Random files in shared folder

L

lalsoong01

New member
I noiced a couple of days ago about 300 rar files in my shared folder. When I delete them, they return a few hours later. I have Norton Antivirus installed and it blocked HTTP Trojan vundo Activity a few times. I have run Vundofix.exe and it said that it deleted and fixed a bunch of stuff. Norton again said that it blocked this virus and the random files reappeared. I ran combofix.exe yesterday and since then have not seen the trojan. However, this morning I had to delete the random files again. Any ideas what else I can try? Thanks!
 
Hi lalsoong01

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
 
Random files appearing in shared folder

Thanks for the help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:43 AM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\WINDOWS\eHome\ehRecvr.exe
F:\WINDOWS\eHome\ehSched.exe
F:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
F:\Program Files\Norton Ghost\Agent\VProSvc.exe
F:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
F:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\dllhost.exe
F:\WINDOWS\system32\dllhost.exe
F:\WINDOWS\ehome\ehtray.exe
F:\WINDOWS\eHome\ehmsas.exe
F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
F:\WINDOWS\CTHELPER.EXE
F:\WINDOWS\SYSTEM32\CTXFISPI.EXE
F:\WINDOWS\system32\CTXFIHLP.EXE
F:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
F:\Program Files\Dell\Media Experience\DMXLauncher.exe
F:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\Program Files\D-Link\AirPlus G\AirGCFG.exe
F:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Norton Ghost\Agent\VProTray.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
F:\Program Files\Upromise\Upromise.exe
F:\Program Files\Upromise\UpromiseUa.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
F:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
F:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
F:\Program Files\Outlook Express\msimn.exe
F:\Program Files\BitLord\BitLord.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weather.msn.com/local.aspx?wealocations=wc:USMI0605
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - F:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - F:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BB4CE310-DC6D-40BD-8550-897C95E3D56F} - F:\WINDOWS\system32\pmnno.dll (file missing)
O2 - BHO: ToolHelper - {EDC0F17F-F4B7-47e4-B73E-887FAEB376FA} - F:\Program Files\Upromise\upromisetoolbar.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - F:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Upromise IE Toolbar - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - F:\Program Files\Upromise\upromisetoolbar.dll
O4 - HKLM\..\Run: [ehTray] F:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "F:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "F:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "F:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] F:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DVDLauncher] "F:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] F:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] F:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CTDVDDET] "F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickFinder Scheduler] "F:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NSWosCheck] "F:\Program Files\Norton SystemWorks\osCheck.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Norton Ghost 14.0] "F:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Upromise] F:\Program Files\Upromise\Upromise.exe
O4 - HKCU\..\Run: [Upromise Update] F:\Program Files\Upromise\UpromiseUa.exe
O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinSpooler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = F:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Norton GoBack.lnk = F:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: Dictionary (VMN Toolbar) - file://F:\Program Files\VMNTOOLBAR\Cache\SelectedContextTranslation.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - F:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O8 - Extra context menu item: Translate (VMN Toolbar) - file://F:\Program Files\VMNTOOLBAR\Cache\SelectedContextSearch.htm
O9 - Extra button: Upromise IE Toolbar - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - F:\Program Files\Upromise\upromisetoolbar.dll
O9 - Extra 'Tools' menuitem: Upromise IE Toolbar - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - F:\Program Files\Upromise\upromisetoolbar.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - F:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - F:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - F:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - F:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.3.102.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - F:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - F:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - F:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Ghost - Symantec Corporation - F:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - F:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Speed Disk service - Symantec Corporation - F:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - F:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 13281 bytes
 
ComboFix 08-03-04.5 - Administrator 2008-03-04 22:01:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1207 [GMT -5:00]
Running from: F:\Documents and Settings\Administrator\My Documents\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\system32\awtqo.dll
F:\WINDOWS\system32\cbxvvsq.dll
F:\WINDOWS\system32\oqtwa.ini
F:\WINDOWS\system32\oqtwa.ini2

.
((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 )))))))))))))))))))))))))))))))
.

