Virtumonde has got me yet again



riderfam5
2009-03-06, 18:06
Somehow I keep getting tagged by Virtumonde. I can also hear my hard disk grinding away all the time, like it's paging out memory constantly.

Here is my hjt file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:21 AM, on 3/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\system32\Brmfrmps.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
E:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\BRMFRSMG.EXE
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
E:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Whatever.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {2365d1dc-d741-460d-b615-cad7b21796a2} - C:\WINNT\system32\hafasego.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: {857a356a-7c29-7f0b-bf74-ae0cfeff53fd} - {df35ffef-c0ea-47fb-b0f7-92c7a653a758} - C:\WINNT\system32\xkuvyb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] E:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ridosatidu] Rundll32.exe "C:\WINNT\system32\tenugizu.dll",s
O4 - HKLM\..\Run: [58a3301c] rundll32.exe "C:\WINNT\system32\mapatawa.dll",b
O4 - HKLM\..\Run: [CPM5b900380] Rundll32.exe "c:\winnt\system32\vokizofe.dll",a
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [ridosatidu] Rundll32.exe "C:\WINNT\system32\tenugizu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ridosatidu] Rundll32.exe "C:\WINNT\system32\tenugizu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = E:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://enu.vs.mcafeeasap.com/VS2/bin/myCioAgt.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206769000921
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://96.236.65.17/Remote/msrdp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.31.2/ttinst.cab
O20 - AppInit_DLLs: C:\WINNT\system32\nusuzefa.dll yshjeu.dll kuhohx.dll xkuvyb.dll c:\winnt\system32\vokizofe.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\vokizofe.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\vokizofe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: USB2.0 TVBOX Service (StkSSrv) - Unknown owner - C:\WINNT\System32\StkSrv2K_.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11271 bytes

Any help is greatly appreciated!
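The log above shows the same handful of random-named DLLs in system32 registered under several load points at once (Run keys via rundll32, AppInit_DLLs, SSODL, SharedTaskScheduler, a nameless BHO, and Run entries under the LOCAL SERVICE / NETWORK SERVICE hives). The script below is an added example, not part of this thread and not HijackThis or ComboFix code: it parses HijackThis O2/O4/O20/O21/O22 lines and cross-references each module across load points so that this pattern is flagged mechanically. The sample input is a verbatim excerpt of the log posted above; the heuristics, function names and messages are the example's own.

```python
"""
Triage HijackThis 2.0 log lines for Virtumonde/Vundo-style persistence.

Added example: the heuristics, function names and messages are this
script's own, not HijackThis or ComboFix output. SAMPLE_LOG is a
verbatim excerpt of the HijackThis log posted in this thread.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2365d1dc-d741-460d-b615-cad7b21796a2} - C:\WINNT\system32\hafasego.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: {857a356a-7c29-7f0b-bf74-ae0cfeff53fd} - {df35ffef-c0ea-47fb-b0f7-92c7a653a758} - C:\WINNT\system32\xkuvyb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ridosatidu] Rundll32.exe "C:\WINNT\system32\tenugizu.dll",s
O4 - HKLM\..\Run: [58a3301c] rundll32.exe "C:\WINNT\system32\mapatawa.dll",b
O4 - HKLM\..\Run: [CPM5b900380] Rundll32.exe "c:\winnt\system32\vokizofe.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ridosatidu] Rundll32.exe "C:\WINNT\system32\tenugizu.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINNT\system32\nusuzefa.dll yshjeu.dll kuhohx.dll xkuvyb.dll c:\winnt\system32\vokizofe.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\vokizofe.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\vokizofe.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# First drive-rooted .exe/.dll path in a command line, quoted or not.
PATH_RE = re.compile(r'"?([a-z]:\\.*?\.(?:exe|dll))"?', re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RUN_RE = re.compile(r"(\S+?)\\\.\.\\Run(?:Once)?: \[[^\]]*\] (.*)$")
# The generated DLL names in this log are 6-8 lowercase letters; used only
# as supporting evidence, never as the sole reason to flag a module.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,8}\.dll$")


def module_of(command):
    """First drive-rooted .exe/.dll in a Run-key command, else its first token."""
    m = PATH_RE.search(command)
    return m.group(1) if m else command.split()[0]


def triage(log_text):
    """Return {module basename: sorted reasons} for every suspect module."""
    reasons = defaultdict(set)      # basename -> why it is suspect
    load_points = defaultdict(set)  # basename -> HJT sections it appears in
    paths = {}                      # basename -> first full path seen

    def note(path, section, reason=None):
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        paths.setdefault(name, path)
        load_points[name].add(section)
        if reason:
            reasons[name].add(reason)

    for line in log_text.splitlines():
        if not re.match(r"^O\d+ - ", line):
            continue
        section, body = line.split(" - ", 1)
        if section == "O2":
            # O2 - BHO: <display name> - {CLSID} - <path>
            display, _clsid, path = body[len("BHO: "):].rsplit(" - ", 2)
            nameless = display == "(no name)" or bool(GUID_RE.match(display))
            note(path, "O2 BHO", "BHO with no or GUID-shaped display name" if nameless else None)
        elif section == "O4":
            # O4 - <hive>\..\Run: [<entry>] <command>
            m = RUN_RE.match(body)
            if not m:
                continue  # Global Startup .lnk entries are not handled here
            hive, command = m.groups()
            path = module_of(command)
            via_rundll32 = re.match(r"rundll32(\.exe)?\s", command, re.I)
            note(path, "O4 Run", "loaded by rundll32 from a Run key" if via_rundll32 else None)
            if re.match(r"HKUS\\S-1-5-(19|20)", hive):
                note(path, "O4 Run", "Run entry under a service-account hive (S-1-5-19/20)")
        elif section == "O20":
            # O20 - AppInit_DLLs: whitespace/comma separated list; bare names
            # are resolved through the DLL search path (system32 first).
            for entry in re.split(r"[\s,]+", body.split(":", 1)[1].strip()):
                if entry:
                    note(entry, "O20 AppInit_DLLs",
                         "AppInit_DLLs entry (mapped into every process that loads user32.dll)")
        elif section in ("O21", "O22"):
            # O21 - SSODL / O22 - SharedTaskScheduler: <name> - {CLSID} - <path>
            path = body.rsplit(" - ", 1)[-1]
            what = "ShellServiceObjectDelayLoad" if section == "O21" else "SharedTaskScheduler"
            note(path, f"{section} {what}", f"{what} object loaded by explorer.exe at logon")

    # Supporting evidence for modules that already have a load-point reason.
    for name in list(reasons):
        if len(load_points[name]) > 1:
            reasons[name].add(f"registered under {len(load_points[name])} distinct load points")
        if RANDOM_NAME_RE.match(name) and "system32" in paths[name].lower():
            reasons[name].add("random-looking 6-8 letter name in system32")

    return {name: sorted(why) for name, why in reasons.items()}


if __name__ == "__main__":
    for name, why in sorted(triage(SAMPLE_LOG).items()):
        print(name)
        for reason in why:
            print("   -", reason)
```

Run against the excerpt, the script flags vokizofe.dll under four load points, tenugizu.dll for the rundll32 launch plus the LOCAL SERVICE hive entry, and the two BHOs with missing or GUID-shaped names, while ssv.dll, ctfmon.exe and iTunesHelper.exe are left alone. The name heuristic is deliberately only supporting evidence: plenty of legitimate binaries have short lowercase names, so the cross-referencing of load points is what carries the signal.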

Shaba
2009-03-07, 11:02
Hi riderfam5

We will begin with ComboFix.

Please download ComboFix from one of these locations:

Link 1 (http://subs.geekstogo.com/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.



Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

riderfam5
2009-03-08, 01:13
Thanks. Here are the two logs:

ComboFix 09-03-06.02 - Administrator 2009-03-07 15:48:42.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.650 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Total Protection Service *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\0FGRs5Se.exe.a_a
c:\winnt\system32\7ptcvBag.exe.a_a
c:\winnt\system32\awatapam.ini
c:\winnt\system32\junefare.dll
c:\winnt\system32\kibarofa.dll
c:\winnt\system32\varadosa.dll
c:\winnt\system32\verahuna.dll
c:\winnt\system32\xkuvyb.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-07 to 2009-03-07 )))))))))))))))))))))))))))))))
.

2009-03-07 15:56 . 2009-03-07 15:57 1,806,762 ---hs---- c:\winnt\system32\awatapam.ini
2009-03-04 11:27 . 2009-03-04 11:27 47,616 --a------ c:\temp\OY4aAKa1.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 00:45 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-06 16:51 84,992 --sha-w c:\winnt\system32\vokizofe.dll
2009-03-06 16:51 79,872 --sha-w c:\winnt\system32\mapatawa.dll
2009-03-05 05:18 79,872 ------w c:\winnt\system32\fevubitu.dll
2009-03-04 17:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-04 17:42 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-03 22:45 --------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2009-01-16 00:45 --------- d-----w c:\program files\iTunes
2009-01-15 07:12 --------- d-----w c:\program files\iPod
2009-01-15 07:12 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-15 07:08 --------- d-----w c:\program files\QuickTime
2009-01-15 07:06 --------- d-----w c:\program files\Common Files\Apple
2009-01-14 06:54 --------- d-----w c:\program files\Google
2009-01-12 23:51 --------- d-----w c:\documents and settings\Administrator\Application Data\TaxCut
2009-01-07 17:23 --------- d-----w c:\program files\MSECache
2009-01-07 17:11 --------- d-----w c:\documents and settings\Administrator\Application Data\Microsoft Web Folders
2009-01-07 17:10 --------- d-----w c:\documents and settings\Administrator\Application Data\OfficeUpdate12
2008-12-20 23:15 826,368 ----a-w c:\winnt\system32\wininet.dll
2008-12-18 05:14 410,984 ----a-w c:\winnt\system32\deploytk.dll
2005-03-30 17:26 271 --sha-w c:\program files\desktop.ini
2005-03-30 17:26 21,952 ---ha-w c:\program files\folder.htt
2008-09-09 14:29 32,768 --sha-w c:\winnt\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090920080910\index.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 307,200 2005-08-18 19:49:06 c:\program files\Adobe\Acrobat 7.0\Acrobat\bak\AdobeUpdateManager.exe
----a-r 307,200 2005-08-18 19:49:06 c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

----a-w 483,328 2005-09-24 05:30:38 c:\program files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe
----a-w 483,328 2005-09-24 05:30:38 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

----a-w 120,320 2006-10-15 02:54:23 c:\program files\Google\Google Desktop Search\bak\GoogleDesktop.exe

----a-w 49,152 2006-02-19 10:41:10 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 229,952 2006-09-25 21:54:24 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 290,088 2008-11-20 21:20:54 c:\program files\iTunes\iTunesHelper.exe

----a-w 49,263 2006-11-09 23:07:30 c:\program files\Java\jre1.5.0_10\bin\bak\jusched.exe

----a-w 22,523 2000-09-13 03:40:02 c:\program files\Konami\Woody Woodpecker Racing\Data\Models\Cars\Atv\bak\ATV.PSD
----a-w 11,071 2000-09-30 03:27:36 c:\program files\Konami\Woody Woodpecker Racing\Data\Models\Cars\Atv\ATV.PSD

----a-w 139,264 2006-05-02 21:11:48 c:\program files\McAfee\Managed VirusScan\Agent\bak\myagttry.exe
----a-w 247,104 2008-01-23 06:09:30 c:\program files\McAfee\Managed VirusScan\Agent\myagttry.exe

----a-w 409,600 2006-05-02 21:27:26 c:\program files\McAfee\Managed VirusScan\Agent\bak\Splash.exe
----a-w 468,288 2008-01-23 06:09:32 c:\program files\McAfee\Managed VirusScan\Agent\Splash.exe

----a-w 282,624 2006-09-24 10:24:54 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-11-04 18:30:50 c:\program files\QuickTime\QTTask.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-27 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfee Managed Services Tray"="c:\program files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2008-01-22 87360]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\Agent\Splash.exe" [2008-01-22 468288]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-23 483328]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-20 185632]
"PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 45108]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="e:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"InCD"="e:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 1057064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"58a3301c"="c:\winnt\system32\mapatawa.dll" [2009-03-06 79872]
"CPM5b900380"="c:\winnt\system32\vokizofe.dll" [2009-03-06 84992]
"ridosatidu"="c:\winnt\system32\tenugizu.dll" [N/A]
"Synchronization Manager"="mobsync.exe" [2008-04-13 c:\winnt\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-13 214528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\winnt\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-09-30 25214]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-20 65588]
Photo Loader supervisory.lnk - e:\program files\CASIO\Photo Loader\Plauto.exe [2008-11-06 229376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\winnt\system32\vokizofe.dll" [2009-03-06 84992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\vokizofe.dll [2009-03-06 84992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\winnt\system32\vokizofe.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"vidc.3IV2"= 3ivxVfWCodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\WINNT\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2008-02-08 14144]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2005-05-22 169280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-06-04 24652]
R3 brfilt;Brother MFC Filter Driver;c:\winnt\system32\drivers\BrFilt.sys [2008-04-01 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\winnt\system32\drivers\BrParImg.sys [2008-04-01 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\winnt\system32\drivers\BrParwdm.sys [2008-04-01 39552]
R3 BrSerWDM;Brother WDM Serial driver;c:\winnt\system32\drivers\BrSerWdm.sys [2008-04-01 61952]
S2 EMSLink;EMS Inter-Link driver V3.0;c:\winnt\system32\drivers\EM3Link.sys [2005-09-07 6176]
S2 StkSSrv;USB2.0 TVBOX Service;c:\winnt\System32\StkSrv2K_.exe --> c:\winnt\System32\StkSrv2K_.exe [?]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\winnt\system32\drivers\BrUsbMdm.sys [2008-07-10 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\winnt\system32\drivers\BrUsbScn.sys [2008-07-10 10368]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2005-03-30 66591]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3330a642-b43e-11dd-a10b-00065bc37623}]
\Shell\AutoRun\command - i:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - i:\system\viewer\FlipVideoforPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-03-07 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-03-07 c:\winnt\Tasks\At1.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At10.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At11.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At12.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At13.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At14.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At15.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At16.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-08 c:\winnt\Tasks\At17.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At18.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At19.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At2.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At20.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At21.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At22.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At23.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At24.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At25.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At26.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At27.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At28.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At29.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At3.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At30.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At31.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At32.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At33.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At34.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At35.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At36.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At37.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At38.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At39.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At4.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At40.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-08 c:\winnt\Tasks\At41.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At42.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At43.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At44.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At45.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At46.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At47.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At48.job
- c:\winnt\system32\0FGRs5Se.exe []

2009-03-07 c:\winnt\Tasks\At5.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At6.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At7.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At8.job
- c:\winnt\system32\7ptcvBag.exe []

2009-03-07 c:\winnt\Tasks\At9.job
- c:\winnt\system32\7ptcvBag.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{2365d1dc-d741-460d-b615-cad7b21796a2} - (no file)
BHO-{df35ffef-c0ea-47fb-b0f7-92c7a653a758} - c:\winnt\system32\xkuvyb.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x80djprj.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-07 15:56:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2748)
c:\winnt\system32\mapatawa.dll
c:\winnt\system32\vokizofe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\winnt\system32\Brmfrmps.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
e:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\winnt\system32\HPZipm12.exe
c:\winnt\system32\snmp.exe
c:\winnt\system32\wdfmgr.exe
c:\winnt\system32\mspmspsv.exe
c:\program files\McAfee\Managed VirusScan\Agent\myagttry.exe
c:\winnt\system32\rundll32.exe
c:\winnt\system32\BrmfRsmg.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\MANAGE~1\VScan\McShield.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\McAfee\Managed VirusScan\Agent\UpdDlg.exe
c:\winnt\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2009-03-07 16:05:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-08 00:05:16
ComboFix2.txt 2008-12-24 09:11:54

Pre-Run: 1,085,747,200 bytes free
Post-Run: 1,518,804,992 bytes free

298 --- E O F --- 2009-02-25 06:38:00

and the hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:09:58 PM, on 3/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\system32\Brmfrmps.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
E:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
E:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINNT\system32\BRMFRSMG.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\Whatever.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\McAfee\Managed VirusScan\Agent\HtmlDlg.Exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] E:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [58a3301c] rundll32.exe "C:\WINNT\system32\mapatawa.dll",b
O4 - HKLM\..\Run: [CPM5b900380] Rundll32.exe "c:\winnt\system32\vokizofe.dll",a
O4 - HKLM\..\Run: [ridosatidu] Rundll32.exe "C:\WINNT\system32\tenugizu.dll",s
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = E:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://enu.vs.mcafeeasap.com/VS2/bin/myCioAgt.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206769000921
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://96.236.65.17/Remote/msrdp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.31.2/ttinst.cab
O20 - AppInit_DLLs: c:\winnt\system32\vokizofe.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\vokizofe.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\vokizofe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: USB2.0 TVBOX Service (StkSSrv) - Unknown owner - C:\WINNT\System32\StkSrv2K_.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10704 bytes

Shaba
2009-03-08, 10:36
Open notepad and copy/paste the text in the codebox below into it:


File::
c:\winnt\system32\awatapam.ini
c:\temp\OY4aAKa1.exe
c:\winnt\system32\vokizofe.dll
c:\winnt\system32\mapatawa.dll
c:\winnt\system32\fevubitu.dll
c:\winnt\Tasks\At1.job
c:\winnt\Tasks\At10.job
c:\winnt\Tasks\At11.job
c:\winnt\Tasks\At12.job
c:\winnt\Tasks\At13.job
c:\winnt\Tasks\At14.job
c:\winnt\Tasks\At15.job
c:\winnt\Tasks\At16.job
c:\winnt\Tasks\At17.job
c:\winnt\Tasks\At18.job
c:\winnt\Tasks\At19.job
c:\winnt\Tasks\At2.job
c:\winnt\Tasks\At20.job
c:\winnt\Tasks\At21.job
c:\winnt\Tasks\At22.job
c:\winnt\Tasks\At23.job
c:\winnt\Tasks\At24.job
c:\winnt\Tasks\At25.job
c:\winnt\Tasks\At26.job
c:\winnt\Tasks\At27.job
c:\winnt\Tasks\At28.job
c:\winnt\Tasks\At29.job
c:\winnt\Tasks\At3.job
c:\winnt\Tasks\At30.job
c:\winnt\Tasks\At31.job
c:\winnt\Tasks\At32.job
c:\winnt\Tasks\At33.job
c:\winnt\Tasks\At34.job
c:\winnt\Tasks\At35.job
c:\winnt\Tasks\At36.job
c:\winnt\Tasks\At37.job
c:\winnt\Tasks\At38.job
c:\winnt\Tasks\At39.job
c:\winnt\Tasks\At4.job
c:\winnt\Tasks\At40.job
c:\winnt\Tasks\At41.job
c:\winnt\Tasks\At42.job
c:\winnt\Tasks\At43.job
c:\winnt\Tasks\At44.job
c:\winnt\Tasks\At45.job
c:\winnt\Tasks\At46.job
c:\winnt\Tasks\At47.job
c:\winnt\Tasks\At48.job
c:\winnt\Tasks\At5.job
c:\winnt\Tasks\At6.job
c:\winnt\Tasks\At7.job
c:\winnt\Tasks\At8.job
c:\winnt\Tasks\At9.job

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"58a3301c"=-
"CPM5b900380"=-
"ridosatidu"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time), and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happened, we want to know, and also what process you had to end.

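As an added example (not code from this thread, nor from the ComboFix or HijackThis authors): a Python triage helper that reads the HijackThis lines quoted above, groups the four DLL load points (O4 rundll32 Run entries, O20 AppInit_DLLs, O21 SSODL, O22 SharedTaskScheduler) by the DLL they share, flags the pattern that marks this infection (one system32 DLL registered at several load points, started by rundll32 with a one-letter export), and renders File:: and Registry:: sections in the CFScript layout used in the post above. The sample lines are copied from the log in this thread; the flagging heuristics are my own assumptions, not ComboFix's rules.

```python
import re
from collections import defaultdict

# Load-point line formats as HijackThis prints them. Only the DLL-loading
# entry types that this thread's infection used are parsed.
RUNDLL_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] '
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?(?:,(?P<export>\S+))?\s*$',
    re.IGNORECASE)
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs:\s*(?P<dlls>.+?)\s*$', re.IGNORECASE)
SSODL_RE = re.compile(
    r'^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<dll>.+?)\s*$',
    re.IGNORECASE)
STS_RE = re.compile(
    r'^O22 - SharedTaskScheduler: (?P<name>.+?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<dll>.+?)\s*$',
    re.IGNORECASE)

# Registry keys behind each HijackThis section, in the spelling a CFScript uses.
RUN_KEY = {"HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
           "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}
STS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample input: lines copied from the HijackThis log earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [58a3301c] rundll32.exe "C:\WINNT\system32\mapatawa.dll",b
O4 - HKLM\..\Run: [CPM5b900380] Rundll32.exe "c:\winnt\system32\vokizofe.dll",a
O4 - HKLM\..\Run: [ridosatidu] Rundll32.exe "C:\WINNT\system32\tenugizu.dll",s
O20 - AppInit_DLLs: c:\winnt\system32\vokizofe.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\vokizofe.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\vokizofe.dll
""".strip().splitlines()


def norm(path):
    """Case-fold and strip quotes so C:\\WINNT\\... and c:\\winnt\\... group together."""
    return path.strip().strip('"').lower()


def parse_load_points(lines):
    """Map each DLL path to the load points that reference it: (section, key, value_name, export)."""
    points = defaultdict(list)
    for line in lines:
        line = line.strip()
        m = RUNDLL_RE.match(line)
        if m:
            points[norm(m["dll"])].append(("O4", RUN_KEY[m["hive"].upper()], m["name"], m["export"]))
            continue
        m = APPINIT_RE.match(line)
        if m:
            for dll in re.split(r"[ ,]+", m["dlls"]):  # AppInit_DLLs may list several DLLs
                if dll:
                    points[norm(dll)].append(("O20", APPINIT_KEY, "AppInit_DLLs", None))
            continue
        m = SSODL_RE.match(line)
        if m:
            points[norm(m["dll"])].append(("O21", SSODL_KEY, m["name"].strip(), None))
            continue
        m = STS_RE.match(line)
        if m:
            points[norm(m["dll"])].append(("O22", STS_KEY, m["clsid"], None))
    return points


def flag_suspicious(points):
    """Assumed heuristics (mine, not ComboFix's): return {dll: (entries, reasons)} for DLLs worth review."""
    findings = {}
    for dll, entries in points.items():
        reasons = []
        sections = {e[0] for e in entries}
        if len(sections) > 1:
            reasons.append("same DLL registered at %d different load-point types" % len(sections))
        if any(e[0] == "O4" and e[3] is not None and len(e[3]) == 1 for e in entries):
            reasons.append("rundll32 calls a single-letter export from a system32 DLL")
        if "O20" in sections:
            reasons.append("AppInit_DLLs injects it into every process that loads user32.dll")
        if reasons:
            findings[dll] = (entries, reasons)
    return findings


def build_cfscript(findings):
    """Render File:: and Registry:: sections in the layout used by the CFScript in this thread."""
    by_key = defaultdict(list)
    for _dll, (entries, _reasons) in findings.items():
        for _section, key, value_name, _export in entries:
            if value_name not in by_key[key]:
                by_key[key].append(value_name)
    out = ["File::"] + sorted(findings) + ["", "Registry::"]
    for key in by_key:
        out.append("[%s]" % key)
        out.extend('"%s"=-' % v for v in by_key[key])
        out.append("")
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    found = flag_suspicious(parse_load_points(SAMPLE_LOG))
    for dll, (entries, reasons) in found.items():
        print(dll, "->", "; ".join(reasons))
    print(build_cfscript(found))
```

The benign iTunesHelper Run entry is not a DLL load point and never reaches the output; review every flagged path by hand before it goes into a script, since the heuristics only rank candidates.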
riderfam5
2009-03-08, 20:50
It seems to be running better now. The hard drive is not constantly working and I'm not seeing the pop-up windows.

Here are the updated log files:

ComboFix 09-03-06.02 - Administrator 2009-03-08 12:29:20.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.664 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\cfscript.txt
AV: Total Protection Service *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\temp\OY4aAKa1.exe
c:\winnt\system32\awatapam.ini
c:\winnt\system32\fevubitu.dll
c:\winnt\system32\mapatawa.dll
c:\winnt\system32\vokizofe.dll
c:\winnt\Tasks\At1.job
c:\winnt\Tasks\At10.job
c:\winnt\Tasks\At11.job
c:\winnt\Tasks\At12.job
c:\winnt\Tasks\At13.job
c:\winnt\Tasks\At14.job
c:\winnt\Tasks\At15.job
c:\winnt\Tasks\At16.job
c:\winnt\Tasks\At17.job
c:\winnt\Tasks\At18.job
c:\winnt\Tasks\At19.job
c:\winnt\Tasks\At2.job
c:\winnt\Tasks\At20.job
c:\winnt\Tasks\At21.job
c:\winnt\Tasks\At22.job
c:\winnt\Tasks\At23.job
c:\winnt\Tasks\At24.job
c:\winnt\Tasks\At25.job
c:\winnt\Tasks\At26.job
c:\winnt\Tasks\At27.job
c:\winnt\Tasks\At28.job
c:\winnt\Tasks\At29.job
c:\winnt\Tasks\At3.job
c:\winnt\Tasks\At30.job
c:\winnt\Tasks\At31.job
c:\winnt\Tasks\At32.job
c:\winnt\Tasks\At33.job
c:\winnt\Tasks\At34.job
c:\winnt\Tasks\At35.job
c:\winnt\Tasks\At36.job
c:\winnt\Tasks\At37.job
c:\winnt\Tasks\At38.job
c:\winnt\Tasks\At39.job
c:\winnt\Tasks\At4.job
c:\winnt\Tasks\At40.job
c:\winnt\Tasks\At41.job
c:\winnt\Tasks\At42.job
c:\winnt\Tasks\At43.job
c:\winnt\Tasks\At44.job
c:\winnt\Tasks\At45.job
c:\winnt\Tasks\At46.job
c:\winnt\Tasks\At47.job
c:\winnt\Tasks\At48.job
c:\winnt\Tasks\At5.job
c:\winnt\Tasks\At6.job
c:\winnt\Tasks\At7.job
c:\winnt\Tasks\At8.job
c:\winnt\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\OY4aAKa1.exe
c:\winnt\system32\awatapam.ini
c:\winnt\system32\fevubitu.dll
c:\winnt\system32\mapatawa.dll
c:\winnt\system32\vokizofe.dll
c:\winnt\Tasks\At1.job
c:\winnt\Tasks\At10.job
c:\winnt\Tasks\At11.job
c:\winnt\Tasks\At12.job
c:\winnt\Tasks\At13.job
c:\winnt\Tasks\At14.job
c:\winnt\Tasks\At15.job
c:\winnt\Tasks\At16.job
c:\winnt\Tasks\At17.job
c:\winnt\Tasks\At18.job
c:\winnt\Tasks\At19.job
c:\winnt\Tasks\At2.job
c:\winnt\Tasks\At20.job
c:\winnt\Tasks\At21.job
c:\winnt\Tasks\At22.job
c:\winnt\Tasks\At23.job
c:\winnt\Tasks\At24.job
c:\winnt\Tasks\At25.job
c:\winnt\Tasks\At26.job
c:\winnt\Tasks\At27.job
c:\winnt\Tasks\At28.job
c:\winnt\Tasks\At29.job
c:\winnt\Tasks\At3.job
c:\winnt\Tasks\At30.job
c:\winnt\Tasks\At31.job
c:\winnt\Tasks\At32.job
c:\winnt\Tasks\At33.job
c:\winnt\Tasks\At34.job
c:\winnt\Tasks\At35.job
c:\winnt\Tasks\At36.job
c:\winnt\Tasks\At37.job
c:\winnt\Tasks\At38.job
c:\winnt\Tasks\At39.job
c:\winnt\Tasks\At4.job
c:\winnt\Tasks\At40.job
c:\winnt\Tasks\At41.job
c:\winnt\Tasks\At42.job
c:\winnt\Tasks\At43.job
c:\winnt\Tasks\At44.job
c:\winnt\Tasks\At45.job
c:\winnt\Tasks\At46.job
c:\winnt\Tasks\At47.job
c:\winnt\Tasks\At48.job
c:\winnt\Tasks\At5.job
c:\winnt\Tasks\At6.job
c:\winnt\Tasks\At7.job
c:\winnt\Tasks\At8.job
c:\winnt\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 00:45 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-04 17:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-04 17:42 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-03 22:45 --------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2009-01-16 00:45 --------- d-----w c:\program files\iTunes
2009-01-15 07:12 --------- d-----w c:\program files\iPod
2009-01-15 07:12 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-15 07:08 --------- d-----w c:\program files\QuickTime
2009-01-15 07:06 --------- d-----w c:\program files\Common Files\Apple
2009-01-14 06:54 --------- d-----w c:\program files\Google
2009-01-12 23:51 --------- d-----w c:\documents and settings\Administrator\Application Data\TaxCut
2005-03-30 17:26 271 --sha-w c:\program files\desktop.ini
2005-03-30 17:26 21,952 ---ha-w c:\program files\folder.htt
2008-09-09 14:29 32,768 --sha-w c:\winnt\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090920080910\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-07_16.01.52.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 04:02:28 163,328 ----a-w c:\winnt\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 03:02:28 163,328 ----a-w c:\winnt\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 16:00:00 29,696 ----a-w c:\winnt\NIRCMD.exe
+ 2000-08-31 15:00:00 29,696 ----a-w c:\winnt\NIRCMD.exe
- 2000-08-31 16:00:00 161,792 ----a-w c:\winnt\SWREG.exe
+ 2000-08-31 15:00:00 161,792 ----a-w c:\winnt\SWREG.exe
- 2008-12-18 06:25:13 54,690 ----a-w c:\winnt\system32\perfc009.dat
+ 2009-03-08 19:19:24 54,690 ----a-w c:\winnt\system32\perfc009.dat
- 2008-12-18 06:25:13 385,746 ----a-w c:\winnt\system32\perfh009.dat
+ 2009-03-08 19:19:24 385,746 ----a-w c:\winnt\system32\perfh009.dat
+ 2009-03-08 19:34:31 16,384 ----atw c:\winnt\temp\Perflib_Perfdata_648.dat
+ 2009-03-08 19:34:37 16,384 ----atw c:\winnt\temp\Perflib_Perfdata_708.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 307,200 2005-08-18 19:49:06 c:\program files\Adobe\Acrobat 7.0\Acrobat\bak\AdobeUpdateManager.exe
----a-r 307,200 2005-08-18 19:49:06 c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

----a-w 483,328 2005-09-24 05:30:38 c:\program files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe
----a-w 483,328 2005-09-24 05:30:38 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

----a-w 120,320 2006-10-15 02:54:23 c:\program files\Google\Google Desktop Search\bak\GoogleDesktop.exe

----a-w 49,152 2006-02-19 10:41:10 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 229,952 2006-09-25 21:54:24 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 290,088 2008-11-20 21:20:54 c:\program files\iTunes\iTunesHelper.exe

----a-w 49,263 2006-11-09 23:07:30 c:\program files\Java\jre1.5.0_10\bin\bak\jusched.exe

----a-w 22,523 2000-09-13 03:40:02 c:\program files\Konami\Woody Woodpecker Racing\Data\Models\Cars\Atv\bak\ATV.PSD
----a-w 11,071 2000-09-30 03:27:36 c:\program files\Konami\Woody Woodpecker Racing\Data\Models\Cars\Atv\ATV.PSD

----a-w 139,264 2006-05-02 21:11:48 c:\program files\McAfee\Managed VirusScan\Agent\bak\myagttry.exe
----a-w 247,104 2008-01-23 06:09:30 c:\program files\McAfee\Managed VirusScan\Agent\myagttry.exe

----a-w 409,600 2006-05-02 21:27:26 c:\program files\McAfee\Managed VirusScan\Agent\bak\Splash.exe
----a-w 468,288 2008-01-23 06:09:32 c:\program files\McAfee\Managed VirusScan\Agent\Splash.exe

----a-w 282,624 2006-09-24 10:24:54 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-11-04 18:30:50 c:\program files\QuickTime\QTTask.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-27 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfee Managed Services Tray"="c:\program files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2008-01-22 87360]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\Agent\Splash.exe" [2008-01-22 468288]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-23 483328]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-20 185632]
"PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 45108]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="e:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"InCD"="e:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 1057064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Synchronization Manager"="mobsync.exe" [2008-04-13 c:\winnt\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-13 214528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\winnt\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-09-30 25214]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
Photo Loader supervisory.lnk - e:\program files\CASIO\Photo Loader\Plauto.exe [2008-11-06 229376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"vidc.3IV2"= 3ivxVfWCodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\WINNT\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2008-02-08 14144]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2005-05-22 169280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-06-04 24652]
R3 brfilt;Brother MFC Filter Driver;c:\winnt\system32\drivers\BrFilt.sys [2008-04-01 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\winnt\system32\drivers\BrParImg.sys [2008-04-01 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\winnt\system32\drivers\BrParwdm.sys [2008-04-01 39552]
R3 BrSerWDM;Brother WDM Serial driver;c:\winnt\system32\drivers\BrSerWdm.sys [2008-04-01 61952]
S2 EMSLink;EMS Inter-Link driver V3.0;c:\winnt\system32\drivers\EM3Link.sys [2005-09-07 6176]
S2 StkSSrv;USB2.0 TVBOX Service;c:\winnt\System32\StkSrv2K_.exe --> c:\winnt\System32\StkSrv2K_.exe [?]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\winnt\system32\drivers\BrUsbMdm.sys [2008-07-10 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\winnt\system32\drivers\BrUsbScn.sys [2008-07-10 10368]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2005-03-30 66591]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3330a642-b43e-11dd-a10b-00065bc37623}]
\Shell\AutoRun\command - i:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - i:\system\viewer\FlipVideoforPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-03-07 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x80djprj.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-08 12:36:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\winnt\system32\Brmfrmps.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
e:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\winnt\system32\HPZipm12.exe
c:\winnt\system32\snmp.exe
c:\winnt\system32\wdfmgr.exe
c:\winnt\system32\mspmspsv.exe
c:\winnt\system32\BrmfRsmg.exe
c:\program files\McAfee\Managed VirusScan\Agent\myagttry.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\program files\iPod\bin\iPodService.exe
c:\winnt\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-08 12:42:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-08 19:42:10
ComboFix2.txt 2009-03-08 00:05:37
ComboFix3.txt 2008-12-24 09:11:54

Pre-Run: 1,477,193,728 bytes free
Post-Run: 1,516,249,088 bytes free

288 --- E O F --- 2009-02-25 06:38:00

Hijack-this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:32 PM, on 3/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\system32\Brmfrmps.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
E:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\BRMFRSMG.EXE
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
E:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\Whatever.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] E:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = E:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://enu.vs.mcafeeasap.com/VS2/bin/myCioAgt.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206769000921
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://96.236.65.17/Remote/msrdp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.31.2/ttinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: USB2.0 TVBOX Service (StkSSrv) - Unknown owner - C:\WINNT\System32\StkSrv2K_.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10055 bytes

Shaba
2009-03-08, 20:59
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select "Run as administrator" to perform this scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  - Spyware, Adware, Dialers, and other potentially dangerous programs
  - Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)

riderfam5
2009-03-10, 05:54
I ran the Kaspersky scan but it didn't detect any malware. There was no logfile. Here is the hjt file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:16 PM, on 3/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
E:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\system32\Brmfrmps.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
E:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\BRMFRSMG.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Whatever.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] E:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = E:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://enu.vs.mcafeeasap.com/VS2/bin/myCioAgt.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206769000921
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://96.236.65.17/Remote/msrdp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.31.2/ttinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: USB2.0 TVBOX Service (StkSSrv) - Unknown owner - C:\WINNT\System32\StkSrv2K_.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10089 bytes

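Added example (editor's note, not part of the thread and not HijackThis code): a small Python triage script that applies the first-pass checks a helper makes when reading a HijackThis 2.0.x log like the two posted above. It parses the O2 (BHO), O4 (Run/Startup), O16 (ActiveX DPF) and O23 (service) lines and flags only the patterns worth a second look: a BHO with no name or a DLL outside Program Files, a Run target with no absolute path or one living outside Program Files and the Windows directory, an ActiveX control downloaded from a bare IP address, and a service whose binary is "(file missing)" or has "Unknown owner". The sample input reuses lines copied from the log above plus two lines marked CONSTRUCTED (a placeholder CLSID, DLL name, EXE name and user name) that show the shape a Virtumonde/Vundo-style BHO and Run entry would take; the script is offline and the flags are review heuristics, not verdicts.

```python
"""Triage helper for HijackThis 2.0.x log lines (added example, not HJT code).

Flags the entry types a helper reads first; everything else is left alone:
  O2  BHO "(no name)" or DLL outside Program Files (Vundo drops random DLLs in system32)
  O4  Run/Startup target with no absolute path, or outside Program Files / Windows
  O16 ActiveX (DPF) control downloaded from a bare IP address
  O23 service binary "(file missing)" or "Unknown owner"
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Lines copied verbatim from the log posted above.
POSTED_LINES = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://96.236.65.17/Remote/msrdp.cab
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: USB2.0 TVBOX Service (StkSSrv) - Unknown owner - C:\WINNT\System32\StkSrv2K_.exe (file missing)
"""

# CONSTRUCTED lines (not from the log): the shape a Vundo-style infection takes
# in an HJT log. CLSID, DLL/EXE names and the user name are placeholders.
CONSTRUCTED_LINES = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINNT\system32\khfgabcd.dll
O4 - HKCU\..\Run: [rhcgabcd] C:\DOCUME~1\user\LOCALS~1\Temp\rhcgabcd.exe
"""

SAMPLE_LOG = POSTED_LINES + CONSTRUCTED_LINES

ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')
PROGRAM_DIR_RE = re.compile(r'^"?[A-Za-z]:\\(Program Files|PROGRA~1)\\', re.IGNORECASE)
SYSTEM_OR_PROGRAM_DIR_RE = re.compile(
    r'^"?[A-Za-z]:\\(Program Files|PROGRA~1|WINNT|WINDOWS)\\', re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Finding:
    section: str
    reasons: list[str]
    line: str


def check_bho(body: str) -> list[str]:
    # body: "BHO: <name> - {CLSID} - <dll path>"; the name may itself contain " - "
    name = body[len("BHO: "):].partition(" - ")[0]
    dll = body.rpartition(" - ")[2]
    reasons = []
    if name == "(no name)":
        reasons.append("BHO has no name")
    if not PROGRAM_DIR_RE.match(dll):
        reasons.append("BHO DLL not under Program Files")
    return reasons


def check_run(body: str) -> list[str]:
    # body: "<hive>\..\Run: [<name>] <command>" or "Global Startup: <lnk> = <target>"
    if body.startswith(("Global Startup:", "Startup:")):
        target = body.partition(" = ")[2]
    else:
        m = re.match(r".*?: \[[^\]]*\] (.*)$", body)
        if not m:
            return ["unparsed O4 entry"]
        target = m.group(1)
    if not ABS_PATH_RE.match(target):
        return ["Run target has no absolute path (resolved via the search path)"]
    if not SYSTEM_OR_PROGRAM_DIR_RE.match(target):
        return ["Run target outside Program Files and the Windows directory"]
    return []


def check_dpf(body: str) -> list[str]:
    # body: "DPF: {CLSID} (<name>) - <url or local path>"
    source = body.rpartition(" - ")[2]
    if not re.match(r"https?://", source, re.IGNORECASE):
        return []  # locally registered control, nothing is downloaded
    host = urlparse(source).hostname or ""
    if IPV4_RE.match(host):
        return ["ActiveX control downloaded from a bare IP address"]
    return []


def check_service(body: str) -> list[str]:
    reasons = []
    if body.endswith("(file missing)"):
        reasons.append("service binary missing on disk")
    if " - Unknown owner - " in body:
        reasons.append("service binary has no publisher (Unknown owner)")
    return reasons


CHECKS = {"O2": check_bho, "O4": check_run, "O16": check_dpf, "O23": check_service}


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m or m.group(1) not in CHECKS:
            continue
        reasons = CHECKS[m.group(1)](m.group(2))
        if reasons:
            findings.append(Finding(m.group(1), reasons, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
```

Run against the posted lines alone, the only hits are the StkSSrv service with its binary missing and the RDP web control served from a bare IP, both of which the machine's owner should be able to account for; the two constructed lines show what a genuine Vundo-style BHO and Run entry would look like when they trip the same checks. The heuristics deliberately do not flag plain-HTTP O16 downloads or the HKUS\S-1-5-18 RunOnce entries, since every O16 control in this log except the RDP one is HTTP and those RunOnce entries are standard on XP; a real review still reads every line.
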
Shaba
2009-03-10, 06:57
Great :)

Still problems?

riderfam5
2009-03-11, 01:04
Everything seems to be working fine. Am I okay?

Shaba
2009-03-11, 06:08
Yes, we can then assume so.

Before final instructions, does McAfee have antivirus only?

Shaba
2009-03-16, 07:51
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.