The ComboFix Log that you posted got cut off.
Please post the rest of it starting at 2006-06-07 22:40 132,848 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll in the Find3M Report section of the log.
--EOF-- will be at the end of the Log.
Thanks.
this is very weird. I went and looked at ComboFix.txt again and I have actually posted everything that is present in that file. I do NOT have the EOF line in my ComboFix.txt file. I noticed that during the generating log file step, my computer rebooted during the process. Perhaps it got cut off. Should I rerun combofix and try to generate a new log file?
That is strange.
Go ahead and rerun ComboFix again and see if you can get a new log file and post it back here.
okay, so i reran and got the complete log file this time.
here it is:
ComboFix 08-08-10.01 - Andy 2008-08-11 19:43:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1625 [GMT -7:00]
Running from: C:\Documents and Settings\Andy\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM333e2456.txt
C:\WINDOWS\BM333e2456.xml
C:\WINDOWS\pskt.ini
.
---- Previous Run -------
.
C:\Autorun.inf
C:\Documents and Settings\Andy\Application Data\macromedia\Flash Player\#SharedObjects\93BHBHVA\interclick.com
C:\Documents and Settings\Andy\Application Data\macromedia\Flash Player\#SharedObjects\93BHBHVA\interclick.com\ud.sol
C:\Documents and Settings\Andy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Andy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\g.exe
C:\p0sc9t.cmd
C:\WINDOWS\BM333e2456.txt
C:\WINDOWS\BM333e2456.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ceorcy.dll
C:\WINDOWS\system32\efcAQKAt.dll
C:\WINDOWS\system32\elhnpdhm.ini
C:\WINDOWS\system32\fkjnxcgs.ini
C:\WINDOWS\system32\fxqhsfel.ini
C:\WINDOWS\system32\jodwkrmg.ini
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\ltlmhq.dll
C:\WINDOWS\system32\nkiacynd.ini
C:\WINDOWS\system32\pmlrrftx.dll
C:\WINDOWS\system32\qxmrynwe.ini
C:\WINDOWS\system32\rjmltyiw.ini
C:\WINDOWS\system32\salbjabu.ini
C:\WINDOWS\system32\sgcxnjkf.dll
C:\WINDOWS\system32\tAKQAcfe.ini
C:\WINDOWS\system32\tAKQAcfe.ini2
C:\WINDOWS\system32\vowjechj.dll
C:\WINDOWS\system32\wukrijyv.dll
.
((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
.
2008-08-09 13:21 . 2008-08-09 13:21 <DIR> d-------- C:\Program Files\Sun
2008-08-09 13:21 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-04 19:43 . 2008-08-04 19:43 2,048 --a------ C:\WINDOWS\system32\hviatwxg.exe
2008-08-04 19:41 . 2008-08-04 19:41 91,648 --a------ C:\WINDOWS\system32\durpjwdg.dll
2008-08-03 13:17 . 2008-08-03 13:17 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-03 13:17 . 2008-08-03 13:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-03 13:16 . 2008-08-03 13:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 12:13 . 2008-08-10 13:23 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-03 12:11 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-08-03 12:11 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-03 12:09 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-03 12:09 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-03 12:09 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-03 12:09 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-07-30 17:50 . 2008-07-30 17:50 <DIR> d-------- C:\VundoFix Backups
2008-07-30 17:44 . 2008-07-30 17:44 <DIR> d-------- C:\Program Files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 20:14 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\VMware
2008-08-10 20:14 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-08-10 20:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-08-09 20:21 --------- d-----w C:\Program Files\Java
2008-08-08 07:58 --------- d-----w C:\Program Files\Mozilla Firefox 2 Beta 2
2008-08-05 04:42 --------- d-----w C:\Documents and Settings\Andy\Application Data\FileZilla
2008-08-03 18:49 --------- d-----w C:\Documents and Settings\Andy\Application Data\VMware
2008-08-03 18:42 --------- d-----w C:\Documents and Settings\Andy\Application Data\.purple
2008-08-03 01:25 --------- d-----w C:\Documents and Settings\Andy\Application Data\Azureus
2008-07-26 18:13 --------- d-----w C:\Program Files\Dl_cats
2008-07-26 08:34 --------- d-----w C:\Program Files\Call of Duty 2
2008-07-10 06:41 --------- d-----w C:\Program Files\Azureus
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 09:57 --------- d-----w C:\Documents and Settings\Andy\Application Data\gtk-2.0
2008-06-13 09:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-13 09:11 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-13 08:22 --------- d-----w C:\Program Files\Opera
2008-06-13 06:37 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-05-28 03:30 119,463 --sh--r C:\sdc.bat
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-23 16:00 40,360 ----a-w C:\Documents and Settings\Andy\Application Data\GDIPFONTCACHEV1.DAT
2007-03-26 03:27 450,560 ----a-w C:\Program Files\fxdecod1.dll
2006-09-13 01:35 3,805,184 ----a-w C:\Program Files\FoxitReader.exe
2006-01-23 18:32 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll
2006-06-07 22:40 132,848 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-04-04 14:20 81920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 03:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 03:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 03:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 03:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 03:00 455168]
"DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 06:50 73728]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 08:40 430080]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"BM333e2456"="C:\WINDOWS\system32\durpjwdg.dll" [2008-08-04 19:41 91648]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 20:00 282624 C:\WINDOWS\stsystra.exe]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 03:00 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Andy^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Andy\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 20:52 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2006-08-27 13:43 61440 c:\dell\bldbubg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]
--a------ 2007-08-21 21:05 73728 C:\Program Files\ClamWin\bin\ClamTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 15:29 165784 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
--a------ 2006-07-26 15:05 28672 c:\dell\E-Center\EULAl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 14:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 14:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-10-04 18:14 81920 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-08-31 21:59 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-02-10 10:39 1269760 C:\Program Files\Steam\steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"niSvcLoc"=2 (0x2)
"NIDomainService"=2 (0x2)
"Microsoft Validation Service"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"lkTimeSync"=2 (0x2)
"lkClassAds"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Mozilla Firefox 2 Beta 2\\firefox.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\UT2004\\System\\UT2004.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\Mathematica.exe"=
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\MathKernel.exe"=
"C:\\Program Files\\Sierra\\FEARCombat\\FEARMP.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\math.exe"=
"C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\Mathematica.exe"=
"C:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\MathKernel.exe"=
"C:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\math.exe"=
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2006-07-27 11:00]
R2 Prvflder;Prvflder;C:\WINDOWS\system32\DRIVERS\prvflder.sys [2006-04-21 08:22]
R2 vmserverdWin32;VMware Registration Service;C:\Program Files\VMware\VMware Server\vmserverdWin32.exe [2006-08-09 15:40]
S3 ICSCard;ICSCard;C:\WINDOWS\system32\drivers\ICSCard.sys [2001-12-11 23:10]
S4 Microsoft Validation Service;Microsoft Validation Service;C:\WINDOWS\wmiprsv.exe []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d534d8cd-7463-11db-b423-0013729216ee}]
\Shell\AutoRun\command - G:\g.exe
\Shell\explore\Command - G:\g.exe
\Shell\open\Command - G:\g.exe
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-300d17ca - C:\WINDOWS\system32\sgcxnjkf.dll
Notify-rqRKcDVp - rqRKcDVp.dll
MSConfigStartUp-300d17ca - C:\WINDOWS\system32\gmrkwdoj.dll
MSConfigStartUp-BM333e2456 - C:\WINDOWS\system32\uodofoxc.dll
MSConfigStartUp-kava - C:\WINDOWS\system32\kavo.exe
MSConfigStartUp-RivaTunerStartupDaemon - C:\Program Files\RivaTuner v2.0 RC 16\RivaTuner.exe
MSConfigStartUp-runner1 - C:\WINDOWS\mrofinu572.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\g6b5m1td.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\g6b5m1td.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 2 Beta 2\plugins\np32dsw.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 2 Beta 2\plugins\NPLV80Win32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 2 Beta 2\plugins\NPLV82Win32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 2 Beta 2\plugins\npnul32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 2 Beta 2\plugins\nppdf32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 2 Beta 2\plugins\nppsynth.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 2 Beta 2\plugins\npqtplugin.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 2 Beta 2\plugins\npqtplugin2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 2 Beta 2\plugins\npqtplugin3.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 2 Beta 2\plugins\npqtplugin4.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 2 Beta 2\plugins\npqtplugin5.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 2 Beta 2\plugins\npqtplugin6.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 2 Beta 2\plugins\npqtplugin7.dll
FF -: plugin - C:\WINDOWS\system32\Photosynth\nppsynth.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 19:47:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-11 19:58:12
ComboFix-quarantined-files.txt 2008-08-12 02:58:10
ComboFix2.txt 2008-08-09 20:31:09
Pre-Run: 94,603,550,720 bytes free
Post-Run: 94,590,824,448 bytes free
256 --- E O F --- 2008-08-10 20:05:00
Do you recognize the following file?