2008-03-04 22:01 . 2008-03-04 22:01 6,736 --a------ F:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-03-04 18:07 . 2008-03-04 18:52 <DIR> d-------- F:\VundoFix Backups
2008-03-03 12:13 . 2008-02-02 18:04 215,144 -ra------ F:\WINDOWS\patchw32.dll
2008-03-03 12:11 . 2008-02-02 18:04 215,144 -ra------ F:\WINDOWS\pw32a.dll
2008-03-03 11:53 . 2008-03-03 11:53 <DIR> d-------- F:\Program Files\Norton Ghost
2008-03-03 11:53 . 2007-12-20 17:13 136,416 --a------ F:\WINDOWS\system32\drivers\symsnap.sys
2008-03-03 11:53 . 2008-01-19 20:12 128,104 --a------ F:\WINDOWS\system32\drivers\WimFltr.sys
2008-03-03 11:53 . 2008-01-19 19:45 38,112 --a------ F:\WINDOWS\system32\drivers\v2imount.sys
2008-03-03 11:53 . 2008-01-19 19:40 15,088 --a------ F:\WINDOWS\system32\drivers\vproeventmonitor.sys
2008-03-03 11:42 . 2008-03-04 18:58 <DIR> d-a------ F:\Documents and Settings\All Users\Application Data\TEMP
2008-03-03 11:42 . 2004-08-30 21:00 1,244,672 --a------ F:\WINDOWS\system32\WinSpooler.exe
2008-03-03 11:42 . 2008-03-03 11:42 37,888 --a------ F:\WINDOWS\system32\rar.exe
2008-03-01 20:35 . 2008-03-03 23:42 54,156 --ah----- F:\WINDOWS\QTFont.qfn
2008-03-01 20:35 . 2008-03-01 20:35 1,409 --a------ F:\WINDOWS\QTFont.for
2008-03-01 20:30 . 2008-03-01 20:31 <DIR> d-------- F:\Program Files\QuickTime
2008-02-29 12:05 . 2008-02-29 12:05 <DIR> d-------- F:\WINDOWS\BBSTORE
2008-02-29 12:04 . 2008-02-29 12:04 <DIR> d-------- F:\Program Files\The Learning Company
2008-02-29 11:56 . 2008-02-29 11:56 0 --a------ F:\WINDOWS\SETUP32.INI
2008-02-16 00:22 . 2008-02-16 00:22 0 --a------ F:\WINDOWS\Textart.INI
2008-02-09 14:05 . 2008-02-09 14:05 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Meridian93
2008-02-08 20:30 . 2008-02-09 17:36 <DIR> d-------- F:\Program Files\MagicFarm
2008-02-06 06:19 . 2008-02-25 11:24 244 --ah----- F:\sqmnoopt19.sqm
2008-02-06 06:19 . 2008-02-25 11:15 244 --ah----- F:\sqmnoopt18.sqm
2008-02-06 06:19 . 2008-02-25 11:24 232 --ah----- F:\sqmdata19.sqm
2008-02-06 06:19 . 2008-02-25 11:15 232 --ah----- F:\sqmdata18.sqm
2008-02-05 05:14 . 2008-02-24 08:17 244 --ah----- F:\sqmnoopt17.sqm
2008-02-05 05:14 . 2008-02-24 08:17 244 --ah----- F:\sqmnoopt16.sqm
2008-02-05 05:14 . 2008-02-24 08:17 232 --ah----- F:\sqmdata17.sqm
2008-02-05 05:14 . 2008-02-24 08:17 232 --ah----- F:\sqmdata16.sqm
2008-02-05 05:07 . 2008-02-28 15:51 244 --ah----- F:\sqmnoopt15.sqm
2008-02-05 05:07 . 2008-02-28 15:50 244 --ah----- F:\sqmnoopt14.sqm
2008-02-05 05:07 . 2008-02-28 15:51 232 --ah----- F:\sqmdata15.sqm
2008-02-05 05:07 . 2008-02-28 15:50 232 --ah----- F:\sqmdata14.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 20:25 --------- d-----w F:\Program Files\ESPNMotion
2008-03-03 17:19 --------- d-----w F:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-03 17:02 --------- d-----w F:\Documents and Settings\All Users\Application Data\Symantec
2008-03-03 16:53 --------- d-----w F:\Program Files\Common Files\Symantec Shared
2008-02-28 17:28 --------- d-----w F:\Program Files\Disney Interactive
2008-02-25 22:47 --------- d-----w F:\Program Files\Norton SystemWorks
2008-02-25 22:35 --------- d-----w F:\Program Files\I LOVE Kittens
2008-02-24 17:03 --------- d-----w F:\Program Files\I LOVE Puppies
2008-02-11 22:11 --------- d-----w F:\Program Files\Monarch The Butterfly King
2008-02-06 04:38 --------- d-----w F:\Documents and Settings\Administrator\Application Data\Aim
2008-01-24 00:08 --------- d-----w F:\Program Files\The Digital Field Trip to The Rainforest Demo
2008-01-23 00:55 --------- d-----w F:\Program Files\Atlantis Quest
2008-01-20 00:31 15,664 ----a-w F:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2008-01-18 08:26 --------- d-----w F:\Program Files\Virtual Earth 3D
2008-01-17 13:16 --------- d-----w F:\Program Files\Upromise
