View Full Version : Virtumonde removal
skybluelegend
2009-08-08, 16:35
When i search for ceratin things (such as spyware removal) in my browser my internet closes down, I have tried to open my anti virus programmes but it wont let me, I have run spybot search and destroy and it says i have got virtumonde. I have no idea what to do and I am not very computer savvy, please help.:thanks:
Hello skybluelegend
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com (http://www.techsupportforum.com/sectools/sUBs/dds)
DDS.scr (http://download.bleepingcomputer.com/sUBs/dds.scr)
DDS.pif (http://www.forospyware.com/sUBs/dds)
Double click on the DDS icon, allow it to run.
A small box will open, with an explaination about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Scan
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.
skybluelegend
2009-08-09, 19:54
DDS (Ver_09-07-30.01) - NTFSx86
Run by alee at 18:53:22.01 on 09/08/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.312 [GMT 1:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\alee\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\SMART Technologies Inc\SMART Product Update\SmartProductUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\alee\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart board software\NotebookPlugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [BroadcomWireless] c:\program files\broadcom\wireless\utility\WlanUtil.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Boot] c:\acer\empowering technology\epower\Boot.exe
mRun: [Acer ePresentation HPD] c:\acer\empowering technology\epresentation\ePresentation.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartb~1.lnk - c:\program files\smart board software\SMARTBoardTools.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231579077968
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231579070250
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: daecefaddc - c:\windows\system32\daecefaddc.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\alee\applic~1\mozilla\firefox\profiles\baxtqnt2.default\
FF - prefs.js: browser.startup.homepage - www.gmkonline.com
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
============= SERVICES / DRIVERS ===============
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2008-2-12 58048]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-22 353672]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-5-22 464264]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-4-13 55152]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2008-2-12 102463]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2004-9-22 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2004-9-22 28672]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2008-2-12 108256]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
=============== Created Last 30 ================
2009-08-07 21:20 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-07 21:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-07 21:03 <DIR> --d----- c:\docume~1\alee\applic~1\AntispywareBot
2009-08-07 20:57 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-08-07 20:56 <DIR> --d----- c:\documents and settings\alee\.housecall6.6
2009-08-05 14:37 192,528 a------- c:\windows\system32\kdpini.dll
==================== Find3M ====================
2009-08-06 17:29 313,871 -------- c:\windows\system32\daecefaddc.dll
2009-06-14 19:49 34 a------- c:\documents and settings\alee\jagex_runescape_preferences.dat
2009-05-22 21:52 4,212 a---h--- c:\windows\system32\zllictbl.dat
============= FINISH: 18:53:56.98 ===============
Hi,
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please
skybluelegend
2009-08-09, 21:22
I have followed the instructions and have now downloaded malwarebytes, i cannot open it (as in my thread titile i cannot open anything related to anti-malware) except spybot.:sad:
OK, lets do this. There is a rash of Rootkit infections going around and this is what you may have.
Go to this site RootRepeal (http://rootrepeal.googlepages.com/)
Scoll down until you see the Download heading. You can download it in either RAR or ZIP format. Use whatever is easiest for you.
Extract the RootRepeal.exe file from the RAR or ZIP.
Disable your antivirus, antispyware, and firewalls before continuing or they may block RootRepeal from running properly.
Now run the RootRepeal.exe program by double clicking on it.
On the botton click the Files tab and then click the Scan button
A Select Drives form will open. Select all of your drives by checking the boxes and then click OK.
It will start scanning. Wait for it to finish. It can take awhile depending on how many drives, how many files, how many folders...etc. Be patient.
When it finishes, click Save Report and save it somewhere you can easily find it (like your Desktop)
Name it NRRlog.txt
Copy and Paste to log into this thread.
skybluelegend
2009-08-09, 23:35
Didn't take very long at all...(only found 3 hidden/locked files) heres the report...
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/09 22:36
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2
==================================================
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\system32\92b0279ecab395a29c75138aa0b239ae.sys
Status: Invisible to the Windows API!
Path: C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb
Status: Invisible to the Windows API!
That cant be the entire log :confused:
skybluelegend
2009-08-10, 01:05
Is it the drivers that i should be scanning? Sorry for being a pain in the a** im rubbish with computers:sad:
skybluelegend
2009-08-10, 01:08
I clicked the files tab and only C\: came up, then scanned and that is all that comes up.
Lets do this than
We are going to run Combofix, make sure you follow the instructions and rename it before you download it.
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
skybluelegend
2009-08-10, 01:48
ComboFix 09-08-09.03 - alee 10/08/2009 0:37.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.510 [GMT 1:00]
Running from: c:\documents and settings\alee\Desktop\Combo-Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\alee\Application Data\AntispywareBot
c:\recycler\S-1-5-21-1547161642-484763869-839522115-1005
c:\recycler\S-1-5-21-1547161642-484763869-839522115-500
c:\windows\inform.dat
c:\windows\system32\descript.lnk
c:\windows\system32\Desktop_.ini
c:\windows\system32\kdpini.dll
.
((((((((((((((((((((((((( Files Created from 2009-07-09 to 2009-08-09 )))))))))))))))))))))))))))))))
.