G:\g.exe
Step # 1: Run CFScript
- Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:KILLALL:: File:: C:\WINDOWS\system32\hviatwxg.exe C:\WINDOWS\system32\durpjwdg.dll Folder:: C:\VundoFix Backups C:\Documents and Settings\Andy\Application Data\Azureus C:\Program Files\Azureus Registry:: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BM333e2456"=- [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\Program Files\\Azureus\\Azureus.exe"=- [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d534d8cd-7463-11db-b423-0013729216ee}]- Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Note: This CFScript is for use on fermion's computer only! Do not use it on your computer.
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
In your next post/reply, I need to see the following:
1. ComboFix Log that appears after Step 1 has been completed
2. A fresh HiJackThis Log taken after Step 2 has been completed
combofix log:
ComboFix 08-08-10.01 - Andy 2008-08-12 18:54:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1605 [GMT -7:00]
Running from: C:\Documents and Settings\Andy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Andy\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\durpjwdg.dll
C:\WINDOWS\system32\hviatwxg.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Andy\Application Data\Azureus
C:\Documents and Settings\Andy\Application Data\Azureus\.keystore
C:\Documents and Settings\Andy\Application Data\Azureus\active\cache.dat
C:\Documents and Settings\Andy\Application Data\Azureus\azureus.config
C:\Documents and Settings\Andy\Application Data\Azureus\azureus.config.bak
C:\Documents and Settings\Andy\Application Data\Azureus\azureus.statistics
C:\Documents and Settings\Andy\Application Data\Azureus\azureus.statistics.bak
C:\Documents and Settings\Andy\Application Data\Azureus\banips.config
C:\Documents and Settings\Andy\Application Data\Azureus\banips.config.bak
C:\Documents and Settings\Andy\Application Data\Azureus\dht\addresses.dat
C:\Documents and Settings\Andy\Application Data\Azureus\dht\contacts.dat
C:\Documents and Settings\Andy\Application Data\Azureus\dht\diverse.dat
C:\Documents and Settings\Andy\Application Data\Azureus\dht\general.dat
C:\Documents and Settings\Andy\Application Data\Azureus\dht\version.dat
C:\Documents and Settings\Andy\Application Data\Azureus\downloads.config
C:\Documents and Settings\Andy\Application Data\Azureus\downloads.config.bak
C:\Documents and Settings\Andy\Application Data\Azureus\friends.config
C:\Documents and Settings\Andy\Application Data\Azureus\friends.config.bak
C:\Documents and Settings\Andy\Application Data\Azureus\ipfilter.cache
C:\Documents and Settings\Andy\Application Data\Azureus\logs\alerts_1.log
C:\Documents and Settings\Andy\Application Data\Azureus\logs\AutoSpeed_1.log
C:\Documents and Settings\Andy\Application Data\Azureus\logs\AutoSpeedSearchHistory_1.log
C:\Documents and Settings\Andy\Application Data\Azureus\logs\debug_1.log
C:\Documents and Settings\Andy\Application Data\Azureus\logs\debug_2.log
C:\Documents and Settings\Andy\Application Data\Azureus\logs\Friends_1.log
C:\Documents and Settings\Andy\Application Data\Azureus\logs\NetStatus_1.log
C:\Documents and Settings\Andy\Application Data\Azureus\logs\seltrace_1.log
C:\Documents and Settings\Andy\Application Data\Azureus\logs\seltrace_2.log
C:\Documents and Settings\Andy\Application Data\Azureus\logs\SpeedMan_1.log
C:\Documents and Settings\Andy\Application Data\Azureus\logs\SpeedMan_2.log
C:\Documents and Settings\Andy\Application Data\Azureus\net\pm_20001.dat
C:\Documents and Settings\Andy\Application Data\Azureus\net\pm_22291.dat
C:\Documents and Settings\Andy\Application Data\Azureus\net\pm_31.dat
C:\Documents and Settings\Andy\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.3.jar
C:\Documents and Settings\Andy\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.3.zip
C:\Documents and Settings\Andy\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.7.jar
C:\Documents and Settings\Andy\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.7.zip
C:\Documents and Settings\Andy\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.1.jar
C:\Documents and Settings\Andy\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.1.zip
C:\Documents and Settings\Andy\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.2.jar
C:\Documents and Settings\Andy\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.2.zip
C:\Documents and Settings\Andy\Application Data\Azureus\plugins\azupnpav\plugin.properties
C:\Documents and Settings\Andy\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.1.3
C:\Documents and Settings\Andy\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.1.7
C:\Documents and Settings\Andy\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.1
C:\Documents and Settings\Andy\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.2
C:\Documents and Settings\Andy\Application Data\Azureus\tables.config
C:\Documents and Settings\Andy\Application Data\Azureus\tables.config.bak
C:\Documents and Settings\Andy\Application Data\Azureus\tmp\AZU52363.tmp
C:\Documents and Settings\Andy\Application Data\Azureus\tmp\AZU52364.tmp
C:\Documents and Settings\Andy\Application Data\Azureus\tmp\AZU52365.tmp
C:\Documents and Settings\Andy\Application Data\Azureus\tmp\AZU52366.tmp
C:\Documents and Settings\Andy\Application Data\Azureus\tmp\AZU52367.tmp
C:\Documents and Settings\Andy\Application Data\Azureus\tmp\AZU52368.tmp
C:\Documents and Settings\Andy\Application Data\Azureus\tmp\AZU52369.tmp
C:\Documents and Settings\Andy\Application Data\Azureus\tmp\AZU52371.tmp
C:\Documents and Settings\Andy\Application Data\Azureus\torrents\AZU36013.tmp
C:\Documents and Settings\Andy\Application Data\Azureus\torrents\AZU3762.tmp
C:\Documents and Settings\Andy\Application Data\Azureus\tracker.config
C:\Documents and Settings\Andy\Application Data\Azureus\tracker.config.bak
C:\Documents and Settings\Andy\Application Data\Azureus\update.log
C:\Documents and Settings\Andy\Application Data\Azureus\update.properties
C:\Program Files\Azureus
C:\Program Files\Azureus\AzureusUpdater.exe
C:\Program Files\Azureus\msvcr71.dll
C:\Program Files\Azureus\plugins\azplugins\azplugins_2.1.1.jar
C:\Program Files\Azureus\plugins\azplugins\azplugins_2.1.4.jar
C:\Program Files\Azureus\plugins\azrating\azrating_1.3.1.jar
C:\Program Files\Azureus\plugins\azupdater\azupdater_1.8.5.zip
C:\Program Files\Azureus\plugins\azupdater\azupdater_1.8.8.zip
C:\Program Files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.3.jar
C:\Program Files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.5.jar
C:\Program Files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.8.jar
C:\Program Files\Azureus\plugins\azupdater\plugin.properties
C:\Program Files\Azureus\plugins\azupdater\plugin.properties_1.8.5
C:\Program Files\Azureus\plugins\azupdater\plugin.properties_1.8.8
C:\Program Files\Azureus\plugins\azupdater\Updater.jar
C:\Program Files\Azureus\plugins\azupdater\Updater.jar.bak
C:\Program Files\Azureus\plugins\safepeer\azureus.sig
C:\Program Files\Azureus\plugins\safepeer\blocklist.cache
C:\Program Files\Azureus\plugins\safepeer\blocklist.properties
C:\Program Files\Azureus\plugins\safepeer\history.txt
C:\Program Files\Azureus\plugins\safepeer\License.txt
C:\Program Files\Azureus\plugins\safepeer\plugin.properties
C:\Program Files\Azureus\plugins\safepeer\Readme.txt
C:\Program Files\Azureus\plugins\safepeer\safepeer.log
C:\Program Files\Azureus\plugins\safepeer\safepeer.properties
C:\Program Files\Azureus\plugins\safepeer\safepeer_2.5.1.jar
C:\Program Files\Azureus\swt-awt-win32-3318.dll
C:\Program Files\Azureus\swt-gdip-win32-3318.dll
C:\Program Files\Azureus\swt-wgl-win32-3318.dll
C:\Program Files\Azureus\swt-win32-3318.dll
C:\Program Files\Azureus\Uninstall.exe
C:\VundoFix Backups
C:\WINDOWS\system32\durpjwdg.dll
C:\WINDOWS\system32\hviatwxg.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.
2008-08-09 13:21 . 2008-08-09 13:21 <DIR> d-------- C:\Program Files\Sun
