues remain, I think we're ready for final clean up and preventive tips.
ShatteredScream
2009-01-17, 00:59
Yes, the Symantec folder is from an incomplete uninstall, same with the Limewire folder. Thanks for bringing these to my attention!
My computer is running really well now that the crap is gone. Thank you so much for your help!
Remove Norton AntiVirus:
Here is a guide for uninstalling Norton, including uninstallers. Be sure to use the uninstaller for the version of Norton/Symantec that was installed on your system. http://basconotw.mvps.org/SymRem.htm
Don't miss or skip this next step, this will remove bad files from quarantine and set a clean restore point.
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.
Example below
http://www.forospyware.com/images/adv/CF_Cleanup.png
Your good to go, good job!
Please take the time to read over a few of my preventive tips.
Please navigate to Microsoft Windows Updates (http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us) and download all the "Critical Updates" for Windows.
Firefox 2.0 (http://www.mozilla.com/en-US/firefox/all-older.html )
The award-winning Web browser is now faster, more secure, and fully customizable to your online life. With Firefox 2, added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
How to prevent Malware: Created by Miekiemoes (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)
Here are some additional utilities that will further enhance your safety.
# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Read this article 'Safe Computing Practices'.
So how did I get infected in the first place. (http://www.spywareinfoforum.com/index.php?showtopic=60955)
Secure My Computer: A Layered Approach (http://www.dslreports.com/faq/8463)
Strong passwords: How to create and use them (http://www.microsoft.com/protect/yourself/password/create.mspx)
Free Antivirus-AntiSpyware-Firewall Software (http://www.geekstogo.com/forum/Free-Antivirus-Antispyware-Software-t38.html)
Slow Computer May Not Be Malware Related, Help! My computer is slow!
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
PC Safety and Security--What Do I Need?
http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
This site offers people who have been (or are) victims of malware the opportunity to document their story.
Extra note:
Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
Glad we could help. :)http://i204.photobucket.com/albums/bb106/Juliet702/sparkle.gif
Since this issue appears resolved ... this Topic is closed.