2009-08-09 21:26 . 2009-08-09 21:26 0 ----a-w- c:\documents and settings\alee\settings.dat
2009-08-07 20:20 . 2009-08-07 21:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-07 20:20 . 2009-08-07 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-07 19:57 . 2009-08-07 19:57 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-07 19:56 . 2009-08-07 20:04 -------- d-----w- c:\documents and settings\alee\.housecall6.6
2009-08-07 15:33 . 2009-08-07 15:33 1924440 ----a-w- c:\documents and settings\alee\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-08 16:11 . 2009-08-08 16:12 2852864 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-08-07 10:15 . 2009-08-07 10:15 106074 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_07_10_59_06_small.dmp.zip
2009-08-06 16:29 . 2005-06-13 08:05 313871 ------w- c:\windows\system32\daecefaddc.dll
2009-07-20 22:36 . 2009-07-20 22:36 1867212 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-07-01 23:55 . 2008-02-12 11:47 -------- d-----w- c:\program files\Launch Manager
2009-06-29 18:39 . 2009-06-29 14:43 -------- d-----w- c:\program files\DivX
2009-06-29 14:51 . 2009-06-29 14:51 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-29 14:46 . 2009-06-29 14:46 -------- d-----w- c:\documents and settings\alee\Application Data\DivX
2009-06-22 23:00 . 2009-06-22 23:01 2621440 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-06-19 17:01 . 2009-01-22 18:41 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-06-16 16:21 . 2009-06-16 16:21 1915520 ----a-w- c:\documents and settings\alee\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-14 18:49 . 2009-06-14 18:48 34 ----a-w- c:\documents and settings\alee\jagex_runescape_preferences.dat
2009-06-14 15:29 . 2009-06-14 15:29 19010635 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2009_06_14_16_18_21_full.dmp.zip
2009-06-13 21:07 . 2009-06-13 21:07 0 ----a-w- c:\windows\nsreg.dat
2009-06-13 08:15 . 2009-01-03 13:19 -------- d-----w- c:\documents and settings\alee\Application Data\Ahead
2009-06-08 23:06 . 2009-06-09 19:43 2817536 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-05-29 10:42 . 2009-05-29 10:42 18652224 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2009_05_29_10_08_41_full.dmp.zip
2009-05-22 20:52 . 2009-05-22 20:52 4212 ---ha-w- c:\windows\system32\zllictbl.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-21 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-21 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-21 138008]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-12 53248]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-02-12 850704]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-05-24 475136]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2007-03-02 208896]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-23 180269]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-05-29 16132608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2008-2-12 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
SMART Board Tools.lnk - c:\program files\SMART Board Software\SMARTBoardTools.exe [2006-9-18 3395584]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\daecefaddc]
2009-08-06 16:29 313871 ------w- c:\windows\system32\daecefaddc.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [12/02/2008 16:32 58048]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [22/05/2009 21:53 464264]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [13/04/2009 18:42 55152]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 18:08 533360]
.
Contents of the 'Scheduled Tasks' folder
2009-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\AskBarDis\bar\bin\askBar.dll
Toolbar-SITEguard - (no file)
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll
HKLM-Run-BroadcomWireless - c:\program files\Broadcom\Wireless\Utility\WlanUtil.exe
HKLM-Run-NWEReboot - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\alee\Application Data\Mozilla\Firefox\Profiles\baxtqnt2.default\
FF - prefs.js: browser.startup.homepage - www.gmkonline.com
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 00:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\_92b0279ecab395a29c75138aa0b239ae.sys_.vir 39936 bytes executable
c:\windows\system32\92b0279ecab395a29c75138aa0b239ae.sys 39936 bytes executable
scan completed successfully
hidden files: 2
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\92b0279ecab395a29c75138aa0b239ae]
"ImagePath"="system32\92b0279ecab395a29c75138aa0b239ae.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\daecefaddc.dll
c:\program files\Bonjour\mdnsNSP.dll
- - - - - - - > 'lsass.exe'(872)
c:\windows\system32\EntApi.dll
.
Completion time: 2009-08-09 0:47
ComboFix-quarantined-files.txt 2009-08-09 23:47
Pre-Run: 59,721,187,328 bytes free
Post-Run: 59,693,821,952 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
213 --- E O F --- 2008-09-25 08:42
Hi,
I am looking over your log, a few things need to be fixed , in the meantime see you can now run Malwarebytes, if so run it and post the log please
Good Morning,
Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above Driver::
Driver::
92b0279ecab395a29c75138aa0b239ae
File::
c:\windows\system32\daecefaddc.dll
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\daecefaddc]
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Download Trendmicros Hijackthis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.
Double click it to install
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Submit Reply and not start a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
skybluelegend
2009-08-10, 13:19
ComboFix 09-08-09.03 - alee 10/08/2009 12:03.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.441 [GMT 1:00]
Running from: c:\documents and settings\alee\Desktop\Alex's Folder\Anti-Virus\Combo-Fix.exe
Command switches used :: c:\documents and settings\alee\Desktop\CFScript.txt
* Resident AV is active
FILE ::
"c:\windows\system32\daecefaddc.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\daecefaddc.dll
.
((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.