2008-08-09 13:21 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-03 13:17 . 2008-08-03 13:17 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-03 13:17 . 2008-08-03 13:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-03 13:16 . 2008-08-03 13:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 12:13 . 2008-08-10 13:23 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-03 12:11 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-08-03 12:11 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-03 12:09 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-03 12:09 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-03 12:09 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-03 12:09 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-07-30 17:44 . 2008-07-30 17:44 <DIR> d-------- C:\Program Files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 01:59 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-08-13 01:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-08-13 01:54 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\VMware
2008-08-09 20:21 --------- d-----w C:\Program Files\Java
2008-08-08 07:58 --------- d-----w C:\Program Files\Mozilla Firefox 2 Beta 2
2008-08-05 04:42 --------- d-----w C:\Documents and Settings\Andy\Application Data\FileZilla
2008-08-03 18:49 --------- d-----w C:\Documents and Settings\Andy\Application Data\VMware
2008-08-03 18:42 --------- d-----w C:\Documents and Settings\Andy\Application Data\.purple
2008-07-26 18:13 --------- d-----w C:\Program Files\Dl_cats
2008-07-26 08:34 --------- d-----w C:\Program Files\Call of Duty 2
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 09:57 --------- d-----w C:\Documents and Settings\Andy\Application Data\gtk-2.0
2008-06-13 09:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-13 09:11 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-13 08:22 --------- d-----w C:\Program Files\Opera
2008-06-13 06:37 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-05-28 03:30 119,463 --sh--r C:\sdc.bat
2008-02-23 16:00 40,360 ----a-w C:\Documents and Settings\Andy\Application Data\GDIPFONTCACHEV1.DAT
2007-03-26 03:27 450,560 ----a-w C:\Program Files\fxdecod1.dll
2006-09-13 01:35 3,805,184 ----a-w C:\Program Files\FoxitReader.exe
2006-01-23 18:32 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll
2006-06-07 22:40 132,848 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-04-04 14:20 81920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 03:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 03:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 03:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 03:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 03:00 455168]
"DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 06:50 73728]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 08:40 430080]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 20:00 282624 C:\WINDOWS\stsystra.exe]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 03:00 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Andy^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Andy\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 20:52 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2006-08-27 13:43 61440 c:\dell\bldbubg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]
--a------ 2007-08-21 21:05 73728 C:\Program Files\ClamWin\bin\ClamTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 15:29 165784 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
--a------ 2006-07-26 15:05 28672 c:\dell\E-Center\EULAl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 14:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 14:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-10-04 18:14 81920 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-08-31 21:59 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-02-10 10:39 1269760 C:\Program Files\Steam\steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"niSvcLoc"=2 (0x2)
"NIDomainService"=2 (0x2)
"Microsoft Validation Service"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"lkTimeSync"=2 (0x2)
"lkClassAds"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox 2 Beta 2\\firefox.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\UT2004\\System\\UT2004.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\Mathematica.exe"=
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\MathKernel.exe"=
"C:\\Program Files\\Sierra\\FEARCombat\\FEARMP.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\math.exe"=
"C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\Mathematica.exe"=
"C:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\MathKernel.exe"=
"C:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\math.exe"=
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2006-07-27 11:00]
R2 Prvflder;Prvflder;C:\WINDOWS\system32\DRIVERS\prvflder.sys [2006-04-21 08:22]
R2 vmserverdWin32;VMware Registration Service;C:\Program Files\VMware\VMware Server\vmserverdWin32.exe [2006-08-09 15:40]
S3 ICSCard;ICSCard;C:\WINDOWS\system32\drivers\ICSCard.sys [2001-12-11 23:10]
S4 Microsoft Validation Service;Microsoft Validation Service;C:\WINDOWS\wmiprsv.exe []
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-12 18:58:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\dlcccoms.exe
.
**************************************************************************
.
Completion time: 2008-08-12 19:14:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-13 02:14:11
ComboFix2.txt 2008-08-12 02:58:13
ComboFix3.txt 2008-08-09 20:31:09
Pre-Run: 94,557,630,464 bytes free
Post-Run: 94,545,821,696 bytes free
281 --- E O F --- 2008-08-10 20:05:00
hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:46 PM, on 8/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\fermion.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en&...suk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
--
End of file - 8187 bytes
Step # 1: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Step # 2 Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
- Next click the Scanner tab and select Perform Quick Scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please save it to a convenient location.
- You can also access the log by doing the following:
- Click on the Malwarebytes' Anti-Malware icon to launch the program.
- Click on the Logs tab.
- Click on the log at the bottom of those listed to highlight it.
- Click Open.
In your next post/reply, I need to see the following:
1. MalwareBytes' Log
2. A fresh HiJackThis Log
fermion? How are things coming along?
sorry for the delay, i was a little bit tied up with work the last couple days.
i ran ATF-Cleaner and ran into a small problem. The firefox tab was greyed out and i was unable to select it. I have no idea why that is.
Here is the Anti-Malware log:
Malwarebytes' Anti-Malware 1.24
Database version: 1054
Windows 5.1.2600 Service Pack 2
11:48:32 AM 8/15/2008
mbam-log-8-15-2008 (11-48-32).txt
Scan type: Quick Scan
Objects scanned: 40270
Time elapsed: 3 minute(s), 39 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
and here is the fresh hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:48 AM, on 8/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\fermion.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en&...suk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
--
End of file - 8222 bytes
It was greyed out because you don't have FireFox installed on your computer. Its nothing to worry about.i ran ATF-Cleaner and ran into a small problem. The firefox tab was greyed out and i was unable to select it. I have no idea why that is
Step # 1: Run Kaspersky Online Scan
Please go to Kaspersky website and perform an online antivirus scan.
- Read through the requirements and privacy statement and click on Accept button.
- It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
- When the downloads have finished, click on Settings.
- Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases- Click on My Computer under Scan.
- Once the scan is complete, it will display the results. Click on View Scan Report.
- You will see a list of infected items there. Click on Save Report As....
- Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
- Please post this log in your next reply.
In your next post/reply, I need to see the following:
1. Kaspersky Log
2. A fresh HiJackThis Log
3. How is your computer doing, any problems?
Posting Permissions
