
Thread: virtumonde

  1. #11
    Member
    Join Date
    Feb 2010
    Posts
    85

    again

    I downloaded a new file, and it scanned for hours and hours.
    When I wasn't paying attention, again, it went into a frozen mode where my monitor wouldn't come on. I even unplugged the blue cable in back, and on plugging it back in it still wouldn't let me see the screen. I plugged in a USB mouse and not only would it not wake up my monitor, it wouldn't light up to show power to it.
    The computer, however, was running. The orange light was flickering, and the fan was running.
    The previous owner has not run this computer in over a year and a half or so.

  2. #12
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503


    Okay so this is "old" Malware.

    Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated HijackThis log and let me know how it's running.

    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

  3. #13
    Member
    Join Date
    Feb 2010
    Posts
    85

    comboFix

    ComboFix 10-03-01.01 - Compaq_Administrator 03/01/2010 13:00:06.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.702.356 [GMT -5:00]
    Running from: c:\docume~1\COMPAQ~1\LOCALS~1\Temp\Saf52.tmp\ComboFix.exe
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    .
    The following files were disabled during the run:
    c:\windows\IA\asappsrv.dll


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\35573251.exe
    c:\documents and settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
    c:\documents and settings\Compaq_Administrator\Application Data\rhcpvoj0e57v
    c:\documents and settings\Compaq_Administrator\Cookies\_install.exe
    c:\documents and settings\Compaq_Administrator\Local Settings\Temporary Internet Files\bestwiner.stt
    c:\documents and settings\Compaq_Administrator\Local Settings\Temporary Internet Files\CPV.stt
    c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
    C:\Microsoft
    c:\microsoft\svchost.exe
    c:\progra~1\COMMON~1\{3C622~1
    c:\progra~1\COMMON~1\{7C622~1
    c:\progra~1\COMMON~1\{7C622~1\system.dll
    c:\progra~1\COMMON~1\{7C622~1\Update.exe
    c:\progra~1\COMMON~1\{7C622~2
    c:\progra~1\COMMON~1\{7C622~2\system.dll
    c:\progra~1\COMMON~1\{7C622~2\Update.exe
    c:\progra~1\COMMON~1\{7C622~3
    c:\progra~1\COMMON~1\{7C622~3\system.dll
    c:\progra~1\COMMON~1\{7C622~3\Update.exe
    c:\program files\asks~1
    c:\program files\Common Files\curity~1
    c:\program files\Common Files\dobe~1
    c:\program files\Common Files\racle~1
    c:\program files\Common Files\smante~1
    c:\program files\Common Files\smbols~1
    c:\program files\Common Files\sstem~1
    c:\program files\Common Files\ymante~1
    c:\program files\crosof~1.net
    c:\program files\curity~1
    c:\program files\JavaCore
    c:\program files\mantec~1
    c:\program files\racle~1
    c:\program files\rhcpvoj0e57v
    c:\program files\shcrvoj0e57v
    c:\program files\Spcron
    c:\program files\sstem3~1
    c:\program files\Svconr
    c:\program files\Svconr\Svconr.exe.lzma
    c:\program files\Temporary
    c:\program files\Temporary\InsiDERInst.exe
    c:\program files\wnsxs~1
    c:\program files\ystem~1
    c:\recycler\S-1-5-21-527237240-179605362-725345543-500
    c:\windows\IA
    c:\windows\IA\asappsrv.dll.vir
    c:\windows\IA\command.exe
    c:\windows\IA\KE.vbs
    c:\windows\icroso~1
    c:\windows\icroso~1.net
    c:\windows\mcroso~1
    c:\windows\racle~1
    c:\windows\smante~1
    c:\windows\sstem~1
    c:\windows\system32\asks~1
    c:\windows\system32\atmtd.dll.tmp
    c:\windows\system32\COMCTL32.OCA
    c:\windows\system32\curity~1
    c:\windows\system32\E.tmp
    c:\windows\system32\fnts~1
    c:\windows\system32\lphctvoj0e57v.exe
    c:\windows\system32\mantec~1
    c:\windows\system32\pphctvoj0e57v.exe
    c:\windows\system32\racle~1
    c:\windows\system32\s.ico
    c:\windows\system32\sks~1
    c:\windows\system32\sstem3~1
    c:\windows\system32\stem~1
    c:\windows\system32\unsvchosts.lzma
    c:\windows\system32\wapisu.exe
    c:\windows\system32\wnsxs~1
    c:\windows\system32\ymante~1
    c:\windows\tsks~1
    c:\windows\ymbols~1
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CMDSERVICE
    -------\Legacy_COM+_MESSAGES
    -------\Service_cmdService


    ((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
    .

    2010-03-01 00:08 . 2010-03-01 00:08 293376 ----a-w- C:\2outg8ml.exe
    2010-02-28 16:40 . 2010-02-28 16:41 -------- d-----w- c:\program files\ERUNT
    2010-02-28 16:25 . 2010-02-28 16:25 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\PCHealth
    2010-02-28 16:24 . 2010-02-28 16:24 60512 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-02-28 16:06 . 2010-02-28 16:06 -------- d-----w- c:\windows\ServicePackFiles
    2010-02-28 16:05 . 2010-02-28 16:05 -------- d-----w- c:\program files\MSXML 4.0
    2010-02-26 23:11 . 2010-02-26 23:16 -------- d-----w- c:\program files\Spybot - Search & Destroy

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-26 23:49 . 2008-07-23 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-02-26 23:45 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C7.tmp
    2010-02-26 23:45 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C6.tmp
    2010-02-26 23:43 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C5.tmp
    2010-02-26 23:42 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C4.tmp
    2010-02-26 23:42 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C3.tmp
    2010-02-26 23:41 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C2.tmp
    2010-02-26 23:40 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C1.tmp
    2010-02-26 23:39 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C0.tmp
    2010-02-26 23:37 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BF.tmp
    2010-02-26 23:36 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BE.tmp
    2010-02-26 23:35 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BD.tmp
    2010-02-26 23:35 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BC.tmp
    2010-02-26 23:34 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BB.tmp
    2010-02-26 23:33 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B9.tmp
    2010-02-26 23:32 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B8.tmp
    2010-02-26 23:28 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B7.tmp
    2010-02-26 23:27 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B6.tmp
    2010-02-26 23:25 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B5.tmp
    2010-02-26 23:25 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B2.tmp
    2010-02-26 23:25 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B1.tmp
    2010-02-26 23:24 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B0.tmp
    2010-02-26 23:24 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AF.tmp
    2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AE.tmp
    2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AD.tmp
    2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AC.tmp
    2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AB.tmp
    2010-02-26 23:22 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AA.tmp
    2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A9.tmp
    2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A8.tmp
    2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A7.tmp
    2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A6.tmp
    2010-02-26 23:20 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A5.tmp
    2010-02-26 23:20 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A4.tmp
    2010-02-26 23:18 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A3.tmp
    2010-02-26 23:06 . 2007-08-16 18:02 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Apple Computer
    2010-02-26 10:00 . 2009-03-14 15:40 -------- d-----w- c:\program files\SeekeenSrch
    2010-02-26 09:26 . 2009-03-14 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SeekeenSrch
    2009-12-31 16:14 . 2004-08-09 21:00 352640 ------w- c:\windows\system32\drivers\srv.sys
    2009-12-22 05:35 . 2004-08-09 21:00 668672 ----a-w- c:\windows\system32\wininet.dll
    2009-12-22 05:35 . 2004-08-09 21:00 81920 ------w- c:\windows\system32\ieencode.dll
    2009-12-16 12:58 . 2004-08-09 21:00 343040 ------w- c:\windows\system32\mspaint.exe
    2009-12-14 07:35 . 2004-08-09 21:00 33280 ------w- c:\windows\system32\csrsrv.dll
    2009-12-04 14:41 . 2004-08-09 21:00 453760 ------w- c:\windows\system32\drivers\mrxsmb.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sxpv"="c:\windows\S?mantec\w?auboot.exe" [?]
    "Uhqif"="c:\windows\?racle\r?ndll32.exe" [?]
    "Atdntep"="c:\documents and settings\Compaq_Administrator\My Documents\?dobe\j?vaw.exe" [?]
    "Dbbxpi"="c:\windows\system32\s?stem32\?ti2evxx.exe" [?]
    "Wvrmaf"="c:\windows\?racle\m?iexec.exe" [?]
    "Mdlhgl"="c:\windows\system32\?ymantec\??rvices.exe" [?]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "ikzo"="c:\progra~1\COMMON~1\ikzo\ikzom.exe" [2006-07-19 9216]
    "Aim6"="c:\program files\AIM6\aim6.exe" [2007-04-27 50736]
    "Csvnro"="c:\program files\Csvnro\Csvnro.exe" [2008-04-29 57344]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-09 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
    "nwiz"="nwiz.exe" [2006-01-24 1519616]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-22 180269]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-21 218496]

    c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-1-10 1474560]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R2 SeekeenSrch Service;SeekeenSrch Service;c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe [2/26/2010 4:26 AM 4608]
    R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [1/10/2009 8:16 PM 517632]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.hotmail.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{C1B4DEC2-2623-438E-9CA2-C9043AB28508} - (no file)
    HKLM-Run-PCDrProfiler - (no file)
    HKLM-Run-{7C622FEF-089C-1033-0413-060405060001} - c:\program files\Common Files\{7C622FEF-089C-1033-0413-060405060001}\Update.exe
    HKLM-Run-{7C622FEF-089B-1033-0413-060405060001} - c:\program files\Common Files\{7C622FEF-089B-1033-0413-060405060001}\Update.exe
    HKLM-Run-{7C622FEF-089D-1033-0413-060405060001} - c:\program files\Common Files\{7C622FEF-089D-1033-0413-060405060001}\Update.exe
    HKLM-Run-lphctvoj0e57v - c:\windows\system32\lphctvoj0e57v.exe
    HKLM-Run-SMrhcpvoj0e57v - c:\program files\rhcpvoj0e57v\rhcpvoj0e57v.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-01 13:10
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3312)
    c:\program files\SeekeenSrch\seekeen.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\arservice.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\nvsvc32.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\ARPWRMSG.EXE
    c:\program files\SeekeenSrch\seekeen.exe
    c:\program files\AIM6\aolsoftware.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-01 13:18:22 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-01 18:18

    Pre-Run: 93,198,229,504 bytes free
    Post-Run: 93,758,308,352 bytes free

    - - End Of File - - D98D1C79BD649ECF2050BDCED9B9203F

  4. #14
    Member
    Join Date
    Feb 2010
    Posts
    85

    Hijackthis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:23:04 PM, on 3/1/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Documents and Settings\All Users\Application Data\SeekeenSrch\seekeen155.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\COMMON~1\ikzo\ikzom.exe
    C:\Program Files\SeekeenSrch\seekeen.exe
    C:\Program Files\Csvnro\Csvnro.exe
    C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCCBHO.CPCCBHO - {22FC6CE8-7D47-479F-B74A-BFBB04ADB9AF} - C:\Program Files\Winferno\PC Confidential\PCCBHO.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Sxpv] C:\WINDOWS\S?mantec\w?auboot.exe
    O4 - HKCU\..\Run: [ikzo] C:\PROGRA~1\COMMON~1\ikzo\ikzom.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Uhqif] C:\WINDOWS\?racle\r?ndll32.exe
    O4 - HKCU\..\Run: [Atdntep] "C:\Documents and Settings\Compaq_Administrator\My Documents\?dobe\j?vaw.exe"
    O4 - HKCU\..\Run: [Dbbxpi] C:\WINDOWS\system32\s?stem32\?ti2evxx.exe
    O4 - HKCU\..\Run: [Wvrmaf] C:\WINDOWS\?racle\m?iexec.exe
    O4 - HKCU\..\Run: [Mdlhgl] C:\WINDOWS\system32\?ymantec\??rvices.exe
    O4 - HKCU\..\Run: [Csvnro] C:\Program Files\Csvnro\Csvnro.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
    O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
    O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SeekeenSrch Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\SeekeenSrch\seekeen155.exe

    --
    End of file - 7304 bytes

  5. #15
    Member
    Join Date
    Feb 2010
    Posts
    85

    This time

    Okay so
    During the ComboFix run a dialog box popped up and asked me to write down a file name that was trying to access ComboFix.
    The file name is

    C:\WINDOWS\IA\asapposrv.dll

    The program did its scan and I posted the results.
    After that I scanned with Hijackthis.
    I posted those results as well.
    I then restarted my computer and the popups that had been popping up did not pop up.
    However a red shield with a white X appears in the lower right tray with a balloon that reads: Your computer might be at risk. Antivirus software might not be installed.
    Other than that I would not question the integrity of the system had I not been told there was a problem. So Far.

  6. #16
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503


    Hi,

    Wow, some of this Malware has been on this system for YEARS!

    Before you do anything else combofix needs to be run from the desktop as advised earlier. You downloaded it to a temp folder (c:\docume~1\COMPAQ~1\LOCALS~1\Temp\Saf52.tmp\ComboFix.exe). Please move it from there to the desktop, or download a fresh copy to your desktop (whichever is easier for you).

    After doing that...

    1. Open Notepad

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    http://forums.spybot.info/showthread.php?p=361959#post361959
    
    Collect::
    c:\windows\IA\asappsrv.dll
    
    File::
    C:\windows\system32\C7.tmp
    c:\windows\system32\C6.tmp
    c:\windows\system32\C5.tmp
    c:\windows\system32\C4.tmp
    c:\windows\system32\C3.tmp
    c:\windows\system32\C2.tmp
    c:\windows\system32\C1.tmp
    c:\windows\system32\C0.tmp
    c:\windows\system32\BF.tmp
    c:\windows\system32\BE.tmp
    c:\windows\system32\BD.tmp
    c:\windows\system32\BC.tmp
    c:\windows\system32\BB.tmp
    c:\windows\system32\B9.tmp
    c:\windows\system32\B8.tmp
    c:\windows\system32\B7.tmp
    c:\windows\system32\B6.tmp
    c:\windows\system32\B5.tmp
    c:\windows\system32\B2.tmp
    c:\windows\system32\B1.tmp
    c:\windows\system32\B0.tmp
    c:\windows\system32\AF.tmp
    c:\windows\system32\AE.tmp
    c:\windows\system32\AD.tmp
    c:\windows\system32\AC.tmp
    c:\windows\system32\AB.tmp
    c:\windows\system32\AA.tmp
    c:\windows\system32\A9.tmp
    c:\windows\system32\A8.tmp
    c:\windows\system32\A7.tmp
    c:\windows\system32\A6.tmp
    c:\windows\system32\A5.tmp
    c:\windows\system32\A4.tmp
    c:\windows\system32\A3.tmp
    
    Folder::
    c:\program files\SeekeenSrch
    c:\documents and settings\All Users\Application Data\SeekeenSrch
    c:\progra~1\COMMON~1\ikzo
    c:\program files\Csvnro
    
    Driver::
    SeekeenSrch Service
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sxpv"=-
    "Uhqif"=-
    "Atdntep"=-
    "Dbbxpi"=-
    "Wvrmaf"=-
    "Mdlhgl"=-
    "ikzo"=-
    "Csvnro"=-

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
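
    The O4 entries in the HijackThis log above and the Registry:: block in the CFScript are two views of the same thing: the '?' characters in paths such as C:\WINDOWS\S?mantec\w?auboot.exe are characters the log tool could not render in the system code page, which is how lookalike folder and file names show up, and the helper's script deletes exactly those Run values with "Name"=- lines. The Python below is an added example, not a tool used in this thread or part of ComboFix or HijackThis: it parses the O4 lines copied from the posted log, flags entries whose path contains unrenderable characters or whose file name imitates a Windows binary while living outside its genuine directory, and drafts the Registry:: section in the syntax the helper used. The heuristics, the table of imitated binaries and the function names are this example's own assumptions; the helper's real script also removed folders, files and a service, which this does not generate, and the draft is for a helper to review rather than run blindly.

```python
"""Triage HijackThis O4 autostart entries and draft the Registry:: section of a CFScript.

Added example for this thread, not a tool the helpers used. The sample lines are copied from
the HijackThis log posted above; the heuristics, the table of imitated binaries and the
function names are this example's own assumptions.
"""
import fnmatch
import re
from collections import namedtuple

# HijackThis and ComboFix print '?' for every character they cannot render in the system
# code page, which is how lookalike names such as S?mantec or r?ndll32.exe appear in logs.
UNRENDERABLE = "?"

# Binaries malware likes to imitate, and where the genuine copy lives. An absolute directory
# must match exactly; a fragment starting with '\' only has to occur somewhere in the path.
IMITATED = {
    "rundll32.exe": "c:\\windows\\system32",
    "services.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32",
    "msiexec.exe": "c:\\windows\\system32",
    "ati2evxx.exe": "c:\\windows\\system32",
    "javaw.exe": "\\java\\",
}
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run|RunOnce): "
                   r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# hive: HKCU/HKLM/HKUS\<SID>; key: Run or RunOnce; path: executable exactly as logged
Finding = namedtuple("Finding", "hive key name path reasons")

def extract_path(cmd):
    """Return the executable from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(?i)(.+?\.exe)", cmd)  # unquoted: the path ends at the first .exe token
    return m.group(1) if m else cmd.split()[0]

def imitated_binary(file_name):
    """Genuine binary that file_name imitates, treating each '?' as a one-character wildcard."""
    return next((real for real in IMITATED if fnmatch.fnmatchcase(real, file_name)), None)

def in_expected_location(directory, expected):
    return expected in directory + "\\" if expected.startswith("\\") else directory == expected

def analyse(log_lines):
    """Return a Finding for every O4 entry that trips a heuristic, in log order."""
    findings = []
    for line in log_lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = extract_path(m["cmd"])
        directory, _, file_name = path.lower().rpartition("\\")
        reasons = []
        if UNRENDERABLE in path:
            reasons.append("lookalike-chars")
        real = imitated_binary(file_name)
        # A bare file name resolves through the search path (NvCplDaemon's RUNDLL32.EXE is
        # normal); only an explicit directory other than the genuine one is suspicious.
        if real and directory and not in_expected_location(directory, IMITATED[real]):
            reasons.append(f"mimics {real}")
        if reasons:
            findings.append(Finding(m["hive"], m["key"], m["name"], path, reasons))
    return findings

def draft_cfscript_registry(findings):
    """Render a Registry:: section in the REGEDIT4 syntax ComboFix reads ("Name"=- deletes)."""
    grouped = {}
    for f in findings:
        hive = HIVES.get(f.hive) or "HKEY_USERS\\" + f.hive.split("\\", 1)[1]
        key = f"[{hive}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\{f.key}]"
        grouped.setdefault(key, []).append(f'"{f.name}"=-')
    out = ["Registry::"]
    for key, values in grouped.items():
        out += [key, *values]
    return "\n".join(out) + "\n"

# Constructed sample: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sxpv] C:\WINDOWS\S?mantec\w?auboot.exe
O4 - HKCU\..\Run: [Uhqif] C:\WINDOWS\?racle\r?ndll32.exe
O4 - HKCU\..\Run: [Atdntep] "C:\Documents and Settings\Compaq_Administrator\My Documents\?dobe\j?vaw.exe"
O4 - HKCU\..\Run: [Dbbxpi] C:\WINDOWS\system32\s?stem32\?ti2evxx.exe
O4 - HKCU\..\Run: [Wvrmaf] C:\WINDOWS\?racle\m?iexec.exe
O4 - HKCU\..\Run: [Mdlhgl] C:\WINDOWS\system32\?ymantec\??rvices.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
"""

if __name__ == "__main__":
    found = analyse(SAMPLE_LOG.strip().splitlines())
    for f in found:
        print(f"{f.hive}\\{f.key} [{f.name}] {f.path}  <-- {', '.join(f.reasons)}")
    print(draft_cfscript_registry(found))
```

    Run against the sample, it flags the six HKCU Run values the helper's script removes (Sxpv, Uhqif, Atdntep, Dbbxpi, Wvrmaf, Mdlhgl) and leaves the vendor entries alone; the '?' wildcard trick is what lets r?ndll32.exe or ??rvices.exe be matched to the binary they imitate without knowing which non-ASCII character the malware actually used. Entries with random names in their own Program Files folder (ikzo, Csvnro in the log above) trip neither heuristic, which is why a human still has to read the whole log.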

  7. #17
    Member
    Join Date
    Feb 2010
    Posts
    85

    oops

    ComboFix 10-03-01.01 - Compaq_Administrator 03/01/2010 17:41:53.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.702.446 [GMT -5:00]
    Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Compaq_Administrator\Local Settings\Temporary Internet Files\bestwiner.stt
    c:\windows\Downloaded Program Files\_install.exe
    c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\_install.exe
    c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\_install.exe
    c:\windows\SoftwareDistribution\Download\00f4dcdbcc87699e75212b885cb6bebf\_install.exe
    c:\windows\SoftwareDistribution\Download\00f4dcdbcc87699e75212b885cb6bebf\sp2qfe\_install.exe
    c:\windows\SoftwareDistribution\Download\00f4dcdbcc87699e75212b885cb6bebf\update\_install.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
    .

    2010-03-01 00:08 . 2010-03-01 00:08 293376 ----a-w- C:\2outg8ml.exe
    2010-02-28 16:40 . 2010-02-28 16:41 -------- d-----w- c:\program files\ERUNT
    2010-02-28 16:25 . 2010-02-28 16:25 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\PCHealth
    2010-02-28 16:24 . 2010-02-28 16:24 60512 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-02-28 16:06 . 2010-02-28 16:06 -------- d-----w- c:\windows\ServicePackFiles
    2010-02-28 16:05 . 2010-02-28 16:05 -------- d-----w- c:\program files\MSXML 4.0
    2010-02-26 23:11 . 2010-02-26 23:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-02-26 09:26 . 2009-09-02 20:10 4608 ----a-w- c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-01 19:49 . 2007-06-10 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
    2010-03-01 19:43 . 2007-08-16 18:01 -------- d-----w- c:\program files\iTunes
    2010-03-01 19:43 . 2007-08-16 17:59 -------- d-----w- c:\program files\Common Files\Apple
    2010-03-01 19:42 . 2007-08-16 18:01 -------- d-----w- c:\program files\iPod
    2010-03-01 19:26 . 2008-06-25 12:54 -------- d-----w- c:\program files\Internet Chess Club
    2010-03-01 19:22 . 2007-01-31 21:20 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Netscape
    2010-03-01 19:19 . 2007-01-13 17:57 -------- d-----w- c:\program files\Rhapsody
    2010-03-01 19:18 . 2007-05-12 01:09 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Atari
    2010-02-26 23:49 . 2008-07-23 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-02-26 23:45 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C7.tmp
    2010-02-26 23:45 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C6.tmp
    2010-02-26 23:43 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C5.tmp
    2010-02-26 23:42 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C4.tmp
    2010-02-26 23:42 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C3.tmp
    2010-02-26 23:41 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C2.tmp
    2010-02-26 23:40 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C1.tmp
    2010-02-26 23:39 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C0.tmp
    2010-02-26 23:37 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BF.tmp
    2010-02-26 23:36 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BE.tmp
    2010-02-26 23:35 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BD.tmp
    2010-02-26 23:35 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BC.tmp
    2010-02-26 23:34 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BB.tmp
    2010-02-26 23:33 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B9.tmp
    2010-02-26 23:32 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B8.tmp
    2010-02-26 23:28 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B7.tmp
    2010-02-26 23:27 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B6.tmp
    2010-02-26 23:25 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B5.tmp
    2010-02-26 23:25 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B2.tmp
    2010-02-26 23:25 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B1.tmp
    2010-02-26 23:24 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B0.tmp
    2010-02-26 23:24 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AF.tmp
    2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AE.tmp
    2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AD.tmp
    2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AC.tmp
    2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AB.tmp
    2010-02-26 23:22 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AA.tmp
    2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A9.tmp
    2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A8.tmp
    2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A7.tmp
    2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A6.tmp
    2010-02-26 23:20 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A5.tmp
    2010-02-26 23:20 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A4.tmp
    2010-02-26 23:18 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A3.tmp
    2010-02-26 23:06 . 2007-08-16 18:02 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Apple Computer
    2010-02-26 10:00 . 2009-03-14 15:40 -------- d-----w- c:\program files\SeekeenSrch
    2010-02-26 09:26 . 2009-03-14 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SeekeenSrch
    2009-12-31 16:14 . 2004-08-09 21:00 352640 ------w- c:\windows\system32\drivers\srv.sys
    2009-12-22 05:35 . 2004-08-09 21:00 668672 ------w- c:\windows\system32\wininet.dll
    2009-12-22 05:35 . 2004-08-09 21:00 81920 ------w- c:\windows\system32\ieencode.dll
    2009-12-16 12:58 . 2004-08-09 21:00 343040 ------w- c:\windows\system32\mspaint.exe
    2009-12-14 07:35 . 2004-08-09 21:00 33280 ------w- c:\windows\system32\csrsrv.dll
    2009-12-08 18:55 . 2004-08-10 04:00 2180352 ------w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:19 . 2004-08-10 04:00 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
    2009-12-04 14:41 . 2004-08-09 21:00 453760 ------w- c:\windows\system32\drivers\mrxsmb.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sxpv"="c:\windows\S?mantec\w?auboot.exe" [?]
    "Uhqif"="c:\windows\?racle\r?ndll32.exe" [?]
    "Atdntep"="c:\documents and settings\Compaq_Administrator\My Documents\?dobe\j?vaw.exe" [?]
    "Dbbxpi"="c:\windows\system32\s?stem32\?ti2evxx.exe" [?]
    "Wvrmaf"="c:\windows\?racle\m?iexec.exe" [?]
    "Mdlhgl"="c:\windows\system32\?ymantec\??rvices.exe" [?]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "ikzo"="c:\progra~1\COMMON~1\ikzo\ikzom.exe" [2006-07-19 9216]
    "Csvnro"="c:\program files\Csvnro\Csvnro.exe" [2008-04-29 57344]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
    "nwiz"="nwiz.exe" [2006-01-24 1519616]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-22 180269]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-21 218496]

    c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-1-10 1474560]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=

    R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [1/10/2009 8:16 PM 517632]
    S2 SeekeenSrch Service;SeekeenSrch Service;c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe [2/26/2010 4:26 AM 4608]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.hotmail.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-01 17:46
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-03-01 17:48:29
    ComboFix-quarantined-files.txt 2010-03-01 22:48
    ComboFix2.txt 2010-03-01 18:18

    Pre-Run: 94,759,530,496 bytes free
    Post-Run: 94,705,057,792 bytes free

    - - End Of File - - AB2BB21D40DD7344D6F13CFF67449AE8

  8. #18
    Member
    Join Date
    Feb 2010
    Posts
    85

    Default okay

    I will now continue with the rest of the instructions

  9. #19
    Member
    Join Date
    Feb 2010
    Posts
    85

    Default new ComboFix run log (with pasted code to startup)

    ComboFix 10-03-01.01 - Compaq_Administrator 03/01/2010 17:55:44.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.702.364 [GMT -5:00]
    Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Compaq_Administrator\Desktop\CFScript.txt
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

    FILE ::
    "c:\windows\system32\A3.tmp"
    "c:\windows\system32\A4.tmp"
    "c:\windows\system32\A5.tmp"
    "c:\windows\system32\A6.tmp"
    "c:\windows\system32\A7.tmp"
    "c:\windows\system32\A8.tmp"
    "c:\windows\system32\A9.tmp"
    "c:\windows\system32\AA.tmp"
    "c:\windows\system32\AB.tmp"
    "c:\windows\system32\AC.tmp"
    "c:\windows\system32\AD.tmp"
    "c:\windows\system32\AE.tmp"
    "c:\windows\system32\AF.tmp"
    "c:\windows\system32\B0.tmp"
    "c:\windows\system32\B1.tmp"
    "c:\windows\system32\B2.tmp"
    "c:\windows\system32\B5.tmp"
    "c:\windows\system32\B6.tmp"
    "c:\windows\system32\B7.tmp"
    "c:\windows\system32\B8.tmp"
    "c:\windows\system32\B9.tmp"
    "c:\windows\system32\BB.tmp"
    "c:\windows\system32\BC.tmp"
    "c:\windows\system32\BD.tmp"
    "c:\windows\system32\BE.tmp"
    "c:\windows\system32\BF.tmp"
    "c:\windows\system32\C0.tmp"
    "c:\windows\system32\C1.tmp"
    "c:\windows\system32\C2.tmp"
    "c:\windows\system32\C3.tmp"
    "c:\windows\system32\C4.tmp"
    "c:\windows\system32\C5.tmp"
    "c:\windows\system32\C6.tmp"
    "c:\windows\system32\C7.tmp"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\SeekeenSrch
    c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen147.exe
    c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe
    c:\progra~1\COMMON~1\ikzo
    c:\progra~1\COMMON~1\ikzo\ikzoa.exe
    c:\progra~1\COMMON~1\ikzo\ikzoa.lck
    c:\progra~1\COMMON~1\ikzo\ikzod\class-barrel
    c:\progra~1\COMMON~1\ikzo\ikzod\ikzoc.dll
    c:\progra~1\COMMON~1\ikzo\ikzol.exe
    c:\progra~1\COMMON~1\ikzo\ikzol.lck
    c:\progra~1\COMMON~1\ikzo\ikzom.exe
    c:\progra~1\COMMON~1\ikzo\ikzom.lck
    c:\progra~1\COMMON~1\ikzo\ikzop.exe
    c:\progra~1\COMMON~1\ikzo\ikzop.lck
    c:\program files\Csvnro
    c:\program files\Csvnro\Csvnro.exe
    c:\program files\SeekeenSrch
    c:\program files\SeekeenSrch\home.js
    c:\program files\SeekeenSrch\readme.html
    c:\program files\SeekeenSrch\seekeen.dll
    c:\program files\SeekeenSrch\seekeen.exe
    c:\program files\SeekeenSrch\skopt.exe
    c:\program files\SeekeenSrch\uninstall.exe
    c:\windows\system32\A3.tmp
    c:\windows\system32\A4.tmp
    c:\windows\system32\A5.tmp
    c:\windows\system32\A6.tmp
    c:\windows\system32\A7.tmp
    c:\windows\system32\A8.tmp
    c:\windows\system32\A9.tmp
    c:\windows\system32\AA.tmp
    c:\windows\system32\AB.tmp
    c:\windows\system32\AC.tmp
    c:\windows\system32\AD.tmp
    c:\windows\system32\AE.tmp
    c:\windows\system32\AF.tmp
    c:\windows\system32\B0.tmp
    c:\windows\system32\B1.tmp
    c:\windows\system32\B2.tmp
    c:\windows\system32\B5.tmp
    c:\windows\system32\B6.tmp
    c:\windows\system32\B7.tmp
    c:\windows\system32\B8.tmp
    c:\windows\system32\B9.tmp
    c:\windows\system32\BB.tmp
    c:\windows\system32\BC.tmp
    c:\windows\system32\BD.tmp
    c:\windows\system32\BE.tmp
    c:\windows\system32\BF.tmp
    c:\windows\system32\C0.tmp
    c:\windows\system32\C1.tmp
    c:\windows\system32\C2.tmp
    c:\windows\system32\C3.tmp
    c:\windows\system32\C4.tmp
    c:\windows\system32\C5.tmp
    c:\windows\system32\C6.tmp
    c:\windows\system32\C7.tmp

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_SEEKEENSRCH_SERVICE
    -------\Service_SeekeenSrch Service


    ((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
    .

    2010-03-01 00:08 . 2010-03-01 00:08 293376 ----a-w- C:\2outg8ml.exe
    2010-02-28 16:40 . 2010-02-28 16:41 -------- d-----w- c:\program files\ERUNT
    2010-02-28 16:25 . 2010-02-28 16:25 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\PCHealth
    2010-02-28 16:24 . 2010-02-28 16:24 60512 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-02-28 16:06 . 2010-02-28 16:06 -------- d-----w- c:\windows\ServicePackFiles
    2010-02-28 16:05 . 2010-02-28 16:05 -------- d-----w- c:\program files\MSXML 4.0
    2010-02-26 23:11 . 2010-02-26 23:16 -------- d-----w- c:\program files\Spybot - Search & Destroy

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-01 19:49 . 2007-06-10 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
    2010-03-01 19:43 . 2007-08-16 18:01 -------- d-----w- c:\program files\iTunes
    2010-03-01 19:43 . 2007-08-16 17:59 -------- d-----w- c:\program files\Common Files\Apple
    2010-03-01 19:42 . 2007-08-16 18:01 -------- d-----w- c:\program files\iPod
    2010-03-01 19:26 . 2008-06-25 12:54 -------- d-----w- c:\program files\Internet Chess Club
    2010-03-01 19:22 . 2007-01-31 21:20 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Netscape
    2010-03-01 19:19 . 2007-01-13 17:57 -------- d-----w- c:\program files\Rhapsody
    2010-03-01 19:18 . 2007-05-12 01:09 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Atari
    2010-02-26 23:49 . 2008-07-23 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-02-26 23:06 . 2007-08-16 18:02 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Apple Computer
    2009-12-31 16:14 . 2004-08-09 21:00 352640 ------w- c:\windows\system32\drivers\srv.sys
    2009-12-22 05:35 . 2004-08-09 21:00 668672 ------w- c:\windows\system32\wininet.dll
    2009-12-22 05:35 . 2004-08-09 21:00 81920 ------w- c:\windows\system32\ieencode.dll
    2009-12-16 12:58 . 2004-08-09 21:00 343040 ------w- c:\windows\system32\mspaint.exe
    2009-12-14 07:35 . 2004-08-09 21:00 33280 ------w- c:\windows\system32\csrsrv.dll
    2009-12-08 18:55 . 2004-08-10 04:00 2180352 ------w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:19 . 2004-08-10 04:00 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
    2009-12-04 14:41 . 2004-08-09 21:00 453760 ------w- c:\windows\system32\drivers\mrxsmb.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
    "nwiz"="nwiz.exe" [2006-01-24 1519616]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-22 180269]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-21 218496]

    c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-1-10 1474560]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=

    R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [1/10/2009 8:16 PM 517632]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.hotmail.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-SeekeenSrch - c:\program files\SeekeenSrch\uninstall.exe
    AddRemove-Csvnro - c:\program files\Csvnro\Csvnro.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-01 18:00
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\arservice.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\nvsvc32.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\ARPWRMSG.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-03-01 18:05:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-01 23:05
    ComboFix2.txt 2010-03-01 22:48
    ComboFix3.txt 2010-03-01 18:18

    Pre-Run: 94,738,001,920 bytes free
    Post-Run: 94,696,960,000 bytes free

    - - End Of File - - EDB6E351B8194884D6EF4F82B8FAB408
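The two ComboFix logs above are what a helper reads by eye: the first still carries the Virtumonde-style indicators (Run values pointing at look-alike directories, printed with `?` where ComboFix could not render a character, and a run of identical 94208-byte `.tmp` files written into system32 within half an hour), the second shows them gone after the CFScript run, while the firewall profile is still off in both. The following Python script is an added example, not code from this thread or from ComboFix, that pulls those three indicators out of a log automatically and renders the flagged files as a CFScript `File::` block. The embedded `SAMPLE_LOG` is constructed in the shape of the posted logs, the `File::` directive spelling is an assumption (only ComboFix's `FILE ::` echo appears on the page), and the cluster thresholds are arbitrary; entries like `Csvnro`, which pointed at a real file with a real size, are not caught by this heuristic and still need a human look.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the logs posted in this thread (not a real capture).
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-26 23:45 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C7.tmp
2010-02-26 23:45 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C6.tmp
2010-02-26 23:43 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C5.tmp
2009-12-31 16:14 . 2004-08-09 21:00 352640 ------w- c:\windows\system32\drivers\srv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sxpv"="c:\windows\S?mantec\w?auboot.exe" [?]
"Uhqif"="c:\windows\?racle\r?ndll32.exe" [?]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Csvnro"="c:\program files\Csvnro\Csvnro.exe" [2008-04-29 57344]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")           # "(((( Name ))))" banners
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ (\S+) \S+ (.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")                         # [HKEY_...] registry key
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)" \[(.*)\]$')      # "name"="path" [meta]
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')


def split_sections(text):
    """Map each banner name to the stripped lines under it ('' before the first banner)."""
    sections, current = {"": []}, ""
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def parse_find3m(text):
    """[(mtime, size or None, path)] from the Find3M Report; '--------' size is a directory."""
    out = []
    for line in split_sections(text).get("Find3M Report", []):
        m = FIND3M_RE.match(line)
        if m:
            mtime, size, path = m.groups()
            out.append((datetime.strptime(mtime, "%Y-%m-%d %H:%M"),
                        None if size.startswith("-") else int(size), path))
    return out


def tmp_clusters(entries, window_minutes=60, min_count=3):
    """system32\\*.tmp files sharing one size and all modified inside the window: [(size, [paths])]."""
    by_size = {}
    for mtime, size, path in entries:
        low = path.lower()
        if size and low.endswith(".tmp") and "\\system32\\" in low:
            by_size.setdefault(size, []).append((mtime, path))
    clusters = []
    for size, group in sorted(by_size.items()):
        times = [t for t, _ in group]
        spread = (max(times) - min(times)).total_seconds() / 60
        if len(group) >= min_count and spread <= window_minutes:
            clusters.append((size, sorted(p for _, p in group)))
    return clusters


def reg_lines(text):
    """[(key, line)] for every value line under a key in the Reg Loading Points section."""
    out, key = [], None
    for line in split_sections(text).get("Reg Loading Points", []):
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
        elif key and line:
            out.append((key, line))
    return out


def suspicious_run_values(text):
    """Run values whose path has a '?' (a character ComboFix could not print, the
    look-alike-directory trick such as S?mantec) or whose meta is '[?]' (file not on disk)."""
    hits = []
    for key, line in reg_lines(text):
        m = VALUE_RE.match(line)
        if m and key.lower().endswith("\\run"):
            name, path, meta = m.groups()
            if "?" in path or meta.strip() == "?":
                hits.append((name, path))
    return hits


def firewall_disabled(text):
    """True when any firewallpolicy profile in the log has EnableFirewall = 0."""
    return any("firewallpolicy" in key.lower() and FIREWALL_OFF_RE.match(line)
               for key, line in reg_lines(text))


def build_cfscript(paths):
    """File:: block for CFScript.txt (directive spelling assumed, see lead-in)."""
    return "File::\n" + "".join(f'"{p}"\n' for p in paths)


def triage(text):
    """One summary dict per log: flagged Run values, .tmp clusters, firewall state, CFScript."""
    clusters = tmp_clusters(parse_find3m(text))
    return {
        "suspicious_run": suspicious_run_values(text),
        "tmp_clusters": clusters,
        "firewall_disabled": firewall_disabled(text),
        "cfscript": build_cfscript([p for _, ps in clusters for p in ps]),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(k, "->", v)
```

Run against the first log in this thread the script would flag the six `?`-path Run values and the A3 to C7 `.tmp` series; run against the second it flags nothing but the firewall, which is the state a helper would still want to fix by hand.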

  10. #20
    Member
    Join Date
    Feb 2010
    Posts
    85

    Default HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:08:13 PM, on 3/1/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Safari\Safari.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCCBHO.CPCCBHO - {22FC6CE8-7D47-479F-B74A-BFBB04ADB9AF} - C:\Program Files\Winferno\PC Confidential\PCCBHO.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
    O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
    O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 6015 bytes
