View Full Version : another Win32.TDSS.rtk infection
boss123b
2009-08-28, 07:48
and Spybot is the only one of 3 malware detection programs to report it. Good Job! I would appreciate your kind assistance. :confused: I have backed up my registry.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:16 AM, on 8/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\StkASv2K.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ULI5287\ULiRaid.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\DU Meter\DUMETER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\forcefield.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [ULiRaid] C:\Program Files\ULI5287\ULiRaid.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMETER.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [SpybotDeletingA8093] command.com /c del "C:\WINDOWS\system32\drivers\hjgruikdmixfqh.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9862] cmd.exe /c del "C:\WINDOWS\system32\drivers\hjgruikdmixfqh.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingA477] command.com /c del "C:\WINDOWS\system32\hjgruibqvdlllx.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3334] cmd.exe /c del "C:\WINDOWS\system32\hjgruibqvdlllx.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9286] command.com /c del "C:\WINDOWS\system32\hjgruiwqkswlnt.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2500] cmd.exe /c del "C:\WINDOWS\system32\hjgruiwqkswlnt.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4589] command.com /c del "C:\WINDOWS\system32\hjgruidmlwblto.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1249] cmd.exe /c del "C:\WINDOWS\system32\hjgruidmlwblto.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2587] command.com /c del "C:\WINDOWS\system32\hjgruilog.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1980] cmd.exe /c del "C:\WINDOWS\system32\hjgruilog.dat"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1333] command.com /c del "C:\WINDOWS\system32\drivers\hjgruikdmixfqh.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingD981] cmd.exe /c del "C:\WINDOWS\system32\drivers\hjgruikdmixfqh.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6806] command.com /c del "C:\WINDOWS\system32\hjgruibqvdlllx.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD611] cmd.exe /c del "C:\WINDOWS\system32\hjgruibqvdlllx.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5285] command.com /c del "C:\WINDOWS\system32\hjgruiwqkswlnt.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5856] cmd.exe /c del "C:\WINDOWS\system32\hjgruiwqkswlnt.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3703] command.com /c del "C:\WINDOWS\system32\hjgruidmlwblto.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8655] cmd.exe /c del "C:\WINDOWS\system32\hjgruidmlwblto.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3225] command.com /c del "C:\WINDOWS\system32\hjgruilog.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2589] cmd.exe /c del "C:\WINDOWS\system32\hjgruilog.dat"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250327666185
O18 - Protocol: mcataloguer - {FECF9894-CCCF-4DE3-B994-AEE32E70B341} - C:\Program Files\MCataloguer\MCatProt.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Syntek STK1160 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6592 bytes
Bio-Hazard
2009-08-29, 16:20
Hello and welcome to the forums!
My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine.
If you don't know or understand something, please don't hesitate to ask.
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
Because of this, I advise you to backup any personal files and folders before you start.
No Reply Within 4 Days Will Result In Your Topic Being Closed!!
STEP 1
Download DDS
Please download DDS by sUBs from one of the links below and save it to your desktop:
http://img.photobucket.com/albums/v666/sUBs/dds_scr.gif
Download DDS and save it to your desktop from:
Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://www.forospyware.com/sUBs/dds)
Please disable any anti-malware program that will block scripts from running before running DDS.
Double-Click on dds.scr and a command window will appear. This is normal.
Shortly after, two logs will appear:
DDS.txt
Attach.txt
A window will open instructing you to save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply
STEP 2
Gmer
Please download Gmer (http://www.gmer.net/download.php) by Gmer and save it to your desktop.
Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
http://i266.photobucket.com/albums/ii277/sUBs_/th_Gmer_initScan.gif (http://i266.photobucket.com/albums/ii277/sUBs_/Gmer_initScan.gif)
Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
Then click the Scan button & wait for it to finish
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Note: Do not run any programs while Gmer is running.
Next Reply
Please reply with:
DDS.txt
Attach.txt
Gmer log
boss123b
2009-08-29, 19:49
thank you for your time and efforts Bio-Hazard it is greatly appreciated.:thanks:
DDS (Ver_09-07-30.01) - NTFSx86
Run by owner at 11:55:23.84 on Sat 08/29/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1394 [GMT -4:00]
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\StkASv2K.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ULI5287\ULiRaid.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\DU Meter\DUMETER.EXE
GMER 1.0.15.15077 [f4kvo83k.exe] - http://www.gmer.net
Rootkit scan 2009-08-29 12:35:17
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
INT 0x20 srescan.sys B7DCAC90
Code 899448D8 ZwEnumerateKey
Code 89AF3248 ZwFlushInstructionCache
Code 89AD1AFE IofCallDriver
Code 8994381E IofCompleteRequest
---- Devices - GMER 1.0.15 ----
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\hjgruikdmixfqh.sys (*** hidden *** ) [SYSTEM] hjgruipnxrjkyl <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl@imagepath \systemroot\system32\drivers\hjgruikdmixfqh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\main@aid 10097
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruikdmixfqh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\modules@hjgruicmd.dll \systemroot\system32\hjgruibqvdlllx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\modules@hjgruilog.dat \systemroot\system32\hjgruidmlwblto.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\modules@hjgruiwsp.dll \systemroot\system32\hjgruiwqkswlnt.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\modules@hjgrui.dat \systemroot\system32\hjgruixtqsnswu.dat
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl@imagepath \systemroot\system32\drivers\hjgruikdmixfqh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\main@aid 10097
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruikdmixfqh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\modules@hjgruicmd.dll \systemroot\system32\hjgruibqvdlllx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\modules@hjgruilog.dat \systemroot\system32\hjgruidmlwblto.dat
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\modules@hjgruiwsp.dll \systemroot\system32\hjgruiwqkswlnt.dll
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\modules@hjgrui.dat \systemroot\system32\hjgruixtqsnswu.dat
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\hjgruikdmixfqh.sys 66560 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\hjgruibqvdlllx.dll 42496 bytes executable
File C:\WINDOWS\system32\hjgruidmlwblto.dat 350742 bytes
File C:\WINDOWS\system32\hjgruilog.dat 265 bytes
File C:\WINDOWS\system32\hjgruiwqkswlnt.dll 19456 bytes executable
---- EOF - GMER 1.0.15 ----
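Reading the two logs together, as an added example (this is not code from the thread, nor from Spybot, GMER or HijackThis): the HijackThis log of 8/28 shows Spybot queued its deletions as HKLM/HKCU RunOnce entries, yet the GMER scan of 8/29 still lists every one of those files on disk. The hidden service's registry values explain part of that: Start = 1 is SERVICE_SYSTEM_START and Type = 1 is SERVICE_KERNEL_DRIVER (Windows SDK constants), so the driver is already loaded during boot, well before RunOnce entries execute at logon. The Python below parses excerpts of both logs (embedded as constructed sample text taken from the posts above), decodes those values and reports three deltas: queued deletions that did not take effect, modules registered under the service that Spybot never targeted, and files on disk the service does not register. SYSTEMROOT = C:\WINDOWS is an assumption taken from the HJT log, and the function names are mine.

```python
"""Cross-check Spybot's queued RunOnce deletions (HijackThis O4 lines) against the
files and registry values GMER still reports, and decode the hidden service."""
import re

SYSTEMROOT = r"C:\WINDOWS"  # assumption: %SystemRoot% on this XP box, as the HJT log shows

# Service Start/Type values as defined in the Windows SDK (winnt.h).
START_NAMES = {"0": "BOOT_START", "1": "SYSTEM_START", "2": "AUTO_START",
               "3": "DEMAND_START", "4": "DISABLED"}
TYPE_NAMES = {"1": "KERNEL_DRIVER", "2": "FILE_SYSTEM_DRIVER",
              "16": "WIN32_OWN_PROCESS", "32": "WIN32_SHARE_PROCESS"}

# HijackThis O4 RunOnce line written by Spybot: command.com/cmd.exe /c del "<path>"
RUNONCE_RE = re.compile(
    r'^O4 - HK\w+\\\.\.\\RunOnce: \[Spybot\w+\] (?:command\.com|cmd\.exe) /c del "([^"]+)"')
# GMER lines: hidden service, registry value (key@name data) and file entries
HIDDEN_SVC_RE = re.compile(r'^Service (\S+) \(\*\*\* hidden \*\*\* \) \[\w+\] (\S+)')
REG_VALUE_RE = re.compile(r'^Reg (HK\S+?)@(\S+) (.+?)\s*$')
FILE_RE = re.compile(r'^File (\S+) (\d+) bytes')

# Constructed sample: lines excerpted from the two logs posted above (HJT on 8/28, GMER on 8/29).
HJT_LOG = r'''
O4 - HKLM\..\RunOnce: [SpybotDeletingA8093] command.com /c del "C:\WINDOWS\system32\drivers\hjgruikdmixfqh.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9862] cmd.exe /c del "C:\WINDOWS\system32\drivers\hjgruikdmixfqh.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingA477] command.com /c del "C:\WINDOWS\system32\hjgruibqvdlllx.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9286] command.com /c del "C:\WINDOWS\system32\hjgruiwqkswlnt.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4589] command.com /c del "C:\WINDOWS\system32\hjgruidmlwblto.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2587] command.com /c del "C:\WINDOWS\system32\hjgruilog.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1333] command.com /c del "C:\WINDOWS\system32\drivers\hjgruikdmixfqh.sys"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
'''
GMER_LOG = r'''
Service C:\WINDOWS\system32\drivers\hjgruikdmixfqh.sys (*** hidden *** ) [SYSTEM] hjgruipnxrjkyl <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl@imagepath \systemroot\system32\drivers\hjgruikdmixfqh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruikdmixfqh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\modules@hjgruicmd.dll \systemroot\system32\hjgruibqvdlllx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\modules@hjgruilog.dat \systemroot\system32\hjgruidmlwblto.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\modules@hjgruiwsp.dll \systemroot\system32\hjgruiwqkswlnt.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\modules@hjgrui.dat \systemroot\system32\hjgruixtqsnswu.dat
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl@start 1
File C:\WINDOWS\system32\drivers\hjgruikdmixfqh.sys 66560 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\hjgruibqvdlllx.dll 42496 bytes executable
File C:\WINDOWS\system32\hjgruidmlwblto.dat 350742 bytes
File C:\WINDOWS\system32\hjgruilog.dat 265 bytes
File C:\WINDOWS\system32\hjgruiwqkswlnt.dll 19456 bytes executable
'''


def norm(path):
    """Lower-case a path and expand the SystemRoot prefix so registry and disk paths compare equal."""
    p = path.strip().lower()
    if p.startswith(r"\systemroot"):
        p = SYSTEMROOT.lower() + p[len(r"\systemroot"):]
    return p


def scheduled_deletions(hjt_text):
    """Unique file paths Spybot queued for deletion, across HKLM/HKCU and command.com/cmd.exe pairs."""
    return {norm(m.group(1)) for line in hjt_text.splitlines() if (m := RUNONCE_RE.match(line))}


def parse_gmer(gmer_text):
    """Return (hidden services, CurrentControlSet registry values by key, files by path)."""
    hidden, values, files = {}, {}, {}
    for line in gmer_text.splitlines():
        if m := HIDDEN_SVC_RE.match(line):
            hidden[m.group(2)] = norm(m.group(1))
        elif m := REG_VALUE_RE.match(line):
            key, name, data = m.groups()
            if "\\currentcontrolset\\" in key.lower():  # skip the inactive ControlSet002 copy
                values.setdefault(key.lower(), {})[name.lower()] = data
        elif m := FILE_RE.match(line):
            files[norm(m.group(1))] = int(m.group(2))
    return hidden, values, files


def triage(hjt_text, gmer_text):
    """One report per hidden service: decoded Start/Type, injector target and the three file deltas."""
    hidden, values, files = parse_gmer(gmer_text)
    scheduled = scheduled_deletions(hjt_text)
    reports = []
    for svc, image in hidden.items():
        base = rf"hklm\system\currentcontrolset\services\{svc}"
        root = values.get(base, {})
        modules = {norm(p) for p in values.get(base + r"\modules", {}).values()}
        reports.append({
            "service": svc,
            "image": image,
            "start": START_NAMES.get(root.get("start"), root.get("start")),
            "type": TYPE_NAMES.get(root.get("type"), root.get("type")),
            "group": root.get("group"),
            "injector": values.get(base + r"\main\injector", {}).get("*"),
            # Spybot queued these, yet GMER still sees them on disk the next day
            "deletion_failed": sorted(scheduled & set(files)),
            # registered in the service's modules key but never queued for deletion
            "registered_not_targeted": sorted(modules - scheduled),
            # on disk with the rootkit's name prefix but absent from the modules key
            "on_disk_not_registered": sorted(set(files) - modules),
        })
    return reports


if __name__ == "__main__":
    for report in triage(HJT_LOG, GMER_LOG):
        for key, value in report.items():
            print(f"{key:>24}: {value}")
```

On this thread's data the report shows all five queued deletions still present, hjgruixtqsnswu.dat registered as a module but never targeted by Spybot, and hjgruilog.dat on disk without a modules entry; the ComboFix log further down removes all six files and the service itself.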
Bio-Hazard
2009-08-29, 19:59
Download and Run ComboFix
ComboFix SHOULD NOT be used unless requested by a forum helper.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE (http://www.bleepingcomputer.com/forums/topic114351.html)
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
Double click on Combo-Fix.exe and follow the prompts.
When finished, it will produce a report for you (C:\ComboFix.txt )
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Next Reply
Please reply with:
ComboFix log (found at C:\Combofix.txt)
New HijackThis log
boss123b
2009-08-29, 20:43
Cool! I thought I was going to have to do all that manually.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:34 PM, on 8/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\StkASv2K.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [ULiRaid] C:\Program Files\ULI5287\ULiRaid.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMETER.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250327666185
O18 - Protocol: mcataloguer - {FECF9894-CCCF-4DE3-B994-AEE32E70B341} - C:\Program Files\MCataloguer\MCatProt.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Syntek STK1160 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 4391 bytes
ComboFix 09-08-28.06 - owner 08/29/2009 13:26.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1690 [GMT -4:00]
Running from: c:\documents and settings\owner\Desktop\combo-fix.exe
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Installer\4802907.msi
c:\windows\Installer\480290f.msi
c:\windows\Installer\4802917.msi
c:\windows\Installer\480291f.msi
c:\windows\Installer\4802927.msi
c:\windows\Installer\4802934.msi
c:\windows\Installer\480293c.msi
c:\windows\Installer\4802944.msi
c:\windows\Installer\480294c.msi
c:\windows\Installer\4802958.msi
c:\windows\Installer\4802960.msi
c:\windows\Installer\4802968.msi
c:\windows\Installer\4802970.msi
c:\windows\Installer\4802978.msi
c:\windows\Installer\4802980.msi
c:\windows\Installer\4802988.msi
c:\windows\Installer\4802990.msi
c:\windows\Installer\4802998.msi
c:\windows\Installer\48029a0.msi
c:\windows\Installer\48029a8.msi
c:\windows\Installer\48029b0.msi
c:\windows\Installer\c123c.msi
c:\windows\Installer\c1244.msi
c:\windows\Installer\c124c.msi
c:\windows\Installer\c1254.msi
c:\windows\Installer\c125c.msi
c:\windows\Installer\c1269.msi
c:\windows\Installer\c1271.msi
c:\windows\Installer\c1279.msi
c:\windows\Installer\c1281.msi
c:\windows\Installer\c128d.msi
c:\windows\Installer\c1295.msi
c:\windows\Installer\c129d.msi
c:\windows\Installer\c12a5.msi
c:\windows\Installer\c12ad.msi
c:\windows\Installer\c12b5.msi
c:\windows\Installer\c12bd.msi
c:\windows\Installer\c12c5.msi
c:\windows\Installer\c12cd.msi
c:\windows\Installer\c12d5.msi
c:\windows\Installer\c12dd.msi
c:\windows\Installer\c12e5.msi
c:\windows\system32\drivers\hjgruikdmixfqh.sys
c:\windows\system32\hjgruibqvdlllx.dll
c:\windows\system32\hjgruidmlwblto.dat
c:\windows\system32\hjgruilog.dat
c:\windows\system32\hjgruiwqkswlnt.dll
c:\windows\system32\hjgruixtqsnswu.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_hjgruipnxrjkyl
-------\Legacy_hjgruipnxrjkyl
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))
.
2009-08-29 05:09 . 2009-08-29 05:09 -------- d-----w- c:\program files\Windows Sidebar
2009-08-29 03:56 . 2009-08-29 03:56 -------- d-----w- c:\documents and settings\owner\Application Data\DivX
2009-08-28 10:58 . 2009-08-29 12:45 -------- d-----w- c:\documents and settings\owner\Application Data\dvdcss
2009-08-28 10:55 . 2009-08-29 12:45 -------- d-----w- c:\documents and settings\owner\Application Data\vlc
2009-08-28 10:49 . 2009-08-28 10:50 18015723 ----a-w- c:\documents and settings\All Users\Application Data\vlc-1.0.1-win32.exe
2009-08-28 10:47 . 2009-08-28 10:47 -------- d-----w- c:\windows\system32\custom matrices
2009-08-28 10:47 . 2009-08-28 10:47 -------- d-----w- c:\windows\system32\C2MP
2009-08-28 10:47 . 2009-08-28 10:47 -------- d-----w- c:\windows\system32\QuickTime
2009-08-28 10:41 . 2009-08-28 10:41 -------- d-----w- c:\program files\VideoLAN
2009-08-28 05:42 . 2009-08-29 07:58 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\QuickPar
2009-08-28 05:38 . 2009-08-28 05:39 -------- d-----w- c:\program files\QuickPar
2009-08-28 04:38 . 2009-08-28 04:38 -------- d-----w- c:\program files\Trend Micro
2009-08-28 04:35 . 2009-08-28 04:36 -------- d-----w- c:\program files\ERUNT
2009-08-26 10:04 . 2009-08-26 10:04 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-08-25 01:33 . 2009-08-25 01:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-25 00:00 . 2009-08-25 00:00 -------- d-----w- c:\documents and settings\owner\Application Data\NeroDigital(TM)
2009-08-24 22:39 . 2009-08-26 09:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 22:39 . 2009-08-24 22:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-24 17:16 . 2009-08-24 17:16 -------- d-----w- c:\documents and settings\owner\Application Data\CyberLink
2009-08-24 17:13 . 2009-08-24 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-08-24 17:11 . 2009-08-24 17:18 -------- d-----w- c:\program files\CyberLink
2009-08-24 17:08 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-08-24 04:56 . 2009-08-24 04:56 71256 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-24 04:54 . 2009-08-24 04:54 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\Nero
2009-08-21 21:57 . 2009-08-21 21:57 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-21 20:35 . 2009-08-21 20:35 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-21 20:35 . 2009-08-21 20:35 -------- d-----w- c:\program files\MSBuild
2009-08-21 20:35 . 2009-08-21 20:35 -------- d-----w- c:\program files\Reference Assemblies
2009-08-21 20:34 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 20:34 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 20:34 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-21 20:34 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 20:34 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-21 20:34 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-21 20:34 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 20:32 . 2009-08-21 20:32 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-21 20:32 . 2009-08-21 20:32 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-08-21 20:25 . 2009-08-21 20:25 -------- d-sh--w- c:\documents and settings\owner\IECompatCache
2009-08-21 20:13 . 2009-08-21 20:13 -------- d-----w- c:\program files\DFX
2009-08-21 18:25 . 2009-08-23 20:43 -------- d-----w- c:\documents and settings\owner\Application Data\Nero
2009-08-21 18:22 . 2009-08-21 18:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-21 17:58 . 2009-08-29 05:08 -------- d-----w- c:\program files\Nero
2009-08-21 17:58 . 2009-08-29 05:09 -------- d-----w- c:\program files\Common Files\Nero
2009-08-21 17:58 . 2009-08-29 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-08-21 15:20 . 2009-08-21 15:20 -------- d-----w- c:\documents and settings\owner\Application Data\Earthsim
2009-08-21 15:07 . 2009-08-21 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Earthsim
2009-08-21 14:32 . 2009-08-21 14:32 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-08-21 14:31 . 2009-08-21 14:30 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-08-21 14:31 . 2009-08-21 14:30 116472 ------w- c:\windows\system32\pxcpyi64.exe
2009-08-21 14:29 . 2009-08-21 14:29 -------- d-----w- c:\program files\MasterSplitter
2009-08-21 14:06 . 2009-04-28 20:20 129520 ------w- c:\windows\system32\pxafs.dll
2009-08-21 14:06 . 2009-08-21 21:19 -------- d-----w- c:\documents and settings\owner\Application Data\Winamp
2009-08-21 14:06 . 2009-08-21 20:13 -------- d-----w- c:\program files\Winamp
2009-08-20 15:01 . 2009-08-20 15:01 -------- d-----w- c:\program files\Agent
2009-08-20 14:36 . 2009-08-29 14:29 -------- d-----w- C:\a1 Try These
2009-08-20 11:10 . 2009-08-21 13:46 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\MCataloguer
2009-08-20 11:03 . 2009-08-20 11:03 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-08-19 12:01 . 2009-08-19 12:01 -------- d-----w- c:\program files\MSXML 4.0
2009-08-19 08:31 . 2009-08-19 08:31 -------- d-----w- c:\program files\MCataloguer
2009-08-19 08:31 . 2009-08-19 08:31 -------- d-----w- c:\program files\MSXML 6.0
2009-08-19 03:53 . 2009-08-19 03:53 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-08-19 03:52 . 2009-08-19 03:53 -------- d-----w- c:\program files\Common Files\HP
2009-08-19 03:51 . 2009-08-19 03:51 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-19 03:46 . 2009-08-19 03:55 117094 ----a-w- c:\windows\hpoins11.dat
2009-08-18 19:21 . 2009-08-18 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-08-18 18:21 . 2009-08-18 18:21 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\IsolatedStorage
2009-08-18 18:21 . 2009-08-18 18:21 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\HP
2009-08-18 18:21 . 2009-08-18 18:21 128 ----a-w- c:\documents and settings\owner\Local Settings\Application Data\fusioncache.dat
2009-08-18 18:20 . 2009-08-18 18:21 -------- d-----w- c:\documents and settings\owner\Application Data\HP
2009-08-18 18:12 . 2009-08-18 18:13 94084 ----a-w- c:\windows\hpqins07.dat
2009-08-18 18:11 . 2009-08-18 18:12 94237 ----a-w- c:\windows\hpqins04.dat
2009-08-18 18:10 . 2009-08-18 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-08-18 18:08 . 2009-08-18 18:10 94215 ----a-w- c:\windows\hpqins09.dat
2009-08-18 18:07 . 2009-08-18 18:08 94107 ----a-w- c:\windows\hpqins05.dat
2009-08-18 18:05 . 2009-08-18 18:07 94115 ----a-w- c:\windows\hpqins01.dat
2009-08-18 18:03 . 2009-08-18 18:04 94083 ----a-w- c:\windows\hpqins11.dat
2009-08-18 17:52 . 2009-08-18 17:52 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-08-18 17:51 . 2006-04-13 01:04 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2009-08-18 17:51 . 2006-04-13 01:04 49664 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2009-08-18 17:51 . 2006-01-04 09:12 77824 ----a-r- c:\windows\system32\HPZIDS01.dll
2009-08-18 17:51 . 2006-04-10 18:03 38400 ----a-w- c:\windows\system32\hpz3l054.dll
2009-08-18 17:50 . 2008-04-13 15:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-08-18 17:50 . 2008-04-13 15:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-08-18 17:48 . 2007-08-09 07:27 73728 ----a-w- c:\windows\system32\HPZipm12.exe
2009-08-18 17:48 . 2006-03-04 01:03 282680 ----a-w- c:\windows\system32\HPZidr12.dll
2009-08-18 17:48 . 2006-03-04 01:03 65536 ----a-w- c:\windows\system32\HPZinw12.exe
2009-08-18 17:48 . 2006-03-04 01:02 204800 ----a-w- c:\windows\system32\HPZipr12.dll
2009-08-18 17:48 . 2006-03-04 01:02 94208 ----a-w- c:\windows\system32\HPZipt12.dll
2009-08-18 17:48 . 2006-03-04 01:02 57344 ----a-w- c:\windows\system32\HPZisn12.dll
2009-08-18 17:47 . 2009-08-19 03:54 -------- d-----w- c:\program files\HP
2009-08-18 17:42 . 2008-04-13 15:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-08-18 17:42 . 2008-04-13 15:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-08-17 11:31 . 2009-08-21 20:32 -------- d-----w- c:\windows\system32\LogFiles
2009-08-16 12:25 . 2008-04-13 15:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-08-16 12:25 . 2008-04-13 15:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-08-16 12:25 . 2008-04-13 15:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-08-16 12:25 . 2008-04-13 15:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-08-16 12:21 . 2009-08-16 12:57 -------- d-----w- c:\program files\MultiViewer
2009-08-16 09:06 . 2009-08-16 09:06 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\ACD Systems
2009-08-16 09:06 . 2009-08-16 09:06 -------- d-----w- c:\documents and settings\owner\Application Data\ACD Systems
2009-08-16 09:04 . 2009-08-16 09:04 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2009-08-16 09:04 . 2009-08-20 22:32 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-08-16 09:04 . 2009-08-16 09:04 -------- d-----w- c:\program files\ACD Systems
2009-08-16 09:02 . 2009-08-20 16:26 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\Downloaded Installations
2009-08-16 05:54 . 2009-08-16 05:54 -------- d-----w- c:\windows\Downloaded Installations
2009-08-16 05:51 . 2003-06-25 20:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
2009-08-16 05:14 . 2009-08-16 05:14 -------- d-----w- c:\program files\SonicWallES
2009-08-16 05:12 . 2009-08-16 05:12 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\Identities
2009-08-16 04:22 . 2009-08-16 04:22 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\Google
2009-08-16 01:29 . 2009-08-29 04:35 -------- d-----r- c:\documents and settings\owner\Downloads
2009-08-15 12:43 . 2009-08-15 12:43 0 ----a-w- c:\windows\nsreg.dat
2009-08-15 12:43 . 2009-08-15 12:43 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\Mozilla
2009-08-15 12:08 . 2009-08-15 12:08 -------- d-----w- c:\program files\ULI5287
2009-08-15 12:07 . 2005-03-10 01:01 28672 ----a-w- c:\windows\system32\unM5287.exe
2009-08-15 12:07 . 2001-11-14 04:24 35587 ----a-w- c:\windows\system32\rm5287.exe
2009-08-15 12:07 . 2005-04-06 20:54 28672 ----a-w- c:\windows\system32\UnLAN.exe
2009-08-15 12:07 . 2005-03-23 00:36 28672 ----a-w- c:\windows\system32\drivers\ULILAN51.SYS
2009-08-15 12:07 . 2001-11-14 01:24 35587 ----a-w- c:\windows\system32\rmlan.exe
2009-08-15 12:07 . 2001-11-14 01:24 34307 ----a-w- c:\windows\system32\drivers\Install.EXE
2009-08-15 12:07 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe
2009-08-15 12:07 . 2009-08-15 12:07 -------- d-----w- c:\windows\system32\URTTemp
2009-08-15 12:06 . 2009-08-15 12:06 -------- d-----w- c:\program files\ATI Technologies
2009-08-15 12:06 . 2009-08-24 17:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-15 12:05 . 2009-08-15 12:06 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-15 12:05 . 2004-08-14 10:56 5810 ----a-r- c:\windows\system32\drivers\ASACPI.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-29 17:31 . 2009-08-15 11:44 64361504 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-29 15:00 . 2009-08-15 11:42 144 ----a-w- c:\windows\system32\pdfl.dat
2009-08-28 03:30 . 2009-08-28 03:30 1930751 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-08-26 22:30 . 2009-08-15 11:46 -------- d-----w- c:\documents and settings\owner\Application Data\#ISW.FS#
2009-08-26 09:21 . 2009-08-26 09:24 2547200 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-08-23 14:40 . 2009-08-15 09:48 18888 ----a-w- c:\documents and settings\owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 17:37 . 2009-08-15 11:16 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-21 18:39 . 2009-08-15 11:44 854840 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-16 12:20 . 2009-08-16 12:20 -------- d-----w- c:\program files\Wireless Camera Watcher
2009-08-16 05:14 . 2009-08-15 11:46 -------- d-----w- c:\documents and settings\owner\Application Data\MailFrontier
2009-08-16 01:16 . 2009-08-15 11:42 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-15 11:53 . 2009-08-15 11:53 -------- d-----w- c:\program files\microsoft frontpage
2009-08-15 11:51 . 2009-08-15 11:51 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-15 11:46 . 2009-08-15 11:46 -------- d-----w- c:\documents and settings\owner\Application Data\CheckPoint
2009-08-15 11:42 . 2009-08-15 11:42 80 ----a-w- c:\windows\system32\ibfl.dat
2009-08-15 11:42 . 2009-08-15 11:42 144 ----a-w- c:\windows\system32\lkfl.dat
2009-08-15 11:42 . 2009-08-15 11:42 -------- d-----w- c:\program files\CheckPoint
2009-08-15 11:42 . 2009-08-15 11:42 -------- d-----w- c:\program files\Zone Labs
2009-08-15 11:28 . 2009-08-15 11:27 -------- d-----w- c:\program files\ASUS
2009-08-15 11:26 . 2009-08-15 11:26 -------- d-----w- c:\program files\Realtek
2009-08-15 11:25 . 2009-08-15 11:25 -------- d-----w- c:\program files\AMD
2009-08-15 11:21 . 2009-08-15 10:29 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-15 11:21 . 2009-08-15 10:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-15 11:21 . 2009-08-15 11:21 -------- d-----w- c:\program files\NVIDIA Corporation
2009-08-15 11:21 . 2009-08-15 11:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-08-15 10:20 . 2009-08-15 11:52 86327 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-08-11 20:21 . 2009-08-11 20:21 87552 ----a-w- c:\windows\system32\ac3config.exe
2009-08-05 09:01 . 2009-08-15 09:24 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:58 . 2009-08-04 15:58 802603 ----a-w- c:\windows\system32\ff_x264.dll
2009-08-04 15:57 . 2009-08-04 15:57 557003 ----a-w- c:\windows\system32\libmplayer.dll
2009-08-04 13:07 . 2009-08-04 13:07 4455179 ----a-w- c:\windows\system32\libavcodec.dll
2009-07-29 23:10 . 2009-07-29 23:10 829781 ----a-w- c:\windows\system32\xvidcore.dll
2009-07-29 04:37 . 2001-08-18 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2001-08-18 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2001-08-18 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 18:54 . 2009-08-15 11:19 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-07-14 18:54 . 2009-08-15 11:19 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-07-14 18:54 . 2009-08-15 11:19 1597690 ----a-w- c:\windows\system32\nvdata.bin
2009-07-14 18:54 . 2009-08-15 10:28 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-07-14 18:54 . 2008-07-31 12:49 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-07-14 18:54 . 2008-07-26 04:48 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-07-14 18:54 . 2008-07-26 04:48 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-07-14 18:54 . 2008-07-26 04:48 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-07-14 18:54 . 2008-07-26 04:48 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-07-14 18:54 . 2004-08-04 07:56 5842816 ----a-w- c:\windows\system32\nv4_disp.dll
2009-07-14 18:54 . 2004-08-04 05:29 7741664 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-07-14 17:35 . 2009-07-14 17:35 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-07-14 17:35 . 2009-07-14 17:35 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-07-14 17:35 . 2009-07-14 17:35 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-07-14 17:35 . 2009-07-14 17:35 3170304 ----a-w- c:\windows\system32\nvwss.dll
2009-07-14 17:34 . 2009-07-14 17:34 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-07-14 17:34 . 2009-07-14 17:34 4923392 ----a-w- c:\windows\system32\nvdisps.dll
2009-07-14 17:34 . 2009-07-14 17:34 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-07-14 17:34 . 2009-07-14 17:34 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-07-14 17:34 . 2009-07-14 17:34 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-07-14 17:34 . 2009-07-14 17:34 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-07-14 17:34 . 2009-07-14 17:34 13877248 ----a-w- c:\windows\system32\nvcpl.dll
2009-07-14 17:34 . 2009-07-14 17:34 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-07-14 17:34 . 2009-07-14 17:34 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-07-14 13:19 . 2009-07-14 13:19 425040 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2009-07-14 12:31 . 2009-07-14 12:31 146098 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2009-07-14 03:43 . 2004-08-04 07:56 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-10 11:01 . 2009-08-15 10:28 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-07-03 17:09 . 2001-08-18 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2009-06-26 16:50 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2001-08-18 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2001-08-18 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2001-08-18 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2001-08-18 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2001-08-18 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2001-08-18 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2001-08-18 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-12 12:31 . 2001-08-18 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2001-08-18 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2001-08-18 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2009-08-15 11:51 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2001-08-18 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2009-08-15 09:24 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 17:35 . 2009-06-02 17:35 328334 ----a-w- c:\windows\system32\ff_kernelDeint.dll
2009-06-02 17:15 . 2009-06-02 17:15 113152 ----a-w- c:\windows\system32\ff_unrar.dll
2009-06-02 17:15 . 2009-06-02 17:15 146944 ----a-w- c:\windows\system32\ff_tremor.dll
2009-06-02 17:15 . 2009-06-02 17:15 183296 ----a-w- c:\windows\system32\ff_samplerate.dll
2009-06-02 17:14 . 2009-06-02 17:14 178688 ----a-w- c:\windows\system32\ff_libmad.dll
2009-06-02 17:14 . 2009-06-02 17:14 486400 ----a-w- c:\windows\system32\ff_libfaad2.dll
2009-06-02 17:13 . 2009-06-02 17:13 257024 ----a-w- c:\windows\system32\ff_libdts.dll
2009-06-02 17:13 . 2009-06-02 17:13 142848 ----a-w- c:\windows\system32\ff_liba52.dll
2009-06-02 17:11 . 2009-06-02 17:11 98304 ----a-w- c:\windows\system32\ff_wmv9.dll
2009-06-02 17:11 . 2009-06-02 17:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ULiRaid"="c:\program files\ULI5287\ULiRaid.exe" [2005-08-24 409600]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-29 1005960]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"DU Meter"="d:\du meter\DUMETER.EXE" [2001-01-22 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-07-14 14679552]
c:\documents and settings\owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /install
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [12/31/1979 8:00 PM 101120]
R2 ISWKL;ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [4/17/2009 4:11 AM 21136]
R2 IswSvc;ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [4/17/2009 4:11 AM 394632]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [8/15/2009 8:07 AM 28672]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [4/17/2009 4:11 AM 54928]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?ncid=toolbar
mStart Page =
Handler: mcataloguer - {FECF9894-CCCF-4DE3-B994-AEE32E70B341} - c:\program files\MCataloguer\MCatProt.dll
FF - ProfilePath - c:\documents and settings\owner\Application Data\mozilla\firefox\profiles\xevmfdd3.default\
---- FIREFOX POLICIES ----
FF - user.js: protocol-handler.warn-external.dnUpdate - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-29 13:31
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-08-29 13:32
ComboFix-quarantined-files.txt 2009-08-29 17:32
Pre-Run: 280,628,199,424 bytes free
Post-Run: 282,270,347,264 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /bootlog
431 --- E O F --- 2009-08-26 23:02
Bio-Hazard
2009-08-30, 16:56
Hello!
Do you know what is in this folder: C:\a1 Try These?
Antivirus
Looking over your log, it seems you don't have any evidence of anti-virus software.
Anti-virus software is a program that detects, cleans and erases harmful virus files on a computer, Web server or network. Unchecked virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:
Avira AntiVir Personal (http://www.free-av.de/en/download/1/avira_antivir_personal__free_antivirus.html) (Protects your computer against dangerous viruses, worms, Trojans and costly dialers.)
avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) (The home edition is freeware for noncommercial users.)
AVG Anti-Virus Free Edition (http://free.avg.com/223204) (AVG Anti-Virus Free Edition is only available for single computer use for home and non commercial use.)
It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
Remove HijackThis entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
Close all open windows and browsers/email etc...
Click on the Fix Checked button
When completed close the application.
Uninstall list
Make an uninstall list using HijackThis. To access the Uninstall Manager you would do the following:
Start HijackThis
Click on the Config button
Click on the Misc Tools button
Click on the Open Uninstall Manager button.
Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
ATF-Cleaner
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
Save it to your desktop
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords please click No at the prompt.
Click Exit on the Main menu to close the program.
Eset online scanner
You can use either Internet Explorer or Mozilla FireFox for this scan.
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
Logs/Information to Post in Next Reply
Please post the following logs/Information in your reply:
Reply to my question
Hijackthis uninstall list
ESET log
A fresh HijackThis log (after all the above has been done)
A description of how your computer is behaving
boss123b
2009-08-31, 14:29
The directory you asked about is my quarantine directory, where I copy files from other hard drives that I don't immediately recognize. From here programs are deleted unless I absolutely trust the source. I frequently swap in other hard drives. I will download entire newsgroups and go through them sometimes years later. I'm normally very careful. I have been using the internet since it was a DOS prompt and this is my first ever infection.
I am using zone alarm extreme security suite so I do have antivirus/spyware protection. However I am disappointed in the vendor they chose for this part of the suite.
FYI, anyone using ZA's browser security must open an unprotected browser in addition to turning off antivirus and spyware. Otherwise you get an error about not having administrator rights, even if you are an administrator.
The PC is running fine; no more misdirects or not being able to use certain programs. Is this particular nasty just a browser hijacker, or do I need to worry about keylogging of passwords and credit cards too?
Logs follow.
Uninstall list:
Advertising Center
AOL Toolbar
AsusUpdate
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
Cool & Quiet
DFX 8 for Winamp
DolbyFiles
Download Updater (AOL LLC)
ERUNT 1.1j
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Product Assistant
HP Software Update
HP Solution Center 7.0
Magnifier Powertoy for Windows XP
MCataloguer
Media Player Codec Pack 3.7.0
Menu Templates - Starter Kit
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Movie Templates - Starter Kit
Mozilla Firefox (3.5.2)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser
MultiViewer
Nero 9 Trial
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero DiscSpeed
Nero DriveSpeed
Nero InfoTool
Nero Installer
Nero Live
Nero PhotoSnap
Nero Recode
Nero Rescue Agent
Nero ShowTime
Nero StartSmart
Nero Vision
Nero WaveEditor
NeroBurningROM
NeroExpress
NeroLiveGadget
neroxml
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
OCR Software by I.R.I.S 7.0
PC Probe II
PowerDVD
QuickPar 0.9
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SoundTrax
Spybot - Search & Destroy
Tweak UI
ULi M5287 SATA Controller Driver
ULi PCI 10-100 Fast Ethernet Controller Driver
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
USB2.0 Capture Device
VC 9.0 Runtime
VLC media player 1.0.1
Winamp
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Wireless Camera Watcher
ZoneAlarm Extreme Security
online scan:
C:\Documents and Settings\owner\Downloads\Nero-9.4.13.2b_trial.exe Win32/Toolbar.AskSBar application
C:\Documents and Settings\owner\Downloads\Nero-9.4.13.2c_update.exe Win32/Toolbar.AskSBar application
C:\Documents and Settings\owner\Downloads\Nero-9.4.13.2d_trial.exe Win32/Toolbar.AskSBar application
C:\Documents and Settings\owner\Downloads\nero9.exe Win32/Toolbar.AskSBar application
D:\agent\Video tools\windows media recorder 10.2\patch.exe a variant of Win32/HackTool.Patcher.A application
F:\ACDC\TEMP\Nero Multi Keygenerator.exe probably a variant of Win32/SdBot trojan
F:\dvd\alt.binaries.boneless\NewsBin Pro 5.35.rar probably a variant of Win32/Agent trojan
F:\dvd\d4d.cc - martijny post - QuickTime Pro 7.20\d4d.cc - martijny post - QuickTime Pro 7.20\keymaker.exe probably a variant of Win32/Agent trojan
F:\dvd\LasVegas casino Masters\LasVegas casino Masters.iso a variant of Win32/Adware.Casino application
F:\xp downloads\Nero-7.8.5.0_eng_update.exe Win32/Toolbar.AskSBar application
G:\agent download\alt.binaries.boneless\Lucky Casino Delux 2007\Lucky Casino Delux 2007.iso a variant of Win32/Adware.Casino application
G:\agent download\alt.binaries.boneless\Nero 8 Full\Nero 8 Full\Nero 8 Latest Version\Nero-8.1.1.4_eng_trial.exe Win32/Toolbar.AskSBar application
G:\agent download\alt.binaries.boneless\Nero 8 Full\Nero 8 Full\Nero 8 NL\Nero 8 NL.iso Win32/Toolbar.AskSBar application
G:\agent download\alt.binaries.boneless\Nero.v8.1.1.4.Ultra.Edition\Nero.v8.1.1.4.Ultra.Edition\Nero.v8.1.1.4.Ultra.Edition\Nero-8.1.1.4_eng_trial.exe Win32/Toolbar.AskSBar application
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:03 AM, on 8/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ULI5287\ULiRaid.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\DU Meter\DUMETER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\StkASv2K.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\forcefield.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
c:\program files\aol toolbar\aoltbServer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Loader - {3ef64538-8b54-4573-b48f-4d34b0238ab2} - C:\Program Files\AOL Toolbar\aoltb.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: AOL Toolbar - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll
O4 - HKLM\..\Run: [ULiRaid] C:\Program Files\ULI5287\ULiRaid.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMETER.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250327666185
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: mcataloguer - {FECF9894-CCCF-4DE3-B994-AEE32E70B341} - C:\Program Files\MCataloguer\MCatProt.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Syntek STK1160 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 5158 bytes
Bio-Hazard
2009-08-31, 20:29
"Is this particular nasty just a browser hijacker or do I need to worry about keylogging passwords and credit cards too?"
You don't have to be worried about your passwords or your credit card details. This infection blocks a lot of the tools we use and it is a pain in the neck.
You need to delete this file: F:\ACDC\TEMP\Nero Multi Keygenerator.exe
Let's make sure everything is OK before I give the all clear.
ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords please click No at the prompt.
Click Exit on the Main menu to close the program.
Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam-download.php) and save it to your desktop.
Alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
Alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the Perform Full Scan option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Logs/Information to Post in Next Reply
Please post the following logs/Information in your reply:
Malwarebytes Antimalware log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving
boss123b
2009-09-01, 07:37
Hello,
The system seems to be running fine. No issues that I can notice.
Malwarebytes' Anti-Malware 1.40
Database version: 2722
Windows 5.1.2600 Service Pack 3
9/1/2009 12:16:40 AM
mbam-log-2009-09-01 (00-16-40).txt
Scan type: Full Scan (C:\|D:\|F:\|G:\|)
Objects scanned: 507049
Time elapsed: 2 hour(s), 57 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
D:\System Volume Information\_restore{02DBBC02-FE97-4A59-B24F-2A426B27E4DD}\RP218\A0331532.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{5C58B51C-A324-4792-AFA8-802275A26B96}\RP806\A0323037.exe (Backdoor.Sdbot) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{FE89B679-31AF-424A-BE74-EC57E4402084}\RP55\A0013378.exe (Backdoor.Sdbot) -> Quarantined and deleted successfully.
G:\System Volume Information\_restore{02DBBC02-FE97-4A59-B24F-2A426B27E4DD}\RP216\A0308375.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:27 AM, on 9/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\ULI5287\ULiRaid.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\StkASv2K.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\DU Meter\DUMETER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\forcefield.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aol toolbar\aoltbServer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Loader - {3ef64538-8b54-4573-b48f-4d34b0238ab2} - C:\Program Files\AOL Toolbar\aoltb.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: AOL Toolbar - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll
O4 - HKLM\..\Run: [ULiRaid] C:\Program Files\ULI5287\ULiRaid.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMETER.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250327666185
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: mcataloguer - {FECF9894-CCCF-4DE3-B994-AEE32E70B341} - C:\Program Files\MCataloguer\MCatProt.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Syntek STK1160 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 5158 bytes
Bio-Hazard
2009-09-01, 11:34
Your log now appears to be clean. Congratulations!
You can get rid of the tools we used:
DDS - (You can just delete the exe file from your desktop)
ATF cleaner - (You can just delete the exe file from your desktop)
ERUNT - (You can uninstall it from Add/Remove Programs)
Delete ComboFix and Clean Up
Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
http://i147.photobucket.com/albums/r301/DFW_photos/CF_Cleanup.png
Please advise if this step is missed for any reason as it performs some important actions.
OTC
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.
Double-click OTC.exe
Click the CleanUp! button
Select Yes when the "Begin cleanup process?" prompt appears
If you are prompted to reboot during the cleanup, select Yes
The tool will delete itself once it finishes; if not, delete it yourself
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site (http://update.microsoft.com/microsoftupdate) on a regular basis.
NOTE: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
Update Non-Microsoft Programs
Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector) or F-Secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html). I suggest that you run one of them at least once a month.
Recommended Programs
I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.
WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE (http://www.winpatrol.com/).
SpywareBlaster
SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE (http://www.webopedia.com/TERM/A/ActiveX_control.html). You can download SpywareBlaster from HERE (http://www.javacoolsoftware.com/sbdownload.html).
Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. You can download Malwarebytes' Anti-Malware from HERE (http://www.malwarebytes.org/mbam.php). Here are two tutorials: Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926) and Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913).
Hosts File
For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE (http://forum.malwareremoval.com/viewtopic.php?t=22187) and for more information regarding Hosts files read HERE (http://www.mvps.org/winhelp2002/hosts.htm).
Use an alternative Internet Browser
Many of the exploits are directed at users of Internet Explorer. Try using a different browser instead: Firefox (http://www.mozilla.com/en-US/firefox/), Opera (http://www.opera.com/download/) or Google Chrome (http://www.google.com/chrome).
Here is a great article by miekiemoes How to prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html).
Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints (http://www.malwarecomplaints.info/index.php). You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.
I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
Happy surfing and stay clean!
Bio-Hazard
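The helper's "your log now appears to be clean" verdict comes from comparing the R/O entries of successive HijackThis logs while ignoring the volatile process list. The following is an added editor example, not code from the thread, from Safer Networking or from Trend Micro; it parses those entries, diffs two scans, and collects the CLSIDs of BHO/toolbar/ActiveX entries, using sample logs constructed from lines the thread quotes.

```python
"""Compare the persistence entries of two HijackThis v2 logs.

Added editor example; it is not code from the thread, from Safer Networking
or from Trend Micro. The sample logs below are constructed from lines the
thread quotes (an earlier scan without the AOL Toolbar, a later one with it).
"""
import re
from typing import Dict, List, Tuple

# An R/F/O line: the HijackThis section code, " - ", then the entry text.
_ENTRY = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
# A COM class id in braces, as used by O2/O3/O9/O16 entries.
_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

Entry = Tuple[str, str]


def parse_hjt(log: str) -> List[Entry]:
    """Return (section, text) pairs for every R/F/O line of a log.

    Header lines and the 'Running processes:' block are skipped on purpose:
    process order, and the presence of the scanner itself, vary between runs.
    """
    entries: List[Entry] = []
    for line in log.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def diff_logs(old: str, new: str) -> Tuple[List[Entry], List[Entry]]:
    """Return (added, removed): entries only in the new log, only in the old."""
    old_set, new_set = set(parse_hjt(old)), set(parse_hjt(new))
    return sorted(new_set - old_set), sorted(old_set - new_set)


def clsids(entries: List[Entry]) -> Dict[str, str]:
    """Map each CLSID from BHO/toolbar/ActiveX entries to its first entry text.

    Keys are upper-cased so {3ef64538-...} and {3EF64538-...} compare equal.
    """
    found: Dict[str, str] = {}
    for section, text in entries:
        if section in ("O2", "O3", "O9", "O16"):
            for clsid in _CLSID.findall(text):
                found.setdefault(clsid.upper(), f"{section} - {text}")
    return found


# Constructed sample: a scan before the AOL Toolbar appeared.
OLD_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
--
End of file - 5158 bytes
"""

# Constructed sample: the later scan, with the AOL Toolbar and a search URL added.
NEW_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
c:\program files\aol toolbar\aoltbServer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Loader - {3ef64538-8b54-4573-b48f-4d34b0238ab2} - C:\Program Files\AOL Toolbar\aoltb.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: AOL Toolbar - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
--
End of file - 5158 bytes
"""

if __name__ == "__main__":
    added, removed = diff_logs(OLD_LOG, NEW_LOG)
    for section, text in added:
        print("+", section, "-", text)
    for section, text in removed:
        print("-", section, "-", text)
    for clsid, where in clsids(parse_hjt(NEW_LOG)).items():
        print(clsid, "<-", where)
```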
boss123b
2009-09-01, 16:51
All you have suggested is done. I hope I never need your services again but I greatly appreciate and admire your selflessness and dedication to this problem. Keep fighting the good fight and Bless you!
Bio-Hazard
2009-09-01, 16:57
Thank you for your kind words.
Since this issue appears to be resolved, this topic has been closed. Glad I could help.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.