Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan.Vundo Help [RESOLVED]


  • This topic is locked This topic is locked

#1
Coupy

Coupy

    Member

  • Member
  • PipPip
  • 19 posts
Hi, I have been having problems with a virus on my computer. It started when i ran Norton and a virus message came up and sayed i had a virus but it didnt remove it. I am no good at computers...I hav ran ewido and norton and others to delete this virus.. But nothing

I am still infected. Really need your help.

I am windows XP

and my computer is going really slow due to the virus

I want this thing off my computer and would like you guys to help me out

i hav ran some stuff on the "Read before postin hijack this report" and nothing has worked

I'm from scotland incase you want to know my timezone

Thanks in advance.

Coupy
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Please follow all the steps in the Read Me First topic and post the necessary logs here
  • 0

#3
Coupy

Coupy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
ok well as im on my infected computer.....the link for HijackThis will not load....any quick links to download it ?
  • 0

#4
Coupy

Coupy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I have just tried restarting m computer and then checking if the site works

Nop, didnt work....The site will not load at all...Do u hav ANY type of dload link i could get tht would load quickly ?
  • 0

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Do this

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#6
Coupy

Coupy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I tried to run dss and it kept freezing

so i tried to download HijackThis and it worked!

Heres the log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:11:42, on 03/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Icons\SetIcon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\DOCUME~1\RYANCO~1\MYDOCU~1\YMANTE~1\nopdb.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\RYANCO~1\LOCALS~1\Temp\~nuzajvu.tmp\swreg.exe
C:\DOCUME~1\RYANCO~1\LOCALS~1\Temp\~nuzajvu.tmp\sed.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {31A8522E-0837-4C71-98B4-13E46282614B} - (no file)
O2 - BHO: (no name) - {33C46161-1FCF-470B-9F52-25036400EF67} - (no file)
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\system32\knqnmugu.dll
O2 - BHO: (no name) - {531720A4-1B5C-474B-B6E9-5E624DB02039} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55CDFDD3-21CD-469E-B11D-504BCBC54479} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9A3F997E-2513-4D4E-88EA-3D45B5EA5616} - (no file)
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C3B710E2-FEC3-4061-ACC9-ABFECEF07726} - C:\WINDOWS\system32\efcBsPFV.dll
O2 - BHO: (no name) - {da0366c4-9a28-4102-8242-d13259988ffc} - (no file)
O2 - BHO: (no name) - {DA03E6F3-3B64-4E55-A3EB-B8C3524CE07D} - (no file)
O2 - BHO: (no name) - {EA589903-1C2E-4E37-B010-CBFF50A651B2} - (no file)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [Support audio cool poll] "C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\gram data.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SetIcon] "C:\Program Files\Icons\SetIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [c0fa22bc] "rundll32.exe" "C:\WINDOWS\system32\gddtkgia.dll",b
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,[email protected]
O4 - HKLM\..\Run: [BMc3c91120] Rundll32.exe "C:\WINDOWS\system32\symwpbnl.dll",s
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\RYANCO~1\MYDOCU~1\YMANTE~1\nopdb.exe" -vt ndrv
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKCU\..\Run: [IncrediMail] "C:\Program Files\IncrediMail\bin\IncMail.exe" /c
O4 - HKCU\..\Run: [Hgpqv] "C:\Documents and Settings\Ryan Coupland\My Documents\s?stem32\l?gonui.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [comp blah] C:\DOCUME~1\RYANCO~1\APPLIC~1\ChicSeek\proxynew.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZCxdm579YYGB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab47946.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 15516 bytes
  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#8
Coupy

