Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

spyware/trojan infection [RESOLVED]


  • This topic is locked This topic is locked

#1
bigtrain

bigtrain

    Member

  • Member
  • PipPip
  • 13 posts
Hi,

My XP Home PC was badly infected with the the "Alert: Windows has detected spware..." popup spyware, some keyloggers, and a trojan horses. I have SpySweeper and ran that, then ran Anti-Malware, SuperAntiSpyware, Panda Scan, and Norton Antivirus (my antivirus SW), as directed in the "You Must Read This..." post.

My PC appears to be working OK again, and I'm not getting the popups anymore, but I'd greatly appreciate it if someone could take a look at my HijackThis log and confirm that for me. I'm particularly worried about the keylogger that SpySweeper found.

Thanks! Log files to follow...
  • 0

Advertisements


#2
bigtrain

bigtrain

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hijack this log (before the cleaning)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:15 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MEDIC] "C:\Program Files\MEDIC\bin\sprtcmd.exe" /P MEDIC
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [ZMzGY8TYMc] C:\Documents and Settings\All Users\Application Data\nmbidgje\vovangha.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Lexibase Express.lnk = C:\Program Files\Softissimo\Lexibase Standard\exe\L-Express.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activatio...ads/tgctlcm.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189905789468
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...ploader_v10.cab
O21 - SSODL: WinSys - {ade28052-fd28-4b54-bec0-734460153aaf} - C:\WINDOWS\Resources\WinSys.dll
O21 - SSODL: mgsvflkw - {454C740E-3A09-43FE-B98C-A3990B153AFE} - C:\WINDOWS\mgsvflkw.dll
O21 - SSODL: qdnkewfa - {163827A6-E0CD-4F1F-AEE4-F9EA15BD85C6} - C:\WINDOWS\qdnkewfa.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Unknown owner - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 8801 bytes
  • 0

#3
bigtrain

bigtrain

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
log from first sweep with malwarebytes....

Malwarebytes' Anti-Malware 1.11
Database version: 617

Scan type: Quick Scan
Objects scanned: 29183
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 36
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 3
Files Infected: 28

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\vtULDtTL.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dc968f14-7b70-4e25-9f21-17b6e41338ea} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{dc968f14-7b70-4e25-9f21-17b6e41338ea} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{01a33d85-4706-452a-b71a-99510ada8c0c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01a33d85-4706-452a-b71a-99510ada8c0c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{518fcfca-2ff9-4837-ad4f-e4e054285b31} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5e684cfe-e366-4172-accd-5ee49a5bd8e6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{fcaba9a1-64f7-4aeb-860e-bc48003884e3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fa9fc1fb-0776-4900-8a18-a3e46f0f5842} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cf66d2ce-e013-450d-939c-a1c12375a840} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{566c6071-fbb6-490c-a333-e489dde9424d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{566c6071-fbb6-490c-a333-e489dde9424d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\vnbptxlf.bopq (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4126a715-7157-459a-be7f-d19c9770e169} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\vnbptxlf.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{163827a6-e0cd-4f1f-aee4-f9ea15bd85c6} (Trojan.FalkeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ade28052-fd28-4b54-bec0-734460153aaf} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{454c740e-3a09-43fe-b98c-a3990b153afe} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\vnbptxlf.bopq (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\vnbptxlf.ToolBar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin (Trojan.Fakealert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZMzGY8TYMc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{01a33d85-4706-452a-b71a-99510ada8c0c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\qdnkewfa (Trojan.FalkeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WinSys (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mgsvflkw (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtuldttl -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\WINDOWS\system32smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lance Bodnar\Desktopvirii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\vtULDtTL.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\LTtDLUtv.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LTtDLUtv.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\nmbidgje\vovangha.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\temlxopqrxg.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\vnbptxlf.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Web\def.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zmjujmrk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\qdnkewfa.dll (Trojan.FalkeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lance Bodnar\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lance Bodnar\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lance Bodnar\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lance Bodnar\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lance Bodnar\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\Resources\WinSys.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\iTunesMusic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\mgsvflkw.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\apoxqwfv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
  • 0

#4
bigtrain

bigtrain

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
log from second sweep with malwarebytes....

Malwarebytes' Anti-Malware 1.11
Database version: 617

Scan type: Quick Scan
Objects scanned: 28968
Time elapsed: 8 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dc968f14-7b70-4e25-9f21-17b6e41338ea} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dc968f14-7b70-4e25-9f21-17b6e41338ea} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\vtULDtTL.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LTtDLUtv.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LTtDLUtv.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
  • 0

#5
bigtrain

bigtrain

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
log file from SuperAntiSpyware...

