At startup, xp states cannot find 'Data\Adobe\Manager.ex

Welcome Guest ( Log In | Join )

If you don't enter, you can't win! Enter here

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Spyware, virus, trojan, fake security or privacy alerts? Read the malware cleaning guide. Want to reply to a topic, start a new one, or remove the advertising? Join today (always free).

> Geeks to Go! » Security » Malware Removal - HijackThis™ Logs Go Here

At startup, xp states cannot find 'Data\Adobe\Manager.ex

Options

mr_sledgeka View Member Profile	Aug 15 2008, 05:36 PM Post #1
Member Posts: 40 From: Australia OS: XP	Hi all, Just recently I've been getting the below message dialogue boxes upon startup after the login window. Every time I reboot S&D Spybot starts scanning and had found traces of Trojan vundo which is eliminates then I restart and keep getting the messages below. Trojan Vundo keeps coming back no matter what I throw at it, really need some help from an expert. Windows cannot find "C:\Documents'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search. Could not load or run "C:\Documents' specified in the registry. Make sure the file exists on your computer or remove the reference in the registry. Windows cannot find 'and'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search. Could not load or run 'and' specified in the registry. Make sure the file exists on your computer or remove the reference in the registry. Windows cannot find 'Settings\Ryan\Application'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search. Could not load or run 'Settings\Ryan\Application' specified in the registry. Make sure the file exists on your computer or remove the reference in the registry. Windows cannot find 'Data\Adobe\Manager.exe". Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search. Could not load or run 'Data\Adobe\Manager.exe" specified in the registry. Make sure the file exists on your computer or remove the reference in the registry. I think I opened a file that I should haven't as Norton did not pick it up until Spybit came up and warned me. Here's the Hijack this log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:35:33 AM, on 16/08/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\WINDOWS\system32\E_S00RP2.EXE C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\system32\SAgent4.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Creative\ShareDLL\CtNotify.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Creative\ShareDLL\Mediadet.exe C:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Tweak-XP Pro\AdBlocker.exe C:\Program Files\Ccy Cookies Remover v203\ccycookr.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe C:\Program Files\PeerGuardian2\pg2.exe C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe C:\Program Files\Creative\SBLive\PlayCenter2\CTNMRun.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Opera\opera.exe C:\WINDOWS\notepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.abc.net.au R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 0<local>;localhost F3 - REG:win.ini: run="C:\Documents and Settings\Brendan\Application Data\Adobe\Manager.exe" O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\Speed Video Splitter\msdxm.ocx O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Brendan\LOCALS~1\Temp\IXP000.TMP\" O4 - HKLM\..\RunOnce: [wextract_cleanup1] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Brendan\LOCALS~1\Temp\IXP001.TMP\" O4 - HKLM\..\RunOnce: [SpybotDeletingA9929] command /c del "C:\WINDOWS\SYSTEM32\qoMGXRIB.dll" O4 - HKLM\..\RunOnce: [SpybotDeletingC939] cmd /c del "C:\WINDOWS\SYSTEM32\qoMGXRIB.dll" O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro\AdBlocker.exe" O4 - HKCU\..\Run: [Ccy Cookies Remover v2.0.3] C:\Program Files\Ccy Cookies Remover v203\ccycookr.exe O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\SBLive\PlayCenter2\CTNMRun.exe" O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe O4 - Global Startup: Digital Line Detect.lnk = ? O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - http://picasaweb.google.com/s/v/23.21/uploader2.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.com/includes/ImageUploader4-5.cab O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://sledgeka.spaces.live.com/PhotoUpload/MsnPUpld.cab O16 - DPF: {860D5AAC-D059-4C9F-93D3-3FD6FBB6872F} (AuroraCtrl Class) - http://icebergradio.com/aurora/1.0.2.259/client.cab O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} - http://chat.yahoo.com/cab/yuplapp.cab O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP2.EXE O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe -- End of file - 11858 bytes Many thanks This post has been edited by mr_sledgeka: Aug 17 2008, 02:16 AM