Coupy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hey, thanks for your help, While u were helping me a friend told me to download a free trial version of spy sweeper and i did and it took the virus away (i think) No norton tellin me iv got a virus...i hav a Hijack This log....could u tell me if im clean?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:06, on 2008-05-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Icons\SetIcon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {31A8522E-0837-4C71-98B4-13E46282614B} - (no file)
O2 - BHO: (no name) - {33C46161-1FCF-470B-9F52-25036400EF67} - (no file)
O2 - BHO: (no name) - {531720A4-1B5C-474B-B6E9-5E624DB02039} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55CDFDD3-21CD-469E-B11D-504BCBC54479} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9A3F997E-2513-4D4E-88EA-3D45B5EA5616} - (no file)
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {da0366c4-9a28-4102-8242-d13259988ffc} - (no file)
O2 - BHO: (no name) - {DA03E6F3-3B64-4E55-A3EB-B8C3524CE07D} - (no file)
O2 - BHO: (no name) - {E95CEF46-F6B2-473D-AC01-3C7EBD53352E} - C:\WINDOWS\system32\efcBsPFV.dll (file missing)
O2 - BHO: (no name) - {EA589903-1C2E-4E37-B010-CBFF50A651B2} - (no file)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [Support audio cool poll] "C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\gram data.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SetIcon] "C:\Program Files\Icons\SetIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [c0fa22bc] "rundll32.exe" "C:\WINDOWS\system32\gddtkgia.dll",b
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,[email protected]
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [BMc3c91120] Rundll32.exe "C:\WINDOWS\system32\symwpbnl.dll",s
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\RYANCO~1\MYDOCU~1\YMANTE~1\nopdb.exe" -vt ndrv
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKCU\..\Run: [IncrediMail] "C:\Program Files\IncrediMail\bin\IncMail.exe" /c
O4 - HKCU\..\Run: [Hgpqv] "C:\Documents and Settings\Ryan Coupland\My Documents\s?stem32\l?gonui.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [comp blah] C:\DOCUME~1\RYANCO~1\APPLIC~1\ChicSeek\proxynew.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZCxdm579YYGB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab47946.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 15073 bytes
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your not clean

Can you run ComboFix.exe
  • 0

#10
Coupy

Coupy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I did run combofix but my comp froze
  • 0

Advertisements


#11
Coupy

Coupy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
got it :)