2008-01-16 01:15 --------- d-----w F:\Documents and Settings\Administrator\Application Data\upromise
2008-01-15 14:54 10,537 ----a-w F:\WINDOWS\system32\drivers\coh_mon.cat
2008-01-15 10:28 706 ----a-w F:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 23:32 23,904 ----a-w F:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-12 18:06 --------- d-----w F:\Documents and Settings\Administrator\Application Data\cerasus.media
2008-01-12 03:01 --------- d-----w F:\Program Files\MoneyMania
2008-01-11 18:02 --------- d-----w F:\Program Files\ReflexiveArcade
2007-12-23 06:39 8,388,608,000 --sha-w F:\gobackio.bin
2007-09-09 17:14 8,422,640 ----a-w F:\Documents and Settings\Administrator\Plus51R2.exe
2006-12-16 14:30 19,203,280 ----a-w F:\Documents and Settings\Administrator\nsb-install-8-1-2.exe
2006-09-26 01:33 457 ----a-w F:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-31 02:16 116088 --a------ F:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB4CE310-DC6D-40BD-8550-897C95E3D56F}]
F:\WINDOWS\system32\pmnno.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="F:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"swg"="F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 22:35 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 18:03 152872]
"Upromise"="F:\Program Files\Upromise\Upromise.exe" [2007-07-10 15:00 385024]
"Upromise Update"="F:\Program Files\Upromise\UpromiseUa.exe" [2007-07-10 15:00 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="F:\WINDOWS\ehome\ehtray.exe" [2005-08-05 12:56 64512]
"AudioDrvEmulator"="F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 17:25 49152]
"CTHelper"="CTHELPER.EXE" [2005-08-08 01:10 16384 F:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-08 01:10 18944 F:\WINDOWS\system32\CTXFIHLP.EXE]
"UpdReg"="F:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"ATIPTA"="F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 21:05 344064]
"ISUSPM Startup"="F:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30 249856]
"ISUSScheduler"="F:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30 81920]
"DMXLauncher"="F:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 02:12 98304]
"DVDLauncher"="F:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19 53248]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"D-Link AirPlus G"="F:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-18 03:34 1228800]
"ANIWZCS2Service"="F:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 16:49 49152]
"HP Software Update"="F:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11 49152]
"CTDVDDET"="F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 00:00 45056]
"VolPanel"="F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 10:34 122880]
"TkBellExe"="F:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-17 06:14 185896]
"QuickFinder Scheduler"="F:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [2006-07-04 23:01 77892]
"NeroFilterCheck"="F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"HP Component Manager"="F:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"ccApp"="F:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 13:15 51048]
"NSWosCheck"="F:\Program Files\Norton SystemWorks\osCheck.exe" [2007-09-18 08:22 25472]
"osCheck"="F:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 23:53 714608]
"QuickTime Task"="F:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"Norton Ghost 14.0"="F:\Program Files\Norton Ghost\Agent\VProTray.exe" [2008-02-02 18:30 2245984]
"UserFaultCheck"="F:\WINDOWS\system32\dumprep 0 -u" [ ]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 04:19:24 237568]