Stamper19 View Member Profile	Aug 18 2008, 07:12 PM Post #2
Trusted Helper Posts: 1,990 OS: Windows XP	Hi Mr. Sledgeka, Welcome to Geeks to Go! My name is Stamper19 and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point. ---------------------------------------------------------------- Please download VundoFix.exe to your desktop Double-click VundoFix.exe to run it. Click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will reboot your computer, click OK. Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting. ---------------------------------------------------------------- Download ComboFix from Here or Here to your Desktop. Double click combofix.exe and follow the prompts. When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply Note: Do not mouseclick combofix's window while its running. That may cause it to stall ---------------------------------------------------------------- Information to include in your next post: Vundofix.text Combofix Log

mr_sledgeka View Member Profile	Aug 19 2008, 05:49 AM Post #3
Member Posts: 40 From: Australia OS: XP	Hi thanks for your reply! Here the logs that you requested, my system ssems to be behaving now but I keep getting a message at startup 'The Specified module could not be found c/-windows/system32/hccmslwu.dll' I think this was one of the files that Vundofix deleted. Here's the Vundofix Log: VundoFix V5.1.4 Checking Java version... Java version is 1.4.2.3 Java version is 1.4.2.4 Java version is 1.5.0.6 Java version is 1.5.0.9 Scan started at 3:30:37 PM 15/08/2008 Listing files found while scanning.... No infected files were found. VundoFix V5.1.4 Checking Java version... Java version is 1.4.2.3 Java version is 1.4.2.4 Java version is 1.5.0.6 Java version is 1.5.0.9 Scan started at 11:36:08 PM 16/08/2008 Listing files found while scanning.... No infected files were found. VundoFix V7.0.6 Scan started at 8:05:17 PM 19/08/2008 Listing files found while scanning.... C:\Windows\SYSTEM32\celpgaoo.dll C:\Windows\SYSTEM32\cuyaxv.dll C:\Windows\SYSTEM32\djattpxy.dll C:\Windows\SYSTEM32\elyyjrxa.dll C:\Windows\SYSTEM32\eotoammy.dll C:\Windows\SYSTEM32\evrbrkku.dll C:\Windows\SYSTEM32\ezwjgp.dll C:\Windows\SYSTEM32\guuvsktj.ini C:\Windows\SYSTEM32\hbmsfrlr.dll C:\Windows\SYSTEM32\hccmslwu.dll C:\Windows\SYSTEM32\hwffmewm.dll C:\Windows\SYSTEM32\jhfbkx.dll C:\Windows\SYSTEM32\jtksvuug.dll C:\Windows\SYSTEM32\ljzses.dll C:\Windows\SYSTEM32\nbcvkdjk.dll C:\Windows\SYSTEM32\ovsuhdly.dll C:\Windows\SYSTEM32\qenienfh.dll C:\Windows\SYSTEM32\qksuolde.dll C:\Windows\SYSTEM32\qogrfgkc.dll C:\Windows\SYSTEM32\qsgdrlsf.dll C:\Windows\SYSTEM32\qvlewwiy.dll C:\Windows\SYSTEM32\rleemfaw.dll Beginning removal... Attempting to delete C:\Windows\SYSTEM32\celpgaoo.dll C:\Windows\SYSTEM32\celpgaoo.dll Has been deleted! Attempting to delete C:\Windows\SYSTEM32\cuyaxv.dll C:\Windows\SYSTEM32\cuyaxv.dll Has been deleted! Attempting to delete C:\Windows\SYSTEM32\djattpxy.dll C:\Windows\SYSTEM32\djattpxy.dll Has been deleted! Attempting to delete C:\Windows\SYSTEM32\elyyjrxa.dll C:\Windows\SYSTEM32\elyyjrxa.dll Has been deleted! Attempting to delete C:\Windows\SYSTEM32\eotoammy.dll C:\Windows\SYSTEM32\eotoammy.dll Has been deleted! Attempting to delete C:\Windows\SYSTEM32\evrbrkku.dll C:\Windows\SYSTEM32\evrbrkku.dll Has been deleted! Attempting to delete C:\Windows\SYSTEM32\ezwjgp.dll C:\Windows\SYSTEM32\ezwjgp.dll Could not be deleted. Attempting to delete C:\Windows\SYSTEM32\guuvsktj.ini C:\Windows\SYSTEM32\guuvsktj.ini Has been deleted! Attempting to delete C:\Windows\SYSTEM32\hbmsfrlr.dll C:\Windows\SYSTEM32\hbmsfrlr.dll Has been deleted! Attempting to delete C:\Windows\SYSTEM32\hccmslwu.dll C:\Windows\SYSTEM32\hccmslwu.dll Could not be deleted. Attempting to delete C:\Windows\SYSTEM32\hwffmewm.dll C:\Windows\SYSTEM32\hwffmewm.dll Has been deleted! Attempting to delete C:\Windows\SYSTEM32\jhfbkx.dll C:\Windows\SYSTEM32\jhfbkx.dll Has been deleted! Attempting to delete C:\Windows\SYSTEM32\jtksvuug.dll C:\Windows\SYSTEM32\jtksvuug.dll Has been deleted! Attempting to delete C:\Windows\SYSTEM32\ljzses.dll C:\Windows\SYSTEM32\ljzses.dll Has been deleted! Attempting to delete C:\Windows\SYSTEM32\nbcvkdjk.dll C:\Windows\SYSTEM32\nbcvkdjk.dll Has been deleted! Attempting to delete C:\Windows\SYSTEM32\ovsuhdly.dll C:\Windows\SYSTEM32\ovsuhdly.dll Has been deleted! Attempting to delete C:\Windows\SYSTEM32\qenienfh.dll C:\Windows\SYSTEM32\qenienfh.dll Has been deleted! Attempting to delete C:\Windows\SYSTEM32\qksuolde.dll C:\Windows\SYSTEM32\qksuolde.dll Has been deleted! Attempting to delete C:\Windows\SYSTEM32\qogrfgkc.dll C:\Windows\SYSTEM32\qogrfgkc.dll Has been deleted! Attempting to delete C:\Windows\SYSTEM32\qsgdrlsf.dll C:\Windows\SYSTEM32\qsgdrlsf.dll Has been deleted! Attempting to delete C:\Windows\SYSTEM32\qvlewwiy.dll C:\Windows\SYSTEM32\qvlewwiy.dll Has been deleted! Attempting to delete C:\Windows\SYSTEM32\rleemfaw.dll C:\Windows\SYSTEM32\rleemfaw.dll Has been deleted! Performing Repairs to the registry. Done! Beginning removal... Attempting to delete C:\Windows\SYSTEM32\ezwjgp.dll C:\Windows\SYSTEM32\ezwjgp.dll Could not be deleted. Attempting to delete C:\Windows\SYSTEM32\hccmslwu.dll C:\Windows\SYSTEM32\hccmslwu.dll Has been deleted! Performing Repairs to the registry. Done! Beginning removal... Combofix Log: ComboFix 08-08-18.04 - Brendan 2008-08-19 21:04:38.4 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.551 [GMT 10:00] Running from: C:\Documents and Settings\Brendan\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat C:\Documents and Settings\Brendan\Application Data\inst.exe C:\Documents and Settings\Brendan\Application Data\macromedia\Flash Player\#SharedObjects\WD3B9K6W\interclick.com C:\Documents and Settings\Brendan\Application Data\macromedia\Flash Player\#SharedObjects\WD3B9K6W\interclick.com\ud.sol C:\Documents and Settings\Brendan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com C:\Documents and Settings\Brendan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol C:\Documents and Settings\Brendan\UserData C:\Documents and Settings\Brendan\UserData\8N05EFBT\oWindowsUpdate[1].xml C:\Documents and Settings\Brendan\UserData\8N05EFBT\showHideState[2].xml C:\Documents and Settings\Brendan\UserData\8N05EFBT\showHideState[3].xml C:\Documents and Settings\Brendan\UserData\8N05EFBT\YL[1].xml C:\Documents and Settings\Brendan\UserData\ED9GBILO\BlogIt[1].xml C:\Documents and Settings\Brendan\UserData\ED9GBILO\iconState[1].xml C:\Documents and Settings\Brendan\UserData\ED9GBILO\oWindowsUpdate[1].xml C:\Documents and Settings\Brendan\UserData\ER0QYG32\iconState[2].xml C:\Documents and Settings\Brendan\UserData\ER0QYG32\oWindowsUpdate[1].xml C:\Documents and Settings\Brendan\UserData\ER0QYG32\showHideState[1].xml C:\Documents and Settings\Brendan\UserData\ER0QYG32\showHideState[2].xml C:\Documents and Settings\Brendan\UserData\index.dat C:\Documents and Settings\Brendan\UserData\J7SSCNCS\BlogIt[1].xml C:\Documents and Settings\Brendan\UserData\J7SSCNCS\iconState[1].xml C:\Documents and Settings\Brendan\UserData\J7SSCNCS\iconState[2].xml C:\Documents and Settings\Brendan\UserData\J7SSCNCS\IsOnIE6tbPromo[1].xml C:\WINDOWS\BMe37b4b88.txt C:\WINDOWS\BMe37b4b88.xml C:\WINDOWS\pskt.ini C:\WINDOWS\system32\ezwjgp.dll C:\WINDOWS\system32\fslrdgsq.ini C:\WINDOWS\system32\fxlvshnr.ini C:\WINDOWS\SYSTEM32\hxcsmnoy.ini C:\WINDOWS\system32\jrkmudws.ini C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\SYSTEM32\mpAGOUtv.ini C:\WINDOWS\SYSTEM32\mpAGOUtv.ini2 C:\WINDOWS\system32\pwokwaby.exe C:\WINDOWS\system32\qoxlcrsi.exe C:\WINDOWS\system32\qqsrldew.ini C:\WINDOWS\SYSTEM32\rrutv.bak1 C:\WINDOWS\SYSTEM32\rrutv.bak2 C:\WINDOWS\SYSTEM32\rrutv.ini C:\WINDOWS\SYSTEM32\rrutv.ini2 C:\WINDOWS\SYSTEM32\rrutv.tmp C:\WINDOWS\SYSTEM32\ttutv.bak1 C:\WINDOWS\SYSTEM32\ttutv.tmp C:\WINDOWS\system32\turaiqnn.dll C:\WINDOWS\system32\uadtucro.ini C:\WINDOWS\system32\vtUOGApm.dll C:\WINDOWS\system32\wedlrsqq.dll C:\WINDOWS\system32\wvpriyyu.dll C:\WINDOWS\system32\xvryyxfj.exe C:\WINDOWS\system32\ykfzwt.dll C:\WINDOWS\system32\yonmscxh.dll ----- BITS: Possible infected sites ----- http://195.225.176.25 . ((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 ))))))))))))))))))))))))))))))) . 2008-08-19 17:15 . 2008-08-19 17:15 119,808 --a------ C:\WINDOWS\SYSTEM32\eafxigsm.dll_old 2008-08-19 17:03 . 2008-08-19 17:04 47,893 --a------ C:\WINDOWS\SYSTEM32\xhkapihs.dll 2008-08-18 17:04 . 2008-08-18 17:04 47,893 --a------ C:\WINDOWS\SYSTEM32\gjkhcklx.dll 2008-08-17 17:15 . 2008-08-17 17:15 47,893 --a------ C:\WINDOWS\SYSTEM32\kguanfcb.dll 2008-08-16 16:23 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys 2008-08-16 16:22 . 2002-07-17 08:20 45,056 --a------ C:\WINDOWS\SYSTEM32\wnaspi32.BAK 2008-08-16 16:22 . 2002-07-17 07:53 16,877 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aspi32.BAK 2008-08-16 16:22 . 2002-07-17 15:22 5,600 --a------ C:\WINDOWS\SYSTEM\winaspi.BAK 2008-08-16 16:22 . 2002-07-17 15:22 4,672 --a------ C:\WINDOWS\SYSTEM\wowpost.BAK 2008-08-16 16:21 . 2008-08-16 16:21 <DIR> d-------- C:\Program Files\Panda Security 2008-08-16 14:56 . 2008-08-16 14:57 50,813 --a------ C:\WINDOWS\SYSTEM32\wqqobqgg.dll 2008-08-16 09:21 . 2008-08-16 09:21 <DIR> d-------- C:\Deckard 2008-08-15 14:55 . 2008-08-15 14:55 93,184 --a------ C:\WINDOWS\SYSTEM32\hhtttton.dll_old 2008-08-15 14:55 . 2008-08-15 14:55 47,893 --a------ C:\WINDOWS\SYSTEM32\hasttple.dll 2008-08-13 15:07 . 2008-05-02 00:30 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll 2008-08-10 22:42 . 2008-08-10 22:42 <DIR> d-------- C:\Documents and Settings\Brendan\Application Data\Ashampoo 2008-08-10 22:34 . 2008-08-10 22:34 <DIR> d-------- C:\Program Files\Ashampoo 2008-08-10 22:34 . 2008-08-10 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ashampoo 2008-08-08 19:46 . 2008-08-08 19:49 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-08-05 22:33 . 2008-08-05 22:33 <DIR> d-------- C:\Program Files\FAT32 Format 2008-08-05 22:33 . 2008-08-05 22:33 19,572 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\FNETDEVI.SYS 2008-07-28 23:45 . 2008-08-15 21:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-07-28 23:45 . 2008-07-28 23:45 1,409 --a------ C:\WINDOWS\QTFont.for 2008-07-24 16:14 . 2008-07-24 16:14 <DIR> d-------- C:\Program Files\URUSoft 2008-07-21 19:59 . 2008-07-21 19:59 <DIR> d-------- C:\Program Files\DVD Decrypter . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-19 11:19 --------- d-----w C:\Program Files\PeerGuardian2 2008-08-19 09:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-08-19 09:52 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-08-19 00:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink 2008-08-16 13:58 --------- d-----w C:\Program Files\ewido anti-spyware 4.0 2008-08-16 13:33 --------- d-----w C:\Program Files\Roguescanfix 2008-08-16 06:04 --------- d-----w C:\Documents and Settings\Brendan\Application Data\uTorrent 2008-08-16 04:02 --------- d-----w C:\Documents and Settings\Brendan\Application Data\Vso 2008-08-15 23:40 --------- d-----w C:\Program Files\Hijack this 2008-08-15 01:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-08-08 09:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-08-08 00:21 --------- d-----w C:\Program Files\Winamp 2008-08-05 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec 2008-07-30 07:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys 2008-07-30 07:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf 2008-07-30 07:28 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat 2008-07-29 22:38 --------- d-----w C:\Program Files\Norton AntiVirus 2008-07-26 08:35 --------- d-----w C:\Documents and Settings\Brendan\Application Data\dvdcss 2008-07-23 10:32 --------- d-----w C:\Program Files\Java 2008-07-11 13:27 --------- d-----w C:\Program Files\Magic Video Studio 2008-07-11 06:10 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2008-07-01 13:58 --------- d-----w C:\Program Files\FrostWire 2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys 2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys 2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys 2008-06-18 11:09 691,545 ----a-w C:\WINDOWS\unins000.exe 2008-05-26 03:36 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll 2008-02-15 00:21 47,360 ----a-w C:\Documents and Settings\Brendan\Application Data\pcouffin.sys 2003-03-15 17:00 7,216 ----a-w C:\WINDOWS\INF\RAMDISK.SYS . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BlockAds"="C:\Program Files\Tweak-XP Pro\AdBlocker.exe" [2003-10-29 02:00 45056] "Ccy Cookies Remover v2.0.3"="C:\Program Files\Ccy Cookies Remover v203\ccycookr.exe" [2004-05-24 18:34 413184] "ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2006-07-06 17:26 573440] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360] "Gadwin PrintScreen 3.5"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2006-07-08 18:57 1101824] "PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 17:40 1421824] "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-07-24 11:29 1863960] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 13:18 202024] "AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-03-07 04:26 1694656] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488] "NOMAD Detector"="C:\Program Files\Creative\SBLive\PlayCenter2\CTNMRun.exe" [2002-03-05 05:15 18432] "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 20:49 4662776] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-12-26 04:00 191488] "LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2003-08-29 14:17 188416] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816] "osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 22:22 26248] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 18:51 583048] "Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38 49152] "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-03 15:46 4800512] C:\Documents and Settings\Brendan\Start Menu\Programs\Startup\ Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2006-05-23 17:17:00 1806336] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-05-18 17:34:25 24576] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=ezwjgp.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm "wave"= DrvTrNTm.dll "mixer"= DrvTrNTm.dll "msacm.enc"= ITIG726.acm "VIDC.NSVI"= nsvideo.dll "msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm "msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm "msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\vtUOGApm HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry] --a------ 2003-08-13 12:27 28672 C:\WINDOWS\SYSTEM32\DSentry.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray] --a------ 2003-08-29 14:20 77824 C:\Program Files\Logitech\Video\LogiTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan] --a------ 2007-09-20 07:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2007-03-01 13:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2008-04-23 07:00 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] --a------ 2006-11-30 20:49 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "NOMAD Detector"="C:\Program Files\Creative\SBLive\PlayCenter2\CTNMRun.exe" "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\Program Files\\FrostWire\\FrostWire.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= "C:\\Program Files\\Tweak-XP Pro\\AdBlocker.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"= "C:\\Program Files\\Opera\\opera.exe"= "C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= R0 Achernar;Achernar - SCSI Command Filters;C:\WINDOWS\system32\Drivers\Achernar.sys [2005-09-23 13:50] R0 hotcore2;hotcore2;C:\WINDOWS\system32\drivers\hotcore2.sys [2007-02-03 05:56] R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24] R0 sonypvl2;sonypvl2;C:\WINDOWS\system32\drivers\sonypvl2.sys [2003-07-25 15:02] R1 FNETDEVI;FNETDEVI;C:\WINDOWS\system32\drivers\FNETDEVI.SYS [2008-08-05 22:33] R1 sonypvf2;sonypvf2;C:\WINDOWS\system32\drivers\sonypvf2.sys [2004-04-08 11:04] R1 sonypvt2;sonypvt2;C:\WINDOWS\system32\drivers\sonypvt2.sys [2003-08-20 10:44] R2 Vqtfk;Vqtfk;C:\WINDOWS\System32\Vqtfk.sys [1999-08-11 10:49] R3 Aldebaran;Aldebaran - SCSI Command Filters;C:\WINDOWS\system32\Drivers\Aldebaran.sys [2005-09-23 13:50] S1 sonypvd2;sonypvd2;C:\WINDOWS\system32\DRIVERS\sonypvd2.sys [2003-06-24 10:29] S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS [2003-09-16 13:41] Newly Created Service - PGFILTER . Contents of the 'Scheduled Tasks' folder 2008-08-15 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Brendan.job - C:\PROGRA~1\NORTON~1\Navw32.exe [2006-09-07 02:38] . - - - - ORPHANS REMOVED - - - - HKLM-Run-BMe37b4b88 - C:\WINDOWS\system32\hccmslwu.dll ShellExecuteHooks-{50CE3245-BDBF-47CE-ADD6-8D738AF3807E} - (no file) Notify-WgaLogon - (no file) MSConfigStartUp-Eraser - K:\Eraser\eraser.exe . ------- Supplementary Scan ------- . R0 -: HKCU-Main,Start Page = www.abc.net.au R0 -: HKLM-Main,Start Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage R1 -: HKCU-Internet Settings,ProxyOverride = 0<local>;localhost O8 -: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 -: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 -: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O18 -: Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O16 -: {860D5AAC-D059-4C9F-93D3-3FD6FBB6872F} - hxxp://icebergradio.com/aurora/1.0.2.259/client.cab C:\WINDOWS\Downloaded Program Files\imaurora.inf C:\WINDOWS\System32\imaurora.dll . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-19 21:17:35 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???????????????????E?@?Disc Detector?A????? ?A?? ????B?e!@???@???@?? C?????E?@?????????@?B???A????? ?A?P?????B???@?????P?????@???????????A~??????????@???????????????????B?????\???????????????????????????r?B scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe C:\WINDOWS\SYSTEM32\nvsvc32.exe C:\WINDOWS\SYSTEM32\SAgent4.exe C:\WINDOWS\SYSTEM32\MsPMSPSv.exe C:\Program Files\Creative\ShareDLL\Mediadet.exe C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe C:\WINDOWS\SYSTEM32\locator.exe . ************************************************************************ . Completion time: 2008-08-19 21:31:20 - machine was rebooted ComboFix-quarantined-files.txt 2008-08-19 11:31:14 Pre-Run: 17,254,064,128 bytes free Post-Run: 17,227,698,176 bytes free 279 --- E O F --- 2008-08-13 14:07:49 Hijack this log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:47:12 PM, on 19/08/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\system32\SAgent4.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Creative\ShareDLL\CtNotify.exe C:\Program Files\Creative\ShareDLL\Mediadet.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Tweak-XP Pro\AdBlocker.exe C:\Program Files\Ccy Cookies Remover v203\ccycookr.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\PeerGuardian2\pg2.exe C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Creative\SBLive\PlayCenter2\CTNMRun.exe C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\WINDOWS\explorer.exe C:\Program Files\Opera\opera.exe C:\Program Files\Hijack this\Hijack this v2.02\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.abc.net.au R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 0<local>;localhost O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\Speed Video Splitter\msdxm.ocx O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro\AdBlocker.exe" O4 - HKCU\..\Run: [Ccy Cookies Remover v2.0.3] C:\Program Files\Ccy Cookies Remover v203\ccycookr.exe O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\SBLive\PlayCenter2\CTNMRun.exe" O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe O4 - Global Startup: Digital Line Detect.lnk = ? O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - http://picasaweb.google.com/s/v/23.21/uploader2.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.com/includes/ImageUploader4-5.cab O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://sledgeka.spaces.live.com/PhotoUpload/MsnPUpld.cab O16 - DPF: {860D5AAC-D059-4C9F-93D3-3FD6FBB6872F} (AuroraCtrl Class) - http://icebergradio.com/aurora/1.0.2.259/client.cab O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} - http://chat.yahoo.com/cab/yuplapp.cab O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O20 - AppInit_DLLs: ezwjgp.dll O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP2.EXE O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe -- End of file - 11377 bytes If there's anything I should be aware please let me know. Windows Recover Console Missing? Thanks for your assistance.

Stamper19 View Member Profile	Aug 19 2008, 06:22 AM Post #4
Trusted Helper Posts: 1,990 OS: Windows XP	Hi Mr. Sledgeka, Happy to help out The message you are getting at boot is in fact related to the virus. We will get it taken care of. The file it is pointing was in fact deleted, and the registry entry that was causing that message should be gone now also. Check to see if you are still getting the message. Recovery Console is a Windows component that can be very useful if things go wrong. We will get yours installed now. First, I see that you are running, or have previously installed, uTorrent and FrostWire. Although these applications are not malware themselves, the files downloaded with them are often a major source of infection. Hence, I strongly advise that they be removed. If you choose to do so, go to the Add/Remove Programs option in the Control Panel, and Uninstall uTorrent and FrostWire ---------------------------------------------------------------- Go to Microsoft's website => http://support.microsoft.com/kb/310994 Select the download that's appropriate for your Operating System. Download the file & save it as it's originally named, next to ComboFix.exe. Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log. Please do not reboot your machine until we have reviewed the log. ---------------------------------------------------------------- Please download Malwarebytes' Anti-Malware from Here or Here Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. ---------------------------------------------------------------- Information to include in your next post: ComboFix Log Malwarebytes Log

mr_sledgeka

Aug 19 2008, 07:33 AM

Post #5

Member

Posts: 40
From: Australia
OS: XP

Hi Again!

Thanks for your assistance. Here's the log u requested.

Combofix log:

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut

MBAM log:

Malwarebytes' Anti-Malware 1.25
Database version: 1070
Windows 5.1.2600 Service Pack 2

11:27:28 PM 19/08/2008
mbam-log-08-19-2008 (23-27-28).txt

Scan type: Quick Scan
Objects scanned: 51897
Time elapsed: 5 minute(s), 13 second(s)

Memory Pro