ComboFix 08-05-01.3 - Ryan Coupland 2008-05-04 15:36:02.2 - NTFSx86
Running from: C:\Documents and Settings\Ryan Coupland\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Ryan Coupland\My Documents\SSTEM3~1
C:\Documents and Settings\Ryan Coupland\My Documents\SSTEM3~1\l?gonui.exe
C:\Documents and Settings\Ryan Coupland\My Documents\YMANTE~1
C:\Documents and Settings\Ryan Coupland\My Documents\YMANTE~1\?ssembly\
C:\Documents and Settings\Ryan Coupland\My Documents\YMANTE~1\nopdb.exe
C:\Program Files\Common Files\racle~1
C:\Program Files\Temporary
C:\Program Files\xInsIDE
C:\Temp\isgTi19
C:\WINDOWS\cookies.ini
C:\WINDOWS\dobe~1
C:\WINDOWS\pskt.ini
C:\WINDOWS\racle~1
C:\WINDOWS\system32\acshwypi.ini
C:\WINDOWS\system32\aigktddg.ini
C:\WINDOWS\system32\crvwttfw.ini
C:\WINDOWS\system32\DKnXFfhk.ini
C:\WINDOWS\system32\DKnXFfhk.ini2
C:\WINDOWS\system32\eijbvtli.ini
C:\WINDOWS\system32\gaeqqmkx.ini
C:\WINDOWS\system32\gyiexjnh.ini
C:\WINDOWS\system32\icroso~1
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\oymrbsft.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\symwpbnl.dll
C:\WINDOWS\system32\VFPsBcfe.ini
C:\WINDOWS\system32\VFPsBcfe.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-05-03 21:44 . 2008-05-04 10:17 2,560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-05-03 17:52 . 2008-05-03 17:52 <DIR> d-------- C:\Deckard
2008-05-03 16:40 . 2008-05-03 16:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-03 16:11 . 2008-05-03 16:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-05-03 16:11 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-05-03 16:11 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-05-03 16:11 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-05-03 16:11 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-05-03 16:10 . 2008-05-03 16:10 <DIR> d-------- C:\Program Files\Webroot
2008-05-03 16:10 . 2008-05-03 16:10 <DIR> d-------- C:\Documents and Settings\Ryan Coupland\Application Data\Webroot
2008-05-03 16:10 . 2008-05-03 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-05-03 16:10 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-05-03 16:09 . 2008-05-03 18:39 164 --a------ C:\install.dat
2008-05-02 00:16 . 2008-05-02 00:17 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-01 16:53 . 2008-05-01 16:53 <DIR> d-------- C:\VundoFix Backups
2008-05-01 16:33 . 2008-05-01 16:33 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-30 15:59 . 2008-04-30 15:59 53,312 --a------ C:\WINDOWS\system32\knqnmugu.dll
2008-04-29 15:53 . 2008-04-29 15:53 53,312 --a------ C:\WINDOWS\system32\ykredcuy.dll
2008-04-28 15:52 . 2008-04-28 15:52 53,312 --a------ C:\WINDOWS\system32\yptjcdra.dll
2008-04-27 18:23 . 2008-04-27 18:23 53,312 --a------ C:\WINDOWS\system32\wxbmloxr.dll
2008-04-27 00:54 . 2008-04-27 00:54 53,312 --a------ C:\WINDOWS\system32\fwliclwi.dll
2008-04-26 00:57 . 2008-04-26 00:57 53,312 --a------ C:\WINDOWS\system32\vsndnxex.dll
2008-04-25 00:56 . 2008-04-25 00:56 53,312 --a------ C:\WINDOWS\system32\xmgpgkys.dll
2008-04-25 00:53 . 2008-05-03 20:08 109,752 --a------ C:\WINDOWS\BMc3c91120.xml
2008-04-24 12:45 . 2008-04-24 12:45 <DIR> d-------- C:\WINDOWS\RegCure
2008-04-23 18:52 . 2008-04-24 13:07 <DIR> d-------- C:\Program Files\RegCure
2008-04-23 18:12 . 2008-04-23 18:12 <DIR> d-------- C:\Documents and Settings\Ryan Coupland\Application Data\Uniblue
2008-04-12 02:31 . 2008-04-12 02:31 <DIR> d-------- C:\Logs
2008-04-11 19:05 . 2008-04-19 11:56 <DIR> d-------- C:\Program Files\World of Warcraft
2008-04-07 17:09 . 2008-04-07 17:09 <DIR> d-------- C:\Program Files\Safari
2008-04-06 13:34 . 2008-04-06 13:34 <DIR> d-------- C:\Program Files\ChicSeek
2008-04-06 13:33 . 2008-05-01 14:12 <DIR> d-------- C:\Program Files\Circle Developement
2008-04-05 14:39 . 2008-04-05 14:39 13,502 --a------ C:\WINDOWS\system32\CelldoradoIconUK.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 14:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-05-04 14:33 --------- d-----w C:\Documents and Settings\Ryan Coupland\Application Data\DNA
2008-05-04 09:15 --------- d-----w C:\Program Files\Dl_cats
2008-05-03 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\HOLD WIN FLAP HEART
2008-05-01 13:12 --------- d-----w C:\Documents and Settings\Ryan Coupland\Application Data\ChicSeek
2008-05-01 13:12 --------- d-----w C:\Documents and Settings\Margaret Coupland\Application Data\ChicSeek
2008-05-01 10:34 --------- d-----w C:\Documents and Settings\Ryan Coupland\Application Data\Symantec
