Win32.TDSS.rtk <--- please help remove
I think I have Win32.TDSS.rtk.
It shows up on Spybot when I scan, and I can't remove it because it seems to come back, and when I try to jump to the location it says the item/directory doesn't exist, so please help. I have since stopped trying to remove the virus.
By the way, on Windows Defender there was another threat found called fraudspamguard2009 or something like that, and I searched for the file and deleted it. Sorry in advance if that screws something up =(
All the file names (as far as I know) begin with the letters g-e-y, et cetera.
Thanks for the help.
Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:28 PM, on 8/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\V0350Mon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\PeoplePC\ISP6200\Browser\Bartshel.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\PeoplePC\ISP6200\Browser\PPShared.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60284
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60284
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60284
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60284
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {0B5549E3-CE42-4020-A1FF-6FCBDB40A7BE} - (no file)
O2 - BHO: (no name) - {37419DC5-DAD1-4B53-82D0-CCADC072F7AA} - (no file)
O2 - BHO: (no name) - {484CAC38-0B9B-4368-AC51-78FC3A4E1717} - (no file)
O2 - BHO: (no name) - {4F98D354-4D0F-460A-B845-74BFED7F7A01} - (no file)
O2 - BHO: (no name) - {52972D89-EAB9-4D1E-9C45-9FB3C4813C73} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {545EDD84-D244-4851-BF68-9BFC2E6C05D5} - (no file)
O2 - BHO: (no name) - {57ABCA2B-92D8-4D59-8227-7863F4712286} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {685DE641-E362-4C47-BBDC-67FFA87E0CB6} - (no file)
O2 - BHO: (no name) - {6DC20758-C26B-4A03-90B4-06DB1F2A3B17} - (no file)
O2 - BHO: (no name) - {73730DBE-E9F4-4CAB-8342-42B691293004} - (no file)
O2 - BHO: (no name) - {7A571ED2-44F6-460A-B661-BDEA98301316} - (no file)
O2 - BHO: GrandBar IE Helper - {84BA8988-33E1-4c89-A150-BF428E8D3213} - C:\Program Files\GrandPack\GrandPack2.dll
O2 - BHO: (no name) - {87FB19DF-B56E-476D-962A-E3648CB40844} - (no file)
O2 - BHO: (no name) - {8FBA0A7F-F9C6-4B81-A5B8-5B50B892E777} - (no file)
O2 - BHO: (no name) - {977611CB-984B-467D-9FD6-78A5C5B3BA43} - (no file)
O2 - BHO: (no name) - {98DD771F-ACAA-443A-A779-77777CAA987D} - (no file)
O2 - BHO: (no name) - {A8CAFE93-49E6-4D2E-9957-A35500AA6C93} - (no file)
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll (disabled by BHODemon)
O2 - BHO: (no name) - {A920B58C-2670-4C43-B33A-06F8FF946CCA} - (no file)
O2 - BHO: (no name) - {A9C89BB3-FD10-4F30-9833-A4E83719C372} - (no file)
O2 - BHO: (no name) - {C9993CEA-2DF6-44AB-9D0A-537FF89499D6} - (no file)
O2 - BHO: (no name) - {E1D48A79-165C-4522-B167-57AD7F69FF14} - (no file)
O2 - BHO: (no name) - {E4AF1F7B-D38B-4C93-8F6B-4A1DEB6403C5} - (no file)
O2 - BHO: (no name) - {E6C03226-B6B3-4C28-8713-32819A984C3A} - (no file)
O2 - BHO: (no name) - {EBDA4825-C3DF-4A60-9B47-2488B71D3A12} - (no file)
O2 - BHO: (no name) - {FC584D85-280E-42F8-A4A8-43587A912298} - (no file)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O2 - BHO: (no name) - {FF772D70-A3E4-4F5D-9294-2498781ACE5E} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll__BHODemonDisabled (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "c:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6200\BIN\PPCOLink.exe -STATION
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFA71DEB-421F-4F4F-AB36-A006E1FA1EF0}: NameServer = 207.69.188.167 207.69.188.166
O20 - Winlogon Notify: iifDvVlm - iifDvVlm.dll (file missing)
O20 - Winlogon Notify: ljJCtUkj - ljJCtUkj.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - c:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\MSJB NA02D Shared\Service\Software Jukebox v2.0 Service File.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 14425 bytes
I might take a bit of time to respond because I am avoiding too much internet access until this virus is gone.
I hope I did everything correctly and according to site protocols, and thanks in advance again for helping me get rid of this virus (I hate viruses; they make me very paranoid).
Hi mchea,
Please post the next Spybot report :)
http://forums.spybot.info/showthread.php?p=330012#post330012
Uh, the report was too long to fit,
so what should I do?
And the report you want is in Tools - View Report, right?
This should help :)
Produce a short log (showing items flagged)
* Open SpyBot.
* Check for problems.
* When the scan completes, right click on the results list, select "Copy results to clipboard".
* Paste (Ctrl+V) those results into a new post.
This is the latest log, but I didn't do anything because Win32.TDSS.rtk just disappeared after I ran ERUNT and HijackThis some days ago.
Though I did find one file and fixed it using Spybot.
I'll put up a log that shows the virus while Spybot still picked it up (and maybe a third one from after I ran HJT and ERUNT, if you need it).
I can now manually find the virus files on my computer though (after ERUNT and HJT).
Congratulations!: No immediate threats were found. (Status)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2008-07-07 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-02-25 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-08-18 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-08-19 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-08-04 Includes\HijackersC.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-07-30 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-08-19 Includes\Malware.sbi (*)
2009-08-19 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-08-18 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-07-30 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-08-11 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-08-19 Includes\Trojans.sbi (*)
2009-08-19 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
--------------------------
This is one report (of many) where the virus showed up.
--------------------------
--- Report generated: 2009-07-31 22:16 ---
Win32.TDSS.rtk: [SBI $1473B578] File (File, fixed)
C:\WINDOWS\system32\drivers\geyekrmlxrjtkl.sys
Properties.size=0
Properties.md5=571F2EAA4A7488C33A786A7E56917FA7
Win32.TDSS.rtk: [SBI $5CC20837] File (File, fixed)
C:\WINDOWS\system32\geyekrkbibqrwp.dll
Properties.size=0
Properties.md5=064315D9C9153CC7C6B2450AA95C776B
Win32.TDSS.rtk: [SBI $5CC20837] File (File, fixed)
C:\WINDOWS\system32\geyekrppjdultp.dll
Properties.size=0
Properties.md5=C51243FA8F70570A881D35790D8BB310
Win32.TDSS.rtk: [SBI $0419F0A4] File (File, fixed)
C:\WINDOWS\system32\geyekruhylqgof.dat
Properties.size=0
Properties.md5=80FDC386BDF91202ACC02A664ACD3A5E
Win32.TDSS.rtk: [SBI $0419F0A4] File (File, fixed)
C:\WINDOWS\system32\geyekrwxjbogik.dat
Properties.size=0
Properties.md5=C4661D251793BC48937AF6946FCA0F56
Right Media: Tracking cookie (Internet Explorer: HP_Owner) (Cookie, fixed)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2008-07-07 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-02-25 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-07-28 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-07-28 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-07-28 Includes\HijackersC.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-07-28 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-07-14 Includes\Malware.sbi (*)
2009-07-28 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-07-28 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-07-28 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-07-28 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-07-22 Includes\Trojans.sbi (*)
2009-07-28 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site (http://hype.free.googlepages.com/gmer.zip)
Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).)
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html).
Important! Please do not select the "Show all" checkbox during the scan.
The stuff in Marc's and Kevin's folders may have weird names but isn't anything bad (just so you know).
AHH!! Hidden bad stuff! It's right THERE! (dun dun)
GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-25 18:46:01
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.15 ----
SSDT 8986B998 ZwConnectPort
---- Kernel code sections - GMER 1.0.15 ----
.text win32k.sys!EngAcquireSemaphore + 20E2 BF8084A5 5 Bytes JMP 89A7C4D0
.text win32k.sys!EngFreeUserMem + 5B9B BF80EFF5 5 Bytes JMP 89A7C430
.text win32k.sys!EngUnmapFontFileFD + E0A5 BF84CCE6 5 Bytes JMP 89A7C610
.text win32k.sys!EngGradientFill + 1EE4 BF8AD239 5 Bytes JMP 89A7C570
.text win32k.sys!EngStretchBltROP + 9A8B BF8BA12B 5 Bytes JMP 89A7C750
.text win32k.sys!EngAlphaBlend + 3E8 BF8C3205 5 Bytes JMP 89A7C6B0
.text win32k.sys!PATHOBJ_vGetBounds + 74EC BF8F0126 5 Bytes JMP 89A7C7F0
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3300] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\geyekrmlxrjtkl.sys (*** hidden *** ) [SYSTEM] geyekryavbotxu <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekryavbotxu@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekryavbotxu@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekryavbotxu@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekryavbotxu@imagepath \systemroot\system32\drivers\geyekrmlxrjtkl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekryavbotxu\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekryavbotxu\main@aid 10096
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekryavbotxu\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekryavbotxu\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekryavbotxu\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekryavbotxu\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekryavbotxu\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekryavbotxu\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekryavbotxu\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekryavbotxu\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrmlxrjtkl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekryavbotxu\modules@geyekrcmd.dll \systemroot\system32\geyekrppjdultp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekryavbotxu\modules@geyekrlog.dat \systemroot\system32\geyekrwxjbogik.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekryavbotxu\modules@geyekrwsp.dll \systemroot\system32\geyekrkbibqrwp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekryavbotxu\modules@geyekr.dat \systemroot\system32\geyekruhylqgof.dat
Reg HKLM\SYSTEM\ControlSet003\Services\geyekryavbotxu@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\geyekryavbotxu@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\geyekryavbotxu@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\geyekryavbotxu@imagepath \systemroot\system32\drivers\geyekrmlxrjtkl.sys
Reg HKLM\SYSTEM\ControlSet003\Services\geyekryavbotxu\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekryavbotxu\main@aid 10096
Reg HKLM\SYSTEM\ControlSet003\Services\geyekryavbotxu\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\geyekryavbotxu\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\geyekryavbotxu\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekryavbotxu\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekryavbotxu\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\geyekryavbotxu\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekryavbotxu\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekryavbotxu\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrmlxrjtkl.sys
Reg HKLM\SYSTEM\ControlSet003\Services\geyekryavbotxu\modules@geyekrcmd.dll \systemroot\system32\geyekrppjdultp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\geyekryavbotxu\modules@geyekrlog.dat \systemroot\system32\geyekrwxjbogik.dat
Reg HKLM\SYSTEM\ControlSet003\Services\geyekryavbotxu\modules@geyekrwsp.dll \systemroot\system32\geyekrkbibqrwp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\geyekryavbotxu\modules@geyekr.dat \systemroot\system32\geyekruhylqgof.dat
---- Files - GMER 1.0.15 ----
File C:\Documents and Settings\HP_Owner\My Documents\My Pictures\kevin's pics\King Guy Files\Knai.data\gas 15.data\gas 14.data\gas 13.data\gas 10.data\gas 11.data\gas 12.data\gas 9.data\gas 8.data\gas 7.data\gas 4.data\gas 5.data\gas 6.data\gas 3.data\gas 2.data\001.001.png 113821 bytes
File C:\Documents and Settings\HP_Owner\My Documents\My Pictures\kevin's pics\King Guy Files\Knai.data\gas 15.data\gas 14.data\gas 13.data\gas 10.data\gas 11.data\gas 12.data\gas 9.data\gas 8.data\gas 7.data\gas 4.data\gas 5.data\gas 6.data\gas 3.data\gas 2.data\002.001.vec 53 bytes
File C:\Documents and Settings\HP_Owner\My Documents\My Pictures\kevin's pics\King Guy Files\Knai.data\gas 15.data\gas 14.data\gas 13.data\gas 10.data\gas 11.data\gas 12.data\gas 9.data\gas 8.data\gas 7.data\gas 4.data\gas 5.data\gas 6.data\gas 3.data\gas 2.data\gas 1.data 0 bytes
File C:\Documents and Settings\HP_Owner\My Documents\My Pictures\kevin's pics\King Guy Files\Knai.data\gas 15.data\gas 14.data\gas 13.data\gas 10.data\gas 11.data\gas 12.data\gas 9.data\gas 8.data\gas 7.data\gas 4.data\gas 5.data\gas 6.data\gas 3.data\gas 2.data\gas 1.data\001.001.png 50525 bytes
File C:\Documents and Settings\HP_Owner\My Documents\My Pictures\kevin's pics\King Guy Files\Knai.data\gas 15.data\gas 14.data\gas 13.data\gas 10.data\gas 11.data\gas 12.data\gas 9.data\gas 8.data\gas 7.data\gas 4.data\gas 5.data\gas 6.data\gas 3.data\gas 2.data\gas 1.data\002.001.vec 53 bytes
File C:\Documents and Settings\HP_Owner\My Documents\My Pictures\kevin's pics\King Guy Files\Knai.data\gas 15.data\gas 14.data\gas 13.data\gas 10.data\gas 11.data\gas 12.data\gas 9.data\gas 8.data\gas 7.data\gas 4.data\gas 5.data\gas 6.data\gas 3.data\gas 2.data\gas 1.data\palette.xml 1530 bytes
File C:\Documents and Settings\HP_Owner\My Documents\My Pictures\kevin's pics\King Guy Files\Knai.data\gas 15.data\gas 14.data\gas 13.data\gas 10.data\gas 11.data\gas 12.data\gas 9.data\gas 8.data\gas 7.data\gas 4.data\gas 5.data\gas 6.data\gas 3.data\gas 2.data\gas 1.data\Thumbs.db 7680 bytes
File C:\Documents and Settings\HP_Owner\My Documents\My Pictures\kevin's pics\King Guy Files\Knai.data\gas 15.data\gas 14.data\gas 13.data\gas 10.data\gas 11.data\gas 12.data\gas 9.data\gas 8.data\gas 7.data\gas 4.data\gas 5.data\gas 6.data\gas 3.data\gas 2.data\palette.xml 1530 bytes
File C:\Documents and Settings\HP_Owner\My Documents\My Pictures\kevin's pics\King Guy Files\Knai.data\gas 15.data\gas 14.data\gas 13.data\gas 10.data\gas 11.data\gas 12.data\gas 9.data\gas 8.data\gas 7.data\gas 4.data\gas 5.data\gas 6.data\gas 3.data\gas 2.data\Thumbs.db 5632 bytes
---- EOF - GMER 1.0.15 ----
Yes we have a rootkit.
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs, see here. (http://www.bleepingcomputer.com/forums/topic114351.html)
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
sorry about the late response, internet was acting funny
ComboFix log
ComboFix 09-08-27.02 - HP_Owner 08/29/2009 20:26.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1919.1430 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\GetModule
c:\program files\PeoplePC\Toolbar\PPCToolbar.dll
c:\recycler\S-1-5-21-240816582-765764969-4128011640-1009
c:\recycler\S-1-5-21-284714857-4030919976-3652047588-1003
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Installer\11828.msi
c:\windows\Installer\1fb3ae.msi
c:\windows\Installer\2d39a.msi
c:\windows\Installer\2ff7ae.msi
c:\windows\Installer\612bde.msi
c:\windows\Installer\78ce3.msi
c:\windows\system32\bgqrmygy.ini
c:\windows\system32\cont_globaladsolution-remove.exe
c:\windows\system32\dogqyvlh.dll
c:\windows\system32\drivers\geyekrmlxrjtkl.sys
c:\windows\system32\fiybytyx.ini
c:\windows\system32\geyekrppjdultp.dll
c:\windows\system32\geyekruhylqgof.dat
c:\windows\system32\geyekrwxjbogik.dat
c:\windows\system32\gufxnfgr.ini
c:\windows\system32\gxdooysw.ini
c:\windows\system32\ievbvqwq.ini
c:\windows\system32\ifqutibr.ini
c:\windows\system32\itesllwa.ini
c:\windows\system32\ivsfokhk.ini
c:\windows\system32\jhtmbjkh.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mrarhxon.ini
c:\windows\system32\ngeetobr.ini
c:\windows\system32\nlqpuded.ini
c:\windows\system32\onvblvne.ini
c:\windows\system32\peyegffp.ini
c:\windows\system32\ps2.bat
c:\windows\system32\rpnorjxd.ini
c:\windows\system32\vsipwhdh.ini
c:\windows\system32\yeeqpaks.ini
c:\windows\viassary-hp.reg
c:\windows\wiaserviv.log
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_geyekryavbotxu
-------\Service_geyekryavbotxu
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
.
2009-08-29 23:07 . 2009-08-29 23:07 -------- d-----w- c:\program files\SymNetDrv
2009-08-29 22:50 . 2009-08-29 22:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Motive
2009-08-29 22:46 . 2009-08-29 22:46 78968 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 22:26 . 2009-08-29 22:26 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-15 16:15 . 2009-08-15 16:15 -------- d-----w- c:\windows\ServicePackFiles
2009-08-15 02:56 . 2009-08-15 02:56 -------- d-----w- c:\program files\Trend Micro
2009-08-15 02:54 . 2009-08-15 02:54 -------- d-----w- c:\program files\ERUNT
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 01:32 . 2009-08-30 01:32 3645 ----a-w- c:\windows\viassary-hp.reg
2009-08-29 23:08 . 2004-12-02 06:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-29 23:07 . 2004-12-02 06:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-29 19:04 . 2009-05-12 02:31 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\gtk-2.0
2009-08-29 19:04 . 2009-05-12 02:31 -------- d-----w- c:\docume~1\HP_Owner\APPLIC~1\gtk-2.0
2009-08-23 19:45 . 2009-02-23 23:55 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Audacity
2009-08-23 19:45 . 2009-02-23 23:55 -------- d-----w- c:\docume~1\HP_Owner\APPLIC~1\Audacity
2009-08-21 03:53 . 2008-03-18 05:58 4556 ----a-w- c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2009-08-21 03:53 . 2008-03-18 05:58 4556 ----a-w- c:\docume~1\HP_Owner\APPLIC~1\wklnhst.dat
2009-08-05 09:11 . 2004-08-04 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 18:18 . 2008-04-28 18:54 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-08-01 02:22 . 2009-01-02 23:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-30 01:30 . 2008-10-11 23:18 34 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat
2009-07-17 18:55 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-04 11:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 11:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:55 . 2004-08-04 11:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2004-08-04 18:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-04 11:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2008-11-22 23:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2004-08-04 11:00 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2004-08-04 11:00 1290752 ----a-w- c:\windows\system32\quartz.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Creative Live! Cam Manager"="c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2007-06-07 155648]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-09-02 716800]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-12-02 180269]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-06-05 286720]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-08-13 58488]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-18 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"V0350Mon.exe"="c:\windows\V0350Mon.exe" [2007-06-04 32768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-20 286720]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Bart Station"="c:\program files\PeoplePC\ISP6200\BIN\PPCOLink.exe" [2005-07-25 20480]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-08-29 111840]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
HP Organize.lnk - c:\program files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-12-2 36864]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\PMremind.exe [2008-10-30 442368]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-29 241664]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
OKI LPR Utility.lnk - c:\program files\Okidata\OKI LPR Utility\okilpr.exe [2005-3-3 151552]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-12-2 45056]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [9/2/2008 7:33 AM 100352]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 VF0350Afx;VF0350 Audio FX;c:\windows\system32\drivers\V0350Afx.sys [3/26/2008 9:34 AM 142656]
S3 VF0350Vfx;VF0350 Video FX;c:\windows\system32\drivers\V0350Vfx.sys [3/26/2008 9:34 AM 7424]
S3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\system32\drivers\V0350Vid.sys [3/26/2008 9:34 AM 170368]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder
2009-08-28 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-02 08:26]
.
- - - - ORPHANS REMOVED - - - -
BHO-{0B5549E3-CE42-4020-A1FF-6FCBDB40A7BE} - (no file)
BHO-{37419DC5-DAD1-4B53-82D0-CCADC072F7AA} - (no file)
BHO-{484CAC38-0B9B-4368-AC51-78FC3A4E1717} - (no file)
BHO-{4F98D354-4D0F-460A-B845-74BFED7F7A01} - (no file)
BHO-{52972D89-EAB9-4D1E-9C45-9FB3C4813C73} - (no file)
BHO-{545EDD84-D244-4851-BF68-9BFC2E6C05D5} - (no file)
BHO-{57ABCA2B-92D8-4D59-8227-7863F4712286} - (no file)
BHO-{685DE641-E362-4C47-BBDC-67FFA87E0CB6} - (no file)
BHO-{6DC20758-C26B-4A03-90B4-06DB1F2A3B17} - (no file)
BHO-{73730DBE-E9F4-4CAB-8342-42B691293004} - (no file)
BHO-{7A571ED2-44F6-460A-B661-BDEA98301316} - (no file)
BHO-{87FB19DF-B56E-476D-962A-E3648CB40844} - (no file)
BHO-{8FBA0A7F-F9C6-4B81-A5B8-5B50B892E777} - (no file)
BHO-{977611CB-984B-467D-9FD6-78A5C5B3BA43} - (no file)
BHO-{98DD771F-ACAA-443A-A779-77777CAA987D} - (no file)
BHO-{A8CAFE93-49E6-4D2E-9957-A35500AA6C93} - (no file)
BHO-{A920B58C-2670-4C43-B33A-06F8FF946CCA} - (no file)
BHO-{A9C89BB3-FD10-4F30-9833-A4E83719C372} - (no file)
BHO-{C9993CEA-2DF6-44AB-9D0A-537FF89499D6} - (no file)
BHO-{E1D48A79-165C-4522-B167-57AD7F69FF14} - (no file)
BHO-{E4AF1F7B-D38B-4C93-8F6B-4A1DEB6403C5} - (no file)
BHO-{E6C03226-B6B3-4C28-8713-32819A984C3A} - (no file)
BHO-{EBDA4825-C3DF-4A60-9B47-2488B71D3A12} - (no file)
BHO-{FC584D85-280E-42F8-A4A8-43587A912298} - (no file)
BHO-{FF772D70-A3E4-4F5D-9294-2498781ACE5E} - (no file)
HKLM-Run-WT GameChannel - c:\program files\WildTangent\Apps\GameChannel.exe
Notify-dimsntfy - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\HP_Owner\APPLIC~1\Mozilla\Firefox\Profiles\5hkrohs1.default\
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-29 20:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(312)
c:\windows\system32\WININET.dll
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Sandboxie\SbieSvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\PeoplePC\ISP6200\Browser\BartShel.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\progra~1\PeoplePC\ISP6200\Browser\PPShared.exe
.
**************************************************************************
.
Completion time: 2009-08-30 20:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-30 01:35
Pre-Run: 133,058,654,208 bytes free
Post-Run: 133,323,644,928 bytes free
241 --- E O F --- 2009-08-27 14:33
hijackthis log =================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:28 PM, on 8/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\V0350Mon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\PeoplePC\ISP6200\Browser\Bartshel.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PeoplePC\ISP6200\Browser\PPShared.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60284
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60284
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {0B5549E3-CE42-4020-A1FF-6FCBDB40A7BE} - (no file)
O2 - BHO: (no name) - {37419DC5-DAD1-4B53-82D0-CCADC072F7AA} - (no file)
O2 - BHO: (no name) - {484CAC38-0B9B-4368-AC51-78FC3A4E1717} - (no file)
O2 - BHO: (no name) - {4F98D354-4D0F-460A-B845-74BFED7F7A01} - (no file)
O2 - BHO: (no name) - {52972D89-EAB9-4D1E-9C45-9FB3C4813C73} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {545EDD84-D244-4851-BF68-9BFC2E6C05D5} - (no file)
O2 - BHO: (no name) - {57ABCA2B-92D8-4D59-8227-7863F4712286} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {685DE641-E362-4C47-BBDC-67FFA87E0CB6} - (no file)
O2 - BHO: (no name) - {6DC20758-C26B-4A03-90B4-06DB1F2A3B17} - (no file)
O2 - BHO: (no name) - {73730DBE-E9F4-4CAB-8342-42B691293004} - (no file)
O2 - BHO: (no name) - {7A571ED2-44F6-460A-B661-BDEA98301316} - (no file)
O2 - BHO: (no name) - {87FB19DF-B56E-476D-962A-E3648CB40844} - (no file)
O2 - BHO: (no name) - {8FBA0A7F-F9C6-4B81-A5B8-5B50B892E777} - (no file)
O2 - BHO: (no name) - {977611CB-984B-467D-9FD6-78A5C5B3BA43} - (no file)
O2 - BHO: (no name) - {98DD771F-ACAA-443A-A779-77777CAA987D} - (no file)
O2 - BHO: (no name) - {A8CAFE93-49E6-4D2E-9957-A35500AA6C93} - (no file)
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: (no name) - {A920B58C-2670-4C43-B33A-06F8FF946CCA} - (no file)
O2 - BHO: (no name) - {A9C89BB3-FD10-4F30-9833-A4E83719C372} - (no file)
O2 - BHO: (no name) - {C9993CEA-2DF6-44AB-9D0A-537FF89499D6} - (no file)
O2 - BHO: (no name) - {E1D48A79-165C-4522-B167-57AD7F69FF14} - (no file)
O2 - BHO: (no name) - {E4AF1F7B-D38B-4C93-8F6B-4A1DEB6403C5} - (no file)
O2 - BHO: (no name) - {E6C03226-B6B3-4C28-8713-32819A984C3A} - (no file)
O2 - BHO: (no name) - {EBDA4825-C3DF-4A60-9B47-2488B71D3A12} - (no file)
O2 - BHO: (no name) - {FC584D85-280E-42F8-A4A8-43587A912298} - (no file)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O2 - BHO: (no name) - {FF772D70-A3E4-4F5D-9294-2498781ACE5E} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6200\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\MSJB NA02D Shared\Service\Software Jukebox v2.0 Service File.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 12328 bytes
We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to this, go to the Mode menu and select "Advanced Mode".
3. On the left-hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
After that, please rerun ComboFix and post back a fresh ComboFix log and a fresh HijackThis log.
HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:00:51 PM, on 8/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\V0350Mon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PeoplePC\ISP6200\Browser\Bartshel.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PeoplePC\ISP6200\Browser\PPShared.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60284
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60284
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6200\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\MSJB NA02D Shared\Service\Software Jukebox v2.0 Service File.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 9882 bytes
ComboFix log
ComboFix 09-08-27.02 - HP_Owner 08/31/2009 18:50.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1919.1476 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Owner\Local Settings\Temp\IadHide5.dll
c:\windows\viassary-hp.reg
.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.
2009-08-29 23:07 . 2009-08-29 23:07 -------- d-----w- c:\program files\SymNetDrv
2009-08-29 22:50 . 2009-08-29 22:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Motive
2009-08-29 22:46 . 2009-08-29 22:46 78968 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 22:26 . 2009-08-29 22:26 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-15 16:15 . 2009-08-15 16:15 -------- d-----w- c:\windows\ServicePackFiles
2009-08-15 02:56 . 2009-08-15 02:56 -------- d-----w- c:\program files\Trend Micro
2009-08-15 02:54 . 2009-08-15 02:54 -------- d-----w- c:\program files\ERUNT
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 12:50 . 2008-04-28 18:54 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-08-29 23:08 . 2004-12-02 06:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-29 23:07 . 2004-12-02 06:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-29 19:04 . 2009-05-12 02:31 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\gtk-2.0
2009-08-29 19:04 . 2009-05-12 02:31 -------- d-----w- c:\docume~1\HP_Owner\APPLIC~1\gtk-2.0
2009-08-23 19:45 . 2009-02-23 23:55 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Audacity
2009-08-23 19:45 . 2009-02-23 23:55 -------- d-----w- c:\docume~1\HP_Owner\APPLIC~1\Audacity
2009-08-21 03:53 . 2008-03-18 05:58 4556 ----a-w- c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2009-08-21 03:53 . 2008-03-18 05:58 4556 ----a-w- c:\docume~1\HP_Owner\APPLIC~1\wklnhst.dat
2009-08-05 09:11 . 2004-08-04 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-01 02:22 . 2009-01-02 23:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-30 01:30 . 2008-10-11 23:18 34 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat
2009-07-17 18:55 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-04 11:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 11:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-16 14:55 . 2004-08-04 11:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2004-08-04 18:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-04 11:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2008-11-22 23:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2004-08-04 11:00 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2004-08-04 11:00 1290752 ----a-w- c:\windows\system32\quartz.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-30_01.32.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-31 00:05 . 2009-08-31 23:48 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-31 00:05 . 2009-08-31 23:48 32768 c:\windows\temp\History\History.IE5\index.dat
+ 2009-08-31 00:05 . 2009-08-31 23:48 16384 c:\windows\temp\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Creative Live! Cam Manager"="c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2007-06-07 155648]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-09-02 716800]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-12-02 180269]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-06-05 286720]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-08-13 58488]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-18 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"V0350Mon.exe"="c:\windows\V0350Mon.exe" [2007-06-04 32768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-20 286720]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Bart Station"="c:\program files\PeoplePC\ISP6200\BIN\PPCOLink.exe" [2005-07-25 20480]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-08-29 111840]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
HP Organize.lnk - c:\program files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-12-2 36864]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\PMremind.exe [2008-10-30 442368]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-29 241664]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
OKI LPR Utility.lnk - c:\program files\Okidata\OKI LPR Utility\okilpr.exe [2005-3-3 151552]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-12-2 45056]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
[BU]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [9/2/2008 7:33 AM 100352]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 VF0350Afx;VF0350 Audio FX;c:\windows\system32\drivers\V0350Afx.sys [3/26/2008 9:34 AM 142656]
S3 VF0350Vfx;VF0350 Video FX;c:\windows\system32\drivers\V0350Vfx.sys [3/26/2008 9:34 AM 7424]
S3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\system32\drivers\V0350Vid.sys [3/26/2008 9:34 AM 170368]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder
2009-08-28 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-02 08:26]
.
- - - - ORPHANS REMOVED - - - -
BHO-{0B5549E3-CE42-4020-A1FF-6FCBDB40A7BE} - (no file)
BHO-{37419DC5-DAD1-4B53-82D0-CCADC072F7AA} - (no file)
BHO-{484CAC38-0B9B-4368-AC51-78FC3A4E1717} - (no file)
BHO-{4F98D354-4D0F-460A-B845-74BFED7F7A01} - (no file)
BHO-{52972D89-EAB9-4D1E-9C45-9FB3C4813C73} - (no file)
BHO-{545EDD84-D244-4851-BF68-9BFC2E6C05D5} - (no file)
BHO-{57ABCA2B-92D8-4D59-8227-7863F4712286} - (no file)
BHO-{685DE641-E362-4C47-BBDC-67FFA87E0CB6} - (no file)
BHO-{6DC20758-C26B-4A03-90B4-06DB1F2A3B17} - (no file)
BHO-{73730DBE-E9F4-4CAB-8342-42B691293004} - (no file)
BHO-{7A571ED2-44F6-460A-B661-BDEA98301316} - (no file)
BHO-{87FB19DF-B56E-476D-962A-E3648CB40844} - (no file)
BHO-{8FBA0A7F-F9C6-4B81-A5B8-5B50B892E777} - (no file)
BHO-{977611CB-984B-467D-9FD6-78A5C5B3BA43} - (no file)
BHO-{98DD771F-ACAA-443A-A779-77777CAA987D} - (no file)
BHO-{A8CAFE93-49E6-4D2E-9957-A35500AA6C93} - (no file)
BHO-{A920B58C-2670-4C43-B33A-06F8FF946CCA} - (no file)
BHO-{A9C89BB3-FD10-4F30-9833-A4E83719C372} - (no file)
BHO-{C9993CEA-2DF6-44AB-9D0A-537FF89499D6} - (no file)
BHO-{E1D48A79-165C-4522-B167-57AD7F69FF14} - (no file)
BHO-{E4AF1F7B-D38B-4C93-8F6B-4A1DEB6403C5} - (no file)
BHO-{E6C03226-B6B3-4C28-8713-32819A984C3A} - (no file)
BHO-{EBDA4825-C3DF-4A60-9B47-2488B71D3A12} - (no file)
BHO-{FC584D85-280E-42F8-A4A8-43587A912298} - (no file)
BHO-{FF772D70-A3E4-4F5D-9294-2498781ACE5E} - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\HP_Owner\APPLIC~1\Mozilla\Firefox\Profiles\5hkrohs1.default\
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 18:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(888)
c:\windows\system32\WININET.dll
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Sandboxie\SbieSvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\PeoplePC\ISP6200\Browser\BartShel.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\progra~1\PeoplePC\ISP6200\Browser\PPShared.exe
.
**************************************************************************
.
Completion time: 2009-08-31 18:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-31 23:59
ComboFix2.txt 2009-08-30 01:35
Pre-Run: 133,193,523,200 bytes free
Post-Run: 133,163,274,240 bytes free
206 --- E O F --- 2009-08-27 14:33
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on the Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
Uhh, the online scan says I need a better version of Java, and the file is 10 MB and I have dial-up (I suck) =(
You can then run this instead:
Please go to ESET Online Scanner (http://www.eset.eu/online-scanner) to run an online scan.
Note: You - will - need to use Internet Explorer for this scan!
Check the box next to "YES, I accept the Terms of Use."
Click "Start"
Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
Once installed, the scanner will be initialized.
Click "Start". Make sure that the option "Remove found threats" is UNCHECKED and "Scan unwanted applications" is CHECKED.
Click "Scan"
Wait for the scan to finish... it may take a while... please be patient. When the scan is finished...
Use Notepad to open the log file located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste the contents of log.txt in your next reply.
I am currently doing the download for ESET.
This post is really just so that this thread doesn't get archived.
The ESET log:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=046c2ad758df1a418b7e4ee5a40feb01
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-09-13 01:32:52
# local_time=2009-09-12 08:32:52 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=3585 63 50 0 0
# compatibility_mode=5889 63 259 1 128972791612681854
# scanned=100374
# found=24
# cleaned=0
# scan_time=2829
C:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSSAgent1.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\InternetSpeedMonitor.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentamwr1.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\bgqrmygy.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\dogqyvlh.dll.vir Win32/Adware.SuperJuan application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\fiybytyx.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\gufxnfgr.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\gxdooysw.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ievbvqwq.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ifqutibr.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\itesllwa.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ivsfokhk.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\jhtmbjkh.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\mrarhxon.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ngeetobr.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\nlqpuded.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\onvblvne.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\peyegffp.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\rpnorjxd.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\vsipwhdh.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\yeeqpaks.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\WINDOWS\instsp1.exe Win32/Agent.OVZ trojan 00000000000000000000000000000000 I
By the way, can the virus(es) I have infect a flash drive and then have the flash drive infect other computers, or reinfect my own again?
No, not these viruses you had.
Please click this link-->Jotti (http://virusscan.jotti.org/)
Copy/paste the file on the list into the white "Upload a file" box and click Submit/Send (depends on which one you are using, Jotti or VirusTotal).
C:\WINDOWS\instsp1.exe
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
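The reading of the ESET log that leads to the request above (the hits under C:\Qoobox\Quarantine and under Spybot's Recovery folder are ComboFix and Spybot-S&D backups of files already removed, AIM.exe is reported with type "application", the adware/unwanted-application class covered by the "Scan unwanted applications" option, and only C:\WINDOWS\instsp1.exe is a live detection of trojan type that needs a second opinion) can be scripted. The script below is an added example, not part of the thread and not ESET's own tooling. It embeds a trimmed excerpt of the log posted above as its sample input, with the found= count adjusted to the excerpt; the quarantine folder list and the treatment of the "application" type column as ESET's unwanted-application class are assumptions of the example.

```python
"""Triage an ESET Online Scanner log (log.txt) by where each hit lives.

Detection lines have the shape
    <path> <detection name> <type> <32-hex hash> <flag>
and the path may contain spaces, so each line is split from the right.
Header lines start with '#' and carry key=value pairs such as found=24.
"""
import re

# Folders holding copies already taken out of service by other cleaning
# tools: ComboFix's quarantine and Spybot-S&D's recovery backups. Hits here
# are not live infections; emptying the folders is enough. (Assumed list.)
QUARANTINE_PREFIXES = (
    r"c:\qoobox\quarantine",
    r"c:\documents and settings\all users\application data\spybot - search & destroy\recovery",
)

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)

# ESET's type column: 'application' marks the potentially unwanted /
# unsafe application class (adware and the like); 'trojan', 'worm' and
# 'virus' mark malware proper. (Assumed reading of the column.)
UNWANTED_TYPE = "application"


def parse_eset_log(text):
    """Return (header dict, list of detection dicts) from a log.txt body."""
    header, hits = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            body = line[1:].strip()
            if "=" in body:
                key, value = body.split("=", 1)
                header[key.strip()] = value.strip()
            continue
        parts = line.rsplit(None, 4)
        if len(parts) == 5 and HEX32.match(parts[3]):
            path, name, kind, digest, flag = parts
            hits.append({"path": path, "name": name, "type": kind,
                         "hash": digest, "flag": flag})
    return header, hits


def counts_match(header, hits):
    """True when the number of parsed hits equals the log's own found= count."""
    found = header.get("found", "")
    return found.isdigit() and int(found) == len(hits)


def triage(hits):
    """Bucket hits: already quarantined, unwanted application, live malware."""
    buckets = {"quarantined": [], "unwanted_app": [], "live_malware": []}
    for hit in hits:
        if hit["path"].lower().startswith(QUARANTINE_PREFIXES):
            buckets["quarantined"].append(hit["path"])
        elif hit["type"].lower() == UNWANTED_TYPE:
            buckets["unwanted_app"].append(hit["path"])
        else:
            buckets["live_malware"].append(hit["path"])
    return buckets


# Trimmed excerpt of the log posted above (seven of its 24 detections, with
# found= adjusted to match the excerpt).
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# end=finished
# remove_checked=false
# unwanted_checked=true
# antistealth_checked=true
# osver=5.1.2600 NT Service Pack 2
# scanned=100374
# found=7
# cleaned=0
C:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSSAgent1.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\bgqrmygy.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\dogqyvlh.dll.vir Win32/Adware.SuperJuan application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\fiybytyx.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\WINDOWS\instsp1.exe Win32/Agent.OVZ trojan 00000000000000000000000000000000 I
"""

if __name__ == "__main__":
    hdr, found = parse_eset_log(SAMPLE_LOG)
    print("hit count matches found=:", counts_match(hdr, found))
    for bucket, paths in triage(found).items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

The counts_match check matters more than it looks: a log with paths the parser mishandles (a space-free filename is fine, but a line split differently by a future format change would not be) silently drops hits, and comparing against the scanner's own found= value catches that before anything is trusted.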
I dunno if these are the results you wanted, but here they are.
Scanners
[ArcaVir]
2009-09-14 Trojan.Agent.Awlc
[G DATA]
2009-09-14 Trojan.Generic.1821554
[A-Squared]
2009-09-15 Trojan.Spammer!IK
[Ikarus]
2009-09-14 Trojan.Spammer
[Avast! antivirus]
2009-09-14 Win32:Trojan-gen {Other}
[Kaspersky Anti-Virus]
2009-09-14 Trojan.Win32.Pakes.mxm
[Grisoft AVG Anti-Virus]
2009-09-14 Worm/Generic_r.ED
[ESET NOD32]
2009-09-14 Win32/Agent.OVZ
[Avira AntiVir]
2009-09-14 TR/Crypt.ULPM.Gen
[Norman Virus Control]
2009-09-14 W32/DLoader.NFVF
[Softwin BitDefender]
2009-09-14 Trojan.Generic.1821554
[Panda Antivirus]
2009-09-14 Trj/Pakes.EB
[ClamAV]
2009-09-14 Found nothing
[Quick Heal]
2009-09-14 Found nothing
[CPsecure]
2009-09-14 Found nothing
[Sophos]
2009-09-15 Troj/Mdrop-BZO
[Dr.Web]
2009-09-15 Trojan.DownLoad.28016
[VirusBlokAda VBA32]
2009-09-14 Win32.Agent.OVZ
[Frisk F-Prot Antivirus]
2009-09-14 W32/Trojan2.GAXF
[VirusBuster]
2009-09-14 Trojan.Pakes.FWQ
[F-Secure Anti-Virus]
2009-09-13 Trojan.Win32.Pakes.mxm
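A list like the one above is read by tallying: 18 of the 21 engines flag the file, and several independent engines agree on a family name (Pakes, Agent). The script below does that tally and is an added example, not part of the thread and not Jotti's or VirusTotal's own tooling. It embeds a twelve-engine excerpt of the report above as constructed sample input; the stop-list of generic name fragments used for the family count is a heuristic assumed for the example.

```python
"""Summarise a multi-engine (Jotti / VirusTotal style) verdict list.

The pasted report alternates a bracketed engine name with one line holding
that engine's signature date and verdict; "Found nothing" means clean.
"""
import re
from collections import Counter

ENGINE_RE = re.compile(r"^\[(?P<engine>[^\]]+)\]$")
VERDICT_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<verdict>.+)$")
CLEAN = "found nothing"

# Name fragments that nearly every engine uses and that say nothing about
# the family (assumed stop-list for the consensus heuristic below).
GENERIC = {"trojan", "troj", "win32", "w32", "generic", "gen", "other", "crypt"}


def parse_report(text):
    """Map engine name -> verdict string, in report order."""
    verdicts, engine = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENGINE_RE.match(line)
        if m:
            engine = m.group("engine")
            continue
        m = VERDICT_RE.match(line)
        if m and engine:
            verdicts[engine] = m.group("verdict")
            engine = None
    return verdicts


def family_tokens(verdict):
    """Alphabetic fragments of a detection name that might identify a family."""
    return {t.lower() for t in re.split(r"[^A-Za-z]+", verdict)
            if len(t) >= 4 and t.lower() not in GENERIC}


def summarise(verdicts):
    """Detection ratio plus how many engines name each family token."""
    detections = {e: v for e, v in verdicts.items() if v.lower() != CLEAN}
    families = Counter()
    for v in detections.values():
        families.update(family_tokens(v))  # a set: one vote per engine
    return {
        "engines": len(verdicts),
        "detected": len(detections),
        "ratio": len(detections) / len(verdicts) if verdicts else 0.0,
        "families": families,
        "clean_engines": sorted(e for e in verdicts if e not in detections),
    }


# Constructed excerpt of the report posted above (12 of the 21 engines).
SAMPLE_REPORT = """
Scanners
[ArcaVir]
2009-09-14 Trojan.Agent.Awlc
[Kaspersky Anti-Virus]
2009-09-14 Trojan.Win32.Pakes.mxm
[ESET NOD32]
2009-09-14 Win32/Agent.OVZ
[Avira AntiVir]
2009-09-14 TR/Crypt.ULPM.Gen
[Panda Antivirus]
2009-09-14 Trj/Pakes.EB
[ClamAV]
2009-09-14 Found nothing
[Quick Heal]
2009-09-14 Found nothing
[Sophos]
2009-09-15 Troj/Mdrop-BZO
[Dr.Web]
2009-09-15 Trojan.DownLoad.28016
[VirusBlokAda VBA32]
2009-09-14 Win32.Agent.OVZ
[VirusBuster]
2009-09-14 Trojan.Pakes.FWQ
[F-Secure Anti-Virus]
2009-09-13 Trojan.Win32.Pakes.mxm
"""

if __name__ == "__main__":
    s = summarise(parse_report(SAMPLE_REPORT))
    print(f"{s['detected']}/{s['engines']} engines flag the file "
          f"({s['ratio']:.0%}); clean: {', '.join(s['clean_engines'])}")
    print("most-named families:", s["families"].most_common(3))
```

The family count is deliberately a per-engine vote: Kaspersky and F-Secure share an engine and return the identical name, so agreement between them is weaker evidence than agreement between, say, Kaspersky and Sophos, and a reader should discount such pairs by hand.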
Yes, they are :)
Empty these folders:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
C:\Qoobox\Quarantine
Delete this:
C:\WINDOWS\instsp1.exe
Empty Recycle Bin.
Still problems?
All that's done, so I dunno if all the viruses are gone, but they seem to be deleted =) Do I need to post a final log?
No need if you don't have any issues left.
I don't think I have any problems anymore, so thanks =)
Before then I have to ask: does Norton also have a firewall?
Due to the lack of feedback this Topic is closed.
If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
Everyone else please begin a New Topic.