2009-08-10 11:03 . 2009-08-10 11:03 -------- d-----w- C:\quarantine
2009-08-09 21:26 . 2009-08-09 21:26 0 ----a-w- c:\documents and settings\alee\settings.dat
2009-08-07 20:20 . 2009-08-07 21:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-07 20:20 . 2009-08-07 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-07 19:57 . 2009-08-07 19:57 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-07 19:56 . 2009-08-07 20:04 -------- d-----w- c:\documents and settings\alee\.housecall6.6
2009-08-07 15:33 . 2009-08-07 15:33 1924440 ----a-w- c:\documents and settings\alee\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-08 16:11 . 2009-08-08 16:12 2852864 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-08-07 10:15 . 2009-08-07 10:15 106074 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_07_10_59_06_small.dmp.zip
2009-07-20 22:36 . 2009-07-20 22:36 1867212 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-07-01 23:55 . 2008-02-12 11:47 -------- d-----w- c:\program files\Launch Manager
2009-06-29 18:39 . 2009-06-29 14:43 -------- d-----w- c:\program files\DivX
2009-06-29 14:51 . 2009-06-29 14:51 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-29 14:46 . 2009-06-29 14:46 -------- d-----w- c:\documents and settings\alee\Application Data\DivX
2009-06-22 23:00 . 2009-06-22 23:01 2621440 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-06-19 17:01 . 2009-01-22 18:41 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-06-16 16:21 . 2009-06-16 16:21 1915520 ----a-w- c:\documents and settings\alee\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-14 18:49 . 2009-06-14 18:48 34 ----a-w- c:\documents and settings\alee\jagex_runescape_preferences.dat
2009-06-14 15:29 . 2009-06-14 15:29 19010635 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2009_06_14_16_18_21_full.dmp.zip
2009-06-13 21:07 . 2009-06-13 21:07 0 ----a-w- c:\windows\nsreg.dat
2009-06-13 08:15 . 2009-01-03 13:19 -------- d-----w- c:\documents and settings\alee\Application Data\Ahead
2009-06-08 23:06 . 2009-06-09 19:43 2817536 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-05-29 10:42 . 2009-05-29 10:42 18652224 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2009_05_29_10_08_41_full.dmp.zip
2009-05-22 20:52 . 2009-05-22 20:52 4212 ---ha-w- c:\windows\system32\zllictbl.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-08-09_23.44.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-10 10:52 . 2009-08-10 10:52 16384 c:\windows\Temp\Perflib_Perfdata_d24.dat
+ 2009-08-10 11:11 . 2009-08-10 11:11 16384 c:\windows\Temp\Perflib_Perfdata_798.dat
+ 2009-08-10 10:51 . 2009-08-10 10:51 16384 c:\windows\Temp\Perflib_Perfdata_39c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-21 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-21 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-21 138008]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-12 53248]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-02-12 850704]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-05-24 475136]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2007-03-02 208896]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-23 180269]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-05-29 16132608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2008-2-12 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
SMART Board Tools.lnk - c:\program files\SMART Board Software\SMARTBoardTools.exe [2006-9-18 3395584]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [12/02/2008 16:32 58048]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [22/05/2009 21:53 464264]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [13/04/2009 18:42 55152]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 18:08 533360]
.
Contents of the 'Scheduled Tasks' folder
2009-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -
Notify-daecefaddc - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\alee\Application Data\Mozilla\Firefox\Profiles\baxtqnt2.default\
FF - prefs.js: browser.startup.homepage - www.gmkonline.com
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 12:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\_92b0279ecab395a29c75138aa0b239ae.sys_.vir 39936 bytes executable
c:\windows\system32\92b0279ecab395a29c75138aa0b239ae.sys 39936 bytes executable
scan completed successfully
hidden files: 2
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\92b0279ecab395a29c75138aa0b239ae]
"ImagePath"="system32\92b0279ecab395a29c75138aa0b239ae.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(876)
c:\windows\system32\EntApi.dll
- - - - - - - > 'explorer.exe'(3000)
c:\windows\system32\EntApi.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchTrayHook.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO800u.dll
c:\acer\Empowering Technology\ePower\SysHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\SMART Board Software\SMARTBoardService.exe
c:\program files\SMART Board Software\Aware.exe
c:\program files\SMART Board Software\Marker.exe
c:\windows\system32\igfxext.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\SMART Technologies Inc\SMART Product Update\SmartProductUpdate.exe
c:\program files\HP\hpcoretech\comp\hptskmgr.exe
c:\docume~1\alee\LOCALS~1\Temp\RtkBtMnt.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-08-10 12:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-10 11:17
ComboFix2.txt 2009-08-09 23:47
Pre-Run: 59,878,232,064 bytes free
Post-Run: 59,820,331,008 bytes free
240 --- E O F --- 2008-09-25 08:42
skybluelegend
2009-08-10, 13:22
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:09, on 10/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\SMART Technologies Inc\SMART Product Update\SmartProductUpdate.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\DOCUME~1\alee\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231579077968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231579070250
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = curric.cardinalwiseman.coventry.sch.uk
O17 - HKLM\Software\..\Telephony: DomainName = curric.cardinalwiseman.coventry.sch.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = curric.cardinalwiseman.coventry.sch.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = curric.cardinalwiseman.coventry.sch.uk
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 10895 bytes
(ps I am now able to run malwarebytes, I will post the log)
We need to run it again,
A bit of a change
Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above Driver::
Driver::
92b0279ecab395a29c75138aa0b239ae.sys
File::
c:\windows\system32\_92b0279ecab395a29c75138aa0b239ae.sys_.vir
c:\windows\system32\92b0279ecab395a29c75138aa0b239ae.sys
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
skybluelegend
2009-08-10, 13:28
Malwarebytes' Anti-Malware 1.36
Database version: 2167
Windows 5.1.2600 Service Pack 2
10/08/2009 12:28:15
mbam-log-2009-08-10 (12-28-15).txt
Scan type: Quick Scan
Objects scanned: 107650
Time elapsed: 3 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\_92b0279ecab395a29c75138aa0b239ae.sys_.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\92b0279ecab395a29c75138aa0b239ae.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
skybluelegend
2009-08-10, 13:45
ComboFix 09-08-09.03 - alee 10/08/2009 12:37.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.504 [GMT 1:00]
Running from: c:\documents and settings\alee\Desktop\Alex's Folder\Anti-Virus\Combo-Fix.exe
Command switches used :: c:\documents and settings\alee\Desktop\CFScript.txt
* Resident AV is active
FILE ::
"c:\windows\system32\_92b0279ecab395a29c75138aa0b239ae.sys_.vir"
"c:\windows\system32\92b0279ecab395a29c75138aa0b239ae.sys"
.
((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.
2009-08-10 11:21 . 2009-08-10 11:21 -------- d-----w- c:\program files\Trend Micro
2009-08-10 11:03 . 2009-08-10 11:37 -------- d-----w- C:\quarantine
2009-08-09 21:26 . 2009-08-09 21:26 0 ----a-w- c:\documents and settings\alee\settings.dat
2009-08-07 20:20 . 2009-08-07 21:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-07 20:20 . 2009-08-07 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-07 19:57 . 2009-08-07 19:57 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-07 19:56 . 2009-08-07 20:04 -------- d-----w- c:\documents and settings\alee\.housecall6.6
2009-08-07 15:33 . 2009-08-07 15:33 1924440 ----a-w- c:\documents and settings\alee\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-08 16:11 . 2009-08-08 16:12 2852864 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-08-07 10:15 . 2009-08-07 10:15 106074 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_07_10_59_06_small.dmp.zip
2009-07-20 22:36 . 2009-07-20 22:36 1867212 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-07-01 23:55 . 2008-02-12 11:47 -------- d-----w- c:\program files\Launch Manager
2009-06-29 18:39 . 2009-06-29 14:43 -------- d-----w- c:\program files\DivX
2009-06-29 14:51 . 2009-06-29 14:51 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-29 14:46 . 2009-06-29 14:46 -------- d-----w- c:\documents and settings\alee\Application Data\DivX
2009-06-22 23:00 . 2009-06-22 23:01 2621440 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-06-19 17:01 . 2009-01-22 18:41 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-06-16 16:21 . 2009-06-16 16:21 1915520 ----a-w- c:\documents and settings\alee\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-14 18:49 . 2009-06-14 18:48 34 ----a-w- c:\documents and settings\alee\jagex_runescape_preferences.dat
2009-06-14 15:29 . 2009-06-14 15:29 19010635 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2009_06_14_16_18_21_full.dmp.zip
2009-06-13 21:07 . 2009-06-13 21:07 0 ----a-w- c:\windows\nsreg.dat
2009-06-13 08:15 . 2009-01-03 13:19 -------- d-----w- c:\documents and settings\alee\Application Data\Ahead
2009-06-08 23:06 . 2009-06-09 19:43 2817536 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-05-29 10:42 . 2009-05-29 10:42 18652224 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2009_05_29_10_08_41_full.dmp.zip
2009-05-22 20:52 . 2009-05-22 20:52 4212 ---ha-w- c:\windows\system32\zllictbl.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-08-09_23.44.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-10 11:31 . 2009-08-10 11:31 16384 c:\windows\Temp\Perflib_Perfdata_d28.dat
+ 2009-08-10 11:31 . 2009-08-10 11:31 16384 c:\windows\Temp\Perflib_Perfdata_214.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-21 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-21 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-21 138008]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-12 53248]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-02-12 850704]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-05-24 475136]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2007-03-02 208896]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-23 180269]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-05-29 16132608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2008-2-12 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
SMART Board Tools.lnk - c:\program files\SMART Board Software\SMARTBoardTools.exe [2006-9-18 3395584]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\daecefaddc]
[BU]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [12/02/2008 16:32 58048]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [22/05/2009 21:53 464264]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [13/04/2009 18:42 55152]
S0 92b0279ecab395a29c75138aa0b239ae;92b0279ecab395a29c75138aa0b239ae;c:\windows\system32\92b0279ecab395a29c75138aa0b239ae.sys --> c:\windows\system32\92b0279ecab395a29c75138aa0b239ae.sys [?]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 18:08 533360]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
2009-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\alee\Application Data\Mozilla\Firefox\Profiles\baxtqnt2.default\
FF - prefs.js: browser.startup.homepage - www.gmkonline.com
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 12:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(872)
c:\windows\system32\EntApi.dll
- - - - - - - > 'explorer.exe'(2256)
c:\windows\system32\EntApi.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchTrayHook.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO800u.dll
c:\acer\Empowering Technology\ePower\SysHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-10 12:45
ComboFix-quarantined-files.txt 2009-08-10 11:45
ComboFix2.txt 2009-08-10 11:17
ComboFix3.txt 2009-08-09 23:47
Pre-Run: 59,840,778,240 bytes free
Post-Run: 59,782,975,488 bytes free
209 --- E O F --- 2008-09-25 08:42
skybluelegend
2009-08-10, 13:46
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:20, on 10/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\SMART Technologies Inc\SMART Product Update\SmartProductUpdate.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231579077968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231579070250
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = curric.cardinalwiseman.coventry.sch.uk
O17 - HKLM\Software\..\Telephony: DomainName = curric.cardinalwiseman.coventry.sch.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = curric.cardinalwiseman.coventry.sch.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = curric.cardinalwiseman.coventry.sch.uk
O20 - Winlogon Notify: daecefaddc - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 10730 bytes
Its most likely gone but lets be sure
Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::
Driver::
92b0279ecab395a29c75138aa0b239ae.sys
Rootkit::
c:\windows\system32\_92b0279ecab395a29c75138aa0b239ae.sys_.vir
c:\windows\system32\92b0279ecab395a29c75138aa0b239ae.sys
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Rest of your logs look fine, how are things running now??
skybluelegend
2009-08-10, 15:02
ComboFix 09-08-09.03 - alee 10/08/2009 13:46.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.451 [GMT 1:00]
Running from: c:\documents and settings\alee\Desktop\Alex's Folder\Anti-Virus\Combo-Fix.exe
Command switches used :: c:\documents and settings\alee\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090707-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_92b0279ecab395a29c75138aa0b239ae
-------\Service_92b0279ecab395a29c75138aa0b239ae
((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.
2009-08-10 12:05 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-10 12:05 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-10 12:05 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-10 12:05 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-10 12:05 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-10 12:05 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-10 12:05 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-10 12:05 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-10 12:05 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-10 12:05 . 2009-08-10 12:05 -------- d-----w- c:\program files\Alwil Software
2009-08-10 11:21 . 2009-08-10 11:21 -------- d-----w- c:\program files\Trend Micro
2009-08-10 11:03 . 2009-08-10 12:46 -------- d-----w- C:\quarantine
2009-08-09 21:26 . 2009-08-09 21:26 0 ----a-w- c:\documents and settings\alee\settings.dat
2009-08-07 20:20 . 2009-08-07 21:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-07 20:20 . 2009-08-07 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-07 19:57 . 2009-08-07 19:57 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-07 19:56 . 2009-08-07 20:04 -------- d-----w- c:\documents and settings\alee\.housecall6.6
2009-08-07 15:33 . 2009-08-07 15:33 1924440 ----a-w- c:\documents and settings\alee\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-08 16:11 . 2009-08-08 16:12 2852864 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-08-07 10:15 . 2009-08-07 10:15 106074 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_07_10_59_06_small.dmp.zip
2009-07-20 22:36 . 2009-07-20 22:36 1867212 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-07-01 23:55 . 2008-02-12 11:47 -------- d-----w- c:\program files\Launch Manager
2009-06-29 18:39 . 2009-06-29 14:43 -------- d-----w- c:\program files\DivX
2009-06-29 14:51 . 2009-06-29 14:51 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-29 14:46 . 2009-06-29 14:46 -------- d-----w- c:\documents and settings\alee\Application Data\DivX
2009-06-22 23:00 . 2009-06-22 23:01 2621440 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-06-19 17:01 . 2009-01-22 18:41 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-06-16 16:21 . 2009-06-16 16:21 1915520 ----a-w- c:\documents and settings\alee\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-14 18:49 . 2009-06-14 18:48 34 ----a-w- c:\documents and settings\alee\jagex_runescape_preferences.dat
2009-06-14 15:29 . 2009-06-14 15:29 19010635 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2009_06_14_16_18_21_full.dmp.zip
2009-06-13 21:07 . 2009-06-13 21:07 0 ----a-w- c:\windows\nsreg.dat
2009-06-13 08:15 . 2009-01-03 13:19 -------- d-----w- c:\documents and settings\alee\Application Data\Ahead
2009-06-08 23:06 . 2009-06-09 19:43 2817536 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-05-29 10:42 . 2009-05-29 10:42 18652224 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2009_05_29_10_08_41_full.dmp.zip
2009-05-22 20:52 . 2009-05-22 20:52 4212 ---ha-w- c:\windows\system32\zllictbl.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-08-09_23.44.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-10 12:20 . 2009-08-10 12:20 16384 c:\windows\Temp\Perflib_Perfdata_b68.dat
+ 2009-08-10 12:53 . 2009-08-10 12:53 16384 c:\windows\Temp\Perflib_Perfdata_7b4.dat
+ 2009-08-10 12:16 . 2009-08-10 12:16 16384 c:\windows\Temp\Perflib_Perfdata_73c.dat
+ 2009-08-10 12:53 . 2009-08-10 12:53 16384 c:\windows\Temp\Perflib_Perfdata_4a4.dat
+ 2009-08-10 12:51 . 2009-08-10 12:51 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-10 12:51 . 2009-08-10 12:51 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-10 12:51 . 2009-08-10 12:51 299008 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-10 12:51 . 2009-08-10 12:51 229376 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-10 12:51 . 2009-08-10 12:51 229376 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-10 12:51 . 2009-08-10 12:51 8859648 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-21 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-21 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-21 138008]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-12 53248]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-02-12 850704]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-05-24 475136]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2007-03-02 208896]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-23 180269]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-05-29 16132608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2008-2-12 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
SMART Board Tools.lnk - c:\program files\SMART Board Software\SMARTBoardTools.exe [2006-9-18 3395584]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\daecefaddc]
[BU]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/08/2009 13:05 114768]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [12/02/2008 16:32 58048]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [22/05/2009 21:53 464264]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/08/2009 13:05 20560]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [13/04/2009 18:42 55152]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 18:08 533360]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
2009-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\alee\Application Data\Mozilla\Firefox\Profiles\baxtqnt2.default\
FF - prefs.js: browser.startup.homepage - www.gmkonline.com
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 13:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(876)
c:\windows\system32\EntApi.dll
- - - - - - - > 'explorer.exe'(3280)
c:\windows\system32\EntApi.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchTrayHook.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO800u.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\acer\Empowering Technology\ePower\SysHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Alwil Software\Avast4\Setup\avast.setup
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\SMART Board Software\SMARTBoardService.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\SMART Board Software\Aware.exe
c:\program files\SMART Board Software\Marker.exe
c:\docume~1\alee\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\Common Files\SMART Technologies Inc\SMART Product Update\SmartProductUpdate.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-08-10 14:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-10 13:00
ComboFix2.txt 2009-08-10 11:45
ComboFix3.txt 2009-08-10 11:17
ComboFix4.txt 2009-08-09 23:47
Pre-Run: 59,635,924,992 bytes free
Post-Run: 59,512,733,696 bytes free
267 --- E O F --- 2008-09-25 08:42
skybluelegend
2009-08-10, 15:03
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:03:32, on 10/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\DOCUME~1\alee\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\SMART Technologies Inc\SMART Product Update\SmartProductUpdate.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\mspaint.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231579077968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231579070250
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = curric.cardinalwiseman.coventry.sch.uk
O17 - HKLM\Software\..\Telephony: DomainName = curric.cardinalwiseman.coventry.sch.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = curric.cardinalwiseman.coventry.sch.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = curric.cardinalwiseman.coventry.sch.uk
O20 - Winlogon Notify: daecefaddc - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 11603 bytes
skybluelegend
2009-08-10, 15:05
I seem to be gettinting these pop ups on my desktop, suggesting I have a virus.
Here it is; http://img21.imageshack.us/img21/1031/problemzuh.png
Hi,
That Rootkit entry is now gone :bigthumb:
Remove this with HJT
O20 - Winlogon Notify: daecefaddc - C:\WINDOWS\
Your virus scan picked up a file in the temp folder and removed it.
Run this cleaner again.
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean
Post a new HJT log and let me take a final look
skybluelegend
2009-08-10, 18:13
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:11:42, on 10/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\alee\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\SMART Technologies Inc\SMART Product Update\SmartProductUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231579077968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231579070250
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = curric.cardinalwiseman.coventry.sch.uk
O17 - HKLM\Software\..\Telephony: DomainName = curric.cardinalwiseman.coventry.sch.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = curric.cardinalwiseman.coventry.sch.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = curric.cardinalwiseman.coventry.sch.uk
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 11641 bytes
I have downloaded avast free home edition from http://www.avast.com/ is this safe?
skybluelegend
2009-08-10, 18:14
although i still seem to be getting those pop ups in desktop:confused:
Hi,
Avast is fine but now you have TWO ANTI VIRUS PROGRAMS RUNNING not recommended, they will slow down your system and cause other issues, if you want to keep Avast, then you need to uninstall McAfee.
Your HJT log is clean.
although i still seem to be getting those pop ups in desktopThis tells me nothing, are they tracking cookies, trojans or what are they???
Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
skybluelegend
2009-08-10, 20:49
I do not have a clue what it is apart from a false virus alert, I have print screened what comes up;
http://img21.imageshack.us/img21/1031/problemzuh.png
Now running ESET will post results...
skybluelegend
2009-08-10, 20:55
I have tried to get into ESET in explorer but it is running without add ons and will not run, how do I enable add ons so I can run ESET?
skybluelegend
2009-08-10, 21:08
problem sorted, I will post log as soon as it is finished
skybluelegend
2009-08-10, 21:38
85 threats found, there was no option for a log just took me straight into purchase info.
skybluelegend
2009-08-10, 21:40
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16705 (vista_gdr.080618-1506)
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=3bda1fa8195f8b45bf8c184fe0db8245
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-08-10 07:37:22
# local_time=2009-08-10 08:37:22 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=769 21 100 100 21318125000
# scanned=61433
# found=85
# cleaned=85
# scan_time=1523
C:\Qoobox\Quarantine\C\WINDOWS\system32\daecefaddc.dll.vir Win32/Agent.BXE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\kdpini.dll.vir Win32/BHO.NKS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\quarantine\Av-test.txt.Vir Eicar test file (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\quarantine\Av-test.txt.Vir.0 Eicar test file (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\quarantine\Av-test.txt.Vir.1 Eicar test file (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP209\A0051285.sys probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP211\A0053523.exe Win32/TrojanDownloader.VB.NOY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP211\A0053539.exe a variant of Win32/TrojanDownloader.VB.NOY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP211\A0053553.exe Win32/TrojanDownloader.VB.NOY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP220\A0056025.sys probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP220\A0056066.dll Win32/Agent.BXE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP220\A0056067.dll Win32/Agent.BXE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP221\A0056111.dll Win32/Agent.BXE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP223\A0056238.rbf probably a variant of Win32/Adware.SpywareRemover.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP224\A0061631.dll Win32/BHO.NKS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP224\A0061846.dll Win32/Agent.BXE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP224\A0066256.dll a variant of Win32/Spy.Ambler trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServerCA0U9W3T.dll Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServerCA2JBWQK.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServerCA8ABUP3.dll Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServerCACIDI01.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServerCADUPT1W.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServerCAFTC6E2.dll Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServerCAZ91ZA3.dll Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[10].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[11].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[1].dll a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[2].dll a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[3].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[4].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[6].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[7].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[8].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[9].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\u570[1].ini a variant of Win32/BHO.NSD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\NewServer[1].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\NewServer[2].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\NewServer[3].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\NewServer[4].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\NewServer[5].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\NewServer[6].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\NewServer[7].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\NewServer[8].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\NewServer[9].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\q[2].exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\q[3].exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\u888[1].exe a variant of Win32/BHO.NSD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N1KUVA6P\NewServer[1].dll a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N1KUVA6P\NewServer[2].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N1KUVA6P\NewServer[3].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N1KUVA6P\NewServer[4].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N1KUVA6P\u167[1].ini a variant of Win32/BHO.NSD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N1KUVA6P\u295[1].mp3 a variant of Win32/BHO.NSD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N1KUVA6P\u437[1].nmp Win32/BHO.NNZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N1KUVA6P\u481[1].mp3 a variant of Win32/BHO.NSD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N1KUVA6P\u674[1].ini Win32/BHO.NNZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCA1AGKLI.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCA1T9V22.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCA51RL02.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCA6VDUMX.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCABW82FY.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCACT62EQ.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAD6HOU3.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAFL3HMS.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAFZCPPD.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAGRNEIX.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAHYHOKY.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAI8URNP.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAK0QAQ8.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAO3Q09S.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAS0VSZN.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAVUA0QJ.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAWNOUZT.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAY45DSU.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAYGXZ0J.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServer[10].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServer[11].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServer[1].dll a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServer[2].dll Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServer[3].dll Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServer[6].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServer[7].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServer[8].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServer[9].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\q[1].exe probably a variant of Win32/TrojanDownloader.Obfuscated trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
Ok,
Not to much to be worried about, lets clean out a few things.
The files in Qoobox are what Combofix removed
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
You had bad files in the Windows System Restore program, lets flush that all out, it was going to be part of your final clean up.
System Restore makes regular backups of all your settings, if you ever had to use this program to restore your system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points
Turn off System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.
Reboot your computer
Turn ON System Restore.
Right-click My Computer.
ClickProperties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.
Create a new Restore Point <-- Very Important
Go to Start> All Programs> Assesories> System Tools> System Restore and create a New Restore Point
System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it
Open up Internet Explorer and go to Tools> Internet Options> General Tab and delete all temp files, cookies and browsing history.
Then go to Start> Run and type in cleanmgr and have it remove all Temp Files and Temporary Internet Files.
Close IE when done.
Reboot your system and run ESET again and post the log please along with a new HJT log
skybluelegend
2009-08-11, 00:08
I don't know if this is the new log as there was only one saved to that area...
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16705 (vista_gdr.080618-1506)
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=3bda1fa8195f8b45bf8c184fe0db8245
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-08-10 07:37:22
# local_time=2009-08-10 08:37:22 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=769 21 100 100 21318125000
# scanned=61433
# found=85
# cleaned=85
# scan_time=1523
C:\Qoobox\Quarantine\C\WINDOWS\system32\daecefaddc.dll.vir Win32/Agent.BXE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\kdpini.dll.vir Win32/BHO.NKS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\quarantine\Av-test.txt.Vir Eicar test file (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\quarantine\Av-test.txt.Vir.0 Eicar test file (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\quarantine\Av-test.txt.Vir.1 Eicar test file (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP209\A0051285.sys probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP211\A0053523.exe Win32/TrojanDownloader.VB.NOY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP211\A0053539.exe a variant of Win32/TrojanDownloader.VB.NOY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP211\A0053553.exe Win32/TrojanDownloader.VB.NOY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP220\A0056025.sys probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP220\A0056066.dll Win32/Agent.BXE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP220\A0056067.dll Win32/Agent.BXE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP221\A0056111.dll Win32/Agent.BXE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP223\A0056238.rbf probably a variant of Win32/Adware.SpywareRemover.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP224\A0061631.dll Win32/BHO.NKS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP224\A0061846.dll Win32/Agent.BXE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5039AE2F-7CD7-4B8A-8F95-42A41EEFEACA}\RP224\A0066256.dll a variant of Win32/Spy.Ambler trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServerCA0U9W3T.dll Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServerCA2JBWQK.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServerCA8ABUP3.dll Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServerCACIDI01.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServerCADUPT1W.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServerCAFTC6E2.dll Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServerCAZ91ZA3.dll Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[10].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[11].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[1].dll a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[2].dll a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[3].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[4].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[6].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[7].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[8].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\NewServer[9].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H9SK8VWX\u570[1].ini a variant of Win32/BHO.NSD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\NewServer[1].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\NewServer[2].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\NewServer[3].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\NewServer[4].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\NewServer[5].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\NewServer[6].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\NewServer[7].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\NewServer[8].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\NewServer[9].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\q[2].exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\q[3].exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KYHR1TUM\u888[1].exe a variant of Win32/BHO.NSD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N1KUVA6P\NewServer[1].dll a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N1KUVA6P\NewServer[2].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N1KUVA6P\NewServer[3].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N1KUVA6P\NewServer[4].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N1KUVA6P\u167[1].ini a variant of Win32/BHO.NSD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N1KUVA6P\u295[1].mp3 a variant of Win32/BHO.NSD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N1KUVA6P\u437[1].nmp Win32/BHO.NNZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N1KUVA6P\u481[1].mp3 a variant of Win32/BHO.NSD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N1KUVA6P\u674[1].ini Win32/BHO.NNZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCA1AGKLI.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCA1T9V22.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCA51RL02.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCA6VDUMX.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCABW82FY.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCACT62EQ.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAD6HOU3.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAFL3HMS.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAFZCPPD.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAGRNEIX.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAHYHOKY.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAI8URNP.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAK0QAQ8.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAO3Q09S.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAS0VSZN.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAVUA0QJ.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAWNOUZT.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAY45DSU.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServerCAYGXZ0J.dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServer[10].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServer[11].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServer[1].dll a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServer[2].dll Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServer[3].dll Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServer[6].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServer[7].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServer[8].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\NewServer[9].dll probably a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UHWABQMN\q[1].exe probably a variant of Win32/TrojanDownloader.Obfuscated trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
esets_scanner_update returned -1 esets_gle=53251
# version=6
# iexplore.exe=7.00.6000.16705 (vista_gdr.080618-1506)
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=3bda1fa8195f8b45bf8c184fe0db8245
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-08-10 10:07:39
# local_time=2009-08-10 11:07:39 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=769 21 100 100 15180937500
# scanned=56062
# found=0
# cleaned=0
# scan_time=1378
skybluelegend
2009-08-11, 00:09
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:10:36, on 10/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\DOCUME~1\alee\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\SMART Technologies Inc\SMART Product Update\SmartProductUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) -
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} -
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = curric.cardinalwiseman.coventry.sch.uk
O17 - HKLM\Software\..\Telephony: DomainName = curric.cardinalwiseman.coventry.sch.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = curric.cardinalwiseman.coventry.sch.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = curric.cardinalwiseman.coventry.sch.uk
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 10451 bytes
The ESET log is same one you posted earlier. If you saved it to your desktop as per instructions, delete it , run the scan again and post the new log.
Look though the instructions for saving the log and make sure you post the correct one
skybluelegend
2009-08-11, 01:18
Hi Ken, ESET is currently scanning, after it finishes it just takes me away from the scan to the purchase page, where should the log be? Sorry for my lack of computer knowledge.
Not to worry, this stuff gets a bit confusing sometime.
Try here, read the date on the log, it should be current
C:\Program Files\EsetOnlineScanner\log.txt
skybluelegend
2009-08-11, 01:26
Whilst it is scanning may I ask; is it worth keeping the programmes/applications that you have previuosly told me to install such as TFC, rootrepeal and HJT for futur scenarios?
skybluelegend
2009-08-11, 01:40
esets_scanner_update returned -1 esets_gle=53251
# version=6
# iexplore.exe=7.00.6000.16705 (vista_gdr.080618-1506)
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=3bda1fa8195f8b45bf8c184fe0db8245
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-08-10 11:39:37
# local_time=2009-08-11 12:39:37 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=769 21 100 100 64940937500
# scanned=58315
# found=0
# cleaned=0
# scan_time=1399
skybluelegend
2009-08-11, 01:41
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:42:41, on 11/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\DOCUME~1\alee\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\SMART Technologies Inc\SMART Product Update\SmartProductUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) -
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} -
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = curric.cardinalwiseman.coventry.sch.uk
O17 - HKLM\Software\..\Telephony: DomainName = curric.cardinalwiseman.coventry.sch.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = curric.cardinalwiseman.coventry.sch.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = curric.cardinalwiseman.coventry.sch.uk
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 10289 bytes
Wonderfull :bigthumb:
Your all clean
Lets update your Java to make your system more secure
Go to your Control Panel and click on the Java Icon ( looks like a little coffee cup ) click on About and you should have Version 6 Update 15, if not proceed with the instructions.
Download the latest version Here (http://java.sun.com/javase/downloads/index.jsp) save it, do not install it yet.
Java SE Runtime Environment (JRE)JRE 6 Update 15 <--The wording is confusing but this is what you need
Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
Reboot your computer
Install the latest version
You can verify the installation Here (http://www.java.com/en/download/help/testvm.xml)
HJT <--You can keep it, hopefully you wont need it again
RootRepeal <---Drag it to the trash, if you need it again you can redownload it
TFC <--Yours to keep, run it about once aweek to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Safe Surfn
Ken
skybluelegend
2009-08-11, 02:01
Thanks ever so much Ken, you have been extremly helpful and also very patient, sorry for being a bit slow along the way but we got their in the end! Thanks once again!:thanks::bigthumb::D:
I have sent you a friend request, can you accept it or can you only accept other helpers?
Got it.
Must be 2 or 3 am on your side of the pond :)
Take Care,
Ken
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.