SUPERAntiSpyware Scan Log
Generated 04/12/2008 at 01:40 PM

Application Version : 3.6.1000

Core Rules Database Version : 3190
Trace Rules Database Version: 1200

Scan type : Complete Scan
Total Scan Time : 02:04:06

Memory items scanned : 531
Memory threats detected : 0
Registry items scanned : 5584
Registry threats detected : 2
File items scanned : 100415
File threats detected : 1

Unclassified.Unknown Origin
HKU\S-1-5-21-1644491937-790525478-725345543-1004\Software\Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}
HKCR\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
  • 0

#6
bigtrain

bigtrain

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hijack this log (after the cleanings)...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:40 PM, on 4/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\PROMon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MEDIC\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
C:\Program Files\Softissimo\Lexibase Standard\exe\L-Express.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Softissimo\Lexibase Standard\exe\lexibase.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MEDIC] "C:\Program Files\MEDIC\bin\sprtcmd.exe" /P MEDIC
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ServUTrayIcon] "C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\DOCUME~1\LANCEB~1\LOCALS~1\Temp\SSUPDATE.EXE" Software\SUPERAntiSpyware.com\SUPERAntiSpyware
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Lexibase Express.lnk = C:\Program Files\Softissimo\Lexibase Standard\exe\L-Express.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activatio...ads/tgctlcm.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189905789468
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: khfDtRIY - khfDtRIY.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 11605 bytes
  • 0

#7
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there and sorry for the delay but as you replied to yourself we assumed it was taken..

Lets have a fresh look at your system

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#8
bigtrain

bigtrain

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi,

Thanks very much for getting back to me. Sorry for the breach in protocol by replying to myself.

I seem to still be infected with something. Norton is telling me that it is intercepting Trojan Zlob, and Spysweeper quarantined something called EncLoad.

Here are the DSS reports:

Deckard's System Scanner v20071014.68
Run by Lance Bodnar on 2008-04-24 23:57:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
40: 2008-04-25 06:58:08 UTC - RP552 - Deckard's System Scanner Restore Point
39: 2008-04-21 00:48:31 UTC - RP551 - System Checkpoint
38: 2008-04-19 19:59:43 UTC - RP550 - System Checkpoint
37: 2008-04-12 22:58:28 UTC - RP549 - Software Distribution Service 3.0
36: 2008-04-12 18:30:52 UTC - RP548 - Installed SUPERAntiSpyware Free Edition


-- First Restore Point --
1: 2008-04-10 04:24:56 UTC - RP513 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Lance Bodnar.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:25 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\PROMon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MEDIC\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
C:\Program Files\Softissimo\Lexibase Standard\exe\L-Express.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Softissimo\Lexibase Standard\exe\lexibase.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Lance Bodnar\Local Settings\Temporary Internet Files\Content.IE5\APMHI5LS\MediaTubeCodec_ver1.1210.0[1].exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Lance Bodnar\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Lance Bodnar.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MEDIC] "C:\Program Files\MEDIC\bin\sprtcmd.exe" /P MEDIC
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ServUTrayIcon] "C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\DOCUME~1\LANCEB~1\LOCALS~1\Temp\SSUPDATE.EXE" Software\SUPERAntiSpyware.com\SUPERAntiSpyware
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Lance Bodnar"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Lexibase Express.lnk = C:\Program Files\Softissimo\Lexibase Standard\exe\L-Express.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activatio...ads/tgctlcm.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189905789468
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: khfDtRIY - khfDtRIY.dll (file missing)
O21 - SSODL: WinSetup - {f06a233a-e948-4469-b57a-456296ef951f} - C:\WINDOWS\Resources\WinSetup.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 11885 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R3 NMSCFG (NIC Management Service Configuration Driver) - c:\windows\system32\drivers\nmscfg.sys <Not Verified; Intel Corporation; Intel® NMSCFG Driver>

S3 PCDRDRV (Pcdr Helper Driver) - c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys (file missing)
S3 PcdrNt - c:\windows\system32\drivers\pcdrnt.sys <Not Verified; PC-Doctor Inc.; PC-Doctor NT 3.0>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 NMSSvc (Intel® NMS) - c:\windows\system32\nmssvc.exe <Not Verified; Intel Corporation; NMS>

S3 PictureTaker - c:\windows\system32\pctkrnt.sys <Not Verified; LANovation; PictureTaker Software Family>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\5000C14123C00
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\5000C14123C00
Service: NIC1394

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&3A2C8C4B&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&3A2C8C4B&0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2008-04-19 10:22:12 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-03-29 10:37:01 544 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Lance Bodnar.job


-- Files created between 2008-03-24 and 2008-04-24 -----------------------------

2008-04-24 23:51:14 0 d-------- C:\WINDOWS\system32\382077
2008-04-19 10:39:20 0 d-------- C:\Program Files\iTunes
2008-04-19 10:34:46 0 d-------- C:\Program Files\QuickTime
2008-04-13 08:44:43 0 d-------- C:\VundoFix Backups
2008-04-12 11:31:11 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-12 11:30:54 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-12 11:30:53 0 d-------- C:\Documents and Settings\Lance Bodnar\Application Data\SUPERAntiSpyware.com
2008-04-12 11:25:01 0 d-------- C:\Documents and Settings\Lance Bodnar\Application Data\Malwarebytes
2008-04-12 11:16:05 0 d-------- C:\Program Files\Panda Security
2008-04-12 11:13:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-12 11:04:47 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-12 10:39:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-12 10:39:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-12 10:39:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-12 10:38:35 0 d-------- C:\Program Files\Common Files\Download Manager
2008-04-09 22:06:21 0 d-------- C:\Program Files\Trend Micro
2008-04-09 22:05:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-04-08 11:38:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-04-08 11:30:22 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-08 11:30:22 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-08 11:30:22 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-08 11:30:22 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-04-08 11:30:22 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-08 11:30:22 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-08 11:30:22 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-04-08 11:30:22 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-08 11:30:22 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-04-08 11:30:22 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-08 11:30:22 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-04-08 11:30:22 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-08 11:30:22 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-08 11:30:21 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-08 11:30:00 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-04-07 19:12:00 0 d-------- C:\Documents and Settings\Lance Bodnar\Application Data\TmpRecentIcons
2008-04-07 16:39:04 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-04-07 16:39:04 4096 --a------ C:\WINDOWS\system32winlogonpc.exe
2008-04-07 16:39:04 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-04-07 16:39:02 4096 --a------ C:\WINDOWS\system32taack.exe
2008-04-07 16:39:02 4096 --a------ C:\WINDOWS\system32taack.dat
2008-04-07 16:39:02 4096 --a------ C:\WINDOWS\system32sncntr.exe
2008-04-07 16:39:02 4096 --a------ C:\WINDOWS\system32mwin32.exe
2008-04-07 16:39:02 4096 --a------ C:\WINDOWS\system32hxiwlgpm.exe
2008-04-07 16:39:02 4096 --a------ C:\WINDOWS\system32hxiwlgpm.dat
2008-04-07 16:39:02 4096 --a------ C:\WINDOWS\system32hoproxy.dll
2008-04-07 16:39:02 4096 --a------ C:\WINDOWS\a.bat
2008-04-07 16:39:01 4096 --a------ C:\WINDOWS\system32psoft1.exe
2008-04-07 16:39:01 4096 --a------ C:\WINDOWS\system32psof1.exe
2008-04-07 16:39:01 4096 --a------ C:\WINDOWS\system32ps1.exe
2008-04-07 16:39:01 4096 --a------ C:\WINDOWS\system32bsva-egihsg52.exe
2008-04-07 16:39:00 4096 --a------ C:\WINDOWS\system32ssurf022.dll
2008-04-07 16:39:00 4096 --a------ C:\WINDOWS\system32netode.exe
2008-04-07 16:39:00 4096 --a------ C:\WINDOWS\system32mtr2.exe
2008-04-07 16:39:00 4096 --a------ C:\WINDOWS\system32msnbho.dll
2008-04-07 16:39:00 4096 --a------ C:\WINDOWS\system32msgp.exe
2008-04-07 16:39:00 4096 --a------ C:\WINDOWS\system32medup020.dll
2008-04-07 16:39:00 4096 --a------ C:\WINDOWS\system32medup012.dll
2008-04-07 16:38:45 4096 --a------ C:\WINDOWS\system32thun32.dll
2008-04-07 16:38:45 4096 --a------ C:\WINDOWS\system32temp#01.exe
2008-04-07 16:38:45 4096 --a------ C:\WINDOWS\system32ssvchost.exe
2008-04-07 16:38:45 4096 --a------ C:\WINDOWS\system32ssvchost.com
2008-04-07 16:38:45 4096 --a------ C:\WINDOWS\system32regm64.dll
2008-04-07 16:38:45 4096 --a------ C:\WINDOWS\system32regc64.dll
2008-04-07 16:38:45 4096 --a------ C:\WINDOWS\system32msvchost.exe
2008-04-07 16:38:45 4096 --a------ C:\WINDOWS\[email protected]@@k.dll
2008-04-07 16:38:45 4096 --a------ C:\WINDOWS\system32dpcproxy.exe
2008-04-07 16:38:45 4096 --a------ C:\Documents and Settings\Lance Bodnar\Desktopfilemanagerclient.exe
2008-04-07 16:38:44 4096 --a------ C:\WINDOWS\system32thun.dll
2008-04-07 16:38:44 4096 --a------ C:\WINDOWS\system32Rundl1.exe
2008-04-07 16:38:44 4096 --a------ C:\Documents and Settings\Lance Bodnar\DesktopFWebdEditor.exe
2008-04-07 16:38:44 4096 --a------ C:\Documents and Settings\Lance Bodnar\Desktopfwebd.exe
2008-04-07 16:37:49 4096 --a------ C:\WINDOWS\winsystem.exe
2008-04-07 16:37:49 4096 --a------ C:\WINDOWS\system32winsystem.exe
2008-04-07 16:37:49 4096 --a------ C:\WINDOWS\system32vcatchpi.dll
2008-04-07 16:37:49 4096 --a------ C:\WINDOWS\system32newsd32.exe
2008-04-07 16:37:49 4096 --a------ C:\WINDOWS\system32emesx.dll
2008-04-07 16:37:49 4096 --a------ C:\WINDOWS\system32anticipator.dll
2008-04-07 16:37:49 4096 --a------ C:\WINDOWS\system32akttzn.exe
2008-04-07 16:37:48 4096 --a------ C:\WINDOWS\system32WINWGPX.EXE
2008-04-07 16:37:48 4096 --a------ C:\WINDOWS\system32sysreq.exe
2008-04-07 16:37:48 4096 --a------ C:\WINDOWS\system32mssecu.exe
2008-04-07 16:37:48 4096 --a------ C:\WINDOWS\system32bdn.com
2008-04-07 16:37:48 4096 --a------ C:\WINDOWS\system32awtoolb.dll
2008-04-07 16:37:47 4096 --a------ C:\WINDOWS\system32vbsys2.dll
2008-04-07 16:37:10 0 d-------- C:\Documents and Settings\All Users\Application Data\nmbidgje