2008-05-01 10:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-28 14:57 --------- d-----w C:\Program Files\Norton Internet Security
2008-04-11 18:27 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-04-07 16:06 --------- d-----w C:\Program Files\iTunes
2008-04-07 16:06 --------- d-----w C:\Program Files\iPod
2008-04-07 16:03 --------- d-----w C:\Program Files\QuickTime
2008-04-06 12:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO
2008-04-06 12:33 --------- d-----w C:\Program Files\MSN Messenger
2008-04-06 12:33 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-29 16:16 --------- d-----w C:\Program Files\HyCam2
2008-03-29 16:16 --------- d-----w C:\Program Files\Covey Inc
2008-03-29 16:05 --------- d-----w C:\Program Files\SwiftSwitch
2008-03-29 16:05 --------- d-----w C:\Program Files\SwiftKit
2008-03-29 16:05 --------- d-----w C:\Program Files\Azureus
2008-03-24 12:56 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-24 12:55 --------- d-----w C:\Program Files\Windows Live
2008-03-24 12:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-23 16:16 --------- d-----w C:\Program Files\DivX
2008-03-16 02:06 --------- d-----w C:\Program Files\XviD
2008-03-10 20:04 --------- d-----w C:\Documents and Settings\Margaret Coupland\Application Data\Sonic
2008-03-10 20:04 --------- d-----w C:\Documents and Settings\Margaret Coupland\Application Data\Leadertech
2008-03-09 19:28 --------- d-----w C:\Documents and Settings\Ryan Coupland\Application Data\BitTorrent
2008-03-06 19:42 --------- d-----w C:\Documents and Settings\Ryan Coupland\Application Data\dvdcss
2007-05-17 08:01 2,846 ----a-w C:\Documents and Settings\Margaret Coupland\Application Data\wklnhst.dat
2007-02-25 19:38 2,472 ----a-w C:\Documents and Settings\Ryan Coupland\Application Data\wklnhst.dat
2007-02-14 22:05 69,520 ----a-w C:\Documents and Settings\Margaret Coupland\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31A8522E-0837-4C71-98B4-13E46282614B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33C46161-1FCF-470B-9F52-25036400EF67}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{531720A4-1B5C-474B-B6E9-5E624DB02039}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55CDFDD3-21CD-469E-B11D-504BCBC54479}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A3F997E-2513-4D4E-88EA-3D45B5EA5616}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{da0366c4-9a28-4102-8242-d13259988ffc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA03E6F3-3B64-4E55-A3EB-B8C3524CE07D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E95CEF46-F6B2-473D-AC01-3C7EBD53352E}]
C:\WINDOWS\system32\efcBsPFV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA589903-1C2E-4E37-B010-CBFF50A651B2}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-01-30 14:11 3497984]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 17:46 1460560]
"Sen"="C:\DOCUME~1\RYANCO~1\MYDOCU~1\YMANTE~1\nopdb.exe" [ ]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 12:23 1032640]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2006-10-31 15:06 204843]
"Hgpqv"="C:\Documents and Settings\Ryan Coupland\My Documents\s?stem32\l?gonui.exe" [ ]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"comp blah"="C:\DOCUME~1\RYANCO~1\APPLIC~1\ChicSeek\proxynew.exe" [2008-02-10 15:42 423936]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-11 12:33 288576]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 22:46 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-02-14 23:58 100056]
"Support audio cool poll"="C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\gram data.exe" [2008-05-04 10:17 5744128]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48 32881]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 01:20 339968 C:\WINDOWS\stsystra.exe]
"SetIcon"="C:\Program Files\Icons\SetIcon.exe" [2002-12-16 10:02 39936]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 944\memcard.exe" [2005-06-27 18:05 282624]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 20:45 430080]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 12:42 58728]
"c0fa22bc"="rundll32.exe" [2004-08-04 06:00 33280 C:\WINDOWS\system32\rundll32.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 22:05 344064]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 12:23 1032640]
"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 19:39 69632]
"BMc3c91120"="Rundll32.exe" [2004-08-04 06:00 33280 C:\WINDOWS\system32\rundll32.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

