Trojan: Firewall / Internet Access

ComboFix Log

ComboFix 09-06-12.02 - kileyp 06/13/2009 2:14.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.266 [GMT -4:00]
Running from: c:\documents and settings\kileyp\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kileyp\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\websrvx
c:\program files\websrvx\websrvx.exe
c:\windows\f23567.dat
c:\windows\freddy44.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_websrvx
-------\Service_websrvx


((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.

2009-06-03 02:29 . 2009-06-03 02:29 -------- d-----w- C:\rsit
2009-06-03 02:29 . 2009-06-03 02:29 -------- d-----w- c:\program files\trend micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-13 06:19 . 2009-02-21 22:05 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-06-13 05:57 . 2005-02-21 04:04 -------- d-----w- c:\program files\SpywareBlaster
2009-06-13 05:55 . 2005-02-21 04:21 -------- d-----w- c:\documents and settings\kileyp\Application Data\Lavasoft
2009-06-05 16:48 . 2005-02-23 15:28 -------- d-----w- c:\program files\Network Associates
2009-06-05 16:48 . 2005-05-20 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Associates
2009-05-09 00:20 . 2005-02-20 21:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-05 01:46 . 2008-03-24 02:05 -------- d-----w- c:\documents and settings\kileyp\Application Data\ZoomBrowser EX
2009-05-05 01:46 . 2008-03-24 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
.

((((((((((((((((((((((((((((( SnapShot@2009-06-05_16.59.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-13 06:10 . 2009-06-13 06:10 388608 c:\windows\system32\CF1986.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2005-02-25 139320]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-07 4730880]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 286720]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-04-07 323584]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-01-30 88363]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-8-3 25214]
EMC VPN Client.lnk - c:\program files\EMC VPN\VPN Client\vpngui.exe [2006-2-21 1445904]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R2 BlackICE;BlackICE;c:\program files\ISS\issSensors\DesktopProtection\blackd.exe [7/12/2005 6:30 PM 847872]
R4 black;black;c:\windows\system32\drivers\blackdrv.sys [7/12/2005 6:30 PM 227285]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [7/12/2005 6:30 PM 36676]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [7/12/2005 6:30 PM 24344]
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2005-03-10 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-02-20 23:38]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-sysfbtray - c:\windows\freddy44.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: emc.com\itcentral.corp
Trusted Zone: emc.com\itonline.isus
Trusted Zone: emc.com\itportal.corp
Trusted Zone: emc.com\www.emcu.isus
Trusted Zone: optonline.net\webmail2
Trusted Zone: emc.com\itcentral.corp
Trusted Zone: emc.com\itonline.isus
Trusted Zone: emc.com\itportal.corp
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://www.vclass.emc.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxp://www.aquire.com/codebase70/OrgPubX.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 02:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\EMC VPN\VPN Client\cvpnd.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\CF1986.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-13 2:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-13 06:26
ComboFix2.txt 2009-06-05 17:04
ComboFix3.txt 2008-08-02 21:52

Pre-Run: 47,144,505,344 bytes free
Post-Run: 47,077,031,936 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=alwaysoff

158 --- E O F --- 2009-04-20 23:31
 
Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:29 AM, on 6/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\EMC VPN\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\kileyp\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: EMC VPN Client.lnk = C:\Program Files\EMC VPN\VPN Client\vpngui.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://itcentral.corp.emc.com
O15 - Trusted Zone: http://itonline.isus.emc.com
O15 - Trusted Zone: http://itportal.corp.emc.com
O15 - Trusted Zone: http://www.emcu.isus.emc.com
O15 - Trusted Zone: http://itcentral.corp.emc.com (HKLM)
O15 - Trusted Zone: http://itonline.isus.emc.com (HKLM)
O15 - Trusted Zone: http://itportal.corp.emc.com (HKLM)
O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} (CentraUpdaterAxCtl Class) - http://www.vclass.emc.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.aquire.com/codebase70/OrgPubX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\EMC VPN\VPN Client\cvpnd.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 9179 bytes
 
Hello!

It is looking good.

Run CFScript


  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and paste everything from the Code box into Notepad:


Code:
Driver::
SNDSrvc

Folder::
C:\WINDOWS\system32\796525
C:\Program Files\BearShare
C:\Program Files\LimeWire
C:\Program Files\Common Files\Symantec Shared

DDS::
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
  • Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)

    [image: CFScriptExample.jpg]
  • Referring to the picture below, drag CFScript into ComboFix.exe

    [image: CFScriptB-4.gif]
  • When finished, it shall produce a log for you at C:\ComboFix.txt


NOTE: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason it's extremely important that you keep the program up to date and also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 14.

  • Go to HERE
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 14
  • Click the Download button to the right
  • From the dropdown menu choose your platform, which is Windows
  • Don't change the language box.
  • Click on the radio button to Accept License Agreement and after that click continue
  • Click on Windows Offline Installation Multi-language and save the downloaded file to your computer
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file and follow the on-screen instructions.
  • Reboot your computer



ATF-Cleaner

Please download ATF Cleaner by Atribune.


  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use the Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.
  • Click Exit on the Main menu to close the program.




Kaspersky Online Scan

You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.




Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

  • ComboFix log (found at C:\Combofix.txt)
  • Kaspersky log
  • A fresh HijackThis log (after all the above has been done)
  • A description of how your computer is behaving
 
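A defender-side check for the local-proxy hijack visible in the logs above (ProxyServer = http=localhost:7171, which the DDS:: section of the CFScript clears), added here as an example and not part of the thread or of ComboFix/HijackThis themselves: it parses HijackThis R1 lines and ComboFix "uInternet Settings" lines and flags a ProxyServer that points at loopback, while treating the default ProxyOverride bypass list as context only. The regexes, the ProxyFinding record and the benign corporate-proxy sample line are assumptions made for this example.

```python
"""Flag a browser proxy hijack in HijackThis / ComboFix log lines.

XP-era malware commonly registered itself as a local HTTP proxy
(ProxyServer = http=localhost:<port>) so every Internet Explorer request
passed through it. A ProxyServer on loopback with no user-installed local
proxy is therefore a strong indicator. Example code, not part of the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# HijackThis R0/R1 line, e.g.
#   R1 - HKCU\...\Internet Settings,ProxyServer = http=localhost:7171
HJT_RE = re.compile(
    r"^R[01] - (?P<hive>HK\w+)\\.*Internet Settings,(?P<key>\w+) = (?P<value>.*)$"
)
# ComboFix supplementary-scan line, e.g.
#   uInternet Settings,ProxyServer = http=localhost:7171
CF_RE = re.compile(r"^(?P<scope>[um])Internet Settings,(?P<key>\w+) = (?P<value>.*)$")

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


@dataclass
class ProxyFinding:
    source: str   # "hijackthis" or "combofix"
    key: str      # ProxyServer or ProxyOverride
    value: str
    reason: str


def parse_proxy_server(value: str) -> List[Tuple[str, str, str]]:
    """Split a ProxyServer value into (scheme, host, port) tuples.

    Accepts the plain 'host:port' form and the per-protocol
    'http=host:port;https=host:port' form; scheme is 'all' for the plain form.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")  # scheme is '' in the plain form
        host, _, port = hostport.rpartition(":")
        if not host:                                 # no port given
            host, port = hostport, ""
        entries.append((scheme or "all", host.strip("[]").lower(), port))
    return entries


def assess(lines: List[str]) -> List[ProxyFinding]:
    """Return findings for ProxyServer entries on loopback.

    ProxyOverride (*.local;<local>) is the default bypass list and is benign on
    its own, so it is only appended as context when a hijack was found.
    """
    findings: List[ProxyFinding] = []
    overrides: List[ProxyFinding] = []
    for raw in lines:
        line = raw.rstrip()
        m = HJT_RE.match(line) or CF_RE.match(line)
        if not m:
            continue
        source = "hijackthis" if line.startswith("R") else "combofix"
        key, value = m.group("key"), m.group("value").strip()
        if key == "ProxyServer":
            for scheme, host, port in parse_proxy_server(value):
                if host in LOOPBACK:
                    findings.append(ProxyFinding(
                        source, key, value,
                        f"{scheme} proxy points at loopback {host}:{port}; "
                        "a local process is intercepting browser traffic"))
        elif key == "ProxyOverride":
            overrides.append(ProxyFinding(
                source, key, value,
                "bypass list; remove together with the hijacked ProxyServer"))
    if findings:
        findings.extend(overrides)
    return findings


# Constructed sample: the first three lines mirror the thread's logs, the
# corporate-proxy line is invented to show a benign setting is not flagged.
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>",
    r"uInternet Settings,ProxyServer = http=localhost:7171",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.example.corp:8080",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/",
]

if __name__ == "__main__":
    for f in assess(SAMPLE_LINES):
        print(f"[{f.source}] {f.key} = {f.value}: {f.reason}")
```

The same check can be pointed at a live system by reading HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings and feeding the values through parse_proxy_server.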
Combofix log

ComboFix 09-06-12.02 - kileyp 06/13/2009 13:59.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.257 [GMT -4:00]
Running from: c:\documents and settings\kileyp\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kileyp\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Symantec Shared
c:\windows\system32\796525
c:\program files\Common Files\Symantec Shared\Default.rul
c:\program files\Common Files\Symantec Shared\DefUpdateCheck.dll
c:\program files\Common Files\Symantec Shared\IDS\DefUtDcd.dll
c:\program files\Common Files\Symantec Shared\IDS\IDSaux.dll
c:\program files\Common Files\Symantec Shared\IDS\IdsInst.exe
c:\program files\Common Files\Symantec Shared\IDS\Patch25.dll
c:\program files\Common Files\Symantec Shared\IDS\SymIDSLU.dll
c:\program files\Common Files\Symantec Shared\SEVINST.EXE
c:\program files\Common Files\Symantec Shared\SNDInst.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SNDunin.dll
c:\program files\Common Files\Symantec Shared\Validate.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SNDSrvc


((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.

2009-06-03 02:29 . 2009-06-03 02:29 -------- d-----w- C:\rsit
2009-06-03 02:29 . 2009-06-03 02:29 -------- d-----w- c:\program files\trend micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-13 18:05 . 2009-02-21 22:05 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-06-13 05:57 . 2005-02-21 04:04 -------- d-----w- c:\program files\SpywareBlaster
2009-06-13 05:55 . 2005-02-21 04:21 -------- d-----w- c:\documents and settings\kileyp\Application Data\Lavasoft
2009-06-05 16:48 . 2005-02-23 15:28 -------- d-----w- c:\program files\Network Associates
2009-06-05 16:48 . 2005-05-20 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Associates
2009-05-09 00:20 . 2005-02-20 21:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-05 01:46 . 2008-03-24 02:05 -------- d-----w- c:\documents and settings\kileyp\Application Data\ZoomBrowser EX
2009-05-05 01:46 . 2008-03-24 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2005-02-25 139320]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-07 4730880]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 286720]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-04-07 323584]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-01-30 88363]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-8-3 25214]
EMC VPN Client.lnk - c:\program files\EMC VPN\VPN Client\vpngui.exe [2006-2-21 1445904]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R2 BlackICE;BlackICE;c:\program files\ISS\issSensors\DesktopProtection\blackd.exe [7/12/2005 6:30 PM 847872]
R4 black;black;c:\windows\system32\drivers\blackdrv.sys [7/12/2005 6:30 PM 227285]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [7/12/2005 6:30 PM 36676]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [7/12/2005 6:30 PM 24344]
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2005-03-10 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-02-20 23:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: emc.com\itcentral.corp
Trusted Zone: emc.com\itonline.isus
Trusted Zone: emc.com\itportal.corp
Trusted Zone: emc.com\www.emcu.isus
Trusted Zone: optonline.net\webmail2
Trusted Zone: emc.com\itcentral.corp
Trusted Zone: emc.com\itonline.isus
Trusted Zone: emc.com\itportal.corp
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://www.vclass.emc.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxp://www.aquire.com/codebase70/OrgPubX.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 14:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????0?6?7?3??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\EMC VPN\VPN Client\cvpnd.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-13 14:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-13 18:12
ComboFix2.txt 2009-06-13 06:26
ComboFix3.txt 2009-06-05 17:04
ComboFix4.txt 2008-08-02 21:52

Pre-Run: 47,070,425,088 bytes free
Post-Run: 47,044,546,560 bytes free

155 --- E O F --- 2009-04-20 23:31
 
Kaspersky Log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, June 13, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, June 13, 2009 20:03:58
Records in database: 2339214
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 74929
Threat name: 17
Infected objects: 135
Suspicious objects: 0
Duration of the scan: 02:45:07


File name / Threat name / Threats count
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\Incomplete\Preview-T-5745425-innocent when you sleep(1).mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\freeway aimee mann.mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\i am your child barry manilo CD quality.mp3 Infected: Trojan-Downloader.WMA.GetCodec.f 1
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\innocent when you sleep [unreleased rare track].mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\innocent when you sleep(1).mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\innocent when you sleep(2).mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\innocent when you sleep.mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\love is all around us.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\measure of man CD quality.mp3 Infected: Trojan-Downloader.WMA.GetCodec.f 1
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\roots wings anne murray - greatest hits.mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\roots wings anne murray.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\summertime fantasia barrino.mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\superstar ruben studdard.mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\superstar ruben studdard.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\way i am ingrid michaelson.mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1
C:\Qoobox\Quarantine\C\Program Files\websrvx\websrvx.exe.vir Infected: Trojan-Downloader.Win32.Zlob.beqg 1
C:\Qoobox\Quarantine\C\WINDOWS\freddy42.exe.vir Infected: Net-Worm.Win32.Koobface.ij 1
C:\Qoobox\Quarantine\C\WINDOWS\freddy44.exe.vir Infected: Net-Worm.Win32.Koobface.ld 1
C:\Qoobox\Quarantine\C\WINDOWS\ld08.exe.vir Infected: Net-Worm.Win32.Koobface.ig 1
C:\Qoobox\Quarantine\C\WINDOWS\pp06.exe.vir Infected: Net-Worm.Win32.Koobface.hw 1
C:\Qoobox\Quarantine\C\WINDOWS\pp10.exe.vir Infected: Trojan.Win32.Agent2.jxi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sysloc\sysloc.dll.vir Infected: Trojan.Win32.BHO.tli 1
C:\quarantine\0Dayz Nokia Gamez Appz Torrentboyz com Pack 12.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\202 ICONs aplics.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\a.zip.Vir.Vir Infected: Worm.Win32.VB.an 1
C:\quarantine\ABBA - Rare Collected Remixes.(WWW.FACTORFORUMS.CO.UKFORUMS).zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Adobe Photoshop Plugins.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Adobe Photoshop Pro CS2 v9 0 Full + Keygen.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Advanced search.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Aero Glass Themes XP Version IV + 32 themes (AIO).zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Air America Radio - The Al Franken Show 080406 [mp3].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Alcohol 120 retail v1 9 5 4327 + Alcohol 120 retail - v1 95 4212.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\AOL Search records for 500,000 users AOL-data tgz.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Barnyard CAM XViD-SubAtom[www moviex info].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Big Brother US S07E14 PDTV XviD-VSS [eztv].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Blur-The Best Of 2CD(Darkside RG).zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Browse categories.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Burn the Fat, Feed the Muscle { www IPTorrents com }.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\CAPCOM CPS2 Emulator for PSP beta 4.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Copyright policy.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\DC Batman - The Killing Joke (comic book).zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Deadwood S03E09 HDTV XviD-LOL [eztv].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\DJ Shadow - The Outsider - (Proper Advance) - 2006 - VOiCE.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Dungeon Siege 2 Broken World KEYGEN-RELOADED.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\EasyFileSearch com-Jessica Simpson 1500+pix.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\EasyFileSearch com-Pamela Anderson 500+pix.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Ember rar.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Entourage S03E09 HDTV XviD-LOL [eztv].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Flat Out 2 Crack Only-RELOADED.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Google Earth Pro 4 Patch NeW Release 08-06-06 by Glbez Team Hackz zip.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Google Earth Pro Final And a tutorial to make it a perfect working pro (full).zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Harvard Business Review (July-August 2006) - [www slotorrent net].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Harvard Business Review Jan 2005.zip.Vir.Vir Infected: Worm.Win32.VB.an 1
C:\quarantine\Harvard Business Review July-Aug 2005(1).zip.Vir.Vir Infected: Worm.Win32.VB.an 1
C:\quarantine\Harvard Business Review July-Aug 2005.zip.Vir.Vir Infected: Worm.Win32.VB.an 1
C:\quarantine\Harvard Business Review, June 2006.zip.Vir.0.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Harvard Business Review, June 2006.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Harvard Business Review, May 2006.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\How To Do Everything With vol 1 - 5in1 (AIO).zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\How To Do Everything With vol 2 - 5in1 (AIO).zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\How To Do Everything With vol 3 - 6in1 (AIO).zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\How to Solve Every Sudoku (Number Place) Puzzle { www IPTorrents com }.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Howard the Duck Issues 1-2.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\IGPX - 023 - Fate [C-W] HQ.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\IRC chat.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Justin Timberlake feat T I- My Love.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\l'Equipe du 06 08 2006 pdf.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Lucky Louie S01E09 HDTV XviD-LOL [eztv].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Marvel Civil War.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Mastodon - Blood Mountain [2006].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\MegaArchive 8ooo Karaoke ita fr eng esp VanBascos ByMiraiam rar.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Nancy Drew Danger By Design [PCCD][English][www newpct com].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\National Geographic August 2006.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\New WordPress blog.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Noein - Mou Hitori no Kimi e [Shinsen-Subs].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\p.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\PC Civilization IV 4 RELOADED ShadowCast.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\PC World Power Guides - Available only to Subscribers { www IPTorrents com }.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Privacy policy.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Rapidshare Premium Pack 2006 version 4 - 43in1 (AIO).zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Redneck Rampage Rides Again.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Redneck Rampage.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Scripts 2006 (AIO).zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Search Cloud.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\SHOCKING! British Police destroy a memorial to race victims .wmv.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Show all of today →.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Simply Acoustic Various 2CD's With covers (NiTrO).zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Sinchronicity S01E04 WS PDTV XviD-RiVER [eztv].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\SlySoft new Update 3-8-06 - 5in1 (AIO).zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Space images super-high resolution [www ultratorrent net].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Speed 2 - Cruise Control 1997 DVDrip SWE.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Spikes Women of Action 2006 WS PDTV XviD-PAP [eztv].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\SYS32DLL.exe.Vir Infected: Trojan-Proxy.Win32.Agent.bmm 1
C:\quarantine\SYS32DLL.exe.Vir.0 Infected: Trojan-Proxy.Win32.Agent.bny 1
C:\quarantine\SYSDLL.exe.Vir Infected: Trojan.Win32.Agent2.jyw 1
C:\quarantine\Talladega Nights CAM XViD-SubAtom( widges-den com ).zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Talladega Nights CAM XViD-SubAtom-ZCCUSTOMS.NET.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Talladega Nights CAM XViD-SubAtom[www moviex info].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\The 4400 3x10 (DSRip-ORENJi)[VTV].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\The 4400 S03E10 DSR XviD-ORENJi [eztv].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\The Ant Bully [TS-Screener][V O English+Subs Spanish][2006][www newpct com].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\The Beatles Complete Songbook.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\The Complete Idiots Guide To Learning French On Your Own { www IPTorrents com }.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\The Dead Zone 5x08 (DSRip-ORENJi)[VTV].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\The Economist 2006-08-05 { www IPTorrents com }.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\The Night Listener 2006 CAM XViD - SubAtom { www IPTorrents com }.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Three Moons Over Milford S01E01 DSR XviD-ORENJi [eztv].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\TMPGEnc Xpress v3 3 8 117 rar.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Top 100 [HipHop+R&B]Billboard][August-06[Vol2]+Charts[@224].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\TV Shows.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Ultimate Ghosts n Goblins Goku Makaimura - JAP-PSP.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\Upload a torrent.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\user-ct-test-collection-01 txt-PARTIAL rar.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\VA - Big Tunes X-Rated.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\VA-Miami Vice-OST-2006-RNS [SOUNDTRACK].zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\XG Step Up 06.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\You're Under Arrest Artbook.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\[A-Keep & gg] Night Head Genesis - 02 [5E35B201] mkv.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\[ADC-Elites] One Piece 274 [128ABB09] avi.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\[A_Z]Greg Martin {Hi Res}.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\[EMD][Zero no Tsukaima][06][GB] rmvb.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\[HCG] Jya no Michi wa [Hebi Soft] zip.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\[KissSub]Innocent Venus - 02[D1F2079C]Xvid avi.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\[maplesnow][one piece][274][jap chn][HDTV][rv10] rmvb.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\[Nipponsei] NARUTO BEST HIT COLLECTION 2 zip.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\[PSP]Every Extend Extra[JAP] [FULL] - [www ESPALPSP com] rar.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\[Shinsen-Subs] Noein 24 [FINAL][CA131F86] avi.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\quarantine\[S^M] One Piece 274 RAW avi.zip.Vir.Vir Infected: P2P-Worm.Win32.VB.dw 1
C:\System Volume Information\_restore{A53AFC92-EDE6-4047-A115-B8F9660A6BBE}\RP112\A0039625.exe Infected: Trojan.Win32.Agent2.jxi 1
C:\System Volume Information\_restore{A53AFC92-EDE6-4047-A115-B8F9660A6BBE}\RP112\A0039626.dll Infected: Trojan.Win32.BHO.tli 1
C:\System Volume Information\_restore{A53AFC92-EDE6-4047-A115-B8F9660A6BBE}\RP112\A0039628.exe Infected: Net-Worm.Win32.Koobface.ij 1
C:\System Volume Information\_restore{A53AFC92-EDE6-4047-A115-B8F9660A6BBE}\RP112\A0039629.exe Infected: Net-Worm.Win32.Koobface.ig 1
C:\System Volume Information\_restore{A53AFC92-EDE6-4047-A115-B8F9660A6BBE}\RP112\A0039630.exe Infected: Net-Worm.Win32.Koobface.hw 1
C:\System Volume Information\_restore{A53AFC92-EDE6-4047-A115-B8F9660A6BBE}\RP112\A0039833.exe Infected: Trojan-Downloader.Win32.Zlob.beqg 1
C:\System Volume Information\_restore{A53AFC92-EDE6-4047-A115-B8F9660A6BBE}\RP112\A0039835.exe Infected: Net-Worm.Win32.Koobface.ld 1

The selected area was scanned.
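Reading a report like this one means separating detections that are still active from ones that only exist in a quarantine folder or a System Restore point, which is exactly the split the reply below acts on. The following Python script is an added example (not part of the thread and not one of the tools used in it) that parses lines in the format above into that split and groups the live hits by family; the sample lines are copied from the report.

```python
"""Split a Kaspersky Online Scanner report into hits that still need action and
hits that are already inert. Added example, not part of the thread."""
import re
from collections import Counter

# One report line: "<path> Infected: <threat name> <count>"
HIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Sample lines copied from the report above: two live files, two quarantined, one restore point.
SAMPLE_REPORT = """\
C:\\Documents and Settings\\kileyp\\Desktop\\My Music\\iTunes\\iTunes Music\\freeway aimee mann.mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1
C:\\Documents and Settings\\kileyp\\Desktop\\My Music\\iTunes\\iTunes Music\\roots wings anne murray.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\freddy44.exe.vir Infected: Net-Worm.Win32.Koobface.ld 1
C:\\quarantine\\a.zip.Vir.Vir Infected: Worm.Win32.VB.an 1
C:\\System Volume Information\\_restore{A53AFC92-EDE6-4047-A115-B8F9660A6BBE}\\RP112\\A0039833.exe Infected: Trojan-Downloader.Win32.Zlob.beqg 1
The selected area was scanned.
"""


def classify(path: str) -> str:
    """live = still on the running system; quarantined = already moved or renamed by a
    removal tool (ComboFix's Qoobox quarantine, the older quarantine folder with .Vir
    suffixes); restore-point = a copy frozen inside System Restore."""
    low = path.lower()
    if low.startswith("c:\\system volume information\\_restore"):
        return "restore-point"
    if low.startswith(("c:\\qoobox\\quarantine\\", "c:\\quarantine\\")):
        return "quarantined"
    return "live"


def parse_report(text: str):
    """Return one dict per detection line; non-matching lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "threat": m["threat"],
                         "count": int(m["count"]), "state": classify(m["path"])})
    return hits


def summarize(hits):
    """Counts per state, live hits grouped by family (threat name minus the
    variant suffix), and the paths that actually need removing."""
    by_state = Counter(h["state"] for h in hits)
    live = [h for h in hits if h["state"] == "live"]
    families = Counter(h["threat"].rsplit(".", 1)[0] for h in live)
    return {"by_state": dict(by_state),
            "live_families": dict(families),
            "action_list": [h["path"] for h in live]}


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(key, value)
```

Run against the full report, the action list comes out as the fifteen iTunes files only; everything else is already in ComboFix's quarantine, the older C:\quarantine folder, or a restore point, which is why the reply deals with those by emptying the folder rather than by scanning again.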
 
Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24 PM, on 6/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\EMC VPN\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\kileyp\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: EMC VPN Client.lnk = C:\Program Files\EMC VPN\VPN Client\vpngui.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://itcentral.corp.emc.com
O15 - Trusted Zone: http://itonline.isus.emc.com
O15 - Trusted Zone: http://itportal.corp.emc.com
O15 - Trusted Zone: http://www.emcu.isus.emc.com
O15 - Trusted Zone: http://itcentral.corp.emc.com (HKLM)
O15 - Trusted Zone: http://itonline.isus.emc.com (HKLM)
O15 - Trusted Zone: http://itportal.corp.emc.com (HKLM)
O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} (CentraUpdaterAxCtl Class) - http://www.vclass.emc.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.aquire.com/codebase70/OrgPubX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\EMC VPN\VPN Client\cvpnd.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

--
End of file - 8907 bytes
 
Hello!

You need to empty this folder: C:\quarantine


There are infected music files in the iTunes folder which we need to delete.

Download and run OTM

Download OTM by Old Timer and save it to your Desktop.

  • Double-click OTM.exe to run it.
  • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.

Code:
:Processes
explorer.exe

:Files
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\Incomplete\Preview-T-5745425-innocent when you sleep(1).mp3
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\freeway aimee mann.mp3
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\i am your child barry manilo CD quality.mp3
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\innocent when you sleep [unreleased rare track].mp3
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\innocent when you sleep(1).mp3
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\innocent when you sleep(2).mp3
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\innocent when you sleep.mp3
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\love is all around us.mp3
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\measure of man CD quality.mp3
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\roots wings anne murray - greatest hits.mp3
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\roots wings anne murray.wma
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\summertime fantasia barrino.mp3
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\superstar ruben studdard.mp3
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\superstar ruben studdard.wma
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\way i am ingrid michaelson.mp3

:Commands
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Push the large MoveIt! button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.



NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

  • OTM Log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
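About those iTunes files: Trojan-Downloader.WMA.GetCodec and Wimad detections are ASF (Windows Media) containers, frequently renamed to .mp3, whose Script Command Object tells Windows Media Player to open a URL that offers a "codec" to install. The Python script below is an added example, not part of the original thread and not one of the tools used in it; it checks whether a file is really an ASF container, decodes the ASF Script Command Object, and lists any embedded http(s) URLs, so a folder of music can be triaged without relying on a signature for each variant. The sample file it builds, including the URL, is constructed for the demonstration.

```python
"""Triage of media files flagged as Trojan-Downloader.WMA.GetCodec / Wimad.
Added example (not from the thread): checks the container type, decodes the
ASF Script Command Object, and lists embedded URLs."""
import re
import struct

# ASF object GUIDs as they appear on disk (little-endian field order).
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
ASF_SCRIPT_COMMAND_GUID = bytes.fromhex("301afb1e620bd011a39b00a0c90348f6")

# UTF-16LE http:// or https:// followed by printable ASCII (ASF stores strings as UTF-16LE).
URL_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def is_asf(data: bytes) -> bool:
    """True if the file starts with the ASF Header Object GUID (WMA/WMV/ASF)."""
    return data[:16] == ASF_HEADER_GUID


def _utf16(buf: bytes) -> str:
    return buf.decode("utf-16-le", errors="replace").rstrip("\x00")


def header_children(data: bytes):
    """Yield (guid, payload) for each object nested in the top-level Header Object."""
    if not is_asf(data) or len(data) < 30:
        return
    (header_size,) = struct.unpack_from("<Q", data, 16)
    pos, end = 30, min(header_size, len(data))  # 16 GUID + 8 size + 4 count + 2 reserved
    while pos + 24 <= end:
        guid = data[pos:pos + 16]
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24:  # malformed size field: stop instead of looping forever
            break
        yield guid, data[pos + 24:pos + size]
        pos += size


def parse_script_commands(payload: bytes):
    """Decode a Script Command Object body into [(time_ms, type_name, command)]."""
    pos = 16  # skip the reserved GUID
    n_cmd, n_types = struct.unpack_from("<HH", payload, pos)
    pos += 4
    types = []
    for _ in range(n_types):
        (n,) = struct.unpack_from("<H", payload, pos)
        pos += 2
        types.append(_utf16(payload[pos:pos + 2 * n]))
        pos += 2 * n
    commands = []
    for _ in range(n_cmd):
        t_ms, type_idx, n = struct.unpack_from("<IHH", payload, pos)
        pos += 8
        type_name = types[type_idx] if type_idx < len(types) else "?"
        commands.append((t_ms, type_name, _utf16(payload[pos:pos + 2 * n])))
        pos += 2 * n
    return commands


def embedded_urls(data: bytes):
    """All UTF-16LE http(s) URLs anywhere in the file, deduplicated and sorted."""
    return sorted({_utf16(m.group(0)) for m in URL_RE.finditer(data)})


def triage(name: str, data: bytes) -> dict:
    """Verdict for one file: container/extension mismatch, script commands, URLs."""
    commands = [c for guid, body in header_children(data)
                if guid == ASF_SCRIPT_COMMAND_GUID for c in parse_script_commands(body)]
    asf = is_asf(data)
    mismatch = asf and name.lower().endswith(".mp3")  # ASF container dressed up as MP3
    urls = embedded_urls(data)
    return {"file": name, "is_asf": asf, "extension_mismatch": mismatch,
            "script_commands": commands, "urls": urls,
            "suspicious": mismatch or bool(commands) or bool(urls)}


def build_sample(url=None) -> bytes:
    """Constructed test input: a bare ASF header, optionally holding one URLANDEXIT
    script command (the type Windows Media Player acts on). Not a real sample."""
    objects = b""
    if url is not None:
        body = (bytes(16)                                      # reserved GUID
                + struct.pack("<HH", 1, 1)                     # 1 command, 1 command type
                + struct.pack("<H", len("URLANDEXIT")) + "URLANDEXIT".encode("utf-16-le")
                + struct.pack("<IHH", 0, 0, len(url)) + url.encode("utf-16-le"))
        objects = ASF_SCRIPT_COMMAND_GUID + struct.pack("<Q", 24 + len(body)) + body
    count = 1 if url is not None else 0
    return ASF_HEADER_GUID + struct.pack("<QIBB", 30 + len(objects), count, 1, 2) + objects


if __name__ == "__main__":
    print(triage("innocent when you sleep.mp3", build_sample("http://example.invalid/codec.exe")))
```

Point it at each file in the music folder and anything reported with extension_mismatch or a non-empty script_commands list is a candidate for the OTM move list; a genuine .wma with no script commands and no URL comes back clean, so legitimate Windows Media files are not swept up with the fakes.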
 
OTM Log

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\Incomplete\Preview-T-5745425-innocent when you sleep(1).mp3 moved successfully.
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\freeway aimee mann.mp3 moved successfully.
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\i am your child barry manilo CD quality.mp3 moved successfully.
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\innocent when you sleep [unreleased rare track].mp3 moved successfully.
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\innocent when you sleep(1).mp3 moved successfully.
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\innocent when you sleep(2).mp3 moved successfully.
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\innocent when you sleep.mp3 moved successfully.
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\love is all around us.mp3 moved successfully.
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\measure of man CD quality.mp3 moved successfully.
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\roots wings anne murray - greatest hits.mp3 moved successfully.
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\roots wings anne murray.wma moved successfully.
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\summertime fantasia barrino.mp3 moved successfully.
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\superstar ruben studdard.mp3 moved successfully.
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\superstar ruben studdard.wma moved successfully.
C:\Documents and Settings\kileyp\Desktop\My Music\iTunes\iTunes Music\way i am ingrid michaelson.mp3 moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\kileyp\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_ec.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\kileyp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\37_1____________________Vaya_con_Dios._______________________________-_Johnny_Utah_0_Bauhaus93_0.0_30_0.0_1.0_0.0_0.0_3.84_0.235_0.0_0.867.eps.gif-77c311f4-6309c197.gif scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\kileyp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\37_1____________________Vaya_con_Dios._______________________________-_Johnny_Utah_0_Bauhaus93_0.0_30_0.0_1.0_0.0_0.0_3.84_0.235_0.0_0.867.eps.gif-77c311f4-6309c197.idx scheduled to be deleted on reboot.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTM by OldTimer - Version 2.1.0.1 log created on 06142009_011549

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_ec.dat not found!
File C:\Documents and Settings\kileyp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\37_1____________________Vaya_con_Dios._______________________________-_Johnny_Utah_0_Bauhaus93_0.0_30_0.0_1.0_0.0_0.0_3.84_0.235_0.0_0.867.eps.gif-77c311f4-6309c197.gif not found!
File C:\Documents and Settings\kileyp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\37_1____________________Vaya_con_Dios._______________________________-_Johnny_Utah_0_Bauhaus93_0.0_30_0.0_1.0_0.0_0.0_3.84_0.235_0.0_0.867.eps.gif-77c311f4-6309c197.idx not found!

Registry entries deleted on Reboot...
 
Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27 AM, on 6/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\EMC VPN\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\kileyp\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: EMC VPN Client.lnk = C:\Program Files\EMC VPN\VPN Client\vpngui.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://itcentral.corp.emc.com
O15 - Trusted Zone: http://itonline.isus.emc.com
O15 - Trusted Zone: http://itportal.corp.emc.com
O15 - Trusted Zone: http://www.emcu.isus.emc.com
O15 - Trusted Zone: http://itcentral.corp.emc.com (HKLM)
O15 - Trusted Zone: http://itonline.isus.emc.com (HKLM)
O15 - Trusted Zone: http://itportal.corp.emc.com (HKLM)
O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} (CentraUpdaterAxCtl Class) - http://www.vclass.emc.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.aquire.com/codebase70/OrgPubX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\EMC VPN\VPN Client\cvpnd.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

--
End of file - 8966 bytes
 
Computer Behavior

Hi,

Thanks for your quick replies!

I haven't been doing anything with the computer other than following your instructions. I have kept the Internet turned off, except to run the Kaspersky scan... figured it might be safer if I keep the computer offline.
 
Computer Behavior 2

Sorry, submitted before I was ready. One strange thing happened in the last set of actions. OTM asked me to restart... but the computer was stuck at "logging off" stage. So eventually (after about 5+ minutes), I just turned the computer off manually and restarted on my own. When I restarted the OTM log was the first thing that popped up.

Otherwise, computer seems to be behaving normally.

Let me know if you need any more information.
 
Question

Just looking at the last log file (and I have no idea what I'm reading), but had a quick question. Those files that were supposed to be deleted upon reboot, and then were not found upon reboot. Is that a problem? Did the virus rename them?
 
Hello!

Sorry, submitted before I was ready. One strange thing happened in the last set of actions. OTM asked me to restart... but the computer was stuck at "logging off" stage. So eventually (after about 5+ minutes), I just turned the computer off manually and restarted on my own. When I restarted the OTM log was the first thing that popped up.
Not to worry. All the information you give me makes my job easier. Thank you for letting me know. OTM has done its job, so no problems. Can you reboot for me and see if it works normally?

Just looking at the last log file (and I have no idea what I'm reading), but had a quick question. Those files that were supposed to be deleted upon reboot, and then were not found upon reboot. Is that a problem? Did the virus rename them?
That is not a problem. OTM didn't find them because they weren't there, so they have already been deleted. They are in cache, which is a temporary storage area where frequently accessed data can be stored for rapid access.

So now I want you to go online with this computer, but before you do any surfing make sure all the security programs are updated and also apply all the Windows updates. When you have done that, please post a new HijackThis log and any problems you encounter.

You have SpywareBlaster installed on your computer, which is outdated. The latest version of SpywareBlaster is 4.2 and you are using version 3.5. So I recommend updating it when you do your updates. You can download the latest version from here.
 
Next Steps

Thanks.

The computer rebooted normally... though this time it did install 5 of 5 updates before restarting. I assume these are the Windows updates you referred to in your last post?

Since I uninstalled all the virus programs, I will need to redownload everything including:

Ad-Aware SE Personal
Malwarebytes' Anti-Malware
McAfee VirusScan Enterprise
SpywareBlaster

Is there anything else I should download, install or uninstall before I get on the internet (system restore, firewall, IE settings)?
 
Reinstall all of the security programs and all the updates for Windows, then surf and let me know how things are going.

I would also like to see a new HijackThis log.
 
Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:56 PM, on 6/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\EMC VPN\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\kileyp\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: EMC VPN Client.lnk = C:\Program Files\EMC VPN\VPN Client\vpngui.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://itcentral.corp.emc.com
O15 - Trusted Zone: http://itonline.isus.emc.com
O15 - Trusted Zone: http://itportal.corp.emc.com
O15 - Trusted Zone: http://www.emcu.isus.emc.com
O15 - Trusted Zone: http://itcentral.corp.emc.com (HKLM)
O15 - Trusted Zone: http://itonline.isus.emc.com (HKLM)
O15 - Trusted Zone: http://itportal.corp.emc.com (HKLM)
O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} (CentraUpdaterAxCtl Class) - http://www.vclass.emc.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.aquire.com/codebase70/OrgPubX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: McAfee Application Installer Cleanup (0061151245005137) (0061151245005137mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\kileyp\LOCALS~1\Temp\006115~1.EXE
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\EMC VPN\VPN Client\cvpnd.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

--
End of file - 11442 bytes
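As an added example (not part of this thread, and not HijackThis's own code), here is a small Python triage pass over the kind of lines that appear in both HijackThis logs posted above. Every name in it (`triage`, `exe_path`, `summarize`, `Finding`, the regular expressions and the severity labels) is the example's own; the sample lines embedded in it are copied from the logs in this thread. It pulls out the O4 (autostart), O23 (service), O15 (trusted zone) and O16 (ActiveX download) entries and flags what a helper tends to look at first: programs launched from a temp folder, services with no recorded publisher, autostart entries given only as a bare file name, and the trusted-zone and ActiveX entries that widen what Internet Explorer will run. A flag is a cue to look closer, not a verdict: the McAfee installer cleanup service in the second log above runs from Temp and is flagged, yet in this thread it is a leftover of the legitimate McAfee reinstall.

```python
"""Triage pass over HijackThis-style log lines.

Added example for this thread; it is not part of HijackThis or of the
thread's own tooling. Global Startup (.lnk) O4 lines are deliberately
skipped because the log does not record what the shortcut points at.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Line shapes seen in the logs above (patterns written for this example)
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>\S+\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)")
# First program reference on a Run-key command line, quoted or not
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|cpl|scr|bat|cmd))"?(?=[\s,]|$)', re.IGNORECASE)
FULL_PATH_RE = re.compile(r"^[A-Za-z]:\\")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
O23_PREFIX = "O23 - Service: "

# Constructed sample: lines copied from the HijackThis logs in this thread
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O15 - Trusted Zone: http://itcentral.corp.emc.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: McAfee Application Installer Cleanup (0061151245005137) (0061151245005137mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\kileyp\LOCALS~1\Temp\006115~1.EXE
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\EMC VPN\VPN Client\cvpnd.exe
"""


@dataclass
class Finding:
    severity: str  # "review" (look at it) or "info" (worth knowing, usually benign)
    kind: str      # HijackThis section the line came from, e.g. "O4"
    reason: str
    line: str


def exe_path(cmd: str) -> str:
    """Return the program a Run-key command line launches, quotes stripped."""
    m = EXE_RE.match(cmd.strip())
    return m["path"] if m else cmd.strip()


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RUN_RE.match(line):
            path = exe_path(m["cmd"])
            if not FULL_PATH_RE.match(path):
                # A bare name is resolved via the search path at logon, so the
                # log alone cannot say which file actually runs.
                findings.append(Finding("review", "O4",
                    f"autostart [{m['name']}] is a bare name ({path}); location cannot be checked from the log", line))
            elif TEMP_RE.search(path):
                findings.append(Finding("review", "O4",
                    f"autostart [{m['name']}] runs from a temp folder: {path}", line))
        elif line.startswith(O23_PREFIX):
            # Layout is "name - owner - path"; split from the right so a
            # service name containing " - " stays intact.
            parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            name, owner, path = parts
            if TEMP_RE.search(path):
                findings.append(Finding("review", "O23", f"service '{name}' runs from a temp folder: {path}", line))
            if owner == "Unknown owner":
                findings.append(Finding("review", "O23", f"service '{name}' has no recorded publisher", line))
        elif m := O15_RE.match(line):
            findings.append(Finding("info", "O15",
                f"{urlsplit(m['url']).hostname} is in the IE Trusted Zone, so fewer restrictions apply to it", line))
        elif m := O16_RE.match(line):
            findings.append(Finding("info", "O16",
                f"ActiveX control '{m['desc']}' was installed from {urlsplit(m['url']).hostname}", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'review': 4, 'info': 2}."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.kind}: {f.reason}")
    print(summarize(results))
```

On the sample above the pass returns four "review" findings (the two bare-name autostarts, the service in Temp and the service with no publisher) and two "info" entries (the trusted-zone host and the ActiveX download); the fully pathed Program Files entries produce nothing. Running it over a whole pasted log is just `triage(open("hijackthis.log").read())`.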
 
Malware Bytes Log

Hi,

Since I reinstalled Malware Bytes, I ran a quick scan and figured I'd post that log (I removed all detected items from the scan):

Malwarebytes' Anti-Malware 1.37
Database version: 2277
Windows 5.1.2600 Service Pack 2

6/14/2009 4:13:17 PM
mbam-log-2009-06-14 (16-13-17).txt

Scan type: Quick Scan
Objects scanned: 97567
Time elapsed: 18 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\fe345.fe345mgr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fe345.fe345mgr.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rt586.rt586mgr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rt586.rt586mgr.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\y537.y537mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\y537.y537mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
System Behavior

System behavior is fine - but even before I was aware my computer was infected, the symptoms were sporadic. I'm actually using the infected computer now to post these replies - so I am on the Internet now.

Please let me know if you need anything else.
 
Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:

  • ATF cleaner - (You can just delete the exe file from your desktop)



  • Delete ComboFix and Clean Up
    Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)

    Please advise if this step is missed for any reason as it performs some important actions.


    OTC

    Download OTC by Old Timer and save it to your Desktop.
    • Double-click OTC.exe
    • Click the CleanUp! button
    • Select Yes when the Begin cleanup Process? Prompt appears
    • If you are prompted to Reboot during the cleanup, select Yes
    • The tool will delete itself once it finishes, if not delete it by yourself


    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


    General Security and Computer Health
    Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    NOTE: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector or F-Secure Health Check. I suggest that you run one of them at least once a month.
  • Make Internet Explorer More Secure
    You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE



Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.


  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.
  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead: Firefox or Opera



Here is a great article by miekiemoes: How to prevent Malware.

Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard
 
Thanks and a couple of questions

Hi,

Thanks for all your help in cleaning up this virus! It was a lot of work, and your help and speedy replies were really great!

I tried to uninstall ComboFix, but when I ran the command I got a message that the file was not found. I think I did delete it during an earlier phase. Do I need to do something else with this?

I am going to start using Firefox instead of IE.

In terms of multiple anti-virus software: as you may have seen from my logs and posts, I have upgraded to McAfee Total Protection, which will provide automatic updates. I also installed Malwarebytes. Should I remove that program because it will interfere with McAfee - or would it be a good idea to run a Malwarebytes scan every so often? Does the same go for SpywareBlaster and Ad-Aware?

Thanks again!
 