Malware problems
Dominance
2009-04-29, 09:19
Hello, I have some problems with my computer. I've already deleted multiple traces of spyware, but some still linger. On startup I get the rundll message "cannot run protect dll", and "cannot run autocheck" (something along those lines). I know they are part of the spyware, and would like to resolve this.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:01 AM, on 4/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\libusbd-nt.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
\?\globalroot\C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/intl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = verizon
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {a057a204-bacc-4d26-9990-79a187e2698e} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [] C:\DOCUME~1\Jtwist\LOCALS~1\Temp\dlr9envu.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.dll (User 'Default user')
O4 - Startup: ChkDisk.lnk = ?
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: NYKO Gamepad Mapping Tools.lnk = C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\refomoyo c:\windows\system32\zuzadoja.dll,C:\WINDOWS\system32\refomoyo.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Jtwist/LOCALS~1/Temp/msohtml1/01/clip_image003.gif
--
End of file - 11363 bytes
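As an added example (not part of this thread, and not HijackThis or ComboFix code), a small Python triage script that applies to the O4 and O20 lines above the checks a helper does by eye: an empty Run value name, a target under a Temp or service-profile directory, one value name (autochk) registered in three hives against different DLLs, one export name shared by DLLs that have nothing else in common, and a populated AppInit_DLLs list. The sample lines are copied from the log; the heuristics are my assumptions, and a hit is a prompt to look closer, not a verdict.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: O4/O20 lines copied from the HijackThis log in this thread,
# with three ordinary entries (NvCplDaemon, ctfmon.exe, avgrsstarter) kept for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [] C:\DOCUME~1\Jtwist\LOCALS~1\Temp\dlr9envu.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O20 - AppInit_DLLs: C:\WINDOWS\system32\refomoyo c:\windows\system32\zuzadoja.dll,C:\WINDOWS\system32\refomoyo.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
"""

# O4 lines: "O4 - <hive>\..\Run: [<value name>] <command> (User '<name>')?"
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '[^']*'\))?$"
)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
# Heuristic (assumption): a legitimate autostart rarely lives in a per-user Temp
# directory or under the service/system profile tree (8.3 names as HJT prints them).
ODD_DIRS = re.compile(r"\\(?:Temp|LOCALS~1|systemprofile|config\\SYSTEM~1)\\", re.I)


@dataclass
class Entry:
    line: str
    hive: str
    name: str
    cmd: str
    dll: str = ""     # DLL path when the command goes through rundll32.exe
    export: str = ""  # export name after the comma in a rundll32 command


def parse_o4(line):
    """Parse one O4 Run-key line; returns None for anything else."""
    m = O4_RE.match(line)
    if not m:
        return None
    e = Entry(line, m["hive"], m["name"], m["cmd"])
    parts = e.cmd.split(None, 1)
    if len(parts) == 2 and parts[0].lower() == "rundll32.exe":
        target, sep, export = parts[1].rpartition(",")
        e.dll, e.export = (target, export) if sep else (parts[1], "")
    return e


def triage(log_text):
    """Map each suspicious log line to the list of reasons it was flagged."""
    findings = defaultdict(list)
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e]
    # Cross-line correlation: one value name registered in several hives but
    # pointing at different files, and one export name served by DLLs that
    # share nothing but that export.
    by_name = defaultdict(set)
    by_export = defaultdict(set)
    for e in entries:
        by_name[e.name.lower()].add((e.dll or e.cmd).lower())
        if e.export:
            by_export[e.export].add(e.dll.rsplit("\\", 1)[-1].lower())
    for e in entries:
        if e.name == "":
            findings[e.line].append("Run value with an empty name")
        if ODD_DIRS.search(e.dll or e.cmd):
            findings[e.line].append("target lives in a Temp or service-profile directory")
        if len(by_name[e.name.lower()]) > 1:
            findings[e.line].append(f"value name '{e.name}' points at different files in different hives")
        if e.export and len(by_export[e.export]) > 1:
            findings[e.line].append(f"export {e.export} is shared by differently named DLLs")
    for line in log_text.splitlines():
        m = APPINIT_RE.match(line)
        if m:  # AppInit_DLLs are loaded into every process that maps user32.dll
            dlls = [d for d in re.split(r"[ ,]+", m["dlls"].strip()) if d]
            findings[line].append(f"AppInit_DLLs injects {len(dlls)} module(s) system-wide")
    return dict(findings)


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run against the sample, the five lines it flags are exactly the three autochk entries, the nameless Temp executable and the AppInit_DLLs line; the AVG, NVIDIA and ctfmon entries pass.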
Hi there,
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link: http://www.bleepingcomputer.com/forums/topic114351.html).
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Dominance
2009-05-01, 03:44
First off, thanks for your help, I really appreciate it. Here are the ComboFix and HJT logs.
ComboFix 09-04-30.05 - Jtwist 04/30/2009 20:11:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.638 [GMT -4:00]
Running from: C:\Documents and Settings\Jtwist\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall Plus *disabled*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Jtwist\Application Data\wiaserva.log
C:\WINDOWS\mqcd.dbt
C:\WINDOWS\system32\ashl.nq
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\config\systemprofile\protect.dll
C:\WINDOWS\system32\dolman.zt
C:\WINDOWS\system32\drivers\ovfsthalkbdwtmnmlxnrnckwturyjnjcxjtgdy.sys
C:\WINDOWS\system32\fairy.an
C:\WINDOWS\system32\ferryl.cbv
C:\WINDOWS\system32\inqby.sr
C:\WINDOWS\system32\ovfsthekghujlubksdxbprjgtwolgknrdovgwy.dll
C:\WINDOWS\system32\ovfsthjvviliusxrpxtnmnawrqihbcloedyjec.dll
C:\WINDOWS\system32\ovfsthrjkamerjaccfmsggbxrilragpqrxyhns.dat
C:\WINDOWS\system32\ovfsthsxwsgmvtpfyrixmibmntyrhwsktxdxoq.dat
C:\WINDOWS\system32\ovfsthvsiqimqqejxwticfaisnaoqecxrjntdo.dll
.
---- Previous Run -------
.
C:\WINDOWS\mqcd.dbt
C:\WINDOWS\system32\ashl.nq
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\config\systemprofile\protect.dll
C:\WINDOWS\system32\dolman.zt
C:\WINDOWS\system32\drivers\ovfsthalkbdwtmnmlxnrnckwturyjnjcxjtgdy.sys
C:\WINDOWS\system32\fairy.an
C:\WINDOWS\system32\ferryl.cbv
C:\WINDOWS\system32\inqby.sr
C:\WINDOWS\system32\ovfsthekghujlubksdxbprjgtwolgknrdovgwy.dll
C:\WINDOWS\system32\ovfsthjvviliusxrpxtnmnawrqihbcloedyjec.dll
C:\WINDOWS\system32\ovfsthrjkamerjaccfmsggbxrilragpqrxyhns.dat
C:\WINDOWS\system32\ovfsthsxwsgmvtpfyrixmibmntyrhwsktxdxoq.dat
C:\WINDOWS\system32\ovfsthvsiqimqqejxwticfaisnaoqecxrjntdo.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_ovfsthmvpyxddwoyufoqfttabivkbeentoyoul
-------\Legacy_WIN32X
((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.
2009-04-29 05:52:45 . 2009-04-29 05:52:45 0 d-----w C:\Program Files\Trend Micro
2009-04-29 05:42:48 . 2009-04-29 05:43:05 0 d-----w C:\Program Files\ERUNT
2009-04-29 04:00:38 . 2009-04-29 22:11:25 0 d--h--w C:\$AVG8.VAULT$
2009-04-29 03:56:31 . 2009-04-29 03:56:31 10520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2009-04-29 03:56:31 . 2009-04-29 03:56:31 108552 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2009-04-29 03:56:25 . 2009-04-29 03:56:25 325640 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2009-04-29 03:56:20 . 2009-04-30 22:54:23 0 d-----w C:\WINDOWS\system32\drivers\Avg
2009-04-29 03:56:20 . 2009-04-29 03:56:20 0 d-----w C:\Documents and Settings\Jtwist\Application Data\AVGTOOLBAR
2009-04-29 03:56:06 . 2009-04-29 03:56:06 0 d-----w C:\Program Files\AVG
2009-04-29 03:56:05 . 2009-04-30 23:38:28 0 d-----w C:\Documents and Settings\All Users\Application Data\avg8
2009-04-29 03:36:33 . 2009-04-29 03:38:46 0 d-----w C:\Program Files\SpywareBlaster
2009-04-29 01:15:56 . 2009-04-29 01:15:56 0 d-----w C:\Documents and Settings\Jtwist\Application Data\Malwarebytes
2009-04-29 01:15:53 . 2009-04-06 19:32:46 15504 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2009-04-29 01:15:51 . 2009-04-06 19:32:54 38496 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-04-29 01:15:50 . 2009-04-29 01:15:50 0 d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-29 01:15:50 . 2009-04-29 01:15:54 0 d-----w C:\Program Files\Malwarebytes' Anti-Malware
2009-04-28 20:44:28 . 2009-04-29 02:34:17 0 d-----w C:\WINDOWS\system32\796525
2009-04-28 20:44:19 . 2009-05-01 00:17:04 109308 ----a-w C:\WINDOWS\system32\drivers\80132f40.sys
2009-04-23 01:46:40 . 2009-04-23 01:46:40 0 d-----w C:\Program Files\danny_kay1710
2009-04-21 22:40:51 . 2009-04-21 22:46:24 0 d-----w C:\Program Files\PSP Grader
2009-04-21 22:00:25 . 2009-04-21 22:00:25 0 d-----w C:\mspformat
2009-04-21 22:00:25 . 2009-04-21 22:00:25 0 d-----w C:\msinst
2009-04-14 03:36:20 . 2009-04-14 03:36:20 0 d-----w C:\Documents and Settings\Jtwist\Application Data\com.doubleperfect.ggpo.0753AD3679DBFCA1E7F470171B7D0DB8B404A7EA.1
2009-04-14 03:27:18 . 2009-04-14 03:37:50 0 d-----w C:\Program Files\GGPO
2009-04-14 03:26:25 . 2009-04-14 03:26:25 0 d-----w C:\Program Files\Common Files\Adobe AIR
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 00:14:18 . 2004-08-04 10:00:00 577536 ----a-w C:\WINDOWS\system32\user32.dll
2009-04-21 02:43:12 . 2005-11-24 01:47:46 0 d-----w C:\Program Files\Spybot - Search & Destroy
2009-03-25 21:13:23 . 2009-03-25 21:12:39 0 d-----w C:\Program Files\QuickTime
2009-03-25 21:11:26 . 2007-04-22 05:16:27 0 d-----w C:\Program Files\Apple Software Update
2009-03-06 17:47:06 . 2007-10-08 02:21:12 0 d-----w C:\Program Files\Electronic Arts
2009-03-06 17:46:34 . 2005-05-03 15:55:56 0 d--h--w C:\Program Files\InstallShield Installation Information
2009-03-06 14:44:35 . 2004-08-04 10:00:00 283648 ----a-w C:\WINDOWS\system32\pdh.dll
2009-02-20 08:30:23 . 2004-08-04 10:00:00 81920 ----a-w C:\WINDOWS\system32\ieencode.dll
2009-02-20 08:30:23 . 2004-08-04 10:00:00 659456 ----a-w C:\WINDOWS\system32\wininet.dll
2009-02-09 10:20:34 . 2004-08-04 10:00:00 723456 ----a-w C:\WINDOWS\system32\lsasrv.dll
2009-02-09 10:20:34 . 2004-08-04 10:00:00 399360 ----a-w C:\WINDOWS\system32\rpcss.dll
2009-02-09 10:20:33 . 2004-08-04 10:00:00 714752 ----a-w C:\WINDOWS\system32\ntdll.dll
2009-02-09 10:20:33 . 2004-08-04 10:00:00 616960 ----a-w C:\WINDOWS\system32\advapi32.dll
2009-02-09 10:19:34 . 2004-08-04 10:00:00 1846272 ----a-w C:\WINDOWS\system32\win32k.sys
2009-02-06 17:22:17 . 1980-01-01 05:00:00 2136064 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2009-02-06 17:14:03 . 2004-08-04 10:00:00 110592 ----a-w C:\WINDOWS\system32\services.exe
2009-02-06 16:54:36 . 2004-08-04 10:00:00 35328 ----a-w C:\WINDOWS\system32\sc.exe
2009-02-06 16:49:02 . 1980-01-01 05:00:00 2015744 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2009-02-03 20:08:52 . 2004-08-04 10:00:00 55808 ----a-w C:\WINDOWS\system32\secur32.dll
2008-12-19 07:03:24 . 2005-11-29 19:19:25 67688 ----a-w C:\Program Files\mozilla firefox\components\jar50.dll
2008-12-19 07:03:24 . 2005-11-29 19:19:28 54368 ----a-w C:\Program Files\mozilla firefox\components\jsd3250.dll
2008-12-19 07:03:24 . 2007-06-29 15:37:32 34944 ----a-w C:\Program Files\mozilla firefox\components\myspell.dll
2008-12-19 07:03:24 . 2007-06-29 15:37:36 46712 ----a-w C:\Program Files\mozilla firefox\components\spellchk.dll
2008-12-19 07:03:24 . 2005-11-29 19:19:25 172136 ----a-w C:\Program Files\mozilla firefox\components\xpinstal.dll
2005-05-13 21:12:00 . 2005-05-13 21:12:00 217073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 15:13:58 . 2005-10-24 15:13:58 66560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-14 01:27:00 . 2005-10-14 01:27:00 422400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-07 23:14:52 . 2005-10-07 23:14:52 308224 --sha-r C:\WINDOWS\SYSTEM32\avisynth.dll
2005-07-14 16:31:20 . 2005-07-14 16:31:20 27648 --sha-r C:\WINDOWS\SYSTEM32\AVSredirect.dll
2005-06-26 19:32:28 . 2005-06-26 19:32:28 616448 --sha-r C:\WINDOWS\SYSTEM32\cygwin1.dll
2005-06-22 02:37:42 . 2005-06-22 02:37:42 45568 --sha-r C:\WINDOWS\SYSTEM32\cygz.dll
2004-01-25 04:00:00 . 2004-01-25 04:00:00 70656 --sha-r C:\WINDOWS\SYSTEM32\i420vfw.dll
2006-04-27 14:24:24 . 2006-04-27 14:24:24 2945024 --sha-r C:\WINDOWS\SYSTEM32\Smab.dll
2005-02-28 17:16:22 . 2005-02-28 17:16:22 240128 --sha-r C:\WINDOWS\SYSTEM32\x.264.exe
2004-01-25 04:00:00 . 2004-01-25 04:00:00 70656 --sha-r C:\WINDOWS\SYSTEM32\yv12vfw.dll
.
Infected C:\WINDOWS\system32\user32.dll hex repaired
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:38 PM, on 4/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\libusbd-nt.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = verizon
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {a057a204-bacc-4d26-9990-79a187e2698e} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: NYKO Gamepad Mapping Tools.lnk = C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Jtwist/LOCALS~1/Temp/msohtml1/01/clip_image003.gif
--
End of file - 11050 bytes
Hi again
Looks like ComboFix log didn't get fully posted. Could you post a complete one, please? :)
Dominance
2009-05-01, 20:16
Hello again. When ComboFix was writing the log my computer crashed and got a blue screen; that must be why it didn't complete. Should I run ComboFix again? Thanks for your help, and sorry for the inconvenience.
Hi
Yes, please run ComboFix again :)
Dominance
2009-05-01, 23:37
OK, sorry for the wait; it took a few tries but I finally got it.
ComboFix 09-04-30.05 - Jtwist 05/01/2009 16:22.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.547 [GMT -4:00]
Running from: c:\documents and settings\Jtwist\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall Plus *disabled*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Jtwist\Application Data\wiaserva.log
c:\windows\mqcd.dbt
c:\windows\system32\ashl.nq
c:\windows\system32\bszip.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\dolman.zt
c:\windows\system32\drivers\ovfsthalkbdwtmnmlxnrnckwturyjnjcxjtgdy.sys
c:\windows\system32\fairy.an
c:\windows\system32\ferryl.cbv
c:\windows\system32\inqby.sr
c:\windows\system32\ovfsthekghujlubksdxbprjgtwolgknrdovgwy.dll
c:\windows\system32\ovfsthjvviliusxrpxtnmnawrqihbcloedyjec.dll
c:\windows\system32\ovfsthrjkamerjaccfmsggbxrilragpqrxyhns.dat
c:\windows\system32\ovfsthsxwsgmvtpfyrixmibmntyrhwsktxdxoq.dat
c:\windows\system32\ovfsthvsiqimqqejxwticfaisnaoqecxrjntdo.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_ovfsthmvpyxddwoyufoqfttabivkbeentoyoul
-------\Legacy_WIN32X
-------\Legacy_win32x
-------\Legacy_WIN32X
((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.
2009-04-29 05:52 . 2009-04-29 05:52 -------- d-----w c:\program files\Trend Micro
2009-04-29 05:42 . 2009-04-29 05:43 -------- d-----w c:\program files\ERUNT
2009-04-29 04:00 . 2009-04-29 22:11 -------- d--h--w C:\$AVG8.VAULT$
2009-04-29 03:56 . 2009-04-29 03:56 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-29 03:56 . 2009-04-29 03:56 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-29 03:56 . 2009-04-29 03:56 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-29 03:56 . 2009-04-30 22:54 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-29 03:56 . 2009-04-29 03:56 -------- d-----w c:\documents and settings\Jtwist\Application Data\AVGTOOLBAR
2009-04-29 03:56 . 2009-04-29 03:56 -------- d-----w c:\program files\AVG
2009-04-29 03:56 . 2009-04-30 23:38 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-29 03:36 . 2009-04-29 03:38 -------- d-----w c:\program files\SpywareBlaster
2009-04-29 01:15 . 2009-04-29 01:15 -------- d-----w c:\documents and settings\Jtwist\Application Data\Malwarebytes
2009-04-29 01:15 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-29 01:15 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 01:15 . 2009-04-29 01:15 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-29 01:15 . 2009-04-29 01:15 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-28 20:44 . 2009-04-29 02:34 -------- d-----w c:\windows\system32\796525
2009-04-28 20:44 . 2009-05-01 20:10 0 ----a-w c:\windows\system32\drivers\80132f40.sys
2009-04-23 01:46 . 2009-04-23 01:46 -------- d-----w c:\program files\danny_kay1710
2009-04-21 22:40 . 2009-04-21 22:46 -------- d-----w c:\program files\PSP Grader
2009-04-21 22:00 . 2009-04-21 22:00 -------- d-----w C:\mspformat
2009-04-21 22:00 . 2009-04-21 22:00 -------- d-----w C:\msinst
2009-04-14 03:36 . 2009-04-14 03:36 -------- d-----w c:\documents and settings\Jtwist\Application Data\com.doubleperfect.ggpo.0753AD3679DBFCA1E7F470171B7D0DB8B404A7EA.1
2009-04-14 03:27 . 2009-04-14 03:37 -------- d-----w c:\program files\GGPO
2009-04-14 03:26 . 2009-04-14 03:26 -------- d-----w c:\program files\Common Files\Adobe AIR
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 00:14 . 2004-08-04 10:00 577536 ----a-w c:\windows\system32\user32.dll
2009-04-21 02:43 . 2005-11-24 01:47 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-25 21:13 . 2009-03-25 21:12 -------- d-----w c:\program files\QuickTime
2009-03-25 21:11 . 2007-04-22 05:16 -------- d-----w c:\program files\Apple Software Update
2009-03-06 17:47 . 2007-10-08 02:21 -------- d-----w c:\program files\Electronic Arts
2009-03-06 17:46 . 2005-05-03 15:55 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-06 14:44 . 2004-08-04 10:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:30 . 2004-08-04 10:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 08:30 . 2004-08-04 10:00 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-09 10:20 . 2004-08-04 10:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 10:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-04 10:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2004-08-04 10:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2004-08-04 10:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:22 . 1980-01-01 05:00 2136064 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2004-08-04 10:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2004-08-04 10:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 1980-01-01 05:00 2015744 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2004-08-04 10:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-12-19 07:03 . 2005-11-29 19:19 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 07:03 . 2005-11-29 19:19 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 07:03 . 2007-06-29 15:37 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 07:03 . 2007-06-29 15:37 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 07:03 . 2005-11-29 19:19 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2005-05-13 21:12 . 2005-05-13 21:12 217073 --sha-r c:\windows\meta4.exe
2005-10-24 15:13 . 2005-10-24 15:13 66560 --sha-r c:\windows\MOTA113.exe
2005-10-14 01:27 . 2005-10-14 01:27 422400 --sha-r c:\windows\x2.64.exe
2005-10-07 23:14 . 2005-10-07 23:14 308224 --sha-r c:\windows\SYSTEM32\avisynth.dll
2005-07-14 16:31 . 2005-07-14 16:31 27648 --sha-r c:\windows\SYSTEM32\AVSredirect.dll
2005-06-26 19:32 . 2005-06-26 19:32 616448 --sha-r c:\windows\SYSTEM32\cygwin1.dll
2005-06-22 02:37 . 2005-06-22 02:37 45568 --sha-r c:\windows\SYSTEM32\cygz.dll
2004-01-25 04:00 . 2004-01-25 04:00 70656 --sha-r c:\windows\SYSTEM32\i420vfw.dll
2006-04-27 14:24 . 2006-04-27 14:24 2945024 --sha-r c:\windows\SYSTEM32\Smab.dll
2005-02-28 17:16 . 2005-02-28 17:16 240128 --sha-r c:\windows\SYSTEM32\x.264.exe
2004-01-25 04:00 . 2004-01-25 04:00 70656 --sha-r c:\windows\SYSTEM32\yv12vfw.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-11-17 171464]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-05-03 26112]
"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 1005096]
"WUSB54Gv4"="c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 24576]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-08-28 396800]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"MCUpdateExe"="c:\progra~1\McAfee.com\Agent\McUpdate.exe" [2006-01-11 212992]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2004-03-11 28672]
c:\documents and settings\Jtwist\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
NYKO Gamepad Mapping Tools.lnk - c:\program files\NYKO\Gamepad Mapping Tools\ngpmap.exe [2005-12-25 416768]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-29 03:56 10520 ----a-w c:\windows\SYSTEM32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\Jtwist\Application Data\iolo\
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeeantivirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeefirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Doom 3\\DOOM3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\1163121967\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1163121967\\ee\\aim6.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Capcom\\Bionic Commando Rearmed\\bcr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R1 80132f40;80132f40;c:\windows\System32\drivers\80132f40.sys [2009-05-01 0]
R3 38f1b4w7;38f1b4w7; [x]
S1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-29 325640]
S1 avgtdix;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-29 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-29 298264]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;c:\windows\system32\libusbd-nt.exe [2005-03-10 18944]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2005-03-10 33792]
S3 tenCapture;tenCapture;c:\windows\system32\DRIVERS\tenCapture.sys [2007-04-21 9344]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - gtndis5
*NewlyCreated* - WIN32X
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{791ff664-6a31-11dd-b28d-00121789cf11}]
\Shell\abrir\command - explorer "%1"
\Shell\AutoRun\command - alyehs.EXE
\Shell\open\command - alyehs.EXE explorer "%1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a941c4e2-e050-11dc-b21b-00121789cf11}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-04-24 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (1) (JORGE-Jtwist).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2005-05-03 23:18]
2009-04-24 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (JORGE-Jtwist).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2005-05-03 23:18]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll
Notify-WgaLogon - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemonsearch.com/intl/
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jtwist\Application Data\Mozilla\Firefox\Profiles\q0ejizjc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/
FF - component: c:\progra~1\MOZILL~1\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 16:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\drivers\win32x.sys 12544 bytes executable
c:\windows\system32\userinit.exe 77312 bytes executable
c:\windows\system32\win32x.exe 24576 bytes executable
scan completed successfully
hidden files: 3
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2716511838-1003853643-1138849529-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-2716511838-1003853643-1138849529-1006\Software\SecuROM\License information*]
"datasecu"=hex:9a,89,20,15,25,55,74,a0,26,15,23,38,67,39,fd,c7,ca,cf,fb,55,9b,
a5,ff,83,44,51,15,27,52,43,d2,f3,82,b8,4a,42,29,65,89,42,db,93,38,ec,2c,26,\
"rkeysecu"=hex:9f,ca,16,75,83,0a,d6,fd,d2,a5,ab,cb,c1,0d,12,f7
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3488)
c:\progra~1\mcafee.com\vso\McVSSkt.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\SYSTEM32\PnkBstrA.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
c:\progra~1\McAfee.com\VSO\McVSEscn.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-01 16:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-01 20:33
Pre-Run: 10,004,717,568 bytes free
Post-Run: 9,997,455,360 bytes free
268 --- E O F --- 2009-04-15 07:02
Hi again,
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) file sharing programs on your computer.
LimeWire
I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
You seem to have both AVG and McAfee installed there. It's recommended to have only one antivirus installed in the same system. Decide which one to keep and uninstall the other one.
Upload the following file to http://www.virustotal.com and post back the results:
c:\windows\system32\userinit.exe
Open notepad and copy/paste the text in the quotebox below into it:
Collect::
c:\windows\system32\drivers\win32x.sys
c:\windows\system32\win32x.exe
Driver::
80132f40
38f1b4w7
File::
c:\windows\system32\drivers\80132f40.sys
Folder::
c:\windows\system32\796525
c:\program files\limewire
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeeantivirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeefirewall]
"DisableMonitoring"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{791ff664-6a31-11dd-b28d-00121789cf11}]
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe. You'll be asked to submit some samples. Please follow the given instructions to carry out submitting successfully.
Then post the resultant log.
ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 13 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh HJT log and the above-mentioned ComboFix resultant log.
Dominance
2009-05-02, 03:44
Once again, thanks for your help. I had forgotten I had LimeWire; it's been years since I've used it. I took a look at the suggested topic also. I'm following all the directions you're giving me; however, I don't have the userinit.exe file in my System32 folder, so I can't upload it. Will that be a problem?
Hi
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
See if you can find the file now. If not, move on with the instructions.
Dominance
2009-05-02, 04:27
OK, I've found the file and analyzed it; here are the results:
File userinit.exe received on 05.02.2009 03:14:39 (CET)
Current status: finished
Result: 21/40 (52.5%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.02 Trojan-Mailfinder!IK
AhnLab-V3 5.0.0.2 2009.05.01 -
AntiVir 7.9.0.160 2009.04.30 TR/Crypt.XPACK.Gen
Antiy-AVL 2.0.3.1 2009.04.30 -
Authentium 5.1.2.4 2009.05.01 -
Avast 4.8.1335.0 2009.05.01 Win32:Rootkit-gen
AVG 8.5.0.327 2009.05.01 SHeur2.ACAX
BitDefender 7.2 2009.05.02 Trojan.Waledac.Gen.1
CAT-QuickHeal 10.00 2009.04.30 -
ClamAV 0.94.1 2009.05.02 -
Comodo 1146 2009.05.01 TrojWare.Win32.Mailfinder.Agent.aan
DrWeb 4.44.0.09170 2009.05.02 Trojan.MulDrop.29377
eSafe 7.0.17.0 2009.04.30 -
eTrust-Vet 31.6.6487 2009.05.02 Win32/Meldsimp.FI
F-Prot 4.4.4.56 2009.05.01 -
F-Secure 8.0.14470.0 2009.05.01 Trojan-Mailfinder.Win32.Agent.aan
Fortinet 3.117.0.0 2009.05.02 W32/Agent.AAN!tr
GData 19 2009.05.02 Trojan.Waledac.Gen.1
Ikarus T3.1.1.49.0 2009.05.02 Trojan-Mailfinder
K7AntiVirus 7.10.721 2009.05.01 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.05.01 Trojan-Mailfinder.Win32.Agent.aan
McAfee 5602 2009.05.01 -
McAfee+Artemis 5602 2009.05.01 Artemis!8EB5CEADC1F8
McAfee-GW-Edition 6.7.6 2009.04.30 Trojan.Crypt.XPACK.Gen
Microsoft 1.4602 2009.05.01 -
NOD32 4049 2009.05.01 Win32/SpamTool.Agent.NCB
Norman 6.01.05 2009.04.30 -
nProtect 2009.1.8.0 2009.05.01 Trojan/W32.Agent.77312.AE
Panda 10.0.0.14 2009.05.01 Trj/CI.A
PCTools 4.4.2.0 2009.05.01 -
Prevx1 3.0 2009.05.02 -
Rising 21.27.41.00 2009.05.01 -
Sophos 4.41.0 2009.05.02 -
Sunbelt 3.2.1858.2 2009.05.02 Trojan-Dropper.Multi.Gen
Symantec 1.4.4.12 2009.05.02 Trojan.Dropper
TheHacker 6.3.4.1.317 2009.05.02 -
TrendMicro 8.950.0.1092 2009.05.01 -
VBA32 3.12.10.4 2009.05.02 -
ViRobot 2009.5.1.1717 2009.05.01 -
VirusBuster 4.6.5.0 2009.05.01 -
Additional information
File size: 77312 bytes
MD5...: 8eb5ceadc1f8f1f75990ab1706967d92
SHA1..: a10aeb156816de3abc9c168250dfc62dab9b257e
SHA256: a7bb00d15aaf21cc4f3bc93a68451efb9346af7636284ec40fad8a1ed02ca70a
SHA512: 7244098e06bc4c4b4840226b55ee52765174044ff4e6c9770d100f70c919370a
0467836a6807c1e8167b3b829c98043de45ab43dff5f232f15984d70d7d176ff
ssdeep: 768:kQKnTS3LzWO9sJA1doimCjCXA7MPkDNUcSi7VKzwRBeiN+dOI:F0Se+oJ1XA
4i7MzwR1M
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x11bb
timedatestamp.....: 0x44a761ac (Sun Jul 02 06:03:24 2006)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x106da 0x10600 7.91 fc3c28b860b4aa696d4e0d8f0d3b90fe
.data 0x12000 0x1ff6 0x2000 5.71 c7d9a645f736fd48103e8bbea602dcbe
.rdata 0x14000 0x3a0 0x400 2.93 2fdbf84e8a6a40ae5b7d30c5257a75f3
.bss 0x15000 0x2e5 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
( 4 imports )
> USER32.dll: DestroyAcceleratorTable, CtxInitUser32, DestroyAcceleratorTable, GetUserObjectInformationW, EnumDisplaySettingsA
> msvcrt.dll: tanh, wcstoul, mktime, fputws, wcsstr, fgetwc
> ole32.dll: WriteOleStg, ProgIDFromCLSID, CoFileTimeToDosDateTime
> KERNEL32.dll: HeapAlloc, ExitProcess, VirtualProtect, FindFirstFileExA
( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=8eb5ceadc1f8f1f75990ab1706967d92
Here is the ComboFix log:
ComboFix 09-04-30.05 - Jtwist 05/01/2009 20:55.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.501 [GMT -4:00]
Running from: c:\documents and settings\Jtwist\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jtwist\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: McAfee VirusScan *On-access scanning disabled* (Outdated)
FW: McAfee Personal Firewall Plus *disabled*
FILE ::
c:\windows\system32\drivers\80132f40.sys
file zipped: c:\windows\system32\drivers\win32x.sys
file zipped: c:\windows\system32\win32x.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\limewire
c:\windows\system32\796525
c:\windows\system32\drivers\80132f40.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_WIN32X
-------\Service_?????????
((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.
2009-05-02 00:49 . 2009-05-02 00:49 -------- d-----w c:\program files\JavaFX
2009-05-02 00:49 . 2009-05-02 00:49 -------- d-----w c:\program files\Sun
2009-05-02 00:49 . 2009-05-02 00:48 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-29 05:52 . 2009-04-29 05:52 -------- d-----w c:\program files\Trend Micro
2009-04-29 05:42 . 2009-04-29 05:43 -------- d-----w c:\program files\ERUNT
2009-04-29 04:00 . 2009-04-29 22:11 -------- d--h--w C:\$AVG8.VAULT$
2009-04-29 03:56 . 2009-04-29 03:56 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-29 03:56 . 2009-04-29 03:56 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-29 03:56 . 2009-04-29 03:56 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-29 03:56 . 2009-05-01 21:02 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-29 03:56 . 2009-04-29 03:56 -------- d-----w c:\program files\AVG
2009-04-29 03:56 . 2009-05-01 20:59 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-29 03:36 . 2009-04-29 03:38 -------- d-----w c:\program files\SpywareBlaster
2009-04-29 01:15 . 2009-04-29 01:15 -------- d-----w c:\documents and settings\Jtwist\Application Data\Malwarebytes
2009-04-29 01:15 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-29 01:15 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 01:15 . 2009-04-29 01:15 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-29 01:15 . 2009-04-29 01:15 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-28 20:44 . 2009-04-28 20:44 12544 ----a-w c:\windows\system32\drivers\win32x.sys
2009-04-23 01:46 . 2009-04-23 01:46 -------- d-----w c:\program files\danny_kay1710
2009-04-21 22:40 . 2009-04-21 22:46 -------- d-----w c:\program files\PSP Grader
2009-04-21 22:00 . 2009-04-21 22:00 -------- d-----w C:\mspformat
2009-04-21 22:00 . 2009-04-21 22:00 -------- d-----w C:\msinst
2009-04-14 03:36 . 2009-04-14 03:36 -------- d-----w c:\documents and settings\Jtwist\Application Data\com.doubleperfect.ggpo.0753AD3679DBFCA1E7F470171B7D0DB8B404A7EA.1
2009-04-14 03:27 . 2009-04-14 03:37 -------- d-----w c:\program files\GGPO
2009-04-14 03:26 . 2009-04-14 03:26 -------- d-----w c:\program files\Common Files\Adobe AIR
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 00:48 . 2005-05-03 15:54 -------- d-----w c:\program files\Java
2009-05-02 00:33 . 2005-05-03 16:02 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2009-05-01 00:14 . 2004-08-04 10:00 577536 ----a-w c:\windows\system32\user32.dll
2009-04-28 20:44 . 2004-08-04 10:00 77312 ----a-w c:\windows\system32\userinit.exe
2009-04-21 02:43 . 2005-11-24 01:47 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-25 21:13 . 2009-03-25 21:12 -------- d-----w c:\program files\QuickTime
2009-03-25 21:11 . 2007-04-22 05:16 -------- d-----w c:\program files\Apple Software Update
2009-03-06 17:47 . 2007-10-08 02:21 -------- d-----w c:\program files\Electronic Arts
2009-03-06 17:46 . 2005-05-03 15:55 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-06 14:44 . 2004-08-04 10:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:30 . 2004-08-04 10:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 08:30 . 2004-08-04 10:00 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-09 10:20 . 2004-08-04 10:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 10:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-04 10:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2004-08-04 10:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2004-08-04 10:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:22 . 1980-01-01 05:00 2136064 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2004-08-04 10:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2004-08-04 10:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 1980-01-01 05:00 2015744 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2004-08-04 10:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-12-19 07:03 . 2005-11-29 19:19 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 07:03 . 2005-11-29 19:19 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 07:03 . 2007-06-29 15:37 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 07:03 . 2007-06-29 15:37 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 07:03 . 2005-11-29 19:19 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2005-05-13 21:12 . 2005-05-13 21:12 217073 --sha-r c:\windows\meta4.exe
2005-10-24 15:13 . 2005-10-24 15:13 66560 --sha-r c:\windows\MOTA113.exe
2005-10-14 01:27 . 2005-10-14 01:27 422400 --sha-r c:\windows\x2.64.exe
2005-10-07 23:14 . 2005-10-07 23:14 308224 --sha-r c:\windows\SYSTEM32\avisynth.dll
2005-07-14 16:31 . 2005-07-14 16:31 27648 --sha-r c:\windows\SYSTEM32\AVSredirect.dll
2005-06-26 19:32 . 2005-06-26 19:32 616448 --sha-r c:\windows\SYSTEM32\cygwin1.dll
2005-06-22 02:37 . 2005-06-22 02:37 45568 --sha-r c:\windows\SYSTEM32\cygz.dll
2004-01-25 04:00 . 2004-01-25 04:00 70656 --sha-r c:\windows\SYSTEM32\i420vfw.dll
2006-04-27 14:24 . 2006-04-27 14:24 2945024 --sha-r c:\windows\SYSTEM32\Smab.dll
2005-02-28 17:16 . 2005-02-28 17:16 240128 --sha-r c:\windows\SYSTEM32\x.264.exe
2004-01-25 04:00 . 2004-01-25 04:00 70656 --sha-r c:\windows\SYSTEM32\yv12vfw.dll
.
------- Sigcheck -------
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[-] 2009-04-28 20:44 77312 8EB5CEADC1F8F1F75990AB1706967D92 c:\windows\SYSTEM32\userinit.exe
[7] 2004-08-04 10:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\SYSTEM32\DLLCACHE\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-05-01_20.27.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-02 01:00 . 2009-05-02 01:00 16384 c:\windows\temp\Perflib_Perfdata_784.dat
+ 2009-05-02 00:50 . 2009-05-02 00:50 10134 c:\windows\Installer\{7396F7C8-EDD8-4473-BF6A-2CE4996716E1}\SystemFolder_msiexec.exe
+ 2009-05-02 00:49 . 2009-05-02 00:48 148888 c:\windows\SYSTEM32\javaws.exe
+ 2009-05-02 00:49 . 2009-05-02 00:48 144792 c:\windows\SYSTEM32\javaw.exe
+ 2009-05-02 00:49 . 2009-05-02 00:48 144792 c:\windows\SYSTEM32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-11-17 171464]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-05-03 26112]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 1005096]
"WUSB54Gv4"="c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 24576]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-08-28 396800]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-01 1932568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-02 148888]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2004-03-11 28672]
c:\documents and settings\Jtwist\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
NYKO Gamepad Mapping Tools.lnk - c:\program files\NYKO\Gamepad Mapping Tools\ngpmap.exe [2005-12-25 416768]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-29 03:56 10520 ----a-w c:\windows\SYSTEM32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\Jtwist\Application Data\iolo\
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeefirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Doom 3\\DOOM3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1163121967\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1163121967\\ee\\aim6.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Capcom\\Bionic Commando Rearmed\\bcr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 80132f40;80132f40; [x]
R3 38f1b4w7;38f1b4w7; [x]
R3 win32x;win32x;c:\windows\system32\drivers\win32x.sys [2009-04-28 12544]
S1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-29 325640]
S1 avgtdix;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-29 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-29 298264]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;c:\windows\system32\libusbd-nt.exe [2005-03-10 18944]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2005-03-10 33792]
S3 tenCapture;tenCapture;c:\windows\system32\DRIVERS\tenCapture.sys [2007-04-21 9344]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\DRIVERS\rt2500usb.sys [2004-05-07 79616]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a941c4e2-e050-11dc-b21b-00121789cf11}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemonsearch.com/intl/
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jtwist\Application Data\Mozilla\Firefox\Profiles\q0ejizjc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 21:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2716511838-1003853643-1138849529-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-2716511838-1003853643-1138849529-1006\Software\SecuROM\License information*]
"datasecu"=hex:9a,89,20,15,25,55,74,a0,26,15,23,38,67,39,fd,c7,ca,cf,fb,55,9b,
a5,ff,83,44,51,15,27,52,43,d2,f3,82,b8,4a,42,29,65,89,42,db,93,38,ec,2c,26,\
"rkeysecu"=hex:9f,ca,16,75,83,0a,d6,fd,d2,a5,ab,cb,c1,0d,12,f7
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2260)
c:\windows\system32\ctagent.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\windows\SYSTEM32\PnkBstrA.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\SYSTEM32\WSCNTFY.EXE
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
.
**************************************************************************
.
Completion time: 2009-05-02 21:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-02 01:08
ComboFix2.txt 2009-05-01 20:33
Pre-Run: 9,467,387,904 bytes free
Post-Run: 9,460,031,488 bytes free
249 --- E O F --- 2009-04-15 07:02
And finally the HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:15 PM, on 5/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = verizon
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: NYKO Gamepad Mapping Tools.lnk = C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Jtwist/LOCALS~1/Temp/msohtml1/01/clip_image003.gif
--
End of file - 10153 bytes
I also uninstalled limewire as requested.
Dominance
2009-05-02, 08:39
I had forgotten, but here is the Kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 2, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, May 02, 2009 00:39:41
Records in database: 2118498
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 211868
Threat name: 7
Infected objects: 14
Suspicious objects: 0
Duration of the scan: 03:26:56
File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\CONFIG\systemprofile\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthalkbdwtmnmlxnrnckwturyjnjcxjtgdy.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthekghujlubksdxbprjgtwolgknrdovgwy.dll.vir Infected: Trojan.Win32.Tdss.aald 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthjvviliusxrpxtnmnawrqihbcloedyjec.dll.vir Infected: Trojan.Win32.Tdss.aalc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthvsiqimqqejxwticfaisnaoqecxrjntdo.dll.vir Infected: Trojan.Win32.Tdss.aalg 1
C:\Qoobox\Quarantine\[4]-Submit_2009-5-1_20.54.58.zip Infected: Trojan-Mailfinder.Win32.Agent.th 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1321\A0610416.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1321\A0611416.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1324\A0611418.sys Infected: Trojan.Win32.Tdss.aalf 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1324\A0611419.dll Infected: Trojan.Win32.Tdss.aalc 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1324\A0611420.dll Infected: Trojan.Win32.Tdss.aalg 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1324\A0611421.dll Infected: Trojan.Win32.Tdss.aald 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\WINDOWS\SYSTEM32\userinit.exe Infected: Trojan-Mailfinder.Win32.Agent.aan 1
The selected area was scanned.
Ok. That file is patched. Let's see if there's a clean one available.
Upload these two files to VT like you did with the other file:
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
c:\windows\SYSTEM32\DLLCACHE\userinit.exe
Post back the results then.
Dominance
2009-05-02, 23:29
In the order you listed.
First file
File userinit.exe received on 05.02.2009 22:22:44 (CET)
Current status: finished
Result: 0/40 (0%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.02 -
AhnLab-V3 5.0.0.2 2009.05.01 -
AntiVir 7.9.0.160 2009.05.02 -
Antiy-AVL 2.0.3.1 2009.04.30 -
Authentium 5.1.2.4 2009.05.02 -
Avast 4.8.1335.0 2009.05.02 -
AVG 8.5.0.327 2009.05.02 -
BitDefender 7.2 2009.05.02 -
CAT-QuickHeal 10.00 2009.05.02 -
ClamAV 0.94.1 2009.05.02 -
Comodo 1147 2009.05.02 -
DrWeb 4.44.0.09170 2009.05.02 -
eSafe 7.0.17.0 2009.04.30 -
eTrust-Vet 31.6.6487 2009.05.02 -
F-Prot 4.4.4.56 2009.05.02 -
F-Secure 8.0.14470.0 2009.05.02 -
Fortinet 3.117.0.0 2009.05.02 -
GData 19 2009.05.02 -
Ikarus T3.1.1.49.0 2009.05.02 -
K7AntiVirus 7.10.722 2009.05.02 -
Kaspersky 7.0.0.125 2009.05.02 -
McAfee 5603 2009.05.02 -
McAfee+Artemis 5603 2009.05.02 -
McAfee-GW-Edition 6.7.6 2009.05.02 -
Microsoft 1.4602 2009.05.02 -
NOD32 4049 2009.05.01 -
Norman 6.01.05 2009.04.30 -
nProtect 2009.1.8.0 2009.05.02 -
Panda 10.0.0.14 2009.05.02 -
PCTools 4.4.2.0 2009.05.02 -
Prevx1 3.0 2009.05.02 -
Rising 21.27.41.00 2009.05.01 -
Sophos 4.41.0 2009.05.02 -
Sunbelt 3.2.1858.2 2009.05.02 -
Symantec 1.4.4.12 2009.05.02 -
TheHacker 6.3.4.1.317 2009.05.02 -
TrendMicro 8.950.0.1092 2009.05.01 -
VBA32 3.12.10.4 2009.05.02 -
ViRobot 2009.5.1.1717 2009.05.01 -
VirusBuster 4.6.5.0 2009.05.02 -
Additional information
File size: 26112 bytes
MD5...: a93aee1928a9d7ce3e16d24ec7380f89
SHA1..: 513f8bdf67a5a9e09803cfb61f590b39f2683853
SHA256: 944cd2135e171af338352568aa7fe1b8004733a4281395ad6723e0cf43d5f53f
SHA512: b4df088a96dda785b1a2edb32ef72554fb8000d01a29668f0da0614f6100c8ea
59c31790d5248e551543efd36684b12b687df55cbeaa36b8c31decf686980f42
ssdeep: 768:0RMJi8jDLIDSAaQFxfftjaLacmkLGKOq:0RMJbDMDSA7FxffJaLaSLG9q
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x54ad
timedatestamp.....: 0x480251a8 (Sun Apr 13 18:32:08 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x520e 0x5400 5.95 099b53205ad3f1c3b853a5310d08a9b1
.data 0x7000 0x14c 0x200 1.86 0bb948f267e82975313a03d8c0e8a1cf
.rsrc 0x8000 0xb50 0xc00 3.27 bac832e39f87c4f5f640e5d5c6a1c2fc
( 9 imports )
> USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
> ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
> CRYPT32.dll: CryptProtectData
> WINSPOOL.DRV: SpoolerInit
> ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, RtlConvertSidToUnicodeString, NtQueryInformationToken
> NETAPI32.dll: DsGetDcNameW, NetApiBufferFree
> WLDAP32.dll: -, -, -, -, -, -
> msvcrt.dll: __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _XcptFilter, _exit, _c_exit, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _cexit, exit
> KERNEL32.dll: CompareFileTime, LoadLibraryW, GetProcAddress, FreeLibrary, lstrcpyW, CreateProcessW, lstrlenW, GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, ExpandEnvironmentStringsW, SearchPathW, GetLastError, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, SetEvent, OpenEventW, Sleep, SetEnvironmentVariableW
( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=a93aee1928a9d7ce3e16d24ec7380f89
Second file
File userinit.exe received on 05.02.2009 22:27:48 (CET)
Current status: finished
Result: 0/40 (0%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.02 -
AhnLab-V3 5.0.0.2 2009.05.01 -
AntiVir 7.9.0.160 2009.05.02 -
Antiy-AVL 2.0.3.1 2009.04.30 -
Authentium 5.1.2.4 2009.05.02 -
Avast 4.8.1335.0 2009.05.02 -
AVG 8.5.0.327 2009.05.02 -
BitDefender 7.2 2009.05.02 -
CAT-QuickHeal 10.00 2009.05.02 -
ClamAV 0.94.1 2009.05.02 -
Comodo 1147 2009.05.02 -
DrWeb 4.44.0.09170 2009.05.02 -
eSafe 7.0.17.0 2009.04.30 -
eTrust-Vet 31.6.6487 2009.05.02 -
F-Prot 4.4.4.56 2009.05.02 -
F-Secure 8.0.14470.0 2009.05.02 -
Fortinet 3.117.0.0 2009.05.02 -
GData 19 2009.05.02 -
Ikarus T3.1.1.49.0 2009.05.02 -
K7AntiVirus 7.10.722 2009.05.02 -
Kaspersky 7.0.0.125 2009.05.02 -
McAfee 5603 2009.05.02 -
McAfee+Artemis 5603 2009.05.02 -
McAfee-GW-Edition 6.7.6 2009.05.02 -
Microsoft 1.4602 2009.05.02 -
NOD32 4049 2009.05.01 -
Norman 6.01.05 2009.04.30 -
nProtect 2009.1.8.0 2009.05.02 -
Panda 10.0.0.14 2009.05.02 -
PCTools 4.4.2.0 2009.05.02 -
Prevx1 3.0 2009.05.02 -
Rising 21.27.41.00 2009.05.01 -
Sophos 4.41.0 2009.05.02 -
Sunbelt 3.2.1858.2 2009.05.02 -
Symantec 1.4.4.12 2009.05.02 -
TheHacker 6.3.4.1.317 2009.05.02 -
TrendMicro 8.950.0.1092 2009.05.01 -
VBA32 3.12.10.4 2009.05.02 -
ViRobot 2009.5.1.1717 2009.05.01 -
VirusBuster 4.6.5.0 2009.05.02 -
Additional information
File size: 24576 bytes
MD5...: 39b1ffb03c2296323832acbae50d2aff
SHA1..: e5aedcbe25a97c89101f1f3860ff846e94d70445
SHA256: 5b5d71718108e132d10bafb0c217f469a1e3cc13f79ff8d9cbe3bf4918aff7b7
SHA512: ae81b19b8d778a368cf460016a9678676dfd7b8bfdeb236e8f87ef9a6c755323
227b340924d0713698350ce30bb0b3d09789c90897710cd48b3fe84ddca4a551
ssdeep: 384:DNkhB/JD1CzaxzOV6s9cKmdPGFQ273eLXVBYkkjuv1hkNLdbaLa4CwUJuUCS
F4WL:gJDUaxgu5YEVBxkjuv7wbaLa4PU4b7
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x50e5
timedatestamp.....: 0x41107b78 (Wed Aug 04 06:00:24 2004)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x4db8 0x4e00 6.01 16aee663ed180007a0bf5bf24b845096
.data 0x6000 0x14c 0x200 1.86 cbb599f9267bf53209039d14a3574eb1
.rsrc 0x7000 0xb60 0xc00 3.27 b388ab1541ccd9727979fb26a23f72e1
( 7 imports )
> USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
> ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
> CRYPT32.dll: CryptProtectData
> WINSPOOL.DRV: SpoolerInit
> ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, NtQueryInformationToken, RtlConvertSidToUnicodeString
> msvcrt.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, __setusermatherr, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit, _c_exit, _initterm, _adjust_fdiv
> KERNEL32.dll: GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, SetEnvironmentVariableW, lstrlenW, lstrcpyW, FreeLibrary, GetProcAddress, LoadLibraryW, CompareFileTime, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, ExpandEnvironmentStringsW, SetEvent, OpenEventW, Sleep, GetLastError, SearchPathW, CreateProcessW
( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
( Microsoft )
> MSDN Disc 2428.5: userinit.exe
> MSDN Disc 2428.4: userinit.exe
> MSDN Disc 2428.8: userinit.exe
> Operating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: userinit.exe
> Virtual PC for Mac Windows XP Professional Edition: userinit.exe
> Virtual PC for Mac Windows XP Home Edition: userinit.exe
( Gateway )
> Gateway Operating System Windows XP Pro Edition SP2: USERINIT.EXE,userinit.exe
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=39b1ffb03c2296323832acbae50d2aff
Hi again,
Start hjt, do a system scan, check:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
Close browsers and fix checked.
Open notepad and copy/paste the text in the quotebox below into it:
Driver::
80132f40
38f1b4w7
win32x
File::
c:\windows\system32\drivers\win32x.sys
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
FCopy::
c:\windows\SYSTEM32\DLLCACHE\userinit.exe | c:\windows\system32\userinit.exe
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log. How's the system running?
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Dominance
2009-05-03, 21:22
Thanks again, the comp seems to be better than ever, here is the combofix log.
ComboFix 09-04-30.05 - Jtwist 05/03/2009 14:02.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.553 [GMT -4:00]
Running from: c:\documents and settings\Jtwist\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jtwist\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall Plus *enabled*
FILE ::
c:\windows\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
c:\windows\system32\drivers\win32x.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------
c:\windows\SYSTEM32\DLLCACHE\userinit.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_?????????
((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.
2009-05-03 05:45 . 2009-05-03 05:45 -------- d-----w c:\documents and settings\Jtwist\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-05-02 00:49 . 2009-05-02 00:49 -------- d-----w c:\program files\JavaFX
2009-05-02 00:49 . 2009-05-02 00:49 -------- d-----w c:\program files\Sun
2009-05-02 00:49 . 2009-05-02 00:48 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-29 05:52 . 2009-04-29 05:52 -------- d-----w c:\program files\Trend Micro
2009-04-29 05:42 . 2009-04-29 05:43 -------- d-----w c:\program files\ERUNT
2009-04-29 04:00 . 2009-04-29 22:11 -------- d--h--w C:\$AVG8.VAULT$
2009-04-29 03:56 . 2009-04-29 03:56 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-29 03:56 . 2009-04-29 03:56 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-29 03:56 . 2009-04-29 03:56 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-29 03:56 . 2009-05-02 20:07 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-29 03:56 . 2009-04-29 03:56 -------- d-----w c:\program files\AVG
2009-04-29 03:56 . 2009-05-01 20:59 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-29 03:36 . 2009-05-03 06:00 -------- d-----w c:\program files\SpywareBlaster
2009-04-29 01:15 . 2009-04-29 01:15 -------- d-----w c:\documents and settings\Jtwist\Application Data\Malwarebytes
2009-04-29 01:15 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-29 01:15 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 01:15 . 2009-04-29 01:15 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-29 01:15 . 2009-04-29 01:15 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 01:46 . 2009-04-23 01:46 -------- d-----w c:\program files\danny_kay1710
2009-04-21 22:40 . 2009-04-21 22:46 -------- d-----w c:\program files\PSP Grader
2009-04-21 22:00 . 2009-04-21 22:00 -------- d-----w C:\mspformat
2009-04-21 22:00 . 2009-04-21 22:00 -------- d-----w C:\msinst
2009-04-14 03:36 . 2009-04-14 03:36 -------- d-----w c:\documents and settings\Jtwist\Application Data\com.doubleperfect.ggpo.0753AD3679DBFCA1E7F470171B7D0DB8B404A7EA.1
2009-04-14 03:27 . 2009-04-14 03:37 -------- d-----w c:\program files\GGPO
2009-04-14 03:26 . 2009-04-14 03:26 -------- d-----w c:\program files\Common Files\Adobe AIR
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 05:41 . 2007-06-02 02:23 -------- d-----w c:\program files\Common Files\Adobe
2009-05-02 01:03 . 2005-05-03 16:02 -------- d-----w c:\program files\McAfee.com
2009-05-02 00:48 . 2005-05-03 15:54 -------- d-----w c:\program files\Java
2009-05-02 00:33 . 2005-05-03 16:02 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2009-05-01 00:14 . 2004-08-04 10:00 577536 ----a-w c:\windows\system32\user32.dll
2009-04-21 02:43 . 2005-11-24 01:47 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-25 21:13 . 2009-03-25 21:12 -------- d-----w c:\program files\QuickTime
2009-03-25 21:11 . 2007-04-22 05:16 -------- d-----w c:\program files\Apple Software Update
2009-03-06 17:47 . 2007-10-08 02:21 -------- d-----w c:\program files\Electronic Arts
2009-03-06 17:46 . 2005-05-03 15:55 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-06 14:44 . 2004-08-04 10:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:30 . 2004-08-04 10:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 08:30 . 2004-08-04 10:00 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-09 10:20 . 2004-08-04 10:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 10:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-04 10:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2004-08-04 10:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2004-08-04 10:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:22 . 1980-01-01 05:00 2136064 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2004-08-04 10:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2004-08-04 10:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 1980-01-01 05:00 2015744 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2004-08-04 10:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-12-19 07:03 . 2005-11-29 19:19 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 07:03 . 2005-11-29 19:19 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 07:03 . 2007-06-29 15:37 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 07:03 . 2007-06-29 15:37 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 07:03 . 2005-11-29 19:19 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2005-05-13 21:12 . 2005-05-13 21:12 217073 --sha-r c:\windows\meta4.exe
2005-10-24 15:13 . 2005-10-24 15:13 66560 --sha-r c:\windows\MOTA113.exe
2005-10-14 01:27 . 2005-10-14 01:27 422400 --sha-r c:\windows\x2.64.exe
2005-10-07 23:14 . 2005-10-07 23:14 308224 --sha-r c:\windows\SYSTEM32\avisynth.dll
2005-07-14 16:31 . 2005-07-14 16:31 27648 --sha-r c:\windows\SYSTEM32\AVSredirect.dll
2005-06-26 19:32 . 2005-06-26 19:32 616448 --sha-r c:\windows\SYSTEM32\cygwin1.dll
2005-06-22 02:37 . 2005-06-22 02:37 45568 --sha-r c:\windows\SYSTEM32\cygz.dll
2004-01-25 04:00 . 2004-01-25 04:00 70656 --sha-r c:\windows\SYSTEM32\i420vfw.dll
2006-04-27 14:24 . 2006-04-27 14:24 2945024 --sha-r c:\windows\SYSTEM32\Smab.dll
2005-02-28 17:16 . 2005-02-28 17:16 240128 --sha-r c:\windows\SYSTEM32\x.264.exe
2004-01-25 04:00 . 2004-01-25 04:00 70656 --sha-r c:\windows\SYSTEM32\yv12vfw.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-01_20.27.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-03 18:07 . 2009-05-03 18:07 16384 c:\windows\temp\Perflib_Perfdata_6e4.dat
+ 2004-08-04 10:00 . 2004-08-04 10:00 24576 c:\windows\SYSTEM32\DLLCACHE\userinit.exe
+ 2009-05-02 00:50 . 2009-05-02 00:50 10134 c:\windows\Installer\{7396F7C8-EDD8-4473-BF6A-2CE4996716E1}\SystemFolder_msiexec.exe
+ 2009-05-02 00:49 . 2009-05-02 00:48 148888 c:\windows\SYSTEM32\javaws.exe
+ 2009-05-02 00:49 . 2009-05-02 00:48 144792 c:\windows\SYSTEM32\javaw.exe
+ 2009-05-02 00:49 . 2009-05-02 00:48 144792 c:\windows\SYSTEM32\java.exe
+ 2009-05-03 05:25 . 2009-05-03 05:25 172032 c:\windows\ERDNT\AutoBackup\5-3-2009\Users\00000002\UsrClass.dat
+ 2009-05-03 05:25 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-3-2009\ERDNT.EXE
+ 2009-05-02 20:02 . 2009-05-02 20:02 172032 c:\windows\ERDNT\AutoBackup\5-2-2009\Users\00000002\UsrClass.dat
+ 2009-05-02 20:02 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-2-2009\ERDNT.EXE
+ 2009-05-03 05:25 . 2009-05-03 05:25 9211904 c:\windows\ERDNT\AutoBackup\5-3-2009\Users\00000001\ntuser.dat
+ 2009-05-02 20:02 . 2009-05-02 20:02 9211904 c:\windows\ERDNT\AutoBackup\5-2-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-11-17 171464]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-05-03 26112]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 1005096]
"WUSB54Gv4"="c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 24576]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-08-28 396800]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-01 1932568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-02 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2004-03-11 28672]
c:\documents and settings\Jtwist\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
NYKO Gamepad Mapping Tools.lnk - c:\program files\NYKO\Gamepad Mapping Tools\ngpmap.exe [2005-12-25 416768]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-29 03:56 10520 ----a-w c:\windows\SYSTEM32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\Jtwist\Application Data\iolo\
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Doom 3\\DOOM3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1163121967\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1163121967\\ee\\aim6.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Capcom\\Bionic Commando Rearmed\\bcr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 80132f40;80132f40; [x]
R3 38f1b4w7;38f1b4w7; [x]
S1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-29 325640]
S1 avgtdix;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-29 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-29 298264]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;c:\windows\system32\libusbd-nt.exe [2005-03-10 18944]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2005-03-10 33792]
S3 tenCapture;tenCapture;c:\windows\system32\DRIVERS\tenCapture.sys [2007-04-21 9344]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\DRIVERS\rt2500usb.sys [2004-05-07 79616]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a941c4e2-e050-11dc-b21b-00121789cf11}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemonsearch.com/intl/
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jtwist\Application Data\Mozilla\Firefox\Profiles\q0ejizjc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 14:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2716511838-1003853643-1138849529-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-2716511838-1003853643-1138849529-1006\Software\SecuROM\License information*]
"datasecu"=hex:9a,89,20,15,25,55,74,a0,26,15,23,38,67,39,fd,c7,ca,cf,fb,55,9b,
a5,ff,83,44,51,15,27,52,43,d2,f3,82,b8,4a,42,29,65,89,42,db,93,38,ec,2c,26,\
"rkeysecu"=hex:9f,ca,16,75,83,0a,d6,fd,d2,a5,ab,cb,c1,0d,12,f7
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3640)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\windows\SYSTEM32\PnkBstrA.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-03 14:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-03 18:14
ComboFix2.txt 2009-05-03 06:32
ComboFix3.txt 2009-05-03 05:31
ComboFix4.txt 2009-05-02 01:09
ComboFix5.txt 2009-05-03 18:02
Pre-Run: 7,290,171,392 bytes free
Post-Run: 7,282,950,144 bytes free
252 --- E O F --- 2009-04-15 07:02
And the HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:39 PM, on 5/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = verizon
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: NYKO Gamepad Mapping Tools.lnk = C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Jtwist/LOCALS~1/Temp/msohtml1/01/clip_image003.gif
--
End of file - 10366 bytes
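The helper read the ComboFix "Reg Loading Points" section above by eye: a second entry in the Session Manager BootExecute value (only "autocheck autochk *" belongs there), two drivers with random-looking names whose files are missing ("[x]"), and Security Center notifications switched off. As an added example, not part of this thread and not code from ComboFix or HijackThis, the following Python script applies those same checks to a text dump. The sample input is constructed from lines of the log above, with one legitimate AVG driver line as a control.

```python
"""Flag the autostart anomalies a ComboFix 'Reg Loading Points' dump exposes.

Added example for this thread; not ComboFix or HijackThis code.
"""
import re

# The only entry Windows itself puts in BootExecute.
BOOT_EXECUTE_DEFAULT = "autocheck autochk *"

# ComboFix service/driver lines: "<R|S><start type> <name>;<display name>;<path> [date size]"
# A trailing "[x]" means the service is registered but its file is missing.
SERVICE_LINE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample input, modelled on lines of the ComboFix log in this
# thread (the BootExecute entry and the two "[x]" drivers are the ones the
# helper's CFScript removed; the AVG driver is a legitimate control line).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\\0smrgdf c:\\documents and settings\\Jtwist\\Application Data\\iolo\\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"FirewallDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
R1 80132f40;80132f40; [x]
R3 38f1b4w7;38f1b4w7; [x]
S1 avgldx86;AVG Free AVI Loader Driver x86;c:\\windows\\System32\\Drivers\\avgldx86.sys [2009-04-29 325640]
"""


def analyze(log_text):
    """Return a list of {"kind", "detail"} findings for one ComboFix dump."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        if line.startswith("BootExecute"):
            # ComboFix prints REG_MULTI_SZ entries separated by the literal text "\0".
            payload = line.split("REG_MULTI_SZ", 1)[1].strip()
            for entry in payload.split("\\0"):
                entry = entry.strip()
                if entry and entry != BOOT_EXECUTE_DEFAULT:
                    findings.append({"kind": "bootexecute", "detail": entry})
            continue

        m = DWORD_LINE.match(line)
        if m and m.group(1).endswith("DisableNotify") and int(m.group(2), 16) == 1:
            # Security products set these too, so this is a review item, not proof of malware.
            findings.append({"kind": "security_center", "detail": m.group(1)})
            continue

        m = SERVICE_LINE.match(line)
        if m:
            _start, name, _display, rest = m.groups()
            if rest.strip() == "[x]":
                findings.append({"kind": "service_missing_file", "detail": name.strip()})
            continue
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"{finding['kind']:>20}: {finding['detail']}")
```

Only the BootExecute check is a hard rule; the other two are triage hints. An orphaned driver entry with a random eight-character name is worth a look, but "[x]" also shows up for half-uninstalled software, and the DisableNotify flags here were consistent with McAfee's own firewall monitoring setting in the same log.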
Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator Access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis
We need to re-hide system files. To do so, please follow the steps below:
Double-click My Computer. Click the Tools menu, and then click Folder Options. Click the View tab.
Put a check by Hide file extensions for known file types.
Under the Hidden files folder, select Show hidden files and folders.
Check Hide protected operating system files.
Click Apply, and then click OK.
Now let's uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
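The Internet-zone hardening steps and the DNS Client change that Blade walks through above are click-by-click instructions; the same settings live in the registry and the service control manager, so they can be audited and applied from a script. The following is an added example, not code from Blade or from this forum. It reads the Internet zone (zone 3) values under HKCU, compares them with the baseline in the post, and, with -Apply, writes the recommended values and sets the DNS Client service (service name Dnscache) to Manual. The numeric value names and the 0/1/3 data meanings are the Internet Explorer zone settings documented in Microsoft KB182569; the -Apply switch, the function name and the output format are this example's own choices.

```powershell
# Added example (not part of the original post): audit and optionally apply
# the Internet-zone settings Blade lists above, plus the DNS Client tweak
# recommended when using the MVPS hosts file.
# Zone 3 is the Internet zone. Value names follow Microsoft KB182569;
# data: 0 = Enable, 1 = Prompt, 3 = Disable.
# Run from an elevated Windows PowerShell prompt; -Apply writes the changes.
param([switch]$Apply)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Baseline from the post: value name -> required data
$baseline = @{
    '1001' = 1   # Download signed ActiveX controls                         -> Prompt
    '1004' = 3   # Download unsigned ActiveX controls                       -> Disable
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe -> Disable
    '1800' = 1   # Installation of desktop items                            -> Prompt
    '1804' = 1   # Launching programs and files in an IFRAME                -> Prompt
    '1607' = 1   # Navigate sub-frames across different domains             -> Prompt
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Returns the current DWORD for a zone value, or $null if the value is absent
# (absent means the zone's built-in default applies, which for the Internet
# zone is weaker than the baseline for every entry above).
function Get-ZoneSetting([string]$Name) {
    $item = Get-ItemProperty -Path $zonePath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

foreach ($name in ($baseline.Keys | Sort-Object)) {
    $want = $baseline[$name]
    $have = Get-ZoneSetting $name
    $haveText = if ($null -eq $have) { 'not set (zone default)' } else { $labels[$have] }
    if ($have -eq $want) {
        Write-Host ("OK    {0}: {1}" -f $name, $labels[$want])
    } else {
        Write-Host ("WEAK  {0}: is {1}, should be {2}" -f $name, $haveText, $labels[$want])
        if ($Apply) {
            Set-ItemProperty -Path $zonePath -Name $name -Value $want -Type DWord
            Write-Host ("FIXED {0} -> {1}" -f $name, $labels[$want])
        }
    }
}

# DNS Client: with a large hosts file the service's cache becomes expensive
# to build, which is the slowdown the post mentions; Manual avoids it.
$dns  = Get-Service -Name Dnscache
$mode = (Get-WmiObject -Class Win32_Service -Filter "Name='Dnscache'").StartMode
Write-Host ("DNS Client: status {0}, start mode {1}" -f $dns.Status, $mode)
if ($Apply -and $mode -ne 'Manual') {
    Set-Service -Name Dnscache -StartupType Manual
    Write-Host 'DNS Client start mode set to Manual (takes effect at next boot).'
}
```

Run it once without -Apply to see which of the six settings deviate, then with -Apply to enforce them. Values written under HKCU affect only the current user's profile, which matches what the Internet Options dialog changes; a domain policy under HKLM\...\Zones\3 with the same value names takes precedence if one is present.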
Dominance
2009-05-04, 00:58
Thank you very much I appreciate you going out of your way to make my, and everyone else's computer safe, the post you made answered all of my questions, deleting the system restore got rid of the last Trojan on my computer. Everything is fine now, no problems at all. Once again thanks.
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.