C:\Documents and Settings\Ryan Coupland\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2006-06-07 06:25:20 4154504]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-28 16:33:07 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-08 10:32:32 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-09-13 18:16 4650488 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncrediMail_Install.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

R1 mchInjDrv;madCodeHook DLL injection driver;C:\WINDOWS\system32\Drivers\mchInjDrv.sys [2008-05-04 10:17]
R3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2005-06-21 21:19]
R3 kbdcap;kbdcap;C:\WINDOWS\system32\drivers\kbdcap.sys [2006-07-26 01:18]
R3 ZY202_XP;ZyXEL 802.11g XG202 1211 Driver;C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys [2007-04-03 06:06]
S2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2004-11-02 16:12]
S3 w200bus;Sony Ericsson W200 driver (WDM);C:\WINDOWS\system32\DRIVERS\w200bus.sys [2006-11-07 09:42]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w200mdfl.sys [2006-11-07 09:42]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w200mdm.sys [2006-11-07 09:42]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w200mgmt.sys [2006-11-07 09:42]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w200obex.sys [2006-11-07 09:42]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-04 14:00:00 C:\WINDOWS\Tasks\A71547989122F03C.job"
- c:\docume~1\ryanco~1\applic~1\chicseek\Keep Remote Size.exe
"2008-04-25 22:58:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-04 14:00:00 C:\WINDOWS\Tasks\B7AA7BCF9185E54B.job"
- c:\docume~1\margar~1\applic~1\chicseek\Keep Remote Size.exe
"2008-05-04 14:12:03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-05-02 22:08:10 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Ryan Coupland.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task:
"2008-05-04 09:12:06 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-23 17:52:37 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-05-04 14:43:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2008-05-03 15:11:34 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2008-05-04 15:44:13
ComboFix-quarantined-files.txt 2008-05-04 14:44:06

Pre-Run: 159,832,358,912 bytes free
Post-Run: 159,822,254,080 bytes free

249 --- E O F --- 2008-04-12 10:43:20
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\knqnmugu.dll
C:\WINDOWS\system32\ykredcuy.dll
C:\WINDOWS\system32\yptjcdra.dll
C:\WINDOWS\system32\wxbmloxr.dll
C:\WINDOWS\system32\fwliclwi.dll
C:\WINDOWS\system32\vsndnxex.dll
C:\WINDOWS\system32\xmgpgkys.dll
C:\WINDOWS\BMc3c91120.xml
C:\WINDOWS\Tasks\A71547989122F03C.job
c:\docume~1\ryanco~1\applic~1\chicseek\Keep Remote Size.exe
C:\WINDOWS\Tasks\B7AA7BCF9185E54B.job

Folder::
C:\DOCUME~1\RYANCO~1\APPLIC~1\ChicSeek
C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO
C:\Program Files\ChicSeek

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Reboot and post a new HijackThis log
  • 0

#13
Coupy

Coupy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Are we getting better? :)

Heres HijackThis :



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:20:04, on 04/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Icons\SetIcon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E95CEF46-F6B2-473D-AC01-3C7EBD53352E} - C:\WINDOWS\system32\efcBsPFV.dll (file missing)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [Support audio cool poll] "C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\gram data.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SetIcon] "C:\Program Files\Icons\SetIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [c0fa22bc] "rundll32.exe" "C:\WINDOWS\system32\gddtkgia.dll",b
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,[email protected]
O4 - HKLM\..\Run: [BMc3c91120] "Rundll32.exe" "C:\WINDOWS\system32\symwpbnl.dll",s
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\RYANCO~1\MYDOCU~1\YMANTE~1\nopdb.exe" -vt ndrv
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKCU\..\Run: [IncrediMail] "C:\Program Files\IncrediMail\bin\IncMail.exe" /c
O4 - HKCU\..\Run: [Hgpqv] "C:\Documents and Settings\Ryan Coupland\My Documents\s?stem32\l?gonui.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [comp blah] C:\DOCUME~1\RYANCO~1\APPLIC~1\ChicSeek\proxynew.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZCxdm579YYGB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab47946.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 14230 bytes




Heres the log from ComboFix :

ComboFix 08-05-01.3 - Ryan Coupland 2008-05-04 16:08:14.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.630 [GMT 1:00]
Running from: C:\Documents and Settings\Ryan Coupland\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ryan Coupland\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\docume~1\ryanco~1\applic~1\chicseek\Keep Remote Size.exe
C:\WINDOWS\BMc3c91120.xml
C:\WINDOWS\system32\fwliclwi.dll
C:\WINDOWS\system32\knqnmugu.dll
C:\WINDOWS\system32\vsndnxex.dll
C:\WINDOWS\system32\wxbmloxr.dll
C:\WINDOWS\system32\xmgpgkys.dll
C:\WINDOWS\system32\ykredcuy.dll
C:\WINDOWS\system32\yptjcdra.dll
C:\WINDOWS\Tasks\A71547989122F03C.job
C:\WINDOWS\Tasks\B7AA7BCF9185E54B.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\RYANCO~1\APPLIC~1\ChicSeek
C:\DOCUME~1\RYANCO~1\APPLIC~1\ChicSeek\0
C:\DOCUME~1\RYANCO~1\APPLIC~1\ChicSeek\B5F186C2
C:\DOCUME~1\RYANCO~1\APPLIC~1\ChicSeek\gqykqsqh.exe
C:\DOCUME~1\RYANCO~1\APPLIC~1\ChicSeek\kwotwbwp.exe
C:\DOCUME~1\RYANCO~1\APPLIC~1\ChicSeek\proxynew.exe
C:\DOCUME~1\RYANCO~1\APPLIC~1\ChicSeek\udrchggj.exe
C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO
C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\gram data.exe
C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\Memo phone.exe
C:\Program Files\ChicSeek
C:\WINDOWS\b153.exe
C:\WINDOWS\BMc3c91120.xml
C:\WINDOWS\system32\fwliclwi.dll
C:\WINDOWS\system32\knqnmugu.dll
C:\WINDOWS\system32\vsndnxex.dll
C:\WINDOWS\system32\wxbmloxr.dll
C:\WINDOWS\system32\xmgpgkys.dll
C:\WINDOWS\system32\ykredcuy.dll
C:\WINDOWS\system32\yptjcdra.dll
C:\WINDOWS\Tasks\A71547989122F03C.job
C:\WINDOWS\Tasks\B7AA7BCF9185E54B.job

.
((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-05-03 21:44 . 2008-05-04 10:17 2,560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-05-03 17:52 . 2008-05-03 17:52 <DIR> d-------- C:\Deckard
2008-05-03 16:40 . 2008-05-03 16:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-03 16:11 . 2008-05-03 16:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-05-03 16:11 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-05-03 16:11 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-05-03 16:11 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-05-03 16:11 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-05-03 16:10 . 2008-05-03 16:10 <DIR> d-------- C:\Program Files\Webroot
2008-05-03 16:10 . 2008-05-03 16:10 <DIR> d-------- C:\Documents and Settings\Ryan Coupland\Application Data\Webroot
2008-05-03 16:10 . 2008-05-03 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-05-03 16:10 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-05-03 16:09 . 2008-05-03 18:39 164 --a------ C:\install.dat
2008-05-02 00:16 . 2008-05-02 00:17 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-01 16:53 . 2008-05-01 16:53 <DIR> d-------- C:\VundoFix Backups
2008-05-01 16:33 . 2008-05-01 16:33 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-24 12:45 . 2008-04-24 12:45 <DIR> d-------- C:\WINDOWS\RegCure
2008-04-23 18:52 . 2008-04-24 13:07 <DIR> d-------- C:\Program Files\RegCure
2008-04-23 18:12 . 2008-04-23 18:12 <DIR> d-------- C:\Documents and Settings\Ryan Coupland\Application Data\Uniblue
2008-04-12 02:31 . 2008-04-12 02:31 <DIR> d-------- C:\Logs
2008-04-11 19:05 . 2008-04-19 11:56 <DIR> d-------- C:\Program Files\World of Warcraft
2008-04-07 17:09 . 2008-04-07 17:09 <DIR> d-------- C:\Program Files\Safari
2008-04-06 13:33 . 2008-05-01 14:12 <DIR> d-------- C:\Program Files\Circle Developement
2008-04-05 14:39 . 2008-04-05 14:39 13,502 --a------ C:\WINDOWS\system32\CelldoradoIconUK.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 15:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-05-04 15:03 --------- d-----w C:\Documents and Settings\Ryan Coupland\Application Data\DNA
2008-05-04 09:15 --------- d-----w C:\Program Files\Dl_cats
2008-05-03 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\HOLD WIN FLAP HEART
2008-05-01 13:12 --------- d-----w C:\Documents and Settings\Margaret Coupland\Application Data\ChicSeek
2008-05-01 10:34 --------- d-----w C:\Documents and Settings\Ryan Coupland\Application Data\Symantec
2008-05-01 10:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-28 14:57 --------- d-----w C:\Program Files\Norton Internet Security
2008-04-11 18:27 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-04-07 16:06 --------- d-----w C:\Program Files\iTunes
2008-04-07 16:06 --------- d-----w C:\Program Files\iPod
2008-04-07 16:03 --------- d-----w C:\Program Files\QuickTime
2008-04-06 12:33 --------- d-----w C:\Program Files\MSN Messenger
2008-04-06 12:33 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-29 16:16 --------- d-----w C:\Program Files\HyCam2
2008-03-29 16:16 --------- d-----w C:\Program Files\Covey Inc
2008-03-29 16:05 --------- d-----w C:\Program Files\SwiftSwitch
2008-03-29 16:05 --------- d-----w C:\Program Files\SwiftKit
2008-03-29 16:05 --------- d-----w C:\Program Files\Azureus
2008-03-24 12:56 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-24 12:55 --------- d-----w C:\Program Files\Windows Live
2008-03-24 12:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-23 16:16 --------- d-----w C:\Program Files\DivX
2008-03-16 02:06 --------- d-----w C:\Program Files\XviD
2008-03-10 20:04 --------- d-----w C:\Documents and Settings\Margaret Coupland\Application Data\Sonic
2008-03-10 20:04 --------- d-----w C:\Documents and Settings\Margaret Coupland\Application Data\Leadertech
2008-03-09 19:28 --------- d-----w C:\Documents and Settings\Ryan Coupland\Application Data\BitTorrent
2008-03-06 19:42 --------- d-----w C:\Documents and Settings\Ryan Coupland\Application Data\dvdcss
2007-05-17 08:01 2,846 ----a-w C:\Documents and Settings\Margaret Coupland\Application Data\wklnhst.dat
2007-02-25 19:38 2,472 ----a-w C:\Documents and Settings\Ryan Coupland\Application Data\wklnhst.dat
2007-02-14 22:05 69,520 ----a-w C:\Documents and Settings\Margaret Coupland\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E95CEF46-F6B2-473D-AC01-3C7EBD53352E}]
C:\WINDOWS\system32\efcBsPFV.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-01-30 14:11 3497984]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 17:46 1460560]
"Sen"="C:\DOCUME~1\RYANCO~1\MYDOCU~1\YMANTE~1\nopdb.exe" [ ]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 12:23 1032640]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2006-10-31 15:06 204843]
"Hgpqv"="C:\Documents and Settings\Ryan Coupland\My Documents\s?stem32\l?gonui.exe" [ ]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"comp blah"="C:\DOCUME~1\RYANCO~1\APPLIC~1\ChicSeek\proxynew.exe" [ ]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-11 12:33 288576]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 22:46 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-02-14 23:58 100056]
"Support audio cool poll"="C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\gram data.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48 32881]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 01:20 339968 C:\WINDOWS\stsystra.exe]
"SetIcon"="C:\Program Files\Icons\SetIcon.exe" [2002-12-16 10:02 39936]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 944\memcard.exe" [2005-06-27 18:05 282624]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 20:45 430080]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 12:42 58728]
"c0fa22bc"="rundll32.exe" [2004-08-04 06:00 33280 C:\WINDOWS\system32\rundll32.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 22:05 344064]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 12:23 1032640]
"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 19:39 69632]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]
"BMc3c91120"="Rundll32.exe" [2004-08-04 06:00 33280 C:\WINDOWS\system32\rundll32.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

C:\Documents and Settings\Ryan Coupland\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2006-06-07 06:25:20 4154504]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-28 16:33:07 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-08 10:32:32 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-09-13 18:16 4650488 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncrediMail_Install.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

R1 mchInjDrv;madCodeHook DLL injection driver;C:\WINDOWS\system32\Drivers\mchInjDrv.sys [2008-05-04 10:17]
R3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2005-06-21 21:19]
R3 kbdcap;kbdcap;C:\WINDOWS\system32\drivers\kbdcap.sys [2006-07-26 01:18]
R3 ZY202_XP;ZyXEL 802.11g XG202 1211 Driver;C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys [2007-04-03 06:06]
S2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2004-11-02 16:12]
S3 w200bus;Sony Ericsson W200 driver (WDM);C:\WINDOWS\system32\DRIVERS\w200bus.sys [2006-11-07 09:42]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w200mdfl.sys [2006-11-07 09:42]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w200mdm.sys [2006-11-07 09:42]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w200mgmt.sys [2006-11-07 09:42]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w200obex.sys [2006-11-07 09:42]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 22:58:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-04 15:12:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-05-02 22:08:10 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Ryan Coupland.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task:
"2008-05-04 09:12:06 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-23 17:52:37 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-05-04 15:08:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2008-05-03 15:11:34 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2008-05-04 16:12:48
ComboFix-quarantined-files.txt 2008-05-04 15:12:42
ComboFix2.txt 2008-05-04 14:44:15

Pre-Run: 159,788,089,344 bytes free
Post-Run: 159,758,733,312 bytes free

231 --- E O F --- 2008-04-12 10:43:20
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Nearly there now :)

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {E95CEF46-F6B2-473D-AC01-3C7EBD53352E} - C:\WINDOWS\system32\efcBsPFV.dll (file missing)
O4 - HKLM\..\Run: [Support audio cool poll] "C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\gram data.exe"
O4 - HKLM\..\Run: [c0fa22bc] "rundll32.exe" "C:\WINDOWS\system32\gddtkgia.dll",b
O4 - HKLM\..\Run: [BMc3c91120] "Rundll32.exe" "C:\WINDOWS\system32\symwpbnl.dll",s
O4 - HKCU\..\Run: [Hgpqv] "C:\Documents and Settings\Ryan Coupland\My Documents\s?stem32\l?gonui.exe"
O4 - HKCU\..\Run: [comp blah] C:\DOCUME~1\RYANCO~1\APPLIC~1\ChicSeek\proxynew.exe


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



Reboot and post a new HijackThis log and tell me how your PC is running
  • 0

#15
Coupy

Coupy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
scan finished, here is log


Malwarebytes' Anti-Malware 1.11
Database version: 715

Scan type: Full Scan (C:\|D:\|H:\|)
Objects scanned: 186169
Time elapsed: 1 hour(s), 27 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\xInsIDE (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMc3c91120 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Deckard\System Scanner\20080503180107\backup\DOCUME~1\RYANCO~1\LOCALS~1\Temp\!update.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\20080503180107\backup\DOCUME~1\RYANCO~1\LOCALS~1\Temp\NDRAA.tmp (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\20080503180107\backup\DOCUME~1\RYANCO~1\LOCALS~1\Temp\outerinfo.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\MSN Messenger\riched20.dll (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Ryan Coupland\My Documents\YMANTE~1\nopdb.exe.vir (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\symwpbnl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0003145.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0003155.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0003182.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\la_r4.vxd (Adware.Winad) -> Quarantined and deleted successfully.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP