HELP.....PLEASE!



#1
AQUA258

    Member
  • 169 posts
DR WATSON POSTMORTEM DEBUGGER??????problem. :)
Screen keeps freezing, have to keep turning the comp on and off. Have run all the cleaners that I have plus two Trend HouseCalls and nothing is fixing the problem.
Have been at this for days... over it... please help. :)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:36 AM, on 26/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - (no file)
O2 - BHO: (no name) - {2423041F-8B96-4280-95DC-709250944B8D} - C:\WINDOWS\system32\pmnnllm.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P26 "EPSON Stylus CX1500 Series" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P26 "EPSON Stylus CX1500 Series" /M "Stylus CX1500" /EF "HKCU"
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [System Patcher] BTCPatcher.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1186103321781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1186116406453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: pmnnllm - C:\WINDOWS\SYSTEM32\pmnnllm.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 9558 bytes


#2
loophole

    Malware Expert
  • Retired Staff
  • 9,798 posts
Hello :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.**
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double-click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

#3
AQUA258

    Member
  • Topic Starter
  • 169 posts
Hope this has all come out right????? Oh, by the way, when this prob started my comp was making a whooshing-like noise, no, not the fan. Then I did some updates through Microsoft Windows and the whooshing stopped. Now that I've run ComboFix the whoosh is back. It does it like every min or so, sounds like the comp is doing something but nothing showing.


ComboFix 08-01-23.1C - Owner 2008-01-26 8:18:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.75 [GMT 9:00]
Running from: C:\Documents and Settings\Owner\My Documents\My Completed Downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\ContextTool
C:\Program Files\ContextTool\ContextHelper.dat
C:\Program Files\ContextTool\pcre3.dll
C:\Program Files\ContextTool\uninstall.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\system32\cbxvvvt.dll
C:\WINDOWS\system32\cbxyaxw.dll
C:\WINDOWS\system32\opnkkih.dll
C:\WINDOWS\system32\opnljgf.dll
C:\WINDOWS\system32\pmnnllm.dll
C:\WINDOWS\system32\rqrpopq.dll
C:\WINDOWS\system32\rqrssqo.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-26 08:11 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-26 08:10 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-26 07:35 . 2008-01-26 07:35 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-26 07:35 . 2008-01-26 07:35 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-26 07:35 . 2008-01-26 07:35 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-26 07:34 . 2008-01-26 08:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-26 07:34 . <DIR> C:\WINDOWS\LastGood.Tmp
2008-01-24 15:29 . 2008-01-24 17:26 <DIR> d-------- C:\Program Files\RegScrubXP
2008-01-22 09:39 . 2004-08-30 21:00 1,499,136 --a------ C:\WINDOWS\system32\BTCPatcher.exe
2008-01-22 09:39 . 2008-01-23 06:02 39,936 --a------ C:\WINDOWS\system32\NTSpool.exe
2008-01-22 09:39 . 2008-01-22 09:39 37,888 --a------ C:\WINDOWS\system32\rar.exe
2008-01-19 16:57 . 2008-01-19 16:57 <DIR> d-------- C:\Program Files\BFG
2008-01-18 07:13 . 2008-01-18 07:13 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-18 07:11 . 2008-01-18 07:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-11 23:44 . 2008-01-11 23:44 <DIR> d-------- C:\Program Files\Google
2008-01-11 21:00 . 2007-09-18 02:31 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-11 21:00 . 2007-09-18 02:31 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-11 21:00 . 2007-09-18 02:31 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-11 20:56 . 2008-01-24 17:55 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 23:00 --------- d-----w C:\Program Files\USB Storage RW
2008-01-25 22:58 --------- d-----w C:\Program Files\DAP
2008-01-25 22:55 --------- d-----w C:\Program Files\MSN Messenger
2008-01-22 22:08 --------- d-----w C:\Program Files\XoftSpySE
2008-01-22 00:53 --------- d-----w C:\Program Files\LimeWire
2008-01-17 22:50 --------- d-----w C:\Program Files\Office 2007 Enterprise Edition
2007-12-29 06:55 --------- d-----w C:\Program Files\CRACK
2007-12-23 00:45 --------- d-----w C:\Program Files\ReflexiveArcade
2007-11-17 15:37 720,896 ----a-w C:\WINDOWS\iun6002ev.exe
2007-03-15 00:38 8,823,064 ----a-w C:\Program Files\Photoshop_albumSE_en_us_320.exe
2007-08-02 23:53 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EE5D279F-081B-4404-994D-C6B60AAEBA6D}
{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:56 15360]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-07-28 15:19 49152]
"EPSON Stylus CX1500 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.exe" [2004-06-01 19:26 99840]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-09-18 02:31 488712]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 14:04 52736]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-10-16 04:18 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-10-16 04:05 114688]
"KYE_Showicon"="C:\Program Files\USB Storage RW\shwicon.exe" [2002-10-25 13:33 69632]
"hp Silent Service"="C:\Windows\system32\HpSrvUI.exe" [2002-06-18 18:24 32768]
"hpScannerFirstBoot"="c:\hp\drivers\scanners\scannerfb.exe" [2001-12-13 17:24 20480]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 15:42 69632]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-17 21:11 69632]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 18:56 61440]
"nwiz"="nwiz.exe" [2003-07-28 15:19 323584 C:\WINDOWS\system32\nwiz.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 17:28 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 15:19 4841472]
"EPSON Stylus CX1500 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.exe" [2004-06-01 19:26 99840]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 14:48 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06 40048]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [2007-11-01 11:23 4568576]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-12-16 19:46 1393928]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 16:33 8720384]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"System Patcher"= BTCPatcher.exe

S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 08:34:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus CX1500 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P26 "EPSON Stylus CX1500 Series" /M "Stylus CX1500" /EF "HKCU"?$????$??????E????????????YB~.???????????????????????????????<????YB~????????????????????????h???X?C~????????????j?C~????????8??????|????T??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-26 8:46:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-25 23:46:09
.
2008-01-24 21:11:14 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:10 AM, on 26/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\BTCPatcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\BTCPatcher.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P26 "EPSON Stylus CX1500 Series" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P26 "EPSON Stylus CX1500 Series" /M "Stylus CX1500" /EF "HKCU"
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [System Patcher] BTCPatcher.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1186103321781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1186116406453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 9411 bytes

#4
loophole

    Malware Expert
  • Retired Staff
  • 9,798 posts
Hi, that came out good.

Have no idea on the sound, but I'll see if I can help with it.

Open Notepad and copy/paste the text in RED below into it:


File::
C:\WINDOWS\system32\BTCPatcher.exe
C:\WINDOWS\system32\NTSpool.exe
C:\WINDOWS\system32\rar.exe
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"System Patcher"=-
Save this as CFScript.txt, in the same location as ComboFix.exe (desktop)

Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt
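The CFScript above removes the Policies\Explorer\Run entry and the three files loophole picked out by hand from the logs. As an added illustration, not code from this thread, ComboFix or HijackThis, the Python below applies the same reasoning to lines from the first HijackThis log: it flags the Policies\Explorer\Run autorun, orphaned "(no file)" BHOs and the random-named system32 DLLs that ComboFix later deleted, then drafts a CFScript in the File::/Registry:: format shown above. The sample lines are copied from the log, while the "7-letter, vowel-poor DLL name" rule and the registry-key expansion are my own assumptions.

```python
"""Triage a HijackThis log for the autorun patterns seen in this thread and
draft the matching ComboFix CFScript (File:: and Registry:: sections)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the first HijackThis log in this thread.
HJT_SAMPLE = r"""
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - (no file)
O2 - BHO: (no name) - {2423041F-8B96-4280-95DC-709250944B8D} - C:\WINDOWS\system32\pmnnllm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKCU\..\Policies\Explorer\Run: [System Patcher] BTCPatcher.exe
O20 - Winlogon Notify: pmnnllm - C:\WINDOWS\SYSTEM32\pmnnllm.dll
"""

# HijackThis abbreviates Software\Microsoft\Windows\CurrentVersion as ".." (assumption
# about the expansion; the full key is what the Registry:: section needs).
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
CURRENT_VERSION = r"Software\Microsoft\Windows\CurrentVersion"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<sub>(?:[^\\\s]+\\)*)Run: "
                   r"\[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    kind: str                       # policy_run | orphan_bho | random_dll
    line: str                       # the log line that triggered it
    path: Optional[str] = None      # full path, when the log gives one
    reg_key: Optional[str] = None   # registry value to remove, when known
    reg_value: Optional[str] = None


def looks_random(path: str) -> bool:
    """Rough heuristic (my assumption) for the Vundo-style DLL names in this log
    (pmnnllm.dll, cbxvvvt.dll, ...): a 7-letter, nearly vowel-free name in system32."""
    name = path.rsplit("\\", 1)[-1].lower()
    in_system32 = "\\system32\\" in path.lower()
    if not (in_system32 and name.endswith(".dll")):
        return False
    stem = name[:-4]
    return stem.isalpha() and len(stem) == 7 and sum(c in "aeiou" for c in stem) <= 2


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            if m["target"] == "(no file)":
                # Orphaned BHO: CLSID still registered but the DLL is gone; cleanup only.
                findings.append(Finding("orphan_bho", line))
            elif m["name"] == "(no name)" and looks_random(m["target"]):
                findings.append(Finding("random_dll", line, path=m["target"]))
        elif m := O4_RE.match(line):
            # Policies\Explorer\Run is rarely used by legitimate installers, and
            # here it launches a bare "BTCPatcher.exe" with no path at all.
            if m["sub"].lower().startswith("policies\\"):
                key = "\\".join([HIVES.get(m["hive"], m["hive"]), CURRENT_VERSION,
                                 m["sub"].rstrip("\\"), "Run"])
                cmd = m["cmd"]
                path = cmd if "\\" in cmd else None   # full path must come from elsewhere
                findings.append(Finding("policy_run", line, path=path,
                                        reg_key=key, reg_value=m["value"]))
        elif m := O20_RE.match(line):
            # Winlogon Notify DLLs are loaded into winlogon.exe at every logon.
            if looks_random(m["path"]):
                findings.append(Finding("random_dll", line, path=m["path"]))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Emit the CFScript format used in this thread: File:: lists full paths to
    delete, Registry:: holds REGEDIT4 entries where "name"=- removes a value."""
    files, regs = {}, {}
    for f in findings:
        if f.path:
            files.setdefault(f.path.lower(), f.path)   # dedupe case-insensitively
        if f.reg_key:
            regs.setdefault(f.reg_key, []).append(f.reg_value)
    out = []
    if files:
        out.append("File::")
        out.extend(files[k] for k in sorted(files))
    if regs:
        out.append("Registry::")
        for key, values in regs.items():
            out.append(f"[{key}]")
            out.extend(f'"{v}"=-' for v in values)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage(HJT_SAMPLE)
    for f in found:
        print(f"{f.kind:11} {f.line}")
    print(build_cfscript(found))
```

BTCPatcher.exe comes out with no File:: line because the O4 entry gives no path; as in the thread, the full path has to be taken from another source such as ComboFix's "Files Created" section before the script is complete.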

#5
AQUA258

    Member
  • Topic Starter
  • 169 posts
PS: just in case it helps, another thing it's doing is opening up my pages in diff sizes (when I start any program). Still getting the send/don't send error crap. I'm not touching it cos it will freeze everything. I just move it around the screen so that I can get to the stuff I need... lol... beats turning the comp on and off.


ComboFix 08-01-23.1C - Owner 2008-01-26 10:14:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.93 [GMT 9:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\BTCPatcher.exe
C:\WINDOWS\system32\NTSpool.exe
C:\WINDOWS\system32\rar.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\BTCPatcher.exe
C:\WINDOWS\system32\NTSpool.exe
C:\WINDOWS\system32\rar.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-26 08:11 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-26 08:10 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-26 07:35 . 2008-01-26 07:35 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-26 07:35 . 2008-01-26 07:35 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-26 07:35 . 2008-01-26 07:35 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-26 07:34 . 2008-01-26 08:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-24 15:29 . 2008-01-24 17:26 <DIR> d-------- C:\Program Files\RegScrubXP
2008-01-19 16:57 . 2008-01-19 16:57 <DIR> d-------- C:\Program Files\BFG
2008-01-18 07:13 . 2008-01-18 07:13 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-18 07:11 . 2008-01-18 07:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-11 23:44 . 2008-01-11 23:44 <DIR> d-------- C:\Program Files\Google
2008-01-11 21:00 . 2007-09-18 02:31 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-11 21:00 . 2007-09-18 02:31 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-11 21:00 . 2007-09-18 02:31 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-11 20:56 . 2008-01-24 17:55 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 23:00 --------- d-----w C:\Program Files\USB Storage RW
2008-01-25 22:58 --------- d-----w C:\Program Files\DAP
2008-01-25 22:55 --------- d-----w C:\Program Files\MSN Messenger
2008-01-22 22:08 --------- d-----w C:\Program Files\XoftSpySE
2008-01-22 00:53 --------- d-----w C:\Program Files\LimeWire
2008-01-17 22:50 --------- d-----w C:\Program Files\Office 2007 Enterprise Edition
2007-12-29 06:55 --------- d-----w C:\Program Files\CRACK
2007-12-23 00:45 --------- d-----w C:\Program Files\ReflexiveArcade
2007-12-21 08:47 77,824 ----a-w C:\WINDOWS\system32\kdfapi.dll
2007-12-21 08:47 726,568 ----a-w C:\WINDOWS\system32\kdfmgr.exe
2007-12-21 08:47 53,248 ----a-w C:\WINDOWS\system32\Kdfhok.dll
2007-12-21 08:47 192,512 ----a-w C:\WINDOWS\system32\kdfvmgr.exe
2007-12-21 08:02 849,920 ----a-w C:\WINDOWS\system32\kdfinj.dll
2007-12-14 02:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-17 15:37 720,896 ----a-w C:\WINDOWS\iun6002ev.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 08:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-03-15 00:38 8,823,064 ----a-w C:\Program Files\Photoshop_albumSE_en_us_320.exe
2007-08-02 23:53 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.

((((((((((((((((((((((((((((( [email protected]_ 8.45.36.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-25 23:13:25 1,384,448 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-26 01:13:11 1,384,448 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-25 23:13:25 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-26 01:13:12 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-25 23:13:26 1,409,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-26 01:13:13 1,409,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-25 23:13:26 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-26 01:13:13 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-25 23:13:29 6,782,976 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-26 01:13:17 6,782,976 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-25 23:13:30 163,840 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-26 01:13:17 163,840 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EE5D279F-081B-4404-994D-C6B60AAEBA6D}
{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:56 15360]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-07-28 15:19 49152]
"EPSON Stylus CX1500 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.exe" [2004-06-01 19:26 99840]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-09-18 02:31 488712]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 14:04 52736]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-10-16 04:18 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-10-16 04:05 114688]
"KYE_Showicon"="C:\Program Files\USB Storage RW\shwicon.exe" [2002-10-25 13:33 69632]
"hp Silent Service"="C:\Windows\system32\HpSrvUI.exe" [2002-06-18 18:24 32768]
"hpScannerFirstBoot"="c:\hp\drivers\scanners\scannerfb.exe" [2001-12-13 17:24 20480]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 15:42 69632]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-17 21:11 69632]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 18:56 61440]
"nwiz"="nwiz.exe" [2003-07-28 15:19 323584 C:\WINDOWS\system32\nwiz.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 17:28 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 15:19 4841472]
"EPSON Stylus CX1500 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.exe" [2004-06-01 19:26 99840]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 14:48 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06 40048]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [2007-11-01 11:23 4568576]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-12-16 19:46 1393928]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 16:33 8720384]

S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 10:24:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus CX1500 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P26 "EPSON Stylus CX1500 Series" /M "Stylus CX1500" /EF "HKCU"?$????$??????E????????????YB~.???????????????????????????????<????YB~????????????????????????h???X?C~????????????j?C~????????8??????|????T??

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-01-26 10:28:11
ComboFix-quarantined-files.txt 2008-01-26 01:27:16
ComboFix2.txt 2008-01-25 23:46:19
.
2008-01-24 21:11:14 --- E O F ---


PS: forgot to add. I have a website...lets[bleep] dot net....up until the problem I did not have any drama getting into it. Now it won't let me in, then when it does it won't let me use ACP; in fact it doesn't show anywhere. Sent myself a "forgot my password" (thought that might have been affected). Got the new one OK, went in to change it to something I could remember and now I'm back to square one. Would you know, 1) is this because of the virus I had or a separate issue? Have never had this prob before????????

Edited by AQUA258, 26 January 2008 - 01:25 AM.


#6 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi

What is this folder C:\Program Files\CRACK?

I have no idea on the other problems; I have never seen them before from this virus or from running ComboFix. Let's keep cleaning.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt. Please post the log with a new HijackThis log


#7 AQUA258 (Member, Topic Starter, 169 posts)
OK...firstly, CRACK is a password to one of my games.

As for d/loading from that link, it will not work. Yes, it does d/load but won't install.

SAYS....."The archive is either in unknown format or damaged" Cannot open C:\Documents and settings\owner\completed d/oads. So I tried just the desktop and it's telling me the same???????

#8 AQUA258 (Member, Topic Starter, 169 posts)
Was still trying to d/load; now it says "You have been disconnected from the website. Check your internet connection"????????????

I'm obviously connected if I'm writing this?

#9 AQUA258 (Member, Topic Starter, 169 posts)
UPDATE:

Have been trying to d/load it from four diff sites and still no luck. Little box came up and told me "DAP encountered problems, will have to close. Send/don't send error report."

#10 loophole (Malware Expert, Retired Staff, 9,798 posts)
OK, let's try something else.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site, click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click Send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component, allow it
  • It will start downloading the files it requires for the scan (Note: it may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

#11 AQUA258 (Member, Topic Starter, 169 posts)
HEY HEY,
Once the scan was finished I couldn't believe it said I had 80+ viruses....say what??


Incident Status Location

Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Default User\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/FileProtec.A Not disinfected C:\Documents and Settings\Default User\Local Settings\Temp\Temporary Directory 1 for Vista-Theme.zip\Setup.exe[wfpdisable.exe]
Potentially unwanted tool:Application/FileProtec.A Not disinfected C:\Documents and Settings\Default User\My Documents\Zipped Files\Vista-Theme.zip[Setup.exe][wfpdisable.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.cfexe]
Virus:Trj/SpaBot.AI Disinfected C:\Documents and Settings\Owner\Google Earth Pro 4.2\Google Earth Pro 4.2\gep_addon_4.2.180.1134.exe
Virus:Trj/SpaBot.AI Disinfected C:\Documents and Settings\Owner\Google Earth Pro 4.2\Google Earth Pro 4.2\GoogleEarthWinProSetup.exe
Possible Virus. Not disinfected C:\Documents and Settings\Owner\My Documents\My Games\Mahjong match\Mahjong.RWG
Virus:Trj/SpaBot.AI Disinfected C:\Documents and Settings\Owner\My Documents\Trend.Micro.Internet.Security.Pro.2008.v16.00.1412.Incl.Keymaker-CORE\Trend.Micro.Internet.Security.Pro.2008.v16.00.1412.Incl.Keymaker-CORE\keygen.exe
Virus:Trj/SpaBot.AI Disinfected C:\Documents and Settings\Owner\My Documents\Trend.Micro.Internet.Security.Pro.2008.v16.00.1412.Incl.Keymaker-CORE\Trend.Micro.Internet.Security.Pro.2008.v16.00.1412.Incl.Keymaker-CORE\setup.exe
Virus:Trj/SpaBot.AI Not disinfected C:\Documents and Settings\Owner\My Documents\Zipped Files\007.Spy.Software.v3.874.Datecode.rar[007.Spy.Software.v3.874.Datecode\007.Spy.Software.v3.874.Datecode\setup.exe]
Virus:Trj/SpaBot.AI Disinfected C:\Documents and Settings\Owner\My Documents\Zipped Files\Trend.Micro.Internet.Security.Pro.2008.v16.00.1412.Incl.zip[Trend.Micro.Internet.Security.Pro.2008.v16.00.1412.Incl.Keymaker-CORE/Trend.Micro.Internet.Security.Pro.2008.v16.00.1412.Incl.Keymaker-CORE/k
Virus:Trj/SpaBot.AI Disinfected C:\Documents and Settings\Owner\My Documents\Zipped Files\Trend.Micro.Internet.Security.Pro.2008.v16.00.1412.Incl.zip[Trend.Micro.Internet.Security.Pro.2008.v16.00.1412.Incl.Keymaker-CORE/Trend.Micro.Internet.Security.Pro.2008.v16.00.1412.Incl.Keymaker-CORE/s
Potentially unwanted tool:Application/FileProtec.A Not disinfected C:\Documents and Settings\Owner\My Documents\Zipped Files\Vista-Theme.zip[Setup.exe][wfpdisable.exe]
Virus:Trj/SpaBot.AI Not disinfected C:\Documents and Settings\Owner\Shared\007.Spy.Software.v3.874.Datecode.zip[007.Spy.Software.v3.874.Datecode\setup.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\3D Studio Max 9 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Adobe Acrobat Professional 8.1 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Adobe Creative Suite 3 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Adobe Photoshop CS3 Crack.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Adobe Photoshop CS3 Lite KEY.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Adobe Photoshop Elements v6.0 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Adobe Photoshop Lightroom 1.3 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Adobe Premiere Pro CS3 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Advanced System Optimizer 2.20.4.746 Crack.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Advanced Uninstaller Professional 8.5.1 + Working KEY.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Alcohol 120 v.1.9.6 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Alive YouTube Video Converter 1.2.6.9.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\ALL.Adobe.Products.Cracks.and.Keygens.(ALL.in.One).rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\All.Antivirus.Keygen-Serials-Cracks.(Symantec-Antivir-McAfee-Kaspersky-Nod32-AVG).by.ElL0cos.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\All.MicroSoft.Products.Keygens.and.Cracks.(all-in-one).rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\AnyDVD & AnyDVD HD 6.3 Crack.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Ashampoo Office 2008 3.00 + KEY.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Autodesk 3DS MAX 2008 Crack.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Autodesk AutoCAD 2008 Crack.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Autodesk Inventor Suite 2008 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Black XP 5.0 DVD Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\ConvertXtoDVD 2.2.3.2 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\CyberLink PowerDVD 7.3.3516 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Daemon Tools Pro Basic 4.11.0219 Serial.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\DivX Bundle 6.8 Professional + Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\DivX-XviD.Multi.Converter.1.9.[Converte.movies.en.el.fomrat.de.tu.selciòn).rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\DVDFab Platinum 4.0.1.2 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\DVDFab Platinum 4.0.3 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Easy DVD Creator 1.6.2 Working KEY! Espanòl.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\ESET NOD32 Antivirus 3.0.566 Patcher to have ALL updates.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\FL Studio 7 Crack.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\FlashFXP.v3.6.MULTiLiNGUAL-(ESP-ITA-ENG-DEU-FRA)-KeyGen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\FlashGet 1.9.6.1073 [Best Download manager] + Key.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Google Earth 4.2 Keygen.rar[BTCPatcher.exe]
Virus:Trj/SpaBot.AI Not disinfected C:\Documents and Settings\Owner\Shared\Google Earth Pro 4.2.zip[Google Earth Pro 4.2\gep_addon_4.2.180.1134.exe]
Virus:Trj/SpaBot.AI Not disinfected C:\Documents and Settings\Owner\Shared\Google Earth Pro 4.2.zip[Google Earth Pro 4.2\GoogleEarthWinProSetup.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Guitar Pro v5.2 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Internet Download Manager 5.11.10 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Intervideo WinDVD Platinum 8.0 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Kaspersky Antivirus Working Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Macromedia DreamWeaver CS3 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Magic DVD Ripper 5.2.1[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Magic ISO 5.4 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Magic Video Converter 8.0.2.18 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Matlab 2007 Crack.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\McAfee.Total.Protection.2007.Multilingual.Working.Crack-DAiMX.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\McAfee.Total.Protection.2008.WorkingPatch.Update.TILL.2010.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Mega.CODEC.Video.and.Audio.for.WindowsXP.and.Windows.VISTA.colleciòn.by.MustaX.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Microsoft Office 2007 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Microsoft Windows VISTA Validation Crack 2008 Patch.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Nero 8 Ultra Edition 8.1.1.4 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\NOD32 3.xx Universal Fix Patch.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Norton 360 Working Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Norton Ghost 12 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Norton Product Suite 2007 Keygen (WORK).rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\NortonInternetSecurity 2008 Espanol [gracias oN0x].rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\O&O Defrag Professional 10.0.1634 Key (funciona).rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Oxygen Phone Manager for Nokia Phones II 2.12.1.5.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Pinnacle Studio Plus v11 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\PlayStation 2 Emulator for PC (PCSX2).rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Power ISO 3.8 + Aiudos + Cracks.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Power ISO 3.8 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\RapidGet.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Rapidshare Leecher 2008 + All Rapidshare Tools.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Rapidshare Premium Donloader.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Real Player 11.0.0.372 Crack-W0rking.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Roxio Easy Media Creator 10 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Spyware Doctor 5.1.0.273.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\TuneUp Utilities 2007 6.0.2311 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Winamp Pro v5.5 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\WinAVI Video Converter 8.0 Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Windows Vista x86 Ultimate Genuine Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\Windows XP Professional Genuine Keygen.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\WinRar 3.71 Crack.rar[BTCPatcher.exe]
Virus:W32/P2PShared.D.worm Not disinfected C:\Documents and Settings\Owner\Shared\YouTube Downloader.rar[BTCPatcher.exe]
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\DAP\Offers\VA21_DAPSO.exe
Virus:W32/P2PShared.D.worm Disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\BTCPatcher.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\Nircmd.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt
Spyware:Cookie/Tucows Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/FileProtec.A Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temporary Directory 1 for Vista-Theme.zip\Setup.exe[wfpdisable.exe]
Potentially unwanted tool:Application/FileProtec.A Not disinfected C:\WINDOWS\system32\config\systemprofile\My Documents\Zipped Files\Vista-Theme.zip[Setup.exe][wfpdisable.exe]



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:57 PM, on 28/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE
C:\WINDOWS\vsnpstd.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P26 "EPSON Stylus CX1500 Series" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P26 "EPSON Stylus CX1500 Series" /M "Stylus CX1500" /EF "HKCU"
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1186103321781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1186116406453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 9574 bytes
  • 0

#12
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts

Once the scan was finished I couldn't believe it said I had 80+ viruses....say what??

Basically all the cracks and keygens are what it is finding infected :) I wonder how you were infected?? :)

C:\Documents and Settings\Owner\Shared
What's inside this folder is the main culprit. I'll write a script to take them out, or you can do it manually. What do you prefer?
  • 0

#13
AQUA258

    Member

  • Topic Starter
  • Member
  • 169 posts
HEY HEY, Had to laugh when I saw all those infections. Got that crap a while ago, thought I'd deleted it all. None of the scanners were picking them up so I assumed it was all gone and that it was something else causing the problem. Have deleted and re-scanned, gotta say it's looking somewhat better...lol...
Needs a tad more cleaning though?????.....lol

Incident Status Location

Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Default User\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/FileProtec.A Not disinfected C:\Documents and Settings\Default User\Local Settings\Temp\Temporary Directory 1 for Vista-Theme.zip\Setup.exe[wfpdisable.exe]
Potentially unwanted tool:Application/FileProtec.A Not disinfected C:\Documents and Settings\Default User\My Documents\Zipped Files\Vista-Theme.zip[Setup.exe][wfpdisable.exe]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.cfexe]
Possible Virus. Not disinfected C:\Documents and Settings\Owner\My Documents\My Games\Mahjong match\Mahjong.RWG
Virus:Trj/SpaBot.AI Not disinfected C:\Documents and Settings\Owner\My Documents\Zipped Files\007.Spy.Software.v3.874.Datecode.rar[007.Spy.Software.v3.874.Datecode\007.Spy.Software.v3.874.Datecode\setup.exe]
Potentially unwanted tool:Application/FileProtec.A Not disinfected C:\Documents and Settings\Owner\My Documents\Zipped Files\Vista-Theme.zip[Setup.exe][wfpdisable.exe]
Virus:Trj/SpaBot.AI Not disinfected C:\Documents and Settings\Owner\Shared\007.Spy.Software.v3.874.Datecode.zip[007.Spy.Software.v3.874.Datecode\setup.exe]
Virus:Trj/SpaBot.AI Not disinfected C:\Documents and Settings\Owner\Shared\Google Earth Pro 4.2.zip[Google Earth Pro 4.2\gep_addon_4.2.180.1134.exe]
Virus:Trj/SpaBot.AI Not disinfected C:\Documents and Settings\Owner\Shared\Google Earth Pro 4.2.zip[Google Earth Pro 4.2\GoogleEarthWinProSetup.exe]
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\DAP\Offers\VA21_DAPSO.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\Nircmd.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt
Spyware:Cookie/Tucows Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/FileProtec.A Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temporary Directory 1 for Vista-Theme.zip\Setup.exe[wfpdisable.exe]
Potentially unwanted tool:Application/FileProtec.A Not disinfected C:\WINDOWS\system32\config\systemprofile\My Documents\Zipped Files\Vista-Theme.zip[Setup.exe][wfpdisable.exe]


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:17 PM, on 28/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE
C:\WINDOWS\vsnpstd.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P26 "EPSON Stylus CX1500 Series" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P26 "EPSON Stylus CX1500 Series" /M "Stylus CX1500" /EF "HKCU"
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1186103321781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1186116406453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 9540 bytes
  • 0

#14
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi again :)

Please manually delete these folders:

C:\Documents and Settings\Default User\My Documents\Zipped Files\Vista-Theme.zip
C:\Documents and Settings\Owner\My Documents\Zipped Files\007.Spy.Software.v3.874.Datecode.rar
C:\Documents and Settings\Owner\Shared\Google Earth Pro 4.2.zip
C:\Program Files\DAP\Offers
C:\WINDOWS\system32\config\systemprofile\My Documents\Zipped Files\Vista-Theme.zip

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK



Your computer is clean :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here
  • 0
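The following is an added example, not something posted in this thread and not part of any of the tools named here. It is a small Python triage helper that reads lines in the Incident / Status / Location shape of the ActiveScan report above, splits the archive member path (the bracketed part) off the file that actually sits on disk, and ranks the containing directories by detections, which is the reasoning behind the folder list in the post above. The sample lines are copied from that report, except the cookie file name, which is a constructed placeholder; the "Disinfected" and "Deleted" status strings are assumed alternatives, since only "Not disinfected" appears on the page.

```python
"""Triage helper for ActiveScan-style report lines (added example, not from the thread)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample input: report lines copied from the scan output posted above.
# The cookie file name is a placeholder; the forum page does not show the real one.
SAMPLE_REPORT = r"""
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Default User\Cookies\example-cookie[1].txt
Potentially unwanted tool:Application/FileProtec.A Not disinfected C:\Documents and Settings\Owner\My Documents\Zipped Files\Vista-Theme.zip[Setup.exe][wfpdisable.exe]
Virus:Trj/SpaBot.AI Not disinfected C:\Documents and Settings\Owner\Shared\007.Spy.Software.v3.874.Datecode.zip[007.Spy.Software.v3.874.Datecode\setup.exe]
Virus:Trj/SpaBot.AI Not disinfected C:\Documents and Settings\Owner\Shared\Google Earth Pro 4.2.zip[Google Earth Pro 4.2\gep_addon_4.2.180.1134.exe]
Virus:Trj/SpaBot.AI Not disinfected C:\Documents and Settings\Owner\Shared\Google Earth Pro 4.2.zip[Google Earth Pro 4.2\GoogleEarthWinProSetup.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.com]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\DAP\Offers\VA21_DAPSO.exe
"""

# "Not disinfected" is the only status seen on the page; the other two are assumed
# alternatives and only matter for lines this sample does not contain.
LINE_RE = re.compile(
    r"^(?P<incident>.+?) (?P<status>Not disinfected|Disinfected|Deleted) "
    r"(?P<location>[A-Za-z]:\\.+)$"
)
# Trailing [member] groups mark a file inside an archive (or an installer);
# a bracket followed by more text, as in cookie[1].txt, is just part of the name.
MEMBERS_RE = re.compile(r"^(?P<container>.*?)(?P<members>(?:\[[^\]]*\])+)$")


@dataclass
class Finding:
    incident: str          # e.g. "Virus:Trj/SpaBot.AI"
    status: str
    container: str         # the file on disk that holds the detection
    members: list = field(default_factory=list)  # path inside the archive, if any

    @property
    def category(self) -> str:
        # "Virus", "Spyware", "Potentially unwanted tool", or the whole incident
        # text when the scanner gives no category (e.g. "Possible Virus.")
        return self.incident.split(":", 1)[0]

    @property
    def directory(self) -> str:
        return str(PureWindowsPath(self.container).parent)


def parse_report(text: str) -> list:
    """Turn report lines into Finding records; unknown line shapes are an error, not silently skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised report line: {line!r}")
        location = m.group("location")
        container, members = location, []
        mm = MEMBERS_RE.match(location)
        if mm:
            container = mm.group("container")
            members = re.findall(r"\[([^\]]*)\]", mm.group("members"))
        findings.append(Finding(m.group("incident"), m.group("status"), container, members))
    return findings


def rank_directories(findings) -> list:
    """Directories ordered by Virus-class hits, then total hits, then name.

    Several hits inside one archive share a single container, so each row also
    lists the distinct files that would have to be removed from that directory.
    Rows are (directory, virus_hits, total_hits, sorted containers).
    """
    stats = defaultdict(lambda: {"virus": 0, "total": 0, "containers": set()})
    for f in findings:
        s = stats[f.directory]
        s["total"] += 1
        s["containers"].add(f.container)
        if f.category == "Virus":
            s["virus"] += 1
    return sorted(
        ((d, s["virus"], s["total"], sorted(s["containers"])) for d, s in stats.items()),
        key=lambda row: (-row[1], -row[2], row[0]),
    )


if __name__ == "__main__":
    for directory, virus, total, containers in rank_directories(parse_report(SAMPLE_REPORT)):
        print(f"{virus} virus / {total} total hits in {directory}")
        for c in containers:
            print(f"    {c}")
```

Run as-is, the Owner\Shared folder comes out on top with three Virus-class hits spread over its two archives, which is the same call the expert made by eye; the archive member names are kept on each Finding so the summary can say which file inside the zip triggered the detection without losing track of the zip itself as the thing to delete.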

#15
AQUA258

    Member

  • Topic Starter
  • Member
  • 169 posts
HEY HEY,

ALL DELETED. :)

YOU'RE AN ABSOLUTE BABE :) ...........THANK YOU. :) :) :)


:)

PS: Should I create a restore point now that I'm good to go????
  • 0