Kodak EasyShare software.lnk - F:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Norton GoBack.lnk - F:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe [2006-07-19 11:45:12 861872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= F:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= F:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"WinUpdating"= WinUpdating.exe
"Windows Printing Driver"= WinSpooler.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{ADA4AB54-F034-41A4-9A68-95DF06976B68}"= F:\WINDOWS\system32\cbxvvsq.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"F:\\Program Files\\Messenger\\msmsgs.exe"=
"F:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"F:\\Program Files\\BitLord\\BitLord.exe"=
"F:\\Program Files\\ICQ\\Icq.exe"=
"F:\\Program Files\\AIM\\aim.exe"=
"F:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"F:\\Program Files\\MSN Messenger\\livecall.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;F:\WINDOWS\system32\dllhost.exe [2004-08-10 06:00]
R3 atinewp2;ATI eHomeWonder, WDM Video CODEC;F:\WINDOWS\system32\DRIVERS\atinewp2.sys [2004-07-27 20:43]
R3 ha20x2k;Creative 20X HAL Driver;F:\WINDOWS\system32\drivers\ha20x2k.sys [2005-08-08 00:54]
R3 SymIMMP;SymIMMP;F:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 19:27]
S3 COH_Mon;COH_Mon;F:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]
S3 SymIM;Symantec Network Security Intermediate Filter Service;F:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 19:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45b87b6d-e837-11db-8dc0-00123f7e4544}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45b87b6e-e837-11db-8dc0-00123f7e4544}]
\Shell\AutoRun\command - LinksysConnectPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5258a6d5-525d-11dc-8e06-00123f7e4544}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{813479e6-d2d4-11db-8db4-00123f7e4544}]
\Shell\AutoRun\command - C:\LinksysConnectPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ceef8d5-6cce-11db-8d92-00123f7e4544}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a08e6d68-1792-11dc-8dcd-00123f7e4544}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf71c475-4bf3-11dc-8e02-00123f7e4544}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc285b1c-58a4-11dc-8e09-00123f7e4544}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-03-02 01:11:03 F:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- F:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-23 13:28:01 F:\WINDOWS\Tasks\EasyShare Registration Task.job"
- F:\WINDOWS\system32\rundll32.exelF:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16
"2008-03-04 01:00:04 F:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Administrator.job"
- F:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-25 22:47:28 F:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- F:\Program Files\Norton SystemWorks\OBC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 22:13:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
F:\WINDOWS\system32\Ati2evxx.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
F:\WINDOWS\SYSTEM32\CTXFISPI.EXE
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\WINDOWS\eHome\ehRecvr.exe
F:\WINDOWS\eHome\ehSched.exe
F:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
F:\Program Files\Norton Ghost\Agent\VProSvc.exe
F:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
F:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
F:\WINDOWS\ehome\mcrdsvc.exe
F:\WINDOWS\system32\imapi.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
F:\WINDOWS\system32\msdtc.exe
F:\WINDOWS\eHome\ehmsas.exe
F:\Program Files\HP\hpcoretech\comp\hpdarc.exe
.
**************************************************************************
.
Completion time: 2008-03-04 22:20:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-05 03:20:48
.
2008-02-14 08:03:28 --- E O F ---
 
Hi

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
 
SDFix: Version 1.154

Run by Administrator on Sat 03/08/2008 at 07:20 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: F:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\runme.exe - Deleted
F:\WINDOWS\system32\WinSpooler.exe - Deleted
F:\WINDOWS\system32\WinUpdating.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 19:37:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000002d
"TracesSuccessful"=dword:00000022

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="F:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"F:\\Program Files\\Messenger\\msmsgs.exe"="F:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"F:\\Program Files\\LimeWire\\LimeWire.exe"="F:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\\Program Files\\BitLord\\BitLord.exe"="F:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"F:\\Program Files\\ICQ\\Icq.exe"="F:\\Program Files\\ICQ\\Icq.exe:*:Enabled:ICQ"
"F:\\Program Files\\AIM\\aim.exe"="F:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"F:\\Program Files\\MSN Messenger\\msnmsgr.exe"="F:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"F:\\Program Files\\MSN Messenger\\livecall.exe"="F:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\\Program Files\\MSN Messenger\\msnmsgr.exe"="F:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"F:\\Program Files\\MSN Messenger\\livecall.exe"="F:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - F:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 8 Sep 2007 848 A.SH. --- "F:\found.000\dir0001.chk\A0064262.sys"
Sat 8 Mar 2008 900 A.SH. --- "F:\WINDOWS\system32\KGyGaAvL.sys"
Mon 25 Sep 2006 4,348 A.SH. --- "F:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 9 Dec 2006 0 A.SH. --- "F:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Wed 8 Aug 2007 400 A..H. --- "F:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Wed 8 Aug 2007 403 A..H. --- "F:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Thu 24 Jan 2008 0 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BITA.tmp"
Sat 8 Mar 2008 5,946 A.SH. --- "F:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE3.tmp"

Finished!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:47 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\WINDOWS\eHome\ehRecvr.exe
F:\WINDOWS\eHome\ehSched.exe
F:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
F:\Program Files\Norton Ghost\Agent\VProSvc.exe
F:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
F:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\dllhost.exe
F:\WINDOWS\system32\dllhost.exe
F:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
F:\WINDOWS\system32\notepad.exe
F:\WINDOWS\ehome\ehtray.exe
F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
F:\WINDOWS\CTHELPER.EXE
F:\WINDOWS\system32\CTXFIHLP.EXE
F:\WINDOWS\SYSTEM32\CTXFISPI.EXE
F:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
F:\WINDOWS\eHome\ehmsas.exe
F:\Program Files\Dell\Media Experience\DMXLauncher.exe
F:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\Program Files\D-Link\AirPlus G\AirGCFG.exe
F:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Norton Ghost\Agent\VProTray.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
F:\Program Files\Upromise\Upromise.exe
F:\Program Files\Upromise\UpromiseUa.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
F:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weather.msn.com/local.aspx?wealocations=wc:USMI0605
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - F:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - F:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BB4CE310-DC6D-40BD-8550-897C95E3D56F} - F:\WINDOWS\system32\pmnno.dll (file missing)
O2 - BHO: ToolHelper - {EDC0F17F-F4B7-47e4-B73E-887FAEB376FA} - F:\Program Files\Upromise\upromisetoolbar.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - F:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Upromise IE Toolbar - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - F:\Program Files\Upromise\upromisetoolbar.dll
O4 - HKLM\..\Run: [ehTray] F:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "F:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "F:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "F:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] F:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DVDLauncher] "F:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] F:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] F:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CTDVDDET] "F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickFinder Scheduler] "F:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NSWosCheck] "F:\Program Files\Norton SystemWorks\osCheck.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Norton Ghost 14.0] "F:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Upromise] F:\Program Files\Upromise\Upromise.exe
O4 - HKCU\..\Run: [Upromise Update] F:\Program Files\Upromise\UpromiseUa.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = F:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Norton GoBack.lnk = F:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: Dictionary (VMN Toolbar) - file://F:\Program Files\VMNTOOLBAR\Cache\SelectedContextTranslation.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - F:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O8 - Extra context menu item: Translate (VMN Toolbar) - file://F:\Program Files\VMNTOOLBAR\Cache\SelectedContextSearch.htm
O9 - Extra button: Upromise IE Toolbar - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - F:\Program Files\Upromise\upromisetoolbar.dll
O9 - Extra 'Tools' menuitem: Upromise IE Toolbar - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - F:\Program Files\Upromise\upromisetoolbar.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - F:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - F:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - F:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - F:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.3.102.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - F:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - F:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - F:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Ghost - Symantec Corporation - F:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - F:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Speed Disk service - Symantec Corporation - F:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - F:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 13113 bytes
 
Hi

Looks better :)

"I noiced a couple of days ago about 300 rar files in my shared folder."

In which folder exactly they are?
 
They appeared in the administrator/shared. I just checked and so far, they haven't reappeared again since I ran that sdfix yesterday.

Thank you so much for your help!
 
Hi

Thanks for the info.

We'll continue with this:

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only!

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
 
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.
 
You must log in or register to reply here.
Back
Top