-- Find3M Report ---------------------------------------------------------------

2008-04-24 18:58:47 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-0000000D-00001102-00000004-00581102}.dat
2008-04-24 18:58:47 24 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-0000000D-00001102-00000004-00581102}.dat
2008-04-24 16:35:52 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-19 10:39:43 0 d-------- C:\Program Files\iPod
2008-04-19 10:22:08 0 d-------- C:\Program Files\Apple Software Update
2008-04-12 13:55:23 0 d-------- C:\Documents and Settings\Lance Bodnar\Application Data\Share-to-Web Upload Folder
2008-04-12 10:38:35 0 d-------- C:\Program Files\Common Files
2008-03-22 09:39:53 0 d-------- C:\Documents and Settings\Lance Bodnar\Application Data\Adobe
2008-03-08 19:18:10 0 d-------- C:\Program Files\Unity
2008-03-02 14:19:15 0 d-------- C:\Documents and Settings\Lance Bodnar\Application Data\Intuit
2008-03-02 14:11:52 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-02 14:11:50 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-02 14:03:47 0 d-------- C:\Program Files\TurboTax


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PROMon.exe"="PROMon.exe" [04/18/2002 06:32 PM C:\WINDOWS\system32\PROMon.exe]
"CTHelper"="CTHELPER.EXE" [10/01/2005 06:58 PM C:\WINDOWS\system32\cthelper.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 01:00 AM]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [10/04/2001 01:00 AM]
"GWMDMMSG"="GWMDMMSG.exe" [10/01/2005 06:58 PM C:\WINDOWS\GWMDMMSG.exe]
"GWMDMpi"="C:\WINDOWS\GWMDMpi.exe" [10/01/2005 06:58 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [05/24/2002 05:46 AM]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [06/20/2002 12:06 PM]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [05/24/2002 05:47 AM]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [04/17/2002 10:42 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/22/2007 10:19 PM]
"MEDIC"="C:\Program Files\MEDIC\bin\sprtcmd.exe" [07/06/2006 08:45 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 06:30 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 09:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [10/13/2004 09:24 AM]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [09/05/2007 03:43 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"ServUTrayIcon"="C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe" [06/12/2006 09:09 AM]
"SUPERAntiSpyware"="C:\DOCUME~1\LANCEB~1\LOCALS~1\Temp\SSUPDATE.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"Index Washer"=C:\Program Files\Webroot\Washer\WashIdx.exe "Lance Bodnar"

C:\Documents and Settings\Lance Bodnar\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [10/26/2006 8:24:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Lexibase Express.lnk - C:\Program Files\Softissimo\Lexibase Standard\exe\L-Express.exe [4/26/2006 10:46:03 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 1:05:56 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WinSetup"= {f06a233a-e948-4469-b57a-456296ef951f} - C:\WINDOWS\Resources\WinSetup.dll [04/24/2008 11:50 PM 14374]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 04/12/2008 01:55 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfDtRIY]
khfDtRIY.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-04-25 00:03:53 ------------




Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 65%
Physical Memory (total/avail): 511.3 MiB / 178.64 MiB
Pagefile Memory (total/avail): 1248.08 MiB / 804.5 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.51 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 17.96 GiB free.
D: is Fixed (NTFS) - 111.79 GiB total, 82.21 GiB free.
E: is CDROM (CDFS)
F: is CDROM (No Media)
G: is Removable (Unformatted)

\\.\PHYSICALDRIVE1 -

\\.\PHYSICALDRIVE0 - WDC WD1600JB-22GVC0 - 149.05 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 111.79 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Internet Worm Protection v2006 (Symantec)
AV: Norton AntiVirus 2006 v2005 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Ubi Soft\\Chessmaster 9000\\Chessmaster.exe"="C:\\Program Files\\Ubi Soft\\Chessmaster 9000\\Chessmaster.exe:*:Enabled:Chessmaster 9000"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Disabled:btdownloadgui"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\TurboTax\\TurboTax Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\TurboTax Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\TurboTax Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\TurboTax Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Disabled:BitTorrent"
"C:\\Program Files\\RhinoSoft.com\\Serv-U\\ServUDaemon.exe"="C:\\Program Files\\RhinoSoft.com\\Serv-U\\ServUDaemon.exe:*:Disabled:Serv-U FTP Server"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Lance Bodnar\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BODNAR1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Lance Bodnar
LOGONSERVER=\\BODNAR1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\program files\pc-doctor for windows\services;C:\Program Files\MATLAB_SV71\bin\win32;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\LANCEB~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\LANCEB~1\LOCALS~1\Temp
USERDOMAIN=BODNAR1
USERNAME=Lance Bodnar
USERPROFILE=C:\Documents and Settings\Lance Bodnar
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Lance Bodnar (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type9782 / Warning
Event Submitted/Written: 04/13/2008 01:20:49 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type9728 / Warning
Event Submitted/Written: 04/12/2008 04:07:09 PM
Event ID/Source: 1020 / ASP.NET 2.0.50727.0
Event Description:
Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

Event Record #/Type9648 / Error
Event Submitted/Written: 04/12/2008 11:09:38 AM
Event ID/Source: 1008 / MsiInstaller
Event Description:
The installation of C:\Program Files\Common Files\Wise Installation Wizard\WISCDDCBBF1270346BC938BBCC81A1EEAAA_3_6_0_1000.MSI is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

Event Record #/Type9647 / Error
Event Submitted/Written: 04/12/2008 11:09:30 AM
Event ID/Source: 1008 / MsiInstaller
Event Description:
The installation of C:\Program Files\Common Files\Wise Installation Wizard\WISCDDCBBF1270346BC938BBCC81A1EEAAA_3_6_0_1000.MSI is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

Event Record #/Type9634 / Error
Event Submitted/Written: 04/12/2008 11:05:09 AM
Event ID/Source: 1008 / MsiInstaller
Event Description:
The installation of C:\Program Files\Common Files\Wise Installation Wizard\WISCDDCBBF1270346BC938BBCC81A1EEAAA_3_6_0_1000.MSI is not permitted due to an error in software restriction policy processing. The object cannot be trusted.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type23268 / Error
Event Submitted/Written: 04/22/2008 00:12:43 AM
Event ID/Source: 1000 / Dhcp
Event Description:
Your computer has lost the lease to its IP address 192.168.1.100 on the
Network Card with network address 0007E9BDEBD8.

Event Record #/Type23267 / Warning
Event Submitted/Written: 04/22/2008 00:12:43 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0007E9BDEBD8. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type23259 / Error
Event Submitted/Written: 04/20/2008 11:04:09 PM
Event ID/Source: 1003 / System Error
Event Description:
Error code 100000ea, parameter1 82a21020, parameter2 82cdff60, parameter3 ed4dccb4, parameter4 00000001.

Event Record #/Type23224 / Error
Event Submitted/Written: 04/20/2008 05:27:00 PM / 04/20/2008 05:28:06 PM
Event ID/Source: 108 / nv
Event Description:
The driver nv4_disp for the display device \Device\Video0 got stuck in an infinite loop. This
usually indicates a problem with the device itself or with the device
driver programming the hardware incorrectly. Please check with your
hardware device vendor for any driver updates.

Event Record #/Type23153 / Warning
Event Submitted/Written: 04/20/2008 11:33:13 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0007E9BDEBD8. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-04-25 00:03:53 ------------
  • 0

#9
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK then lets get ready for a massacre :) You will lose your desktop for the duration of this fix - be warned :)

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Documents and Settings\Lance Bodnar\Local Settings\Temporary Internet Files\Content.IE5\APMHI5LS\MediaTubeCodec_ver1.1210.0[1].exe
    C:\WINDOWS\system32\382077
    C:\WINDOWS\userconfig9x.dll
    C:\WINDOWS\system32winlogonpc.exe
    C:\WINDOWS\FVProtect.exe
    C:\WINDOWS\system32taack.exe
    C:\WINDOWS\system32taack.dat
    C:\WINDOWS\system32sncntr.exe
    C:\WINDOWS\system32mwin32.exe
    C:\WINDOWS\system32hxiwlgpm.exe
    C:\WINDOWS\system32hxiwlgpm.dat
    C:\WINDOWS\system32hoproxy.dll
    C:\WINDOWS\a.bat
    C:\WINDOWS\system32psoft1.exe
    C:\WINDOWS\system32psof1.exe
    C:\WINDOWS\system32ps1.exe
    C:\WINDOWS\system32bsva-egihsg52.exe
    C:\WINDOWS\system32ssurf022.dll
    C:\WINDOWS\system32netode.exe
    C:\WINDOWS\system32mtr2.exe
    C:\WINDOWS\system32msnbho.dll
    C:\WINDOWS\system32msgp.exe
    C:\WINDOWS\system32medup020.dll
    C:\WINDOWS\system32medup012.dll
    C:\WINDOWS\system32thun32.dll
    C:\WINDOWS\system32temp#01.exe
    C:\WINDOWS\system32ssvchost.exe
    C:\WINDOWS\system32ssvchost.com
    C:\WINDOWS\system32regm64.dll
    C:\WINDOWS\system32regc64.dll
    C:\WINDOWS\system32msvchost.exe
    C:\WINDOWS\[email protected]@@k.dll
    C:\WINDOWS\system32dpcproxy.exe
    C:\Documents and Settings\Lance Bodnar\Desktopfilemanagerclient.exe
    C:\WINDOWS\system32thun.dll
    C:\WINDOWS\system32Rundl1.exe
    C:\Documents and Settings\Lance Bodnar\DesktopFWebdEditor.exe
    C:\Documents and Settings\Lance Bodnar\Desktopfwebd.exe
    C:\WINDOWS\winsystem.exe
    C:\WINDOWS\system32winsystem.exe
    C:\WINDOWS\system32vcatchpi.dll
    C:\WINDOWS\system32newsd32.exe
    C:\WINDOWS\system32emesx.dll
    C:\WINDOWS\system32anticipator.dll
    C:\WINDOWS\system32akttzn.exe
    C:\WINDOWS\system32WINWGPX.EXE
    C:\WINDOWS\system32sysreq.exe
    C:\WINDOWS\system32mssecu.exe
    C:\WINDOWS\system32bdn.com
    C:\WINDOWS\system32awtoolb.dll
    C:\WINDOWS\system32vbsys2.dll
    C:\Documents and Settings\All Users\Application Data\nmbidgje
    C:\WINDOWS\Resources\WinSetup.dll
    C:\Program Files\Common Files\Wise Installation Wizard\WISCDDCBBF1270346BC938BBCC81A1EEAAA_3_6_0_1000.MSI 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WinSetup
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfDtRIY
    Purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FOLLOWED BY

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Logs required : OTMoveit and Combofix
  • 0

#10
bigtrain

bigtrain

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
It didn't move everything in the list of the previous post, and gave me warnings on files it couldn't find. I ran Malwarebytes, so perhaps that removed the missing files?

Anyway, here's the log...

Explorer killed successfully
< C:\Documents and Settings\Lance Bodnar\Local Settings\Temporary Internet Files\Content.IE5\APMHI5LS\MediaTubeCodec_ver1.1210.0[1].exe >
File/Folder C:\Documents and Settings\Lance Bodnar\Local Settings\Temporary Internet Files\Content.IE5\APMHI5LS\MediaTubeCodec_ver1.1210.0[1].exe not found.
C:\WINDOWS\system32\382077 moved successfully.
LoadLibrary failed for C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\userconfig9x.dll NOT unregistered.
C:\WINDOWS\userconfig9x.dll moved successfully.
C:\WINDOWS\system32winlogonpc.exe moved successfully.
C:\WINDOWS\FVProtect.exe moved successfully.
C:\WINDOWS\system32taack.exe moved successfully.
C:\WINDOWS\system32taack.dat moved successfully.
C:\WINDOWS\system32sncntr.exe moved successfully.
C:\WINDOWS\system32mwin32.exe moved successfully.
C:\WINDOWS\system32hxiwlgpm.exe moved successfully.
C:\WINDOWS\system32hxiwlgpm.dat moved successfully.
LoadLibrary failed for C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hoproxy.dll NOT unregistered.
C:\WINDOWS\system32hoproxy.dll moved successfully.
C:\WINDOWS\a.bat moved successfully.
C:\WINDOWS\system32psoft1.exe moved successfully.
C:\WINDOWS\system32psof1.exe moved successfully.
C:\WINDOWS\system32ps1.exe moved successfully.
C:\WINDOWS\system32bsva-egihsg52.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssurf022.dll NOT unregistered.
C:\WINDOWS\system32ssurf022.dll moved successfully.
C:\WINDOWS\system32netode.exe moved successfully.
C:\WINDOWS\system32mtr2.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32msnbho.dll NOT unregistered.
C:\WINDOWS\system32msnbho.dll moved successfully.
C:\WINDOWS\system32msgp.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32medup020.dll NOT unregistered.
C:\WINDOWS\system32medup020.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup012.dll NOT unregistered.
C:\WINDOWS\system32medup012.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32thun32.dll NOT unregistered.
C:\WINDOWS\system32thun32.dll moved successfully.
C:\WINDOWS\system32temp#01.exe moved successfully.
C:\WINDOWS\system32ssvchost.exe moved successfully.
C:\WINDOWS\system32ssvchost.com moved successfully.
LoadLibrary failed for C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32regm64.dll NOT unregistered.
C:\WINDOWS\system32regm64.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regc64.dll NOT unregistered.
C:\WINDOWS\system32regc64.dll moved successfully.
C:\WINDOWS\system32msvchost.exe moved successfully.
< C:\WINDOWS\[email protected]@@k.dll >
LoadLibrary failed for C:\WINDOWS\[email protected]@@k.dll
C:\WINDOWS\[email protected]@@k.dll NOT unregistered.
C:\WINDOWS\[email protected]@@k.dll moved successfully.
C:\WINDOWS\system32dpcproxy.exe moved successfully.
C:\Documents and Settings\Lance Bodnar\Desktopfilemanagerclient.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun.dll NOT unregistered.
C:\WINDOWS\system32thun.dll moved successfully.
C:\WINDOWS\system32Rundl1.exe moved successfully.
C:\Documents and Settings\Lance Bodnar\DesktopFWebdEditor.exe moved successfully.
C:\Documents and Settings\Lance Bodnar\Desktopfwebd.exe moved successfully.
C:\WINDOWS\winsystem.exe moved successfully.
C:\WINDOWS\system32winsystem.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32vcatchpi.dll NOT unregistered.
C:\WINDOWS\system32vcatchpi.dll moved successfully.
C:\WINDOWS\system32newsd32.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32emesx.dll NOT unregistered.
C:\WINDOWS\system32emesx.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32anticipator.dll NOT unregistered.
C:\WINDOWS\system32anticipator.dll moved successfully.
C:\WINDOWS\system32akttzn.exe moved successfully.
C:\WINDOWS\system32WINWGPX.EXE moved successfully.
C:\WINDOWS\system32sysreq.exe moved successfully.
C:\WINDOWS\system32mssecu.exe moved successfully.
C:\WINDOWS\system32bdn.com moved successfully.
LoadLibrary failed for C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32awtoolb.dll NOT unregistered.
C:\WINDOWS\system32awtoolb.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vbsys2.dll NOT unregistered.
C:\WINDOWS\system32vbsys2.dll moved successfully.
C:\Documents and Settings\All Users\Application Data\nmbidgje moved successfully.
File/Folder C:\WINDOWS\Resources\WinSetup.dll not found.
C:\Program Files\Common Files\Wise Installation Wizard\WISCDDCBBF1270346BC938BBCC81A1EEAAA_3_6_0_1000.MSI moved successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WinSetup >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WinSetup not found.
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfDtRIY >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfDtRIY\\ deleted successfully.
< Purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04262008_085945
  • 0

Advertisements


#11
bigtrain

bigtrain

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here's the ComboFix log

ComboFix 08-04-24.1 - Lance Bodnar 2008-04-26 9:21:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.157 [GMT -7:00]
Running from: C:\Documents and Settings\Lance Bodnar\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Lance Bodnar\Desktopblackbird.jpg
C:\Documents and Settings\Lance Bodnar\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Lance Bodnar\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Lance Bodnar\Desktopfkwp1.5.exe
C:\Documents and Settings\Lance Bodnar\Desktopfkwp2.0.exe
C:\Documents and Settings\Lance Bodnar\DesktopTrojan.Win32.BlackBird.exe
C:\WINDOWS\base64.tmp
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-26 08:59 . 2008-04-26 08:59 <DIR> d-------- C:\_OTMoveIt
2008-04-24 23:55 . 2008-04-24 23:55 <DIR> d-------- C:\Deckard
2008-04-19 10:39 . 2008-04-19 10:40 <DIR> d-------- C:\Program Files\iTunes
2008-04-19 10:36 . 2008-04-26 09:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-19 10:36 . 2008-04-19 10:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-19 10:34 . 2008-04-19 10:35 <DIR> d-------- C:\Program Files\QuickTime
2008-04-13 08:44 . 2008-04-13 08:44 <DIR> d-------- C:\VundoFix Backups
2008-04-12 11:31 . 2008-04-12 11:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-12 11:30 . 2008-04-12 13:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-12 11:30 . 2008-04-12 11:30 <DIR> d-------- C:\Documents and Settings\Lance Bodnar\Application Data\SUPERAntiSpyware.com
2008-04-12 11:25 . 2008-04-12 11:25 <DIR> d-------- C:\Documents and Settings\Lance Bodnar\Application Data\Malwarebytes
2008-04-12 11:16 . 2008-04-12 14:01 <DIR> d-------- C:\Program Files\Panda Security
2008-04-12 11:04 . 2008-04-26 09:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-12 10:39 . 2008-04-12 10:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-12 10:39 . 2008-04-12 10:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-12 10:39 . 2008-04-12 10:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-12 10:38 . 2008-04-12 10:38 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-09 22:06 . 2008-04-09 22:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 22:05 . 2008-04-09 22:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-04-08 11:38 . 2008-04-08 11:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-04-08 11:30 . 2008-04-08 11:30 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-04-08 11:30 . 2008-04-08 11:30 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-08 11:30 . 2008-04-26 09:21 1,024 --ah----- C:\Documents and Settings\Administrator\NTUSER.dat.LOG
2008-04-07 19:12 . 2008-04-07 19:12 <DIR> d-------- C:\Documents and Settings\Lance Bodnar\Application Data\TmpRecentIcons
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 14:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-19 17:39 --------- d-----w C:\Program Files\iPod
2008-04-19 17:22 --------- d-----w C:\Program Files\Apple Software Update
2008-04-12 23:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-12 20:55 --------- d-----w C:\Documents and Settings\Lance Bodnar\Application Data\Share-to-Web Upload Folder
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-09 02:18 --------- d-----w C:\Program Files\Unity
2008-03-02 21:19 --------- d-----w C:\Documents and Settings\Lance Bodnar\Application Data\Intuit
2008-03-02 21:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-02 21:11 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-02 21:03 --------- d-----w C:\Program Files\TurboTax
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-01 07:36 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-29 19:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2007-08-05 22:52 7,028,144 ----a-w C:\Documents and Settings\Lance Bodnar\medic6.exe
2006-10-19 02:19 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 09:24 1694208]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2007-09-05 15:43 1261384]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"ServUTrayIcon"="C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe" [2006-06-12 09:09 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PROMon.exe"="PROMon.exe" [2002-04-18 18:32 73728 C:\WINDOWS\system32\PROMon.exe]
"CTHelper"="CTHELPER.EXE" [2005-10-01 18:58 24576 C:\WINDOWS\system32\cthelper.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 01:00 28672]
"GWMDMMSG"="GWMDMMSG.exe" [2005-10-01 18:58 90112 C:\WINDOWS\GWMDMMSG.exe]
"GWMDMpi"="C:\WINDOWS\GWMDMpi.exe" [2005-10-01 18:58 53248]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 05:46 188416]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2002-06-20 12:06 339968]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-05-24 05:47 49152]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42 69632]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19 52840]
"MEDIC"="C:\Program Files\MEDIC\bin\sprtcmd.exe" [2006-07-06 08:45 192512]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\Lance Bodnar\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Lexibase Express.lnk - C:\Program Files\Softissimo\Lexibase Standard\exe\L-Express.exe [2006-04-26 22:46:03 81920]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-12 13:55 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Ubi Soft\\Chessmaster 9000\\Chessmaster.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\RhinoSoft.com\\Serv-U\\ServUDaemon.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-09-05 15:43]
S2 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 12:36]
S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 17:22:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-29 17:37:01 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Lance Bodnar.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 09:26:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Program Files\Common Files\Symantec Shared\SPBBC\2008-04-26-3cb8.kc 163000 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Softissimo\Lexibase Standard\exe\hkey.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Softissimo\Lexibase Standard\exe\Lexibase.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-26 9:30:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-26 16:30:32

Pre-Run: 19,179,827,200 bytes free
Post-Run: 19,143,503,872 bytes free

173 --- E O F --- 2008-04-12 23:08:52







And here's the HijackThis log after ComboFix...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:52 AM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\PROMon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MEDIC\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Softissimo\Lexibase Standard\exe\L-Express.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Softissimo\Lexibase Standard\exe\lexibase.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MEDIC] "C:\Program Files\MEDIC\bin\sprtcmd.exe" /P MEDIC
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ServUTrayIcon] C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Lexibase Express.lnk = C:\Program Files\Softissimo\Lexibase Standard\exe\L-Express.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activatio...ads/tgctlcm.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189905789468
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 11212 bytes
  • 0

#12
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
That looks a lot better now :) How is your computer running ? Any further problems ?
  • 0

#13
bigtrain

bigtrain

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
It looks to be running fine. Thanks for orchestrating the malware "massacre", I really appreciate it. This site is terrifically helpful.

--Lance
  • 0

#14
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Now the best part of the day ----- Your log now appears clean :)

Double click OTMoveIt2 once again and you should see a CleanUp! button, press that button, you may get prompted by your firewall that OTMoveIt2 wants to contact the internet, allow this, a cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself

Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?


Keep safe :)
  • 0

#15
bigtrain

bigtrain

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